[selinux-policy/f19] * Mon Mar 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-22 - Allow nagios to manage nagios spool
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 18 20:53:16 UTC 2013
commit 8e632102dc6267c79b5ae62868687c893bdf04bf
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Mar 18 21:52:55 2013 +0100
* Mon Mar 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-22
- Allow nagios to manage nagios spool files
- /var/spool/snmptt is a directory which snmpd needs to write to, needs back port to RHEL6
- Add swift_alias.* policy files which contain typealiases for swift types
- Add support for /run/lock/opencryptoki
- Allow pkcsslotd chown capability
- Allow pkcsslotd to read passwd
- Add rsync_stub() interface
- Allow systemd_timedate also manage gnome config homedirs
- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
- Fix filetrans rules for kdm creates .xsession-errors
- Allow systemd_tmpfiles to create wtmp file
- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t
- Allow systemd to list all file system directories
- Add some basic stub interfaces which will be used in PRODUCT policies
policy-rawhide-base.patch | 5108 +++++++++++++++++++++++++++++++++---------
policy-rawhide-contrib.patch | 156 +-
selinux-policy.spec | 18 +-
3 files changed, 4184 insertions(+), 1098 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 56656df..c1404bd 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..330ed39 100644
+index 644d4d7..d2dbf35 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3089,11 +3089,12 @@ index 644d4d7..330ed39 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +146,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +146,12 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
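Review bot: The added `/usr/lib64/security/pam_krb5/pam_krb5_cchelper` entry hard-codes `lib64`, unlike the neighbouring `/lib/security/pam_krb5/pam_krb5_storetmp` entry, so a helper installed under `/usr/lib/security` on a 32-bit system would not get `bin_t` from it. If the distribution's file-context path equivalences rewrite `/usr/lib64` to `/usr/lib` before matching (not visible in this hunk), a pattern spelled with `lib64` may never match at all. Consider `/usr/lib/security/pam_krb5/pam_krb5_cchelper -- gen_context(system_u:object_r:bin_t,s0)` and confirm the resulting label with `matchpathcon` on both architectures. The entry also sits in the `/lib` block rather than with the other `/usr/lib` entries.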
@@ -3102,7 +3103,7 @@ index 644d4d7..330ed39 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +164,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -3111,7 +3112,7 @@ index 644d4d7..330ed39 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +180,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3119,7 +3120,7 @@ index 644d4d7..330ed39 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +192,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3178,7 +3179,7 @@ index 644d4d7..330ed39 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +245,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3214,7 +3215,7 @@ index 644d4d7..330ed39 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +281,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3230,7 +3231,7 @@ index 644d4d7..330ed39 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +302,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3251,7 +3252,7 @@ index 644d4d7..330ed39 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +328,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3267,7 +3268,7 @@ index 644d4d7..330ed39 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +351,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3292,7 +3293,7 @@ index 644d4d7..330ed39 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +384,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +385,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3321,7 +3322,7 @@ index 644d4d7..330ed39 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +453,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +454,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3338,7 +3339,7 @@ index 644d4d7..330ed39 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +471,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +472,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3352,10 +3353,33 @@ index 644d4d7..330ed39 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..87d577e 100644
+index 9e9263a..979f47f 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
-@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
+@@ -8,6 +8,22 @@
+ ## run init.
+ ## </required>
+
++#####################################
++## <summary>
++## corecmd stub bin_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`corecmd_stub_bin',`
++ gen_require(`
++ type bin_t;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for files
+@@ -122,6 +138,7 @@ interface(`corecmd_search_bin',`
type bin_t;
')
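Review bot: The documentation of the new `corecmd_stub_bin` interface contradicts itself: the summary says "No access allowed." while the `domain` parameter, marked `unused="true"`, is described as "Domain allowed access". The body holds only a `gen_require` for `bin_t` and no allow rule, so the parameter text would be clearer as `## Unused; this interface grants no access.`. The summary could also state that the interface presumably exists only to make `bin_t` available to the calling module. The same wording appears in the `files_stub_*` interfaces added to files.if later in this patch.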
@@ -3363,7 +3387,7 @@ index 9e9263a..87d577e 100644
search_dirs_pattern($1, bin_t, bin_t)
')
-@@ -158,6 +159,7 @@ interface(`corecmd_list_bin',`
+@@ -158,6 +175,7 @@ interface(`corecmd_list_bin',`
type bin_t;
')
@@ -3371,7 +3395,7 @@ index 9e9263a..87d577e 100644
list_dirs_pattern($1, bin_t, bin_t)
')
-@@ -203,7 +205,7 @@ interface(`corecmd_getattr_bin_files',`
+@@ -203,7 +221,7 @@ interface(`corecmd_getattr_bin_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -3380,7 +3404,7 @@ index 9e9263a..87d577e 100644
## </summary>
## </param>
#
-@@ -231,6 +233,7 @@ interface(`corecmd_read_bin_files',`
+@@ -231,6 +249,7 @@ interface(`corecmd_read_bin_files',`
type bin_t;
')
@@ -3388,7 +3412,7 @@ index 9e9263a..87d577e 100644
read_files_pattern($1, bin_t, bin_t)
')
-@@ -254,6 +257,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
+@@ -254,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',`
########################################
## <summary>
@@ -3413,7 +3437,7 @@ index 9e9263a..87d577e 100644
## Read symbolic links in bin directories.
## </summary>
## <param name="domain">
-@@ -285,6 +306,7 @@ interface(`corecmd_read_bin_pipes',`
+@@ -285,6 +322,7 @@ interface(`corecmd_read_bin_pipes',`
type bin_t;
')
@@ -3421,7 +3445,7 @@ index 9e9263a..87d577e 100644
read_fifo_files_pattern($1, bin_t, bin_t)
')
-@@ -303,6 +325,7 @@ interface(`corecmd_read_bin_sockets',`
+@@ -303,6 +341,7 @@ interface(`corecmd_read_bin_sockets',`
type bin_t;
')
@@ -3429,7 +3453,7 @@ index 9e9263a..87d577e 100644
read_sock_files_pattern($1, bin_t, bin_t)
')
-@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
+@@ -345,6 +384,10 @@ interface(`corecmd_exec_bin',`
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
@@ -3440,7 +3464,7 @@ index 9e9263a..87d577e 100644
')
########################################
-@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
+@@ -362,6 +405,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t;
')
@@ -3448,7 +3472,7 @@ index 9e9263a..87d577e 100644
manage_files_pattern($1, bin_t, bin_t)
')
-@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,6 +442,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t;
')
@@ -3456,7 +3480,7 @@ index 9e9263a..87d577e 100644
mmap_files_pattern($1, bin_t, bin_t)
')
-@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',`
########################################
## <summary>
@@ -3481,7 +3505,7 @@ index 9e9263a..87d577e 100644
## Get the attributes of all executable files.
## </summary>
## <param name="domain">
-@@ -1012,6 +1059,10 @@ interface(`corecmd_exec_all_executables',`
+@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@@ -3492,7 +3516,7 @@ index 9e9263a..87d577e 100644
')
########################################
-@@ -1049,6 +1100,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@@ -3500,7 +3524,7 @@ index 9e9263a..87d577e 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1143,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@@ -8056,7 +8080,7 @@ index cf04cb5..431baa5 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..d0e6d1c 100644
+index c2c6e05..96aeeef 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8253,7 +8277,7 @@ index c2c6e05..d0e6d1c 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +243,21 @@ ifndef(`distro_redhat',`
+@@ -237,11 +243,22 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -8263,6 +8287,7 @@ index c2c6e05..d0e6d1c 100644
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
+-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
@@ -8270,12 +8295,13 @@ index c2c6e05..d0e6d1c 100644
+/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
- /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -d gen_context(system_u:object_r:var_lock_t,s0)
+/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock/.* <<none>>
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -262,6 +278,7 @@ ifndef(`distro_redhat',`
+@@ -262,6 +279,7 @@ ifndef(`distro_redhat',`
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
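Review bot: Replacing `/var/lock(/.*)?` with `/var/lock/.* <<none>>` means a relabel (`restorecon`, `fixfiles`) will no longer correct anything under /var/lock, so a lock file that ends up with a wrong or overly permissive type keeps it until it is deleted. That matches the changelog's stated intent, but correct labeling then depends entirely on type transitions at creation time, which this hunk does not show. It is worth confirming that the `/run/lock` entries get the same treatment where `/var/lock` is a symlink, and adding a comment above the new line such as `# content is labeled at creation by type transitions; deliberately not relabeled`. The removal of the old line is in the preceding hunk (`@@ -8263,6 +8287,7 @@`).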
@@ -8283,17 +8309,137 @@ index c2c6e05..d0e6d1c 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -270,3 +287,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +288,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8a9355a 100644
+index 64ff4d7..90999af 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
-@@ -55,6 +55,7 @@
+@@ -19,6 +19,119 @@
+ ## Comains the file initial SID.
+ ## </required>
+
++#####################################
++## <summary>
++## files stub etc_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_etc',`
++ gen_require(`
++ type etc_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_lock_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_lock',`
++ gen_require(`
++ type var_lock_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_log_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_log',`
++ gen_require(`
++ type var_log_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_lib_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_lib',`
++ gen_require(`
++ type var_lib_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_run_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_run',`
++ gen_require(`
++ type var_run_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub var_run_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_var_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++')
++
++#####################################
++## <summary>
++## files stub tmp_t interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_stub_tmp',`
++ gen_require(`
++ type tmp_t;
++ ')
++')
++
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for files
+@@ -55,6 +168,7 @@
## <li>files_pid_file()</li>
## <li>files_security_file()</li>
## <li>files_security_mountpoint()</li>
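Review bot: The summary for `files_stub_var_spool` says "files stub var_run_t interface", but the interface requires `var_spool_t`; it looks copied from `files_stub_var_run` directly above it. The line should read `## files stub var_spool_t interface. No access allowed.` so that generated interface documentation does not point policy writers at the wrong type. This hunk also carries the tail of the files.fc section, which is unrelated to this point.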
@@ -8301,7 +8447,87 @@ index 64ff4d7..8a9355a 100644
## <li>files_tmp_file()</li>
## <li>files_tmpfs_file()</li>
## <li>logging_log_file()</li>
-@@ -521,7 +522,7 @@ interface(`files_mounton_non_security',`
+@@ -125,30 +239,31 @@ interface(`files_security_file',`
+ typeattribute $1 file_type, security_file_type, non_auth_file_type;
+ ')
+
++
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## lock files.
++## filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+-## Type to be used for lock files.
++## Type to be used for mount points.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_lock_file',`
++interface(`files_mountpoint',`
+ gen_require(`
+- attribute lockfile;
++ attribute mountpoint;
+ ')
+
+ files_type($1)
+- typeattribute $1 lockfile;
++ typeattribute $1 mountpoint;
+ ')
+
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## filesystem mount points.
++## security file filesystem mount points.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+@@ -156,33 +271,33 @@ interface(`files_lock_file',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mountpoint',`
++interface(`files_security_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+- files_type($1)
++ files_security_file($1)
+ typeattribute $1 mountpoint;
+ ')
+
+ ########################################
+ ## <summary>
+ ## Make the specified type usable for
+-## security file filesystem mount points.
++## lock files.
+ ## </summary>
+ ## <param name="type">
+ ## <summary>
+-## Type to be used for mount points.
++## Type to be used for lock files.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_security_mountpoint',`
++interface(`files_lock_file',`
+ gen_require(`
+- attribute mountpoint;
++ attribute lockfile;
+ ')
+
+- files_security_file($1)
+- typeattribute $1 mountpoint;
++ files_type($1)
++ typeattribute $1 lockfile;
+ ')
+
+ ########################################
+@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
@@ -8310,7 +8536,7 @@ index 64ff4d7..8a9355a 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -620,6 +621,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
## <summary>
@@ -8374,7 +8600,7 @@ index 64ff4d7..8a9355a 100644
## Read all files.
## </summary>
## <param name="domain">
-@@ -683,12 +741,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -8457,7 +8683,7 @@ index 64ff4d7..8a9355a 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -953,6 +1081,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
## <summary>
@@ -8483,7 +8709,7 @@ index 64ff4d7..8a9355a 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -991,6 +1138,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
## <summary>
@@ -8509,7 +8735,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
## </summary>
-@@ -1073,10 +1239,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8522,7 +8748,7 @@ index 64ff4d7..8a9355a 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1346,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1460,6 @@ interface(`files_list_all',`
########################################
## <summary>
@@ -8547,7 +8773,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1589,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -8557,7 +8783,7 @@ index 64ff4d7..8a9355a 100644
')
#############################################
-@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
## <summary>
@@ -8582,7 +8808,7 @@ index 64ff4d7..8a9355a 100644
## Set the attributes of all mount points.
## </summary>
## <param name="domain">
-@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
@@ -8607,11 +8833,33 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
+-## List the contents of the root directory.
+## Write all file type directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_root',`
++interface(`files_write_all_dirs',`
+ gen_require(`
+- type root_t;
++ attribute file_type;
+ ')
+
+- allow $1 root_t:dir list_dir_perms;
++ allow $1 file_type:dir write;
++')
++
++########################################
++## <summary>
++## List the contents of the root directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8619,20 +8867,16 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_write_all_dirs',`
++interface(`files_list_root',`
+ gen_require(`
-+ attribute file_type;
++ type root_t;
+ ')
+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+## <summary>
- ## List the contents of the root directory.
- ## </summary>
- ## <param name="domain">
-@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',`
++ allow $1 root_t:dir list_dir_perms;
+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+
+@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -8664,7 +8908,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -8673,7 +8917,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -8698,7 +8942,7 @@ index 64ff4d7..8a9355a 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -8723,7 +8967,7 @@ index 64ff4d7..8a9355a 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -8731,7 +8975,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -8740,104 +8984,37 @@ index 64ff4d7..8a9355a 100644
## </summary>
## </param>
#
-@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
--## Delete system configuration files in /etc.
+## Do not audit attempts to check the
+## access on etc files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_delete_etc_files',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_access_check_etc',`
- gen_require(`
- type etc_t;
- ')
-
-- delete_files_pattern($1, etc_t, etc_t)
++ gen_require(`
++ type etc_t;
++ ')
++
+ dontaudit $1 etc_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ## <summary>
--## Execute generic files in /etc.
-+## Delete system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_exec_etc_files',`
-+interface(`files_delete_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
-- allow $1 etc_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, etc_t, etc_t)
-- exec_files_pattern($1, etc_t, etc_t)
-+ delete_files_pattern($1, etc_t, etc_t)
- ')
-
--#######################################
++')
++
+########################################
- ## <summary>
--## Relabel from and to generic files in /etc.
-+## Remove entries from the etc directory.
++## <summary>
+ ## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_relabel_etc_files',`
-+interface(`files_delete_etc_dir_entry',`
- gen_require(`
- type etc_t;
- ')
-
-- allow $1 etc_t:dir list_dir_perms;
-- relabel_files_pattern($1, etc_t, etc_t)
-+ allow $1 etc_t:dir del_entry_dir_perms;
- ')
+@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
--## Read symbolic links in /etc.
-+## Execute generic files in /etc.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_etc_symlinks',`
-+interface(`files_exec_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
-+ allow $1 etc_t:dir list_dir_perms;
- read_lnk_files_pattern($1, etc_t, etc_t)
-+ exec_files_pattern($1, etc_t, etc_t)
- ')
-
--########################################
-+#######################################
- ## <summary>
--## Create, read, write, and delete symbolic links in /etc.
-+## Relabel from and to generic files in /etc.
++## Remove entries from the etc directory.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -8845,40 +9022,20 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabel_etc_files',`
++interface(`files_delete_etc_dir_entry',`
+ gen_require(`
+ type etc_t;
+ ')
+
-+ allow $1 etc_t:dir list_dir_perms;
-+ relabel_files_pattern($1, etc_t, etc_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read symbolic links in /etc.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_etc_symlinks',`
-+ gen_require(`
-+ type etc_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, etc_t, etc_t)
++ allow $1 etc_t:dir del_entry_dir_perms;
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete symbolic links in /etc.
+ ## Execute generic files in /etc.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -8903,7 +9060,7 @@ index 64ff4d7..8a9355a 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -8914,7 +9071,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -8936,7 +9093,7 @@ index 64ff4d7..8a9355a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@@ -8963,7 +9120,7 @@ index 64ff4d7..8a9355a 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -8971,7 +9128,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -8979,7 +9136,7 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -9005,7 +9162,7 @@ index 64ff4d7..8a9355a 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -9031,7 +9188,7 @@ index 64ff4d7..8a9355a 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -9057,7 +9214,7 @@ index 64ff4d7..8a9355a 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -9101,64 +9258,98 @@ index 64ff4d7..8a9355a 100644
')
########################################
-@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+-########################################
+#######################################
-+## <summary>
+ ## <summary>
+-## Allow the specified type to associate
+-## to a filesystem with the type of the
+-## temporary directory (/tmp).
+## Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-## <summary>
+-## Type of the file to associate.
+-## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:filesystem associate;
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Get the attributes of the tmp directory (/tmp).
+## Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir getattr;
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+
+-########################################
+#####################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to get the
+-## attributes of the tmp directory (/tmp).
+## File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir getattr;
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -9175,124 +9366,195 @@ index 64ff4d7..8a9355a 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- allow $1 tmp_t:dir search_dir_perms;
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+## <summary>
+ ## <summary>
+-## Do not audit attempts to search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain to not audit.
+-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir search_dir_perms;
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+###################################
-+## <summary>
+ ## <summary>
+-## Read the tmp directory (/tmp).
+## Create files in /etc with the type used for
+## the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+## <summary>
+## The type of the process performing this action.
+## </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir list_dir_perms;
+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+
########################################
## <summary>
- ## Allow the specified type to associate
-@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',`
+-## Do not audit listing of the tmp directory (/tmp).
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ## <summary>
+-## Domain not to audit.
++## Type of the file to associate.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
++interface(`files_associate_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- dontaudit $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:filesystem associate;
+ ')
########################################
## <summary>
+-## Remove entries from the tmp directory.
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type of the file to associate.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_associate_rootfs',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type root_t;
-+ ')
-+
+ ')
+
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in the tmp directory (/tmp).
++## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',`
+ ## <summary>
+@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
+- read_files_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir getattr;
++ allow $1 tmp_t:dir getattr;
')
########################################
## <summary>
+-## Manage temporary directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_dontaudit_access_check_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type etc_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit attempts to get the
- ## attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ## <summary>
+-## Manage temporary files and directories in /tmp.
++## Do not audit attempts to get the
++## attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
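Review bot: Three interfaces on the new side of this hunk name one type in `gen_require` and a different one in their rule. `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` require `type usr_t;`, yet their only rule is `relabelto_files_pattern` / `relabelfrom_files_pattern` on `system_conf_t`. `files_dontaudit_access_check_tmp` requires `type etc_t;`, yet its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`. These look like copy-paste leftovers; a caller that does not already have the referenced type in scope would presumably fail to build, and the require block misstates what each interface touches. I would change the require lines to `type system_conf_t;` in the two relabel interfaces and `type tmp_t;` in `files_dontaudit_access_check_tmp`. The summary of `files_relabelfrom_system_conf_files` also repeats the relabelto wording and should say it relabels from the system configuration type.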
@@ -9301,116 +9563,2298 @@ index 64ff4d7..8a9355a 100644
## </summary>
## </param>
#
-@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',`
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir search_dir_perms;
+- manage_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir getattr;
')
-@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-## Read symbolic links in the tmp directory (/tmp).
++## Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_search_tmp',`
+ gen_require(`
type tmp_t;
')
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-## Read and write generic named sockets in the tmp directory (/tmp).
++## Do not audit attempts to search the tmp directory (/tmp).
## </summary>
## <param name="domain">
## <summary>
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',`
- dontaudit $1 tmp_t:dir list_dir_perms;
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir search_dir_perms;
')
-+#######################################
-+## <summary>
-+## Allow read and write to the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain not to audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_generic_tmp_dir',`
-+ gen_require(`
+ ########################################
+ ## <summary>
+-## Set the attributes of all tmp directories.
++## Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## List all tmp directories.
++## Do not audit listing of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+
+-########################################
++#######################################
+ ## <summary>
+-## Relabel to and from all temporary
+-## directory types.
++## Allow read and write to the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
++## <summary>
++## Domain not to audit.
++## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
+- gen_require(`
+- attribute tmpfile;
+- type var_t;
+- ')
++interface(`files_rw_generic_tmp_dir',`
++ gen_require(`
+ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
++ files_search_tmp($1)
++ allow $1 tmp_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
++## Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
++ files_search_tmp($1)
++ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow attempts to get the attributes
+-## of all tmp files.
++## Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:file getattr;
++ read_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel to and from all temporary
+-## file types.
++## Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
++ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_files_pattern($1, tmpfile, tmpfile)
++ manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of all tmp sock_file.
++## Allow shared library text relocations in tmp files.
+ ## </summary>
++## <desc>
++## <p>
++## Allow shared library text relocations in tmp files.
++## </p>
++## <p>
++## This is added to support java policy.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_execmod_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- dontaudit $1 tmpfile:sock_file getattr;
++ allow $1 tmpfile:file execmod;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all tmp files.
++## Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- read_files_pattern($1, tmpfile, tmpfile)
++ manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
++## Read symbolic links in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
+-## <summary>
+-## The type of the object to be created.
+-## </summary>
+-## </param>
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete the contents of /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
+- delete_dirs_pattern($1, tmpfile, tmpfile)
+- delete_files_pattern($1, tmpfile, tmpfile)
+- delete_lnk_files_pattern($1, tmpfile, tmpfile)
+- delete_fifo_files_pattern($1, tmpfile, tmpfile)
+- delete_sock_files_pattern($1, tmpfile, tmpfile)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the /usr directory.
++## Relabel a dir from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_usr_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- allow $1 usr_t:dir setattr;
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the content of /usr.
++## Relabel a file from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_usr',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- allow $1 usr_t:dir search_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic
+-## directories in /usr.
++## Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4695,35 +5158,35 @@ interface(`files_search_usr',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit write of /usr dirs
++## Allow caller to read inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir write;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+ ')
+
+ ########################################
+ ## <summary>
+-## Add and remove entries from /usr directories.
++## Allow caller to append inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to add and remove
+-## entries from /usr directories.
++## Allow caller to read and write inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic directories in /usr in the caller domain.
++## List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- delete_dirs_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic files in /usr in the caller domain.
++## Relabel to and from all temporary
++## directory types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- delete_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of files in /usr.
++## Do not audit attempts to get the attributes
++## of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- getattr_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic files in /usr.
++## Allow attempts to get the attributes
++## of all tmp files.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Allow the specified domain to read generic
+-## files in /usr. These files are various program
+-## files that do not have more specific SELinux types.
+-## Some examples of these files are:
+-## </p>
+-## <ul>
+-## <li>/usr/include/*</li>
+-## <li>/usr/share/doc/*</li>
+-## <li>/usr/share/info/*</li>
+-## </ul>
+-## <p>
+-## Generally, it is safe for many domains to have
+-## this access.
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_read_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- read_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute generic programs in /usr in the caller domain.
++## Relabel to and from all temporary
++## file types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
+- allow $1 usr_t:dir list_dir_perms;
+- exec_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## dontaudit write of /usr files
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_files',`
+- gen_require(`
+- type usr_t;
+- ')
+-
+- dontaudit $1 usr_t:file write;
+-')
+-
+-########################################
+-## <summary>
+-## Create, read, write, and delete files in the /usr directory.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- manage_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:sock_file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel a file to the type used in /usr.
++## Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- relabelto_files_pattern($1, usr_t, usr_t)
++ read_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel a file from the type used in /usr.
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- relabelfrom_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links in /usr.
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /usr directory
++## Create an object in the tmp directories, with a private
++## type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ## <summary>
+-## The type of the object to be created
++## The type of the object to be created.
+ ## </summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ## <summary>
+-## The object class.
++## The object class of the object being created.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- filetrans_pattern($1, usr_t, $2, $3, $4)
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search /usr/src.
++## Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ gen_require(`
+- type src_t;
++ attribute tmpfile;
+ ')
+
+- dontaudit $1 src_t:dir search_dir_perms;
++ allow $1 tmpfile:dir list_dir_perms;
++ delete_dirs_pattern($1, tmpfile, tmpfile)
++ delete_files_pattern($1, tmpfile, tmpfile)
++ delete_lnk_files_pattern($1, tmpfile, tmpfile)
++ delete_fifo_files_pattern($1, tmpfile, tmpfile)
++ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of files in /usr/src.
++## Set the attributes of the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- getattr_files_pattern($1, src_t, src_t)
+-
+- # /usr/src/linux symlink:
+- read_lnk_files_pattern($1, usr_t, src_t)
++ allow $1 usr_t:dir setattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in /usr/src.
++## Search the content of /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+ allow $1 usr_t:dir search_dir_perms;
+- read_files_pattern($1, { usr_t src_t }, src_t)
+- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+- allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute programs in /usr/src in the caller domain.
++## List the contents of generic
++## directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
+ ')
+
+- list_dirs_pattern($1, usr_t, src_t)
+- exec_files_pattern($1, src_t, src_t)
+- read_lnk_files_pattern($1, src_t, src_t)
++ allow $1 usr_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Install a system.map into the /boot directory.
++## Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+- allow $1 system_map_t:file { create_file_perms rw_file_perms };
++ dontaudit $1 usr_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read system.map in the /boot directory.
++## Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- read_files_pattern($1, boot_t, system_map_t)
++ allow $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete a system.map in the /boot directory.
++## Do not audit attempts to add and remove
++## entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ gen_require(`
+- type boot_t, system_map_t;
++ type usr_t;
+ ')
+
+- allow $1 boot_t:dir list_dir_perms;
+- delete_files_pattern($1, boot_t, system_map_t)
++ dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of /var.
++## Delete generic directories in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write to /var.
++## Delete generic files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir write;
++ delete_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow attempts to write to /var.dirs
++## Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir write;
++ getattr_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search
+-## the contents of /var.
++## Read generic files in /usr.
+ ## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read generic
++## files in /usr. These files are various program
++## files that do not have more specific SELinux types.
++## Some examples of these files are:
++## </p>
++## <ul>
++## <li>/usr/include/*</li>
++## <li>/usr/share/doc/*</li>
++## <li>/usr/share/info/*</li>
++## </ul>
++## <p>
++## Generally, it is safe for many domains to have
++## this access.
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:dir search_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ read_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of /var.
++## Execute generic programs in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir list_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ exec_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete directories
+-## in the /var directory.
++## dontaudit write of /usr files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- allow $1 var_t:dir manage_dir_perms;
++ dontaudit $1 usr_t:file write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read files in the /var directory.
++## Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- read_files_pattern($1, var_t, var_t)
++ manage_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Append files in the /var directory.
++## Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- append_files_pattern($1, var_t, var_t)
++ relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write files in the /var directory.
++## Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- rw_files_pattern($1, var_t, var_t)
++ relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and write
+-## files in the /var directory.
++## Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete files in the /var directory.
++## Create objects in the /usr directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- manage_files_pattern($1, var_t, var_t)
++ filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read symbolic links in the /var directory.
++## Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ gen_require(`
+- type var_t;
++ type src_t;
+ ')
+
+- read_lnk_files_pattern($1, var_t, var_t)
++ dontaudit $1 src_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete symbolic
+-## links in the /var directory.
++## Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- manage_lnk_files_pattern($1, var_t, var_t)
++ getattr_files_pattern($1, src_t, src_t)
++
++ # /usr/src/linux symlink:
++ read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /var directory
++## Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## The object class.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- filetrans_pattern($1, var_t, $2, $3, $4)
++ allow $1 usr_t:dir search_dir_perms;
++ read_files_pattern($1, { usr_t src_t }, src_t)
++ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++ allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of the /var/lib directory.
++## Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type usr_t, src_t;
+ ')
+
+- getattr_dirs_pattern($1, var_t, var_lib_t)
++ list_dirs_pattern($1, usr_t, src_t)
++ exec_files_pattern($1, src_t, src_t)
++ read_lnk_files_pattern($1, src_t, src_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the /var/lib directory.
++## Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-## <p>
+-## Search the /var/lib directory. This is
+-## necessary to access files or directories under
+-## /var/lib that have a private type. For example, a
+-## domain accessing a private library file in the
+-## /var/lib directory:
+-## </p>
+-## <p>
+-## allow mydomain_t mylibfile_t:file read_file_perms;
+-## files_search_var_lib(mydomain_t)
+-## </p>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- search_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++ allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search the
+-## contents of /var/lib.
++## Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+- type var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- dontaudit $1 var_lib_t:dir search_dir_perms;
++ allow $1 boot_t:dir list_dir_perms;
++ read_files_pattern($1, boot_t, system_map_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of the /var/lib directory.
++## Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir list_dir_perms;
++ delete_files_pattern($1, boot_t, system_map_t)
+ ')
+
+-###########################################
++########################################
+ ## <summary>
+-## Read-write /var/lib directories
++## Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_search_var',`
+ gen_require(`
+- type var_lib_t;
++ type var_t;
+ ')
+
+- rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the /var/lib directory
++## Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+-## The object class.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3, $4)
++ dontaudit $1 var_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic files in /var/lib.
++## Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir write;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic symbolic links in /var/lib
++## Do not audit attempts to search
++## the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_dontaudit_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ dontaudit $1 var_t:dir search_dir_perms;
+ ')
+
+-# cjp: the next two interfaces really need to be fixed
+-# in some way. They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete the
+-## pseudorandom number generator seed.
++## List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow domain to manage mount tables
+-## necessary for rpcd, nfsd, etc.
++## Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_dontaudit_list_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the generic lock directories.
++## Create, read, write, and delete directories
++## in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the locks directory (/var/lock).
++## Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_read_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_lock_t)
++ read_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search the
+-## locks directory (/var/lock).
++## Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_append_var_files',`
+ gen_require(`
+- type var_lock_t;
++ type var_t;
+ ')
+
+- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_lock_t:dir search_dir_perms;
++ append_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List generic lock directories.
++## Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ rw_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Add and remove entries in the /var/lock
+-## directories.
++## Do not audit attempts to read and write
++## files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- rw_dirs_pattern($1, var_t, var_lock_t)
++ dontaudit $1 var_t:file rw_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create lock directories
++## Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access
++## <summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_manage_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- create_dirs_pattern($1, var_lock_t, var_lock_t)
++ manage_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Relabel to and from all lock directory types.
++## Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_read_var_symlinks',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- relabel_dirs_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Get the attributes of generic lock files.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
++ manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete generic lock files.
++## Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_var_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## lock files.
++## Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
++ getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all lock files.
++## Search the /var/lib directory.
+ ## </summary>
++## <desc>
++## <p>
++## Search the /var/lib directory. This is
++## necessary to access files or directories under
++## /var/lib that have a private type. For example, a
++## domain accessing a private library file in the
++## /var/lib directory:
++## </p>
++## <p>
++## allow mydomain_t mylibfile_t:file read_file_perms;
++## files_search_var_lib(mydomain_t)
++## </p>
++## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, lockfile, lockfile)
++ search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all lock files.
++## Do not audit attempts to search the
++## contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## manage all lock files.
++## List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_list_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
++ list_dirs_pattern($1, var_t, var_lib_t)
++')
++
++###########################################
++## <summary>
++## Read-write /var/lib directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
++## Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
++## <param name="file_type">
+ ## <summary>
+-## The type of the object to be created.
++## The type of the object to be created
+ ## </summary>
+ ## </param>
+-## <param name="object">
++## <param name="object_class">
+ ## <summary>
+-## The object class of the object being created.
++## The object class.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_var_lib_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
++## Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_read_var_lib_files',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Set the attributes of the /var/run directory.
++## Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of runtime process
+-## ID directories (/var/run).
++## manage generic symbolic links
++## in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_run_t)
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_manage_urandom_seed',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of the runtime process
+-## ID directories (/var/run).
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_manage_mounttab',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++## List generic lock directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search the
++## locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
+
-+ files_search_tmp($1)
-+ allow $1 tmp_t:dir rw_dir_perms;
++########################################
++## <summary>
++## Set the attributes of the /var/lock directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_lock_dirs',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ allow $1 var_lock_t:dir setattr;
+')
+
- ########################################
- ## <summary>
- ## Remove entries from the tmp directory.
-@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',`
- type tmp_t;
- ')
-
-+ files_search_tmp($1)
- allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
-@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',`
-
- ########################################
- ## <summary>
--## Manage temporary files and directories in /tmp.
-+## Allow shared library text relocations in tmp files.
- ## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
-+## <desc>
-+## <p>
-+## Allow shared library text relocations in tmp files.
-+## </p>
-+## <p>
-+## This is added to support java policy.
-+## </p>
-+## </desc>
++########################################
++## <summary>
++## Add and remove entries in the /var/lock
++## directories.
++## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_execmod_tmp',`
++interface(`files_rw_lock_dirs',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_lock_t;
+ ')
+
-+ allow $1 tmpfile:file execmod;
++ files_search_locks($1)
++ rw_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
-+## Manage temporary files and directories in /tmp.
++## Create lock directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Relabel to and from all lock directory types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
- #
- interface(`files_manage_generic_tmp_files',`
- gen_require(`
-@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',`
-
- ########################################
- ## <summary>
-+## Relabel a dir from the type used in /tmp.
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Get the attributes of generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -9418,17 +11862,19 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_getattr_generic_locks',`
+ gen_require(`
-+ type tmp_t;
++ type var_t, var_lock_t;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ files_search_locks($1)
++ allow $1 var_lock_t:dir list_dir_perms;
++ getattr_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
-+## Relabel a file from the type used in /tmp.
++## Delete generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
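Review bot: files_getattr_generic_locks grants `allow $1 var_lock_t:dir list_dir_perms;`, although its summary only promises getting the attributes of generic lock files, so a caller that wants a stat-only grant also gets the ability to list the lock directory. If the listing is intended, the summary should say so, for example `## Get the attributes of generic lock files and list the lock directory.`. If it is not, the line is a candidate for removal, provided getattr_files_pattern (defined outside this page) already covers the directory search it needs. The interface's doc header sits in the previous hunk.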
@@ -9436,425 +11882,458 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_delete_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
+ gen_require(`
-+ type tmp_t;
++ type var_t, var_lock_t;
+ ')
+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++ files_search_locks($1)
++ manage_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
- ## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',`
-
- ########################################
- ## <summary>
-+## Allow caller to read inherited tmp files.
++## Delete all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <rolecap/>
+#
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_delete_all_locks',`
+ gen_require(`
-+ attribute tmpfile;
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Read all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 lockfile:dir list_dir_perms;
++ read_files_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## manage all lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++## Create an object in the locks directory, with a private
++## type using a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to get the attributes
++## of the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++## Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++## Search the contents of runtime process
++## ID directories (/var/run).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_pids',`
++ gen_require(`
++ type var_t, var_run_t;
+ ')
+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
++## Create generic pid directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
-+## Allow caller to append inherited tmp files.
++## Do not audit attempts to search
++## the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_dontaudit_search_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_run_t;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Allow caller to read and write inherited tmp files.
++## Do not audit attempts to search
++## the all /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ attribute pidfile;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+## <summary>
- ## List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',`
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',`
-
- ########################################
- ## <summary>
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
++## List the contents of the runtime process
++## ID directories (/var/run).
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_tmp_file_leaks',`
++interface(`files_list_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_run_t;
+ ')
+
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
++## Read generic process ID files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_rw_tmp_file_leaks',`
++interface(`files_read_generic_pids',`
+ gen_require(`
-+ attribute tmpfile;
++ type var_t, var_run_t;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
++ read_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
- ## Create an object in the tmp directories, with a private
- ## type using a type transition.
- ## </summary>
-@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',`
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
-@@ -5223,6 +5923,24 @@ interface(`files_list_var',`
-
- ########################################
- ## <summary>
-+## Do not audit listing of the var directory (/var).
++## Write named generic process ID pipes
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_list_var',`
++interface(`files_write_generic_pid_pipes',`
+ gen_require(`
-+ type var_t;
++ type var_run_t;
+ ')
+
-+ dontaudit $1 var_t:dir list_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:fifo_file write;
+')
+
+########################################
+## <summary>
- ## Create, read, write, and delete directories
- ## in the /var directory.
- ## </summary>
-@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',`
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
-+########################################
-+## <summary>
-+## manage generic symbolic links
-+## in the /var/lib directory.
++## Create an object in the process ID directory, with a private type.
+## </summary>
++## <desc>
++## <p>
++## Create an object in the process ID directory (e.g., /var/run)
++## with a private type. Typically this is used for creating
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>files_pid_file()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create and
++## write its PID file with a private PID file type in the
++## /var/run directory:
++## </p>
++## <p>
++## type mypidfile_t;
++## files_pid_file(mypidfile_t)
++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++## </p>
++## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
-
-@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',`
-
- ########################################
- ## <summary>
--## Set the attributes of the generic lock directories.
-+## List generic lock directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
- ')
-
- ########################################
-@@ -5654,6 +6392,7 @@ interface(`files_search_locks',`
- type var_t, var_lock_t;
- ')
-
-+ files_search_pids($1)
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',`
-
- ########################################
- ## <summary>
--## List generic lock directories.
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+## </summary>
-+## <param name="domain">
++## <param name="private type">
+## <summary>
-+## Domain to not audit.
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
+## </summary>
+## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++## <infoflow type="write" weight="10"/>
+#
-+interface(`files_dontaudit_rw_inherited_locks',`
++interface(`files_pid_filetrans',`
+ gen_require(`
-+ type var_lock_t;
++ type var_t, var_run_t;
+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Set the attributes of the /var/lock directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_lock_t:dir setattr;
- ')
-
- ########################################
-@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- rw_dirs_pattern($1, var_t, var_lock_t)
- ')
-
-@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',`
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
- interface(`files_relabel_all_lock_dirs',`
- gen_require(`
-@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- allow $1 var_lock_t:dir list_dir_perms;
- getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',`
- ## </param>
- #
- interface(`files_delete_generic_locks',`
-- gen_require(`
-+ gen_require(`
- type var_t, var_lock_t;
-- ')
-+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
- ########################################
-@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
- manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
-
-@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
-
-@@ -5985,6 +6734,43 @@ interface(`files_search_pids',`
- search_dirs_pattern($1, var_t, var_run_t)
- ')
-
-+######################################
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
+## <summary>
-+## Add and remove entries from pid directories.
++## Create a generic lock directory within the run directories
+## </summary>
+## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
+## <summary>
-+## Domain allowed access.
++## Read and write generic process ID files.
+## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
++interface(`files_rw_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
+
-+ allow $1 var_run_t:dir rw_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
+')
+
-+#######################################
++########################################
+## <summary>
-+## Create generic pid directory.
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to not audit.
++## </summary>
+## </param>
+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file getattr;
+')
+
- ########################################
- ## <summary>
- ## Do not audit attempts to search
-@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',`
-
- ########################################
- ## <summary>
-+## Do not audit attempts to search
-+## the all /var/run directory.
++########################################
++## <summary>
++## Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+## <summary>
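Review bot: files_delete_all_locks still grants `allow $1 var_t:dir search_dir_perms;` and `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` by hand, while files_delete_generic_locks, files_manage_generic_locks, files_read_all_locks, files_manage_all_locks and files_lock_filetrans in the same hunk now call `files_search_locks($1)`. files_search_locks is not defined in this hunk, so it should be confirmed whether the helper grants search permissions that the hand-written pair lacks; if it does, this interface would hit denials its siblings do not. Either replace the pair with `files_search_locks($1)` or add a comment such as `# deliberately narrower than files_search_locks()` so the difference reads as intended. files_create_lock_dirs and files_relabel_all_lock_dirs in the preceding hunk carry the same pair.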
@@ -9862,76 +12341,68 @@ index 64ff4d7..8a9355a 100644
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_dontaudit_write_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ dontaudit $1 pidfile:dir search_dir_perms;
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+## <summary>
- ## List the contents of the runtime process
- ## ID directories (/var/run).
- ## </summary>
-@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
-
-@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',`
-
- ########################################
- ## <summary>
--## Read all process ID files.
+## Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ## <summary>
--## Delete all process IDs.
++')
++
++########################################
++## <summary>
+## Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
+')
+
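Review bot: files_dontaudit_write_all_pids references `var_run_t` in `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;`, but its gen_require block declares only `attribute pidfile;`. The neighbouring files_dontaudit_getattr_all_pids and files_dontaudit_ioctl_all_pids both declare the type, and an undeclared type in an interface may fail to resolve when a calling module is built separately from the base policy. Add `type var_run_t;` after `attribute pidfile;` in that gen_require. The interface's doc header starts in the previous hunk.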
@@ -10125,15 +12596,35 @@ index 64ff4d7..8a9355a 100644
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- delete_files_pattern($1, pidfile, pidfile)
- delete_fifo_files_pattern($1, pidfile, pidfile)
-@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',`
-
- ########################################
- ## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++## Delete all process ID directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
+## Make the specified type a file
+## used for spool files.
+## </summary>
@@ -10183,399 +12674,757 @@ index 64ff4d7..8a9355a 100644
+########################################
+## <summary>
+## Create all spool sockets
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_create_all_spool_sockets',`
+ gen_require(`
+- type var_t, var_run_t;
++ attribute spoolfile;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic process ID files.
++## Delete all spool sockets
## </summary>
## <param name="domain">
## <summary>
--## Domain alloed access.
-+## Domain allowed access.
+@@ -6035,123 +7476,336 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_spool_sockets',`
+-interface(`files_read_generic_pids',`
++interface(`files_delete_all_spool_sockets',`
gen_require(`
-- attribute pidfile;
+- type var_t, var_run_t;
+ attribute spoolfile;
')
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
')
########################################
## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all spool sockets
+-## Write named generic process ID pipes
++## Relabel to and from all spool
++## directory types.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
+- type var_run_t;
++ attribute spoolfile;
++ type var_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create an object in the process ID directory, with a private type.
++## Search the contents of generic spool
++## directories (/var/spool).
## </summary>
+-## <desc>
+-## <p>
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-## </p>
+-## <p>
+-## Related interfaces:
+-## </p>
+-## <ul>
+-## <li>files_pid_file()</li>
+-## </ul>
+-## <p>
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-## </p>
+-## <p>
+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-## </p>
+-## </desc>
## <param name="domain">
## <summary>
-@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to search generic
++## spool directories.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The type of the object to be created.
++## Domain to not audit.
## </summary>
## </param>
- #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_spool_sockets',`
- gen_require(`
-- attribute polymember;
-+ attribute spoolfile;
- ')
-
-- allow $1 polymember:dir mounton;
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+-## <param name="object">
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Relabel to and from all spool
-+## directory types.
++## List the contents of generic spool
++## (/var/spool) directories.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## The object class of the object being created.
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_relabel_all_spool_dirs',`
++interface(`files_list_spool',`
+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
++ type var_t, var_spool_t;
+ ')
+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
-
- ########################################
-@@ -6562,3 +7615,459 @@ interface(`files_unconfined',`
-
- typeattribute $1 files_unconfined_type;
- ')
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
+
+########################################
+## <summary>
-+## Create a core files in /
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
+## </summary>
-+## <desc>
-+## <p>
-+## Create a core file in /,
-+## </p>
-+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_manage_root_files',`
++interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
-+ type root_t;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_files_pattern($1, root_t, root_t)
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Create a default directory
++## Read generic spool files.
+## </summary>
-+## <desc>
-+## <p>
-+## Create a default_t direcrory
-+## </p>
-+## </desc>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`files_create_default_dir',`
-+ gen_require(`
-+ type default_t;
-+ ')
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ allow $1 default_t:dir create;
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Create, default_t objects with an automatic
-+## type transition.
++## Create, read, write, and delete generic
++## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <param name="object">
-+## <summary>
-+## The class of the object being created.
-+## </summary>
-+## </param>
+#
-+interface(`files_root_filetrans_default',`
-+ gen_require(`
-+ type root_t, default_t;
-+ ')
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ filetrans_pattern($1, root_t, default_t, $2)
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## manage generic symbolic links
-+## in the /var/run directory.
++## Create objects in the spool directory
++## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
++## </param>
++## <param name="class">
++## <summary>
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
+ ## </summary>
+ ## </param>
+ ## <param name="name" optional="true">
+ ## <summary>
+-## The name of the object being created.
++## The name of the object being created.
++## </summary>
++## </param>
+#
-+interface(`files_manage_generic_pids_symlinks',`
++interface(`files_spool_filetrans',`
+ gen_require(`
-+ type var_run_t;
++ type var_t, var_spool_t;
+ ')
+
-+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to getattr
-+## all tmpfs files.
++## Allow access to manage all polyinstantiated
++## directories on the system.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_getattr_tmpfs_files',`
++interface(`files_polyinstantiate_all',`
+ gen_require(`
-+ attribute tmpfsfile;
++ attribute polydir, polymember, polyparent;
++ type poly_t;
+ ')
+
-+ allow $1 tmpfsfile:file getattr;
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
+')
+
+########################################
+## <summary>
-+## Allow read write all tmpfs files
++## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_rw_tmpfs_files',`
++interface(`files_unconfined',`
+ gen_require(`
-+ attribute tmpfsfile;
++ attribute files_unconfined_type;
+ ')
+
-+ allow $1 tmpfsfile:file { read write };
++ typeattribute $1 files_unconfined_type;
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to read security files
++## Create a core files in /
+## </summary>
++## <desc>
++## <p>
++## Create a core file in /,
++## </p>
++## </desc>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
-+## </summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
++## <rolecap/>
+ #
+-interface(`files_pid_filetrans',`
++interface(`files_manage_root_files',`
+ gen_require(`
+- type var_t, var_run_t;
++ type root_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ manage_files_pattern($1, root_t, root_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a generic lock directory within the run directories
++## Create a default directory
+ ## </summary>
++## <desc>
++## <p>
++## Create a default_t direcrory
++## </p>
++## </desc>
+ ## <param name="domain">
+-## <summary>
+-## Domain allowed access
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
++## <rolecap/>
+#
++interface(`files_create_default_dir',`
++ gen_require(`
++ type default_t;
++ ')
++
++ allow $1 default_t:dir create;
++')
++
++########################################
++## <summary>
++## Create, default_t objects with an automatic
++## type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="name" optional="true">
++## <param name="object">
+ ## <summary>
+-## The name of the object being created.
++## The class of the object being created.
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+- gen_require(`
+- type var_lock_t;
+- ')
++interface(`files_root_filetrans_default',`
++ gen_require(`
++ type root_t, default_t;
++ ')
+
+- files_pid_filetrans($1, var_lock_t, dir, $2)
++ filetrans_pattern($1, root_t, default_t, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read and write generic process ID files.
++## manage generic symbolic links
++## in the /var/run directory.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_manage_generic_pids_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
++## Do not audit attempts to getattr
++## all tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
++interface(`files_dontaudit_getattr_tmpfs_files',`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
++ attribute tmpfsfile;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file getattr;
++ allow $1 tmpfsfile:file getattr;
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to write to daemon runtime data files.
++## Allow read write all tmpfs files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
++interface(`files_rw_tmpfs_files',`
+ gen_require(`
+- attribute pidfile;
++ attribute tmpfsfile;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file write;
++ allow $1 tmpfsfile:file { read write };
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to ioctl daemon runtime data files.
++## Do not audit attempts to read security files
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
+interface(`files_dontaudit_read_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file ioctl;
+ dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read all process ID files.
+## rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+## <param name="object_type">
+## <summary>
+## Object type.
+## </summary>
+## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
+interface(`files_rw_all_inherited_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process IDs.
+## Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Delete all process ID directories.
+## Do not audit attempts to rw inherited file perms
+## of non security files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_dontaudit_all_non_security_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Do not audit attempts to read or write
+## all leaked files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain alloed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_dontaudit_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_create_as_is_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute file_type;
+ class kernel_service create_files_as;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Do not audit attempts to check the
+## access on all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
+interface(`files_dontaudit_all_access_check',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to search generic
+-## spool directories.
+## Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_dontaudit_write_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
+interface(`files_delete_all_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type mnt_t;
+ type usr_t;
+ type var_t;
+ type tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -10597,13 +13446,15 @@ index 64ff4d7..8a9355a 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read generic spool files.
+## Make the specified type a
+## base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <desc>
+## <p>
+## Identify file type as base file type. Tools will use this attribute,
@@ -10611,103 +13462,185 @@ index 64ff4d7..8a9355a 100644
+## </p>
+## </desc>
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a base files.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <infoflow type="none"/>
-+#
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_base_file',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_file_type;
-+ ')
+ ')
+-
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ files_type($1)
+ typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete generic
+-## spool files.
+## Make the specified type a
+## base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+## <desc>
+## <p>
+## Make the specified type readable for all domains.
+## </p>
+## </desc>
+## <param name="file_type">
-+## <summary>
+ ## <summary>
+-## Domain allowed access.
+## Type to be used as a base read only files.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_ro_base_file',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_ro_file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ files_base_file($1)
+ typeattribute $1 base_ro_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in the spool directory
+-## with a private type with a type transition.
+## Read all ro base files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
+-## </param>
+-## <param name="class">
+-## <summary>
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_read_all_base_ro_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_ro_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Execute all base ro files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute base_ro_file_type;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Unconfined access to files.
+## Allow the specified domain to modify the systemd configuration of
+## any file.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
+interface(`files_config_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 file_type:service all_service_perms;
-+')
+ ')
+
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..822f6be 100644
@@ -23765,10 +26698,32 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..c0ec978 100644
+index 24e7804..f03be17 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
-@@ -106,6 +106,8 @@ interface(`init_domain',`
+@@ -1,5 +1,21 @@
+ ## <summary>System initialization programs (init and init scripts).</summary>
+
++######################################
++## <summary>
++## initrc stub interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`init_stub_initrc',`
++ gen_require(`
++ type initrc_t;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Create a file type used for init scripts.
+@@ -106,6 +122,8 @@ interface(`init_domain',`
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
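Review bot: The new `init_stub_initrc` interface documents its parameter as `Domain allowed access`, yet the parameter is marked `unused="true"`, the summary says no access is allowed, and the body holds only the `gen_require` for `initrc_t`. Nothing in the interface tells a later maintainer that it must stay empty, so a rule added here by mistake would quietly grant access to every caller. I would add a comment inside the body such as `# Stub: only requires initrc_t for the caller; do not add allow rules here.` and reword the parameter summary to `Unused; this stub grants no access.` The intent is inferred from the commit message's mention of stub interfaces for product policies, so confirm the wording against how callers actually use it.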
@@ -23777,7 +26732,7 @@ index 24e7804..c0ec978 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -192,50 +194,43 @@ interface(`init_ranged_domain',`
+@@ -192,50 +210,43 @@ interface(`init_ranged_domain',`
interface(`init_daemon_domain',`
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -23850,7 +26805,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -283,17 +278,20 @@ interface(`init_daemon_domain',`
+@@ -283,17 +294,20 @@ interface(`init_daemon_domain',`
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
@@ -23872,7 +26827,7 @@ index 24e7804..c0ec978 100644
')
')
-@@ -336,23 +334,19 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@@ -23903,7 +26858,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -401,20 +395,41 @@ interface(`init_system_domain',`
+@@ -401,20 +411,41 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -23945,7 +26900,7 @@ index 24e7804..c0ec978 100644
########################################
## <summary>
## Mark the file type as a daemon run dir, allowing initrc_t
-@@ -469,7 +484,6 @@ interface(`init_domtrans',`
+@@ -469,7 +500,6 @@ interface(`init_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -23953,7 +26908,7 @@ index 24e7804..c0ec978 100644
#
interface(`init_exec',`
gen_require(`
-@@ -478,6 +492,48 @@ interface(`init_exec',`
+@@ -478,6 +508,48 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -24002,7 +26957,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -566,6 +622,58 @@ interface(`init_sigchld',`
+@@ -566,6 +638,58 @@ interface(`init_sigchld',`
########################################
## <summary>
@@ -24061,7 +27016,7 @@ index 24e7804..c0ec978 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -576,10 +684,66 @@ interface(`init_sigchld',`
+@@ -576,10 +700,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -24130,7 +27085,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -743,22 +907,23 @@ interface(`init_write_initctl',`
+@@ -743,22 +923,23 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
@@ -24163,7 +27118,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -787,7 +952,7 @@ interface(`init_rw_initctl',`
+@@ -787,7 +968,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -24172,7 +27127,7 @@ index 24e7804..c0ec978 100644
## </summary>
## </param>
#
-@@ -830,11 +995,12 @@ interface(`init_script_file_entry_type',`
+@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -24187,7 +27142,7 @@ index 24e7804..c0ec978 100644
ifdef(`distro_gentoo',`
gen_require(`
-@@ -845,11 +1011,11 @@ interface(`init_spec_domtrans_script',`
+@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',`
')
ifdef(`enable_mcs',`
@@ -24201,7 +27156,7 @@ index 24e7804..c0ec978 100644
')
')
-@@ -865,19 +1031,41 @@ interface(`init_spec_domtrans_script',`
+@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -24247,7 +27202,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -933,9 +1121,14 @@ interface(`init_script_file_domtrans',`
+@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -24262,7 +27217,7 @@ index 24e7804..c0ec978 100644
files_search_etc($1)
')
-@@ -1026,7 +1219,9 @@ interface(`init_ptrace',`
+@@ -1026,7 +1235,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -24273,7 +27228,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1125,6 +1320,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1125,6 +1336,25 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -24299,7 +27254,7 @@ index 24e7804..c0ec978 100644
## Read all init script files.
## </summary>
## <param name="domain">
-@@ -1144,6 +1358,24 @@ interface(`init_read_all_script_files',`
+@@ -1144,6 +1374,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -24324,7 +27279,7 @@ index 24e7804..c0ec978 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1195,12 +1427,7 @@ interface(`init_read_script_state',`
+@@ -1195,12 +1443,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -24338,7 +27293,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1440,6 +1667,27 @@ interface(`init_dbus_send_script',`
+@@ -1440,6 +1683,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -24366,7 +27321,7 @@ index 24e7804..c0ec978 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1526,6 +1774,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1526,6 +1790,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -24392,17 +27347,26 @@ index 24e7804..c0ec978 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1584,6 +1851,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1584,21 +1867,39 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
+-## Create files in a init script
+-## temporary data directory.
+## Read and write init script inherited temporary data.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
+-## <summary>
+-## The type of the object to be created
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+ gen_require(`
@@ -24414,19 +27378,32 @@ index 24e7804..c0ec978 100644
+
+########################################
+## <summary>
- ## Create files in a init script
- ## temporary data directory.
- ## </summary>
-@@ -1656,11 +1941,48 @@ interface(`init_read_utmp',`
++## Create files in a init script
++## temporary data directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file_type">
++## <summary>
++## The type of the object to be created
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
+ ## The object class.
+ ## </summary>
+ ## </param>
+@@ -1656,6 +1957,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
--## Do not audit attempts to write utmp.
+## Read utmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -24460,15 +27437,10 @@ index 24e7804..c0ec978 100644
+
+########################################
+## <summary>
-+## Do not audit attempts to write utmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -1744,7 +2066,7 @@ interface(`init_dontaudit_rw_utmp',`
+ ## Do not audit attempts to write utmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -1744,7 +2082,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -24477,7 +27449,7 @@ index 24e7804..c0ec978 100644
')
########################################
-@@ -1785,6 +2107,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1785,6 +2123,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -24611,7 +27583,7 @@ index 24e7804..c0ec978 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2268,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -24896,7 +27868,7 @@ index 24e7804..c0ec978 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..4d9b509 100644
+index dd3be8d..8913598 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -25134,7 +28106,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +271,177 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +271,178 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -25245,6 +28217,7 @@ index dd3be8d..4d9b509 100644
+fs_mount_all_fs(init_t)
+fs_unmount_all_fs(init_t)
+fs_remount_all_fs(init_t)
++fs_list_all(init_t)
+fs_list_auto_mountpoints(init_t)
+fs_register_binary_executable_type(init_t)
+fs_relabel_tmpfs_sock_file(init_t)
@@ -25320,7 +28293,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -216,6 +449,27 @@ optional_policy(`
+@@ -216,6 +450,27 @@ optional_policy(`
')
optional_policy(`
@@ -25348,7 +28321,7 @@ index dd3be8d..4d9b509 100644
unconfined_domain(init_t)
')
-@@ -225,8 +479,9 @@ optional_policy(`
+@@ -225,8 +480,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -25360,7 +28333,7 @@ index dd3be8d..4d9b509 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +512,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -25377,7 +28350,7 @@ index dd3be8d..4d9b509 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +537,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -25420,7 +28393,7 @@ index dd3be8d..4d9b509 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +574,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -25432,7 +28405,7 @@ index dd3be8d..4d9b509 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +586,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -25443,7 +28416,7 @@ index dd3be8d..4d9b509 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +597,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +598,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -25453,7 +28426,7 @@ index dd3be8d..4d9b509 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +606,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +607,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -25461,7 +28434,7 @@ index dd3be8d..4d9b509 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +613,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +614,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -25469,7 +28442,7 @@ index dd3be8d..4d9b509 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +621,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +622,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -25487,7 +28460,7 @@ index dd3be8d..4d9b509 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +640,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -25501,7 +28474,7 @@ index dd3be8d..4d9b509 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +655,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -25515,7 +28488,7 @@ index dd3be8d..4d9b509 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +668,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -25523,7 +28496,7 @@ index dd3be8d..4d9b509 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +680,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -25531,7 +28504,7 @@ index dd3be8d..4d9b509 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +699,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -25555,7 +28528,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +731,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +732,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -25563,7 +28536,7 @@ index dd3be8d..4d9b509 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +765,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -25574,7 +28547,7 @@ index dd3be8d..4d9b509 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +789,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +790,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -25583,7 +28556,7 @@ index dd3be8d..4d9b509 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +804,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +805,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -25591,7 +28564,7 @@ index dd3be8d..4d9b509 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +825,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +826,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -25599,7 +28572,7 @@ index dd3be8d..4d9b509 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +835,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +836,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -25644,7 +28617,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -558,14 +880,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +881,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -25676,7 +28649,7 @@ index dd3be8d..4d9b509 100644
')
')
-@@ -576,6 +915,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +916,39 @@ ifdef(`distro_suse',`
')
')
@@ -25716,7 +28689,7 @@ index dd3be8d..4d9b509 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +960,8 @@ optional_policy(`
+@@ -588,6 +961,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -25725,7 +28698,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -609,6 +983,7 @@ optional_policy(`
+@@ -609,6 +984,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -25733,7 +28706,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -625,6 +1000,17 @@ optional_policy(`
+@@ -625,6 +1001,17 @@ optional_policy(`
')
optional_policy(`
@@ -25751,7 +28724,7 @@ index dd3be8d..4d9b509 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1027,13 @@ optional_policy(`
+@@ -641,9 +1028,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -25765,7 +28738,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -656,15 +1046,11 @@ optional_policy(`
+@@ -656,15 +1047,11 @@ optional_policy(`
')
optional_policy(`
@@ -25783,7 +28756,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -685,6 +1071,15 @@ optional_policy(`
+@@ -685,6 +1072,15 @@ optional_policy(`
')
optional_policy(`
@@ -25799,7 +28772,7 @@ index dd3be8d..4d9b509 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1120,7 @@ optional_policy(`
+@@ -725,6 +1121,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -25807,7 +28780,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -742,7 +1138,14 @@ optional_policy(`
+@@ -742,7 +1139,14 @@ optional_policy(`
')
optional_policy(`
@@ -25822,7 +28795,7 @@ index dd3be8d..4d9b509 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1168,10 @@ optional_policy(`
+@@ -765,6 +1169,10 @@ optional_policy(`
')
optional_policy(`
@@ -25833,7 +28806,7 @@ index dd3be8d..4d9b509 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1181,20 @@ optional_policy(`
+@@ -774,10 +1182,20 @@ optional_policy(`
')
optional_policy(`
@@ -25854,7 +28827,7 @@ index dd3be8d..4d9b509 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1203,10 @@ optional_policy(`
+@@ -786,6 +1204,10 @@ optional_policy(`
')
optional_policy(`
@@ -25865,7 +28838,7 @@ index dd3be8d..4d9b509 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1228,6 @@ optional_policy(`
+@@ -807,8 +1229,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -25874,7 +28847,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -817,6 +1236,10 @@ optional_policy(`
+@@ -817,6 +1237,10 @@ optional_policy(`
')
optional_policy(`
@@ -25885,7 +28858,7 @@ index dd3be8d..4d9b509 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1249,12 @@ optional_policy(`
+@@ -826,10 +1250,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -25898,7 +28871,7 @@ index dd3be8d..4d9b509 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1281,27 @@ optional_policy(`
+@@ -856,12 +1282,27 @@ optional_policy(`
')
optional_policy(`
@@ -25927,7 +28900,7 @@ index dd3be8d..4d9b509 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1311,18 @@ optional_policy(`
+@@ -871,6 +1312,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -25946,7 +28919,7 @@ index dd3be8d..4d9b509 100644
')
optional_policy(`
-@@ -886,6 +1338,10 @@ optional_policy(`
+@@ -886,6 +1339,10 @@ optional_policy(`
')
optional_policy(`
@@ -25957,7 +28930,7 @@ index dd3be8d..4d9b509 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1352,185 @@ optional_policy(`
+@@ -896,3 +1353,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33494,10 +36467,10 @@ index 0000000..fc080a1
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3932b82
+index 0000000..dd93187
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,636 @@
+@@ -0,0 +1,639 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -33533,6 +36506,7 @@ index 0000000..3932b82
+
+type random_seed_t;
+files_security_file(random_seed_t)
++files_mountpoint(random_seed_t)
+
+# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
+# systemd components
@@ -33826,6 +36800,7 @@ index 0000000..3932b82
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
++auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
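Review bot: The added `auth_manage_login_records(systemd_tmpfiles_t)` in systemd.te is broader than the changelog's stated need, which is only that tmpfiles can create the wtmp file. Login records are used as evidence of who logged in and when, and this domain already holds relabel and setattr on them in the neighbouring lines, so full manage access is worth justifying. I would add a comment above the rule, for example `# tmpfiles creates /var/log/wtmp at boot; manage is used because <reason>`, or switch to a create-only rule if the policy offers one.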
@@ -34076,6 +37051,7 @@ index 0000000..3932b82
+optional_policy(`
+ gnome_manage_usr_config(systemd_timedated_t)
+ gnome_manage_home_config(systemd_timedated_t)
++ gnome_manage_home_config_dirs(systemd_timedated_t)
+')
+
+optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c1a9cc7..f271bb8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -41758,7 +41758,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..7508aef 100644
+index 44ad3b7..f675581 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -41797,7 +41797,17 @@ index 44ad3b7..7508aef 100644
########################################
#
-@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+ files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+
+ manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
++manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
+
+ manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+ manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
+@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
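Review bot: The line added in the nagios.te section repeats `manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)`, which is already present as the context line directly above it, so the new rule grants nothing. The transition on the next line now covers `{ file fifo_file}` and the changelog says nagios should manage spool files, so the intended rule was presumably `manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)`. As written, and judging only from the lines visible here, nagios_t has no file-class permissions on nagios_spool_t. Creating a regular file in the spool would then hit an AVC denial instead of the access the changelog describes.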
@@ -41805,7 +41815,7 @@ index 44ad3b7..7508aef 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -41813,7 +41823,7 @@ index 44ad3b7..7508aef 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
-@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -41822,7 +41832,7 @@ index 44ad3b7..7508aef 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,6 +175,7 @@ optional_policy(`
+@@ -178,6 +176,7 @@ optional_policy(`
#
# CGI local policy
#
@@ -41830,7 +41840,7 @@ index 44ad3b7..7508aef 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
+@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
@@ -41838,7 +41848,7 @@ index 44ad3b7..7508aef 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
@@ -41846,7 +41856,7 @@ index 44ad3b7..7508aef 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -41855,7 +41865,7 @@ index 44ad3b7..7508aef 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -41874,7 +41884,7 @@ index 44ad3b7..7508aef 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -41882,7 +41892,7 @@ index 44ad3b7..7508aef 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -41896,7 +41906,7 @@ index 44ad3b7..7508aef 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -41904,7 +41914,7 @@ index 44ad3b7..7508aef 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -41917,7 +41927,7 @@ index 44ad3b7..7508aef 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,6 +441,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -41932,7 +41942,7 @@ index 44ad3b7..7508aef 100644
########################################
#
# Unconfined plugin policy
-@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+@@ -450,3 +457,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -50935,15 +50945,17 @@ index 977b972..0000000
-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
new file mode 100644
-index 0000000..dd1b8f2
+index 0000000..38fa01d
--- /dev/null
+++ b/pkcsslotd.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
+
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
++
++/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
diff --git a/pkcsslotd.if b/pkcsslotd.if
new file mode 100644
index 0000000..848ddc9
@@ -51107,10 +51119,10 @@ index 0000000..848ddc9
+')
diff --git a/pkcsslotd.te b/pkcsslotd.te
new file mode 100644
-index 0000000..d6d79b9
+index 0000000..f788d35
--- /dev/null
+++ b/pkcsslotd.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,66 @@
+policy_module(pkcsslotd, 1.0.0)
+
+########################################
@@ -51125,6 +51137,9 @@ index 0000000..d6d79b9
+type pkcsslotd_var_lib_t;
+files_type(pkcsslotd_var_lib_t)
+
++type pkcsslotd_lock_t;
++files_lock_file(pkcsslotd_lock_t)
++
+type pkcsslotd_unit_file_t;
+systemd_unit_file(pkcsslotd_unit_file_t)
+
@@ -51142,14 +51157,16 @@ index 0000000..d6d79b9
+# pkcsslotd local policy
+#
+
-+allow pkcsslotd_t self:capability { kill };
-+allow pkcsslotd_t self:process { fork };
++allow pkcsslotd_t self:capability { chown kill };
+
+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
+allow pkcsslotd_t self:sem create_sem_perms;
+allow pkcsslotd_t self:shm create_shm_perms;
+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
++files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
++
+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
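Review bot: The lock rules added in pkcsslotd.te cover only the `file` class, while the new pkcsslotd.fc entry labels `/var/lock/opencryptoki(/.*)?`, that is, a directory and everything under it. If pkcsslotd creates that directory itself, the creation would either be denied or leave the directory with the generic lock label. In that case the rules would need `manage_dirs_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)` and `files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, { dir file })`. If the directory is always pre-created by packaging or tmpfiles, a comment above the rules should say so. The same hunk adds `chown` to `self:capability`; a one-line comment naming what the daemon chowns would help later audits of this domain.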
@@ -51169,6 +51186,7 @@ index 0000000..d6d79b9
+
+domain_use_interactive_fds(pkcsslotd_t)
+
++auth_read_passwd(pkcsslotd_t)
+
+logging_send_syslog_msg(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
@@ -68802,12 +68820,28 @@ index d25301b..d92f567 100644
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index f1140ef..c5bd83a 100644
+index f1140ef..ebc2190 100644
--- a/rsync.if
+++ b/rsync.if
-@@ -1,16 +1,16 @@
+@@ -1,16 +1,32 @@
-## <summary>Fast incremental file transfer for synchronization.</summary>
+## <summary>Fast incremental file transfer for synchronization</summary>
++
++#######################################
++## <summary>
++## Sendmail stub interface. No access allowed.
++## </summary>
++## <param name="domain" unused="true">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sendmail_stub',`
++gen_require(`
++type sendmail_t;
++')
++')
########################################
## <summary>
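Review bot: The interface added to rsync.if in this hunk is named `sendmail_stub` and requires `type sendmail_t;`, while the later sendmail.if hunk renames the existing `sendmail_stub` to `rsync_stub` without touching its body, so the two edits look swapped. After this change sendmail.if no longer defines its own stub. `rsync_stub` also gates on sendmail_t, so an optional block that calls it is enabled or disabled by the wrong module being present. The changelog entry "Add rsync_stub() interface" suggests the intent was to leave sendmail.if alone and add an `rsync_stub` interface to rsync.if. Its `gen_require` would name an rsync type, presumably `type rsync_t;` (that name is not shown in these hunks, confirm), and its summary line would read `## Rsync stub interface. No access allowed.`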
@@ -68827,7 +68861,7 @@ index f1140ef..c5bd83a 100644
interface(`rsync_entry_type',`
gen_require(`
type rsync_exec_t;
-@@ -43,14 +43,13 @@ interface(`rsync_entry_type',`
+@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
## Domain to transition to.
## </summary>
## </param>
@@ -68844,7 +68878,7 @@ index f1140ef..c5bd83a 100644
')
########################################
-@@ -77,76 +76,31 @@ interface(`rsync_entry_spec_domtrans',`
+@@ -77,76 +92,31 @@ interface(`rsync_entry_spec_domtrans',`
## Domain to transition to.
## </summary>
## </param>
@@ -68924,7 +68958,7 @@ index f1140ef..c5bd83a 100644
can_exec($1, rsync_exec_t)
')
-@@ -165,13 +119,13 @@ interface(`rsync_read_config',`
+@@ -165,13 +135,13 @@ interface(`rsync_read_config',`
type rsync_etc_t;
')
@@ -68940,7 +68974,7 @@ index f1140ef..c5bd83a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -179,19 +133,18 @@ interface(`rsync_read_config',`
+@@ -179,19 +149,18 @@ interface(`rsync_read_config',`
## </summary>
## </param>
#
@@ -68965,7 +68999,7 @@ index f1140ef..c5bd83a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -199,83 +152,54 @@ interface(`rsync_write_config',`
+@@ -199,83 +168,54 @@ interface(`rsync_write_config',`
## </summary>
## </param>
#
@@ -73692,7 +73726,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 88e753f..ca74cd9 100644
+index 88e753f..e25aecc 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -73701,6 +73735,15 @@ index 88e753f..ca74cd9 100644
########################################
## <summary>
+@@ -10,7 +10,7 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`sendmail_stub',`
++interface(`rsync_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
########################################
@@ -75903,10 +75946,14 @@ index 0000000..92c3638
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/snmp.fc b/snmp.fc
-index c73fa24..d852517 100644
+index c73fa24..9018dbc 100644
--- a/snmp.fc
+++ b/snmp.fc
-@@ -13,6 +13,8 @@
+@@ -10,9 +10,12 @@
+
+ /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+ /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
@@ -79007,6 +79054,53 @@ index 0000000..39f1ca1
+libs_exec_ldconfig(swift_t)
+
+logging_send_syslog_msg(swift_t)
+diff --git a/swift_alias.fc b/swift_alias.fc
+new file mode 100644
+index 0000000..b7db254
+--- /dev/null
++++ b/swift_alias.fc
+@@ -0,0 +1 @@
++# Empty
+diff --git a/swift_alias.if b/swift_alias.if
+new file mode 100644
+index 0000000..3fed1a3
+--- /dev/null
++++ b/swift_alias.if
+@@ -0,0 +1,2 @@
++
++## <summary>swift_alias policy module</summary>
+diff --git a/swift_alias.te b/swift_alias.te
+new file mode 100644
+index 0000000..6e39c4f
+--- /dev/null
++++ b/swift_alias.te
+@@ -0,0 +1,26 @@
++policy_module(swift_alias, 1.0.0)
++
++#
++# swift_alias.pp policy replaces swift.pp policy
++# which is a part of openstack-selinux.rpm package
++#
++
++########################################
++#
++# Declarations
++#
++
++#call stub interfaces for basic types
++init_stub_initrc()
++corecmd_stub_bin()
++files_stub_var_run()
++files_stub_var()
++systemd_stub_unit_file()
++
++typealias initrc_t alias swift_t;
++typealias bin_t alias swift_exec_t;
++typealias var_run_t alias swift_var_run_t;
++typealias systemd_unit_file_t alias swift_unit_file_t;
++typealias var_t alias swift_data_t;
++
++
diff --git a/sxid.te b/sxid.te
index c9824cb..1973f71 100644
--- a/sxid.te
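Review bot: The new swift_alias.te does not document what its aliases mean for confinement. `typealias initrc_t alias swift_t;` makes swift_t the same type as initrc_t, and the same holds for swift_exec_t/bin_t, swift_var_run_t/var_run_t, swift_unit_file_t/systemd_unit_file_t and swift_data_t/var_t. Any rule elsewhere that names a swift_* type then applies to the broad base type, and as far as this file shows, swift processes and data are no longer separated from other initrc_t processes or var_t content. I would extend the header comment with something like `# NOTE: swift_* are aliases of base types; swift is not confined separately while this module is loaded`, and state when the module is expected to be removed again.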
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0755c7e..e4e0c82 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-22
+- Allow nagios to manage nagios spool files
+- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6
+- Add swift_alias.* policy files which contain typealiases for swift types
+- Add support for /run/lock/opencryptoki
+- Allow pkcsslotd chown capability
+- Allow pkcsslotd to read passwd
+- Add rsync_stub() interface
+- Allow systemd_timedate also manage gnome config homedirs
+- Label /usr/lib64/security/pam_krb5/pam_krb5_cchelper as bin_t
+- Fix filetrans rules for kdm creates .xsession-errors
+- Allow sytemd_tmpfiles to create wtmp file
+- Really should not label content under /var/lock, since it could have labels on it different from var_lock_t
+- Allow systemd to list all file system directories
+- Add some basic stub interfaces which will be used in PRODUCT policies
+
* Wed Mar 13 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-21
- Fix log transition rule for cluster domains
- Start to group all cluster log together