[selinux-policy/f19] - Activate account openlmi policy - pegasus_openlmi_domain_template needs also require pegasus_t - O
Miroslav Grepl
mgrepl at fedoraproject.org
Fri May 10 20:52:34 UTC 2013
commit a43ccd3c45c8acb3173af2d1b6efb728b7d66f5e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri May 10 22:52:07 2013 +0200
- Activate account openlmi policy
- pegasus_openlmi_domain_template needs also require pegasus_t
- One more fix for policykit.te
- Call fs_list_cgroups_dirs() in policykit.te
- Allow nagios service plugin to read mysql config files
- Add labeling for /var/svn
- Fix chrome.te
- Fix pegasus_openlmi_domain_template() interfaces
- Fix dev_rw_vfio_dev definition, allow virtd_t to read tmpfs_t symlinks
- Fix location of google-chrome data
- Add support for chome_sandbox to store content in the homedir
- Allow policykit to watch for changes in cgroups file system
- Add boolean to allow mozilla_plugin_t to use spice
- Allow collectd to bind to udp port
- Allow collected_t to read all of /proc
- Should use netlink socket_perms
- Should use netlink socket_perms
- Allow glance domains to connect to apache ports
- Allow apcupsd_t to manage its log files
- Allow chrome objects to rw_inherited unix_stream_socket from callers
- Allow staff_t to execute virtd_exec_t for running vms
- nfsd_t needs to bind mountd port to make nfs-mountd.service working
- Allow unbound net_admin capability because of setsockopt syscall
- Fix fs_list_cgroup_dirs()
- Label /usr/lib/nagios/plugins/utils.pm as bin_t
- Remove duplicate definition of fs_read_cgroup_files()
- Remove duplicate definition of fs_read_cgroup_files()
- Add files_mountpoint_filetrans interface to be used by quotadb_t and sna
- Additional interfaces needed to list and read cgroups config
- Add port definition for collectd port
- Add labels for /dev/ptp*
- Allow staff_t to execute virtd_exec_t for running vms
policy-rawhide-base.patch | 5431 +++++++++++++-----------------------------
policy-rawhide-contrib.patch | 894 ++++---
selinux-policy.spec | 41 +-
3 files changed, 2244 insertions(+), 4122 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f491cf2..459d84d 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2042,7 +2042,7 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..ed65dbc 100644
+index d9fce57..fc6d1d3 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,100 @@ attribute sudodomain;
@@ -2115,7 +2115,7 @@ index d9fce57..ed65dbc 100644
+#auth_run_chk_passwd(sudodomain)
+# sudo stores a token in the pam_pid directory
+auth_manage_pam_pid(sudodomain)
-+#auth_use_nsswitch(sudodomain)
++auth_manage_faillog(sudodomain)
+
+application_signal(sudodomain)
+
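Review bot: "auth_manage_faillog(sudodomain)" in sudo.te has no matching entry in the changelog above, which mentions neither sudo nor faillog. Please add one, and state why every domain in the sudodomain attribute needs manage access (which includes create and delete) to the faillog. If sudo only updates an existing file, a narrower grant would be the better fit.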
@@ -3027,7 +3027,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..4debbf2 100644
+index 644d4d7..38a8a2d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3185,7 +3185,7 @@ index 644d4d7..4debbf2 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3198,6 +3198,7 @@ index 644d4d7..4debbf2 100644
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
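Review bot: the new "/usr/lib/nagios/plugins/utils.pm" entry leaves the dot unescaped, so the file-context regex matches any character in that position. Other entries in this file escape it ("run-mozilla\.sh", "compiler\.pl"), so write "utils\.pm" and do the same for "utils.sh" on the line above. A .pm file is a Perl module that is loaded rather than executed, so a short comment saying which plugin access required bin_t here would help the next reader.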
@@ -3223,7 +3224,7 @@ index 644d4d7..4debbf2 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3239,7 +3240,7 @@ index 644d4d7..4debbf2 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3260,7 +3261,7 @@ index 644d4d7..4debbf2 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3276,7 +3277,7 @@ index 644d4d7..4debbf2 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3301,7 +3302,7 @@ index 644d4d7..4debbf2 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +388,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3330,7 +3331,7 @@ index 644d4d7..4debbf2 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +456,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +457,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3347,7 +3348,7 @@ index 644d4d7..4debbf2 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +474,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +475,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5082,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..a69e038 100644
+index 4edc40d..73d7b76 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5168,7 +5169,15 @@ index 4edc40d..a69e038 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-@@ -107,7 +129,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
+@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0)
+ network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
+ network_port(biff) # no defined portcon
+ network_port(certmaster, tcp,51235,s0)
++network_port(collectd, udp,25826,s0)
+ network_port(chronyd, udp,323,s0)
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
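Review bot: "network_port(collectd, udp,25826,s0)" is inserted between certmaster and chronyd, ahead of the other "ch" and "cl" entries. The surrounding list is roughly alphabetical, so placing it after clockspeed would keep it where a reader looks for it. The changelog carries two separate entries for this port ("Allow collectd to bind to udp port" and "Add port definition for collectd port"); say in one of them that only UDP is defined on purpose.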
@@ -5176,7 +5185,7 @@ index 4edc40d..a69e038 100644
network_port(ctdb, tcp,4379,s0, udp,4397,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -119,18 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,18 +141,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -5201,7 +5210,7 @@ index 4edc40d..a69e038 100644
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
-@@ -139,45 +165,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +166,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5267,7 +5276,7 @@ index 4edc40d..a69e038 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -5299,7 +5308,7 @@ index 4edc40d..a69e038 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5347,7 +5356,7 @@ index 4edc40d..a69e038 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5358,7 +5367,7 @@ index 4edc40d..a69e038 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5371,7 +5380,7 @@ index 4edc40d..a69e038 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5390,7 +5399,7 @@ index 4edc40d..a69e038 100644
########################################
#
-@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5399,7 +5408,7 @@ index 4edc40d..a69e038 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -5451,10 +5460,10 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..3a628fe 100644
+index b31c054..3035b45 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -15,15 +15,17 @@
+@@ -15,15 +15,18 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -5471,10 +5480,11 @@ index b31c054..3a628fe 100644
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh)
++/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -61,7 +63,8 @@
+@@ -61,7 +64,8 @@
/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -5484,7 +5494,15 @@ index b31c054..3a628fe 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +132,14 @@ ifdef(`distro_suse', `
+@@ -118,6 +122,7 @@
+ ifdef(`distro_suse', `
+ /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
+ ')
++/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)
+ /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -129,12 +134,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
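Review bot: the new file context matches only the literal path "/dev/vfio/vfio". VFIO also exposes per-group character devices under /dev/vfio/, and those will not pick up vfio_device_t from this entry. If virtd_t is expected to open group nodes as well, add a pattern that covers the directory's other nodes; if only the container node is intended, say so in the changelog.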
@@ -5499,7 +5517,7 @@ index b31c054..3a628fe 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -198,12 +203,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +205,22 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -5525,7 +5543,7 @@ index b31c054..3a628fe 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..059e984 100644
+index 76f285e..09ccba4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6424,7 +6442,7 @@ index 76f285e..059e984 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
- gen_require(`
++ gen_require(`
+ type cpu_online_t;
+ ')
+
@@ -6443,7 +6461,7 @@ index 76f285e..059e984 100644
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
-+ gen_require(`
+ gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
@@ -6457,11 +6475,81 @@ index 76f285e..059e984 100644
########################################
## <summary>
## Read hardware state information.
-@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
+-## Read and write the TPM device.
+## Relabel hardware state directories.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+- type device_t, tpm_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, tpm_device_t)
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read from pseudo random number generator devices (e.g., /dev/urandom).
++## Relabel hardware state files
+ ## </summary>
+-## <desc>
+-## <p>
+-## Allow the specified domain to read from pseudo random number
+-## generator devices (e.g., /dev/urandom). Typically this is
+-## used in situations when a cryptographically secure random
+-## number is not necessarily needed. One example is the Stack
+-## Smashing Protector (SSP, formerly known as ProPolice) support
+-## that may be compiled into programs.
+-## </p>
+-## <p>
+-## Related interface:
+-## </p>
+-## <ul>
+-## <li>dev_read_rand()</li>
+-## </ul>
+-## <p>
+-## Related tunable:
+-## </p>
+-## <ul>
+-## <li>global_ssp</li>
+-## </ul>
+-## </desc>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`dev_read_urand',`
++interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, urandom_device_t)
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read from pseudo
++## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
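Review bot: the summary for dev_relabel_all_sysfs reads "Relabel hardware state files", but the body calls relabel_dirs_pattern, relabel_files_pattern and relabel_lnk_files_pattern on sysfs_t. Update the summary to say it relabels directories, files and symlinks, and end it with a period like the neighbouring summaries.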
@@ -6469,17 +6557,17 @@ index 76f285e..059e984 100644
+## </summary>
+## </param>
+#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_manage_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
-+## Relabel hardware state files
++## Read and write the TPM device.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -6487,37 +6575,59 @@ index 76f285e..059e984 100644
+## </summary>
+## </param>
+#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_rw_tpm',`
+ gen_require(`
-+ type sysfs_t;
++ type device_t, tpm_device_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+## <summary>
-+## Allow caller to modify hardware state information.
++## Read from pseudo random number generator devices (e.g., /dev/urandom).
+## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to read from pseudo random number
++## generator devices (e.g., /dev/urandom). Typically this is
++## used in situations when a cryptographically secure random
++## number is not necessarily needed. One example is the Stack
++## Smashing Protector (SSP, formerly known as ProPolice) support
++## that may be compiled into programs.
++## </p>
++## <p>
++## Related interface:
++## </p>
++## <ul>
++## <li>dev_read_rand()</li>
++## </ul>
++## <p>
++## Related tunable:
++## </p>
++## <ul>
++## <li>global_ssp</li>
++## </ul>
++## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <infoflow type="read" weight="10"/>
+#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_read_urand',`
+ gen_require(`
-+ type sysfs_t;
++ type device_t, urandom_device_t;
+ ')
+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ read_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+## <summary>
- ## Read and write the TPM device.
++## Do not audit attempts to read from pseudo
+ ## random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
@@ -6546,7 +6656,193 @@ index 76f285e..059e984 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
-@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
+@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ## <summary>
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
++########################################
+ ## <summary>
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',`
+
+ ########################################
+ ## <summary>
++## Get the attributes of vfio devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_getattr_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_vfio_dev',`
++ gen_require(`
++ type vfio_device_t;
++ ')
++
++ dontaudit $1 vfio_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
++## Set the attributes of vfio device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_setattr_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_setattr_vfio_dev',`
++ gen_require(`
++ type vfio_device_t;
++ ')
++
++ dontaudit $1 vfio_device_t:chr_file setattr;
++')
++
++########################################
++## <summary>
++## Read the vfio devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++## <summary>
++## Write the vfio devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_write_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++## <summary>
++## Read and write the VFIO devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_vfio_dev',`
++ gen_require(`
++ type device_t, vfio_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++## <summary>
+ ## Allow read/write the vhost net device
+ ## </summary>
+ ## <param name="domain">
+@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
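Review bot: the changelog says "Fix dev_rw_vfio_dev definiton", but this hunk adds seven vfio interfaces (getattr, setattr, their dontaudit variants, read, write, rw); list them in the changelog so the scope of the new device access is visible. The summaries mix "vfio" and "VFIO" ("Read and write the VFIO devices." against "Read the vfio devices."); pick one spelling. The same hunk also swaps the order of dev_getattr_video_dev and dev_rw_userio_dev and changes the length of their "####" separators, which is unrelated churn that would be easier to review on its own.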
@@ -6571,7 +6867,7 @@ index 76f285e..059e984 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@@ -6598,7 +6894,7 @@ index 76f285e..059e984 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -6758,6 +7054,7 @@ index 76f285e..059e984 100644
+ type dlm_control_device_t;
+ type clock_device_t;
+ type v4l_device_t;
++ type vfio_device_t;
+ type event_device_t;
+ type xen_device_t;
+ type framebuf_device_t;
@@ -6901,7 +7198,12 @@ index 76f285e..059e984 100644
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
++ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
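Review bot: the named transitions cover only "ptp0" through "ptp3", while the file context added in devices.fc is "/dev/ptp.*". A node such as ptp4 created by a caller of this interface will keep the default device_t label until it is relabelled. Either note the limit of four clocks in a comment next to these lines or extend the list to match what the other numbered devices in this interface do.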
@@ -7537,7 +7839,7 @@ index 76f285e..059e984 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 6529bd9..cfec99c 100644
+index 6529bd9..831344c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -7603,7 +7905,17 @@ index 6529bd9..cfec99c 100644
#
# Type for /dev/tpm
#
-@@ -274,6 +283,7 @@ dev_node(v4l_device_t)
+@@ -266,6 +275,9 @@ dev_node(usbmon_device_t)
+ type userio_device_t;
+ dev_node(userio_device_t)
+
++type vfio_device_t;
++dev_node(vfio_device_t)
++
+ type v4l_device_t;
+ dev_node(v4l_device_t)
+
+@@ -274,6 +286,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -7611,7 +7923,7 @@ index 6529bd9..cfec99c 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +329,5 @@ files_associate_tmp(device_node)
+@@ -319,5 +332,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -7757,7 +8069,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..ff7b3f4 100644
+index cf04cb5..3a38af0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7790,11 +8102,13 @@ index cf04cb5..ff7b3f4 100644
## <desc>
## <p>
-@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *;
allow domain self:dir list_dir_perms;
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
allow domain self:file rw_file_perms;
+allow domain self:fifo_file rw_fifo_file_perms;
++allow domain self:sem create_sem_perms;
++allow domain self:shm create_shm_perms;
+
kernel_read_proc_symlinks(domain)
+kernel_read_crypto_sysctls(domain)
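Review bot: "allow domain self:sem create_sem_perms;" and "allow domain self:shm create_shm_perms;" grant System V semaphore and shared-memory creation to every type in the domain attribute, yet the changelog has no entry for either rule. A change that widens the baseline for all confined domains deserves its own changelog line and a pointer to the denial that motivated it. If only a few services need it, grant it in their own modules instead of domain.te.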
@@ -7835,7 +8149,7 @@ index cf04cb5..ff7b3f4 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
-@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@@ -7854,7 +8168,7 @@ index cf04cb5..ff7b3f4 100644
')
optional_policy(`
-@@ -133,6 +186,8 @@ optional_policy(`
+@@ -133,6 +188,8 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7863,7 +8177,7 @@ index cf04cb5..ff7b3f4 100644
')
########################################
-@@ -147,12 +202,18 @@ optional_policy(`
+@@ -147,12 +204,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@@ -7883,7 +8197,7 @@ index cf04cb5..ff7b3f4 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8395,7 +8709,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..87c124c 100644
+index 64ff4d7..9389e60 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -8543,7 +8857,7 @@ index 64ff4d7..87c124c 100644
## <li>files_tmp_file()</li>
## <li>files_tmpfs_file()</li>
## <li>logging_log_file()</li>
-@@ -125,30 +256,31 @@ interface(`files_security_file',`
+@@ -125,44 +256,59 @@ interface(`files_security_file',`
typeattribute $1 file_type, security_file_type, non_auth_file_type;
')
@@ -8575,55 +8889,74 @@ index 64ff4d7..87c124c 100644
########################################
## <summary>
- ## Make the specified type usable for
+-## Make the specified type usable for
-## filesystem mount points.
-+## security file filesystem mount points.
++## Create a private type object in mountpoint dir
++## with an automatic type transition
## </summary>
- ## <param name="type">
+-## <param name="type">
++## <param name="domain">
## <summary>
-@@ -156,33 +288,33 @@ interface(`files_lock_file',`
+-## Type to be used for mount points.
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
## </summary>
## </param>
#
-interface(`files_mountpoint',`
-+interface(`files_security_mountpoint',`
++interface(`files_mountpoint_filetrans',`
gen_require(`
attribute mountpoint;
')
- files_type($1)
-+ files_security_file($1)
- typeattribute $1 mountpoint;
+- typeattribute $1 mountpoint;
++ filetrans_pattern($1, mountpoint, $2, $3, $4)
')
########################################
+@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',`
+ ########################################
## <summary>
## Make the specified type usable for
--## security file filesystem mount points.
+## lock files.
- ## </summary>
- ## <param name="type">
- ## <summary>
--## Type to be used for mount points.
++## </summary>
++## <param name="type">
++## <summary>
+## Type to be used for lock files.
- ## </summary>
- ## </param>
- #
--interface(`files_security_mountpoint',`
++## </summary>
++## </param>
++#
+interface(`files_lock_file',`
- gen_require(`
-- attribute mountpoint;
++ gen_require(`
+ attribute lockfile;
- ')
-
-- files_security_file($1)
-- typeattribute $1 mountpoint;
++ ')
++
+ files_type($1)
+ typeattribute $1 lockfile;
- ')
-
- ########################################
-@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',`
++')
++
++########################################
++## <summary>
++## Make the specified type usable for
+ ## runtime process ID files.
+ ## </summary>
+ ## <desc>
+@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
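Review bot: files_mountpoint_filetrans passes the mountpoint attribute as the parent directory type in filetrans_pattern($1, mountpoint, $2, $3, $4), so a caller gets the type transition, and the directory access filetrans_pattern grants alongside it, on every type carrying that attribute rather than on one mount point type. Because the name parameter is marked optional="true", a caller that omits it gets an unnamed transition for the whole object class in all mount point directories; consider stating that in a <desc> block or requiring the name for this interface. The same hunk shows the body under the old files_mountpoint header losing files_type($1) and typeattribute $1 mountpoint;, so please confirm that files_mountpoint() is still defined unchanged further down in the regenerated patch.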
@@ -8632,7 +8965,7 @@ index 64ff4d7..87c124c 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
## <summary>
@@ -8696,7 +9029,7 @@ index 64ff4d7..87c124c 100644
## Read all files.
## </summary>
## <param name="domain">
-@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +906,82 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -8779,7 +9112,7 @@ index 64ff4d7..87c124c 100644
## Read all directories on the filesystem, except
## the listed exceptions.
## </summary>
-@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1246,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
## <summary>
@@ -8805,7 +9138,7 @@ index 64ff4d7..87c124c 100644
## Get the attributes of all named sockets.
## </summary>
## <param name="domain">
-@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
## <summary>
@@ -8831,7 +9164,7 @@ index 64ff4d7..87c124c 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
## </summary>
-@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -8844,7 +9177,7 @@ index 64ff4d7..87c124c 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1477,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1511,6 @@ interface(`files_list_all',`
########################################
## <summary>
@@ -8869,17 +9202,19 @@ index 64ff4d7..87c124c 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
- ')
+-')
++')
#############################################
-@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',`
+ ## <summary>
+@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
## <summary>
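Review bot: files_relabel_non_auth_files drops the seutil_relabelto_bin_policy($1) call together with its "# satisfy the assertions:" comment, and nothing in the hunk says why the assertion no longer needs satisfying. A short comment or changelog line explaining that would help, along with a check that the policy still builds with assertions enabled. The regenerated hunk also now removes and re-adds the closing ') line (-') followed by +')), which looks like whitespace-only churn and could be dropped from the carried patch.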
@@ -8904,54 +9239,35 @@ index 64ff4d7..87c124c 100644
## Set the attributes of all mount points.
## </summary>
## <param name="domain">
-@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
--## Do not audit attempts to write to mount points.
+## Write all mount points.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_write_all_mountpoints',`
-- gen_require(`
-- attribute mountpoint;
-- ')
-+interface(`files_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-
-- dontaudit $1 mountpoint:dir write;
-+ allow $1 mountpoint:dir write;
- ')
-
- ########################################
- ## <summary>
--## List the contents of the root directory.
-+## Do not audit attempts to write to mount points.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_dontaudit_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
+
-+ dontaudit $1 mountpoint:dir write;
++ allow $1 mountpoint:dir write;
+')
+
+########################################
+## <summary>
+ ## Do not audit attempts to write to mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+
+ ########################################
+ ## <summary>
+## Write all file type directories.
+## </summary>
+## <param name="domain">
@@ -8970,11 +9286,10 @@ index 64ff4d7..87c124c 100644
+
+########################################
+## <summary>
-+## List the contents of the root directory.
+ ## List the contents of the root directory.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -9006,7 +9321,7 @@ index 64ff4d7..87c124c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -9015,7 +9330,7 @@ index 64ff4d7..87c124c 100644
')
########################################
-@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -9040,7 +9355,7 @@ index 64ff4d7..87c124c 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -9065,7 +9380,7 @@ index 64ff4d7..87c124c 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -9073,7 +9388,7 @@ index 64ff4d7..87c124c 100644
')
########################################
-@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -9082,7 +9397,7 @@ index 64ff4d7..87c124c 100644
## </summary>
## </param>
#
-@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -9108,7 +9423,7 @@ index 64ff4d7..87c124c 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -9133,7 +9448,7 @@ index 64ff4d7..87c124c 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -9158,7 +9473,7 @@ index 64ff4d7..87c124c 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -9169,7 +9484,7 @@ index 64ff4d7..87c124c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@@ -9191,7 +9506,7 @@ index 64ff4d7..87c124c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@@ -9218,7 +9533,7 @@ index 64ff4d7..87c124c 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -9226,7 +9541,7 @@ index 64ff4d7..87c124c 100644
')
########################################
-@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -9234,7 +9549,7 @@ index 64ff4d7..87c124c 100644
')
########################################
-@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -9260,7 +9575,7 @@ index 64ff4d7..87c124c 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -9286,7 +9601,7 @@ index 64ff4d7..87c124c 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -9312,7 +9627,7 @@ index 64ff4d7..87c124c 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -9356,7 +9671,7 @@ index 64ff4d7..87c124c 100644
')
########################################
-@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -9441,13 +9756,11 @@ index 64ff4d7..87c124c 100644
-interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
-- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -9464,473 +9777,386 @@ index 64ff4d7..87c124c 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
- ')
-
--########################################
++')
++
+######################################
- ## <summary>
--## Search the tmp directory (/tmp).
++## <summary>
+## Relabel manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
- ## </param>
- #
--interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++## </param>
++#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ## <summary>
--## Do not audit attempts to search the tmp directory (/tmp).
++## <summary>
+## Relabel manageable system configuration files in /etc.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain to not audit.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++## </param>
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ## <summary>
--## Read the tmp directory (/tmp).
++## <summary>
+## Create files in /etc with the type used for
+## the manageable system config files.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
- ## </param>
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++## </param>
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
- ########################################
- ## <summary>
--## Do not audit listing of the tmp directory (/tmp).
++')
++
++########################################
++## <summary>
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
- ## </summary>
--## <param name="domain">
++## </summary>
+## <param name="file_type">
- ## <summary>
--## Domain not to audit.
++## <summary>
+## Type of the file to associate.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_list_tmp',`
++## </summary>
++## </param>
++#
+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++ gen_require(`
++ type tmp_t;
++ ')
++
+ allow $1 tmp_t:filesystem associate;
- ')
-
- ########################################
- ## <summary>
--## Remove entries from the tmp directory.
++')
++
++########################################
++## <summary>
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ## </summary>
--## <param name="domain">
++## </summary>
+## <param name="file_type">
- ## <summary>
--## Domain allowed access.
++## <summary>
+## Type of the file to associate.
- ## </summary>
- ## </param>
- #
--interface(`files_delete_tmp_dir_entry',`
++## </summary>
++## </param>
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ## <summary>
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++## <summary>
+## Get the attributes of the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_generic_tmp_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ## <summary>
--## Manage temporary directories in /tmp.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to check the
+## access on tmp files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_dirs',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_dirs_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ## <summary>
--## Manage temporary files and directories in /tmp.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_files',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
++ gen_require(`
++ type tmp_t;
')
-- manage_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ## <summary>
--## Read symbolic links in the tmp directory (/tmp).
-+## Search the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_search_tmp',`
- gen_require(`
+ dontaudit $1 tmp_t:dir getattr;
+@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
- read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ## <summary>
--## Read and write generic named sockets in the tmp directory (/tmp).
-+## Do not audit attempts to search the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_rw_generic_tmp_sockets',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
+@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Set the attributes of all tmp directories.
-+## Read the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir { search_dir_perms setattr };
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ## <summary>
--## List all tmp directories.
-+## Do not audit listing of the tmp directory (/tmp).
+@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
--interface(`files_list_all_tmp',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-+ dontaudit $1 tmp_t:dir list_dir_perms;
+@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
--########################################
+#######################################
- ## <summary>
--## Relabel to and from all temporary
--## directory types.
++## <summary>
+## Allow read and write to the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
++## </summary>
++## <param name="domain">
+## <summary>
+## Domain not to audit.
+## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_dirs',`
-- gen_require(`
-- attribute tmpfile;
-- type var_t;
-- ')
++## </param>
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
++')
++
########################################
## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp files.
-+## Remove entries from the tmp directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ ## Remove entries from the tmp directory.
+@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- dontaudit $1 tmpfile:file getattr;
+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
+@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
########################################
## <summary>
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Read files in the tmp directory (/tmp).
++## Allow shared library text relocations in tmp files.
++## </summary>
++## <desc>
++## <p>
++## Allow shared library text relocations in tmp files.
++## </p>
++## <p>
++## This is added to support java policy.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++## <summary>
+ ## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
- ## <summary>
-@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:file getattr;
-+ read_files_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
--## Relabel to and from all temporary
--## file types.
-+## Manage temporary directories in /tmp.
++## Relabel a dir from the type used in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## <summary>
++## Relabel a file from the type used in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## <summary>
+ ## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Allow shared library text relocations in tmp files.
++## Allow caller to read inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++## <summary>
++## Allow caller to append inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Allow caller to read and write inherited tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_inherited_tmp_file',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
+ ## List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
-+## <desc>
-+## <p>
-+## Allow shared library text relocations in tmp files.
-+## </p>
-+## <p>
-+## This is added to support java policy.
-+## </p>
-+## </desc>
## <param name="domain">
## <summary>
-## Domain not to audit.
-+## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
#
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ allow $1 tmpfile:file execmod;
- ')
-
- ########################################
- ## <summary>
--## Read all tmp files.
-+## Manage temporary files and directories in /tmp.
+@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
-@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+-## Domain not to audit.
++## Domain to not audit.
## </summary>
## </param>
#
--interface(`files_read_all_tmp_files',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
-## Create an object in the tmp directories, with a private
-## type using a type transition.
-+## Read symbolic links in the tmp directory (/tmp).
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
+-## Domain allowed access.
+-## </summary>
+-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
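Review bot: several of the new interfaces in this hunk have gen_require blocks that do not match their rules. files_relabelto_system_conf_files and files_relabelfrom_system_conf_files both require type usr_t; while their bodies only reference system_conf_t, and files_dontaudit_access_check_tmp requires type etc_t; while its dontaudit rule names tmp_t. Each block should require the type the rule actually uses (system_conf_t and tmp_t respectively), so the interface does not depend on another require happening to pull that type in. On documentation: the two system_conf relabel interfaces carry the same summary although one is relabelto and the other relabelfrom, files_rw_generic_tmp_dir describes its parameter as "Domain not to audit" although it is an allow rule, and files_read_inherited_tmp_files is summarised as read access but grants { append read_inherited_file_perms }, so either the summary or the permission set should change.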
@@ -9944,2805 +10170,815 @@ index 64ff4d7..87c124c 100644
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
--## </summary>
--## </param>
++## Domain to not audit.
+ ## </summary>
+ ## </param>
#
-interface(`files_tmp_filetrans',`
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_dontaudit_tmp_file_leaks',`
gen_require(`
- type tmp_t;
+- type tmp_t;
++ attribute tmpfile;
')
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
')
########################################
## <summary>
-## Delete the contents of /tmp.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
## </summary>
## <param name="domain">
## <summary>
-@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',`
+-## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
#
-interface(`files_purge_tmp',`
-+interface(`files_rw_generic_tmp_sockets',`
++interface(`files_rw_tmp_file_leaks',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ attribute tmpfile;
')
- allow $1 tmpfile:dir list_dir_perms;
- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Create an object in the tmp directories, with a private
++## type using a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`files_tmp_filetrans',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## Delete the contents of /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_purge_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:dir list_dir_perms;
++ delete_dirs_pattern($1, tmpfile, tmpfile)
+ delete_files_pattern($1, tmpfile, tmpfile)
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
')
########################################
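Review bot: the doc block for files_rw_tmp_file_leaks still carries the wording of the dontaudit interface above it. Its summary reads "Do allow attempts to read or write all leaked tmpfiles files." and its parameter is described as "Domain to not audit.", while the body is "allow $1 tmpfile:file rw_inherited_file_perms;". Because this grants read/write on inherited descriptors for every tmpfile type, the summary should state that plainly and the parameter should read "Domain allowed access.". In files_purge_tmp the summary is still "Delete the contents of /tmp." although the interface gains delete_chr_files_pattern, delete_blk_files_pattern and the files_delete_isid_type_* calls; a line in the doc block about device nodes and unlabeled (isid) objects would help callers judge what they are granting.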
+@@ -5223,6 +6088,24 @@ interface(`files_list_var',`
+
+ ########################################
## <summary>
--## Set the attributes of the /usr directory.
-+## Relabel a dir from the type used in /tmp.
++## Do not audit listing of the var directory (/var).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
++########################################
++## <summary>
++## manage generic symbolic links
++## in the /var/lib directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_var_lib_symlinks',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
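Review bot: files_manage_var_lib_symlinks passes only var_lib_t as the directory type in "manage_lnk_files_pattern($1,var_lib_t,var_lib_t)", while files_read_var_lib_symlinks directly above uses "{ var_t var_lib_t }". As written, the new interface gives no search on var_t, so a caller cannot reach /var/lib through it alone; either use the same directory set as the read interface or note in the doc block that the caller must already be able to search /var. Style: add spaces after the commas, capitalise the summary ("Manage generic symbolic links"), and leave a blank line between the closing "')" of the previous interface and the new separator.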
+@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',`
+
########################################
## <summary>
--## Search the content of /usr.
-+## Relabel a file from the type used in /tmp.
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
--interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_files',`
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
gen_require(`
-- type usr_t;
-+ type tmp_t;
+ type var_t, var_lock_t;
')
-- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
')
########################################
- ## <summary>
--## List the contents of generic
--## directories in /usr.
-+## Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4695,35 +5175,35 @@ interface(`files_search_usr',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_usr',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+@@ -5654,6 +6557,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
')
-- allow $1 usr_t:dir list_dir_perms;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
')
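Review bot: the added "files_search_pids($1)" in files_search_locks has no comment saying why a lock-directory search needs /var/run access, and it widens every interface that calls files_search_locks. After this patch that includes files_list_locks, files_rw_lock_dirs, files_getattr_generic_locks, files_delete_generic_locks, files_manage_generic_locks, files_read_all_locks, files_manage_all_locks and files_lock_filetrans. If the reason is that /var/lock resolves through /var/run, say so in a comment above the call and in the interface summary, so that the extra var_t and var_run_t lnk_file reads and directory searches are a documented part of what "search locks" grants.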
+@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
--## Do not audit write of /usr dirs
-+## Allow caller to read inherited tmp files.
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Set the attributes of the /var/lock directory.
## </summary>
## <param name="domain">
## <summary>
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+- type var_t, var_lock_t;
++ type var_lock_t;
')
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
')
########################################
- ## <summary>
--## Add and remove entries from /usr directories.
-+## Allow caller to append inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
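Review bot: the re-added files_setattr_lock_dirs no longer gives the caller a path to the directory. The earlier body was "setattr_dirs_pattern($1, var_t, var_lock_t)", which covered the search of var_t; the new one is only "allow $1 var_lock_t:dir setattr;" with var_t dropped from gen_require. Every other lock interface in this patch calls files_search_locks($1) first, and files_setattr_pid_dirs further down pairs files_search_pids($1) with its setattr rule, so the same pairing is expected here: add files_search_locks($1) before the allow line, or explain why this interface is the exception.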
+@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
')
-- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
')
- ########################################
- ## <summary>
--## Do not audit attempts to add and remove
--## entries from /usr directories.
-+## Allow caller to read and write inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
## </summary>
## </param>
+-## <rolecap/>
#
--interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
+ interface(`files_relabel_all_lock_dirs',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',`
+ type var_t, var_lock_t;
')
-- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-
- ########################################
- ## <summary>
--## Delete generic directories in /usr in the caller domain.
-+## List all tmp directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ## </summary>
+@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
--interface(`files_delete_usr_dirs',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
-- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
- ## <summary>
--## Delete generic files in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## directory types.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_delete_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
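Review bot: in files_delete_generic_locks the "gen_require(`", "')" and "delete_files_pattern($1, var_lock_t, var_lock_t)" lines are removed and re-added with identical text, so this hunk mixes a whitespace-only change with the functional one (replacing the two allow rules by files_search_locks($1)). Keep the original indentation so that only the functional lines change, and check that the re-added lines match the indentation used by the neighbouring interfaces.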
+@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
')
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
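Review bot: files_manage_generic_locks loses "manage_dirs_pattern($1, var_lock_t, var_lock_t)" together with the two search rules, which is a functional narrowing and not the same refactor as the surrounding hunks, where only the search rules are swapped for files_search_locks($1). Callers that relied on this interface to create or remove directories under /var/lock will start failing. If the removal is intended, record it in the changelog and update the interface summary; if not, keep the manage_dirs_pattern line.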
+@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5981,10 +6895,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
++ allow $1 var_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
')
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
++## Create generic pid directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Do not audit attempts to search
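Review bot: files_create_var_run_dirs open-codes "allow $1 var_t:dir search_dir_perms;" rather than calling files_search_pids($1), so it misses the var_t and var_run_t lnk_file reads that this same hunk treats as part of reaching /var/run; files_rw_pid_dirs has no search at all. Use files_search_pids($1) in both for consistency with the rest of the patch. The name files_create_var_run_dirs also departs from the files_*_pid_dirs naming used by its neighbours (files_setattr_pid_dirs, files_rw_pid_dirs), and the two new separator lines differ in length from each other and from the one on the context line that follows.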
+@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',`
+
########################################
## <summary>
--## Get the attributes of files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## Do not audit attempts to search
++## the all /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ## </summary>
+@@ -6021,7 +6992,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
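Review bot: files_pid_filetrans drops "allow $1 var_run_t:lnk_file read_lnk_file_perms;" without adding files_search_pids($1) in its place, unlike the other pid interfaces touched here and unlike files_lock_filetrans, which gets files_search_locks($1). The remaining "allow $1 var_t:dir search_dir_perms;" does not cover the lnk_file reads, so callers of this interface lose them. Replace the var_t search line with files_search_pids($1), or state why a filetrans caller does not need to traverse the symlinks.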
+@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',`
+ type var_t, var_run_t;
')
-- getattr_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
')
+@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
--## Read generic files in /usr.
-+## Allow attempts to get the attributes
-+## of all tmp files.
+-## Read all process ID files.
++## Relable all pid directories
## </summary>
--## <desc>
--## <p>
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--## </p>
--## <ul>
--## <li>/usr/include/*</li>
--## <li>/usr/share/doc/*</li>
--## <li>/usr/share/info/*</li>
--## </ul>
--## <p>
--## Generally, it is safe for many domains to have
--## this access.
--## </p>
--## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
--## <infoflow type="read" weight="10"/>
+-## <rolecap/>
#
--interface(`files_read_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
--## Execute generic programs in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## file types.
+-## Delete all process IDs.
++## Delete all pid sockets
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-+## <rolecap/>
+-## <rolecap/>
#
--interface(`files_exec_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
+-interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_sockets',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file delete_sock_file_perms;
')
########################################
## <summary>
--## dontaudit write of /usr files
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
+-## Delete all process ID directories.
++## Create all pid sockets
## </summary>
## <param name="domain">
## <summary>
-@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',`
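Review bot: the new files_delete_all_pid_sockets is a bare "allow $1 pidfile:sock_file delete_sock_file_perms;", whereas the interface it replaces at this position used delete_sock_files_pattern, which also covers the directory side of an unlink. With the bare rule a caller still needs separate access to the containing pidfile directory before the delete can succeed; say so in the doc block or use the pattern macro. The summary of files_relabel_all_pid_dirs is misspelled ("Relable all pid directories"), and the new one-line summaries in this hunk lack the trailing period used elsewhere in the file.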
+@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
--interface(`files_dontaudit_write_usr_files',`
-- gen_require(`
-- type usr_t;
-- ')
--
-- dontaudit $1 usr_t:file write;
--')
--
--########################################
--## <summary>
--## Create, read, write, and delete files in the /usr directory.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:sock_file create_sock_file_perms;
')
########################################
## <summary>
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
+-## Create, read, write and delete all
+-## var_run (pid) content
++## Create all pid named pipes
## </summary>
## <param name="domain">
## <summary>
-@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',`
+-## Domain alloed access.
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_pid_pipes',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+ attribute pidfile;
')
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
')
########################################
## <summary>
--## Relabel a file from the type used in /usr.
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid named pipes
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
--interface(`files_relabelfrom_usr_files',`
-+interface(`files_dontaudit_tmp_file_leaks',`
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_pipes',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+- attribute polymember;
++ attribute pidfile;
')
-- relabelfrom_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
')
########################################
## <summary>
--## Read symbolic links in /usr.
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## manage all pidfile directories
++## in the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
--interface(`files_read_usr_symlinks',`
-+interface(`files_rw_tmp_file_leaks',`
+-interface(`files_search_spool',`
++interface(`files_manage_all_pid_dirs',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
+- search_dirs_pattern($1, var_t, var_spool_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
')
++
########################################
## <summary>
--## Create objects in the /usr directory
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
+-## Do not audit attempts to search generic
+-## spool directories.
++## Read all process ID files.
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="file_type">
-+## <param name="private type">
- ## <summary>
--## The type of the object to be created
-+## The type of the object to be created.
- ## </summary>
- ## </param>
--## <param name="object_class">
-+## <param name="object">
- ## <summary>
--## The object class.
-+## The object class of the object being created.
- ## </summary>
- ## </param>
- ## <param name="name" optional="true">
-@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',`
- ## </summary>
- ## </param>
- #
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type src_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',`
- ## </summary>
- ## </param>
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
- ')
-
- ########################################
- ## <summary>
--## Read files in /usr/src.
-+## Search the content of /usr.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',`
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
++## <rolecap/>
#
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
+- type var_spool_t;
++ attribute pidfile;
++ type var_t;
')
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Relable all pid files
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
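Review bot: the re-added files_read_all_pids has no files_search_pids($1) call, although the version removed earlier in this patch carried "allow $1 var_run_t:lnk_file read_lnk_file_perms;" and the re-added files_delete_all_pids does call files_search_pids($1). The body here is only list_dirs_pattern, read_files_pattern and read_lnk_files_pattern on pidfile, with var_run_t dropped from gen_require, so the var_run_t symlink read is gone unless the caller gets it elsewhere. Add files_search_pids($1) for parity. In files_manage_all_pid_dirs, "manage_dirs_pattern($1,pidfile,pidfile)" needs spaces after the commas, and the blank "++" line before the next separator duplicates the existing blank context line.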
+@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
+-interface(`files_list_spool',`
++interface(`files_relabel_all_pid_files',`
gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
+- list_dirs_pattern($1, var_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
')
########################################
## <summary>
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Execute generic programs in /var/run in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -6406,18 +7359,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_exec_generic_pid_files',`
gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- type var_t, var_spool_t;
++ type var_run_t;
')
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
')
########################################
## <summary>
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
+-## Read generic spool files.
++## manage all pidfiles
++## in the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain to not audit.
+@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
+-interface(`files_read_generic_spool',`
++interface(`files_manage_all_pids',`
gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
')
########################################
## <summary>
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
+-## Create, read, write, and delete generic
+-## spool files.
++## Mount filesystems on all polyinstantiation
++## member directories.
## </summary>
## <param name="domain">
## <summary>
-@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',`
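Review bot: files_manage_all_pids is narrowed from three pattern calls (manage_dirs_pattern, manage_files_pattern, manage_lnk_files_pattern on pidfile) to the single "manage_files_pattern($1,pidfile,pidfile)". Directory management is picked up by the new files_manage_all_pid_dirs, but nothing visible in this patch replaces the lnk_file management, so existing callers lose it and must be audited. The interface keeps its old name while granting less, which is easy to miss in review; note the split in the summary ("manage all pidfiles in the /var/run directory." should say files only and point to files_manage_all_pid_dirs) and add spaces after the commas.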
+@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
+-interface(`files_manage_generic_spool',`
++interface(`files_mounton_all_poly_members',`
gen_require(`
-- type var_t;
-+ type usr_t;
+- type var_t, var_spool_t;
++ attribute polymember;
')
- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ allow $1 polymember:dir mounton;
')
########################################
## <summary>
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Delete all process IDs.
## </summary>
## <param name="domain">
## <summary>
-@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',`
+ ## Domain allowed access.
## </summary>
## </param>
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
- ## </summary>
+-## <param name="file">
+-## <summary>
+-## Type to which the created node will be transitioned.
+-## </summary>
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++## Delete all process ID directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++## Make the specified type a file
++## used for spool files.
++## </summary>
+## <desc>
+## <p>
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++## </p>
++## <p>
++## Related interfaces:
+## </p>
+## <ul>
-+## <li>/usr/include/*</li>
-+## <li>/usr/share/doc/*</li>
-+## <li>/usr/share/info/*</li>
++## <li>files_spool_filetrans()</li>
+## </ul>
+## <p>
-+## Generally, it is safe for many domains to have
-+## this access.
-+## </p>
-+## </desc>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
-+## <infoflow type="read" weight="10"/>
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
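Review bot: files_delete_all_pids grants "allow $1 var_run_t:dir rmdir;" although its summary only says "Delete all process IDs" and directory removal has its own interface, files_delete_all_pid_dirs, immediately below. If removing a generic var_run_t directory is intended here, the summary should say so; otherwise the rule belongs in the directory interface. The socket rule also differs from the file and fifo rules by accepting { pidfile var_run_t } as the object type, and a one-line comment explaining why var_run_t sockets are included would help. In files_delete_all_pid_dirs, var_run_t is listed in gen_require but no rule in the body references it.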
-@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ## <summary>
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',`
- ## </summary>
- ## </param>
- #
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <param name="file_type">
-+## <summary>
-+## The type of the object to be created
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## The object class.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
- #
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ## <summary>
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ## <summary>
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="file_type">
--## <summary>
--## The type of the object to be created
--## </summary>
--## </param>
--## <param name="object_class">
--## <summary>
--## The object class.
--## </summary>
--## </param>
--## <param name="name" optional="true">
--## <summary>
--## The name of the object being created.
--## </summary>
--## </param>
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',`
- ## </summary>
- ## </param>
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ## <summary>
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ## </summary>
--## <desc>
--## <p>
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--## </p>
--## <p>
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--## </p>
--## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <infoflow type="read" weight="5"/>
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Read system.map in the /boot directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
--## <infoflow type="read" weight="5"/>
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ## <summary>
--## List the contents of the /var/lib directory.
-+## Delete a system.map in the /boot directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_var_lib',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ## <summary>
--## Read-write /var/lib directories
-+## Search the contents of /var.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',`
- ## </summary>
- ## </param>
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_lib_t;
-+ type var_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Create objects in the /var/lib directory
-+## Do not audit attempts to write to /var.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--## <param name="file_type">
--## <summary>
--## The type of the object to be created
--## </summary>
--## </param>
--## <param name="object_class">
--## <summary>
--## The object class.
--## </summary>
--## </param>
--## <param name="name" optional="true">
--## <summary>
--## The name of the object being created.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ## <summary>
--## Read generic files in /var/lib.
-+## Allow attempts to write to /var.dirs
- ## </summary>
- ## <param name="domain">
- ## <summary>
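Review bot: the summary "Allow attempts to write to /var.dirs" a few lines up is garbled and does not follow the wording used by the neighbouring interfaces. The interface it documents, files_write_var_dirs, grants a plain allow on var_t:dir write, so something like "Write to directories in /var." would describe it accurately.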
-@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
- ########################################
- ## <summary>
--## Read generic symbolic links in /var/lib
-+## Do not audit attempts to search
-+## the contents of /var.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ## <summary>
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## List the contents of /var.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## Do not audit listing of the var directory (/var).
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_mounttab',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Set the attributes of the generic lock directories.
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Search the locks directory (/var/lock).
-+## Read files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Append files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## List generic lock directories.
-+## Read and write files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_locks',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## Add and remove entries in the /var/lock
--## directories.
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Create lock directories
-+## Create, read, write, and delete files in the /var directory.
- ## </summary>
- ## <param name="domain">
--## <summary>
--## Domain allowed access
-+## <summary>
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## Relabel to and from all lock directory types.
-+## Read symbolic links in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## Get the attributes of generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ## <summary>
--## Delete generic lock files.
-+## Create objects in the /var directory
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
-+## <param name="file_type">
-+## <summary>
-+## The type of the object to be created
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## The object class.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete generic
--## lock files.
-+## Get the attributes of the /var/lib directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Delete all lock files.
-+## Search the /var/lib directory.
- ## </summary>
-+## <desc>
-+## <p>
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+## </p>
-+## <p>
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+## </p>
-+## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
-+## <infoflow type="read" weight="5"/>
- #
--interface(`files_delete_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Read all lock files.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
-+## <infoflow type="read" weight="5"/>
- #
--interface(`files_read_all_locks',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## manage all lock files.
-+## List the contents of the /var/lib directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_manage_all_locks',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ list_dirs_pattern($1, var_t, var_lib_t)
-+')
-+
-+###########################################
-+## <summary>
-+## Read-write /var/lib directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Create objects in the /var/lib directory
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="private type">
-+## <param name="file_type">
- ## <summary>
--## The type of the object to be created.
-+## The type of the object to be created
- ## </summary>
- ## </param>
--## <param name="object">
-+## <param name="object_class">
- ## <summary>
--## The object class of the object being created.
-+## The object class.
- ## </summary>
- ## </param>
- ## <param name="name" optional="true">
-@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',`
- ## </summary>
- ## </param>
- #
--interface(`files_lock_filetrans',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## Read generic files in /var/lib.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Set the attributes of the /var/run directory.
-+## Read generic symbolic links in /var/lib
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_read_var_lib_symlinks',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ## <summary>
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## manage generic symbolic links
-+## in the /var/lib directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_search_pids',`
-+interface(`files_manage_var_lib_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
- ')
-
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
- ########################################
- ## <summary>
--## Do not audit attempts to search
--## the /var/run directory.
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+## List generic lock directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Search the locks directory (/var/lock).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Set the attributes of the /var/lock directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
-+## Add and remove entries in the /var/lock
-+## directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Create lock directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access
-+## </summary>
-+## </param>
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Relabel to and from all lock directory types.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+## Get the attributes of generic lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_getattr_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Delete generic lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_delete_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete generic
-+## lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
-+## Delete all lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+## Read all lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+## manage all lock files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="private type">
-+## <summary>
-+## The type of the object to be created.
-+## </summary>
-+## </param>
-+## <param name="object">
-+## <summary>
-+## The object class of the object being created.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+## <summary>
-+## Set the attributes of the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+######################################
-+## <summary>
-+## Add and remove entries from pid directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Create generic pid directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to search
-+## the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Read generic process ID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Write named generic process ID pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+## <summary>
-+## Create an object in the process ID directory, with a private type.
-+## </summary>
-+## <desc>
-+## <p>
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+## </p>
-+## <p>
-+## Related interfaces:
-+## </p>
-+## <ul>
-+## <li>files_pid_file()</li>
-+## </ul>
-+## <p>
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+## </p>
-+## <p>
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+## </p>
-+## </desc>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="private type">
-+## <summary>
-+## The type of the object to be created.
-+## </summary>
-+## </param>
-+## <param name="object">
-+## <summary>
-+## The object class of the object being created.
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+## <infoflow type="write" weight="10"/>
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
-+## Create a generic lock directory within the run directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access
-+## </summary>
-+## </param>
-+## <param name="name" optional="true">
-+## <summary>
-+## The name of the object being created.
-+## </summary>
-+## </param>
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+## <summary>
-+## Read and write generic process ID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to write to daemon runtime data files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_write_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to ioctl daemon runtime data files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_ioctl_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+## <summary>
-+## Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Delete all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Create all pid sockets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Create all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Delete all pid named pipes
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## manage all pidfile directories
-+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+## <summary>
-+## Read all process ID files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Relable all pid files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Execute generic programs in /var/run in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+## manage all pidfiles
-+## in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_manage_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Mount filesystems on all polyinstantiation
-+## member directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
-+ attribute polymember;
-+ ')
-+
-+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-+## Delete all process IDs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+## <summary>
-+## Delete all process ID directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
-+## Make the specified type a file
-+## used for spool files.
-+## </summary>
-+## <desc>
-+## <p>
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+## </p>
-+## <p>
-+## Related interfaces:
-+## </p>
-+## <ul>
-+## <li>files_spool_filetrans()</li>
-+## </ul>
-+## <p>
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+## </p>
-+## <p>
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++## </p>
++## <p>
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
+## </p>
+## </desc>
+## <param name="file_type">
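Review bot: The documentation example carried into the added `++` lines declares `type myspoolfile_t;`, but the three lines after it (`files_spool_file(myfile_spool_t)`, the `allow` rule and `files_spool_filetrans(...)`) all use `myfile_spool_t`, so a policy author who copies the example ends up with an undeclared type. Use one name throughout the example. Separately, in the removed block, `files_dontaudit_write_all_pids` has a `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;` rule while its `gen_require` lists only `attribute pidfile;`. Its siblings `files_dontaudit_getattr_all_pids` and `files_dontaudit_ioctl_all_pids` both require `type var_run_t;`, so if that definition is still carried elsewhere in the patch it needs the same require.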
@@ -12788,300 +11024,137 @@ index 64ff4d7..87c124c 100644
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Relabel to and from all spool
-+## directory types.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+## <summary>
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to search generic
-+## spool directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -5996,19 +7553,18 @@ interface(`files_search_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_dontaudit_search_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_spool_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## List the contents of generic spool
-+## (/var/spool) directories.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_pids',`
-+interface(`files_list_spool',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ## <summary>
--## Read generic process ID files.
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6035,19 +7591,18 @@ interface(`files_list_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_read_generic_pids',`
-+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ## <summary>
--## Write named generic process ID pipes
-+## Read generic spool files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_read_generic_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ## <summary>
--## Create an object in the process ID directory, with a private type.
-+## Create, read, write, and delete generic
-+## spool files.
- ## </summary>
--## <desc>
--## <p>
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--## </p>
--## <p>
--## Related interfaces:
--## </p>
--## <ul>
--## <li>files_pid_file()</li>
--## </ul>
--## <p>
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--## </p>
--## <p>
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
--## </p>
--## </desc>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="private type">
++## </param>
+#
-+interface(`files_manage_generic_spool',`
++interface(`files_delete_all_spool_sockets',`
+ gen_require(`
-+ type var_t, var_spool_t;
++ attribute spoolfile;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
-+## Create objects in the spool directory
-+## with a private type with a type transition.
++## Relabel to and from all spool
++## directory types.
+## </summary>
+## <param name="domain">
- ## <summary>
--## The type of the object to be created.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="object">
-+## <param name="file">
- ## <summary>
--## The object class of the object being created.
-+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
-+## <param name="class">
++## <rolecap/>
++#
++interface(`files_relabel_all_spool_dirs',`
++ gen_require(`
++ attribute spoolfile;
++ type var_t;
++ ')
++
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
++')
++
++########################################
++## <summary>
++## Search the contents of generic spool
++## directories (/var/spool).
++## </summary>
++## <param name="domain">
+## <summary>
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
- ## </summary>
- ## </param>
- ## <param name="name" optional="true">
- ## <summary>
--## The name of the object being created.
-+## The name of the object being created.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`files_spool_filetrans',`
++interface(`files_search_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ search_dirs_pattern($1, var_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
++## Do not audit attempts to search generic
++## spool directories.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain to not audit.
+## </summary>
+## </param>
+#
-+interface(`files_polyinstantiate_all',`
++interface(`files_dontaudit_search_spool',`
+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
++ type var_spool_t;
+ ')
+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
++########################################
++## <summary>
++## List the contents of generic spool
++## (/var/spool) directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
++########################################
++## <summary>
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
++########################################
++## <summary>
++## Read generic spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
+ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
-+## Unconfined access to files.
++## Create, read, write, and delete generic
++## spool files.
+## </summary>
+## <param name="domain">
+## <summary>
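Review bot: `files_relabel_all_spool_dirs` lists `type var_t;` in its `gen_require` block, but its body is only `relabel_dirs_pattern($1, spoolfile, spoolfile)` and never references `var_t`. Drop the unused require, or, if callers are expected to reach the spool directories through /var, add the same `allow $1 var_t:dir search_dir_perms;` rule that `files_manage_generic_spool_dirs` uses in this hunk. The interface is also tagged `<rolecap/>` and grants relabel on every type carrying the `spoolfile` attribute, so a short `<desc>` saying which kind of domain is expected to call it would help reviewers of calling modules.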
@@ -13089,16 +11162,39 @@ index 64ff4d7..87c124c 100644
+## </summary>
+## </param>
+#
-+interface(`files_unconfined',`
++interface(`files_manage_generic_spool',`
+ gen_require(`
-+ attribute files_unconfined_type;
++ type var_t, var_spool_t;
+ ')
+
-+ typeattribute $1 files_unconfined_type;
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
+')
+
+########################################
+## <summary>
++## Create objects in the spool directory
++## with a private type with a type transition.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file">
++## <summary>
++## Type to which the created node will be transitioned.
++## </summary>
+ ## </param>
+ ## <param name="class">
+ ## <summary>
+@@ -6562,3 +7781,459 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
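Review bot: The second parameter of `files_spool_filetrans` is documented here as `<param name="file">` and the third as `<param name="class">`, while the equivalent parameters of `files_pid_filetrans` and `files_lock_filetrans` shown earlier in this diff are `<param name="private type">` and `<param name="object">`. Since all three wrap `filetrans_pattern($1, <dir type>, $2, $3, $4)`, the parameter names should match so the generated interface documentation reads the same way for each. The summary "Create objects in the spool directory with a private type with a type transition" would read better as "with a private type using a type transition", the wording used for the lock variant, and the context line "Create a core files in /" should be "Create core files in /".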
@@ -13109,37 +11205,28 @@ index 64ff4d7..87c124c 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <infoflow type="write" weight="10"/>
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`files_pid_filetrans',`
++#
+interface(`files_manage_root_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type root_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ ')
++
+ manage_files_pattern($1, root_t, root_t)
- ')
-
- ########################################
- ## <summary>
--## Create a generic lock directory within the run directories
++')
++
++########################################
++## <summary>
+## Create a default directory
- ## </summary>
++## </summary>
+## <desc>
+## <p>
+## Create a default_t direcrory
+## </p>
+## </desc>
- ## <param name="domain">
--## <summary>
--## Domain allowed access
++## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
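Review bot: `files_manage_root_files` is summarised just above this hunk as "Create a core files in /", yet its body is `manage_files_pattern($1, root_t, root_t)`, which is the same pattern the other interfaces in this file document as "Create, read, write, and delete", and the interface is tagged `<rolecap/>`. Either the summary should state the full manage access on `root_t` files so callers know what they are granting, or the interface should be narrowed to what creating a core file needs. In the `<desc>` of the next interface, "direcrory" should be "directory".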
@@ -13162,367 +11249,272 @@ index 64ff4d7..87c124c 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="name" optional="true">
++## </summary>
++## </param>
+## <param name="object">
- ## <summary>
--## The name of the object being created.
++## <summary>
+## The class of the object being created.
- ## </summary>
- ## </param>
- #
--interface(`files_pid_filetrans_lock_dir',`
-- gen_require(`
-- type var_lock_t;
-- ')
++## </summary>
++## </param>
++#
+interface(`files_root_filetrans_default',`
+ gen_require(`
+ type root_t, default_t;
+ ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++
+ filetrans_pattern($1, root_t, default_t, $2)
- ')
-
- ########################################
- ## <summary>
--## Read and write generic process ID files.
++')
++
++########################################
++## <summary>
+## manage generic symbolic links
+## in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',`
- ## </summary>
- ## </param>
- #
--interface(`files_rw_generic_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to getattr
+## all tmpfs files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to write to daemon runtime data files.
++')
++
++########################################
++## <summary>
+## Allow read write all tmpfs files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_write_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
++ ')
++
+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to ioctl daemon runtime data files.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to read security files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_ioctl_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
++ ')
++
+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Read all process ID files.
++')
++
++########################################
++## <summary>
+## rw any files inherited from another process
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <rolecap/>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <param name="object_type">
+## <summary>
+## Object type.
+## </summary>
+## </param>
- #
--interface(`files_read_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Delete all process IDs.
++')
++
++########################################
++## <summary>
+## Allow any file point to be the entrypoint of this domain
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',`
- ## </param>
- ## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
+ allow $1 file_type:file entrypoint;
- ')
-
- ########################################
- ## <summary>
--## Delete all process ID directories.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++## <summary>
+## Do not audit attempts to read or write
+## all leaked files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain alloed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute file_type;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ## <summary>
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++## <summary>
+## Allow domain to create_file_ass all types
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',`
- ## </summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ## <summary>
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++## <summary>
+## Do not audit attempts to check the
+## access on all files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_search_spool',`
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++## <summary>
+## Do not audit attempts to write to all files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6368,186 +8025,169 @@ interface(`files_search_spool',`
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_search_spool',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ## <summary>
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++## <summary>
+## Allow domain to delete to all files
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`files_list_spool',`
++## </summary>
++## </param>
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++## <summary>
+## Transition named content in the var_run_t directory
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_manage_generic_spool_dirs',`
++## </summary>
++## </param>
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type mnt_t;
+ type usr_t;
+ type var_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
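Review bot: files_dontaudit_getattr_tmpfs_files is documented as "Do not audit attempts to getattr all tmpfs files" with a "Domain to not audit" parameter, but its body is `allow $1 tmpfsfile:file getattr;`, so every caller is granted getattr on all tmpfs files instead of having the denial silenced. Change the rule to `dontaudit $1 tmpfsfile:file getattr;`, or rename and re-document the interface if the grant is intended. In the same hunk, files_rw_tmpfs_files and files_delete_all_non_security_files contain allow rules yet describe their parameter as "Domain to not audit", and files_filetrans_named_content passes etc_runtime_t to files_root_filetrans() without listing it in the gen_require block shown.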
@@ -13544,15 +11536,13 @@ index 64ff4d7..87c124c 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
- ')
-
- ########################################
- ## <summary>
--## Read generic spool files.
++')
++
++########################################
++## <summary>
+## Make the specified type a
+## base file.
- ## </summary>
--## <param name="domain">
++## </summary>
+## <desc>
+## <p>
+## Identify file type as base file type. Tools will use this attribute,
@@ -13560,185 +11550,103 @@ index 64ff4d7..87c124c 100644
+## </p>
+## </desc>
+## <param name="file_type">
- ## <summary>
--## Domain allowed access.
++## <summary>
+## Type to be used as a base files.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <infoflow type="none"/>
- #
--interface(`files_read_generic_spool',`
++#
+interface(`files_base_file',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_file_type;
- ')
--
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++## <summary>
+## Make the specified type a
+## base read only file.
- ## </summary>
--## <param name="domain">
++## </summary>
+## <desc>
+## <p>
+## Make the specified type readable for all domains.
+## </p>
+## </desc>
+## <param name="file_type">
- ## <summary>
--## Domain allowed access.
++## <summary>
+## Type to be used as a base read only files.
- ## </summary>
- ## </param>
++## </summary>
++## </param>
+## <infoflow type="none"/>
- #
--interface(`files_manage_generic_spool',`
++#
+interface(`files_ro_base_file',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
+ files_base_file($1)
+ typeattribute $1 base_ro_file_type;
- ')
-
- ########################################
- ## <summary>
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++## <summary>
+## Read all ro base files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
--## <param name="file">
--## <summary>
--## Type to which the created node will be transitioned.
--## </summary>
--## </param>
--## <param name="class">
--## <summary>
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--## </summary>
--## </param>
--## <param name="name" optional="true">
--## <summary>
--## The name of the object being created.
--## </summary>
--## </param>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_read_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
- ')
-
- ########################################
- ## <summary>
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++## <summary>
+## Execute all base ro files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+## <rolecap/>
- #
--interface(`files_polyinstantiate_all',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ## <summary>
--## Unconfined access to files.
++')
++
++########################################
++## <summary>
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',`
- ## </summary>
- ## </param>
- #
--interface(`files_unconfined',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ attribute file_type;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
++')
+
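Review bot: files_config_all_files grants `allow $1 file_type:service all_service_perms;`, which is every service permission on every file type, while its summary only says "modify the systemd configuration of any file". Please reword the summary so it states the actual scope of the grant, so that a caller reading the interface documentation can see how broad it is.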
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 148d87a..822f6be 100644
@@ -13961,7 +11869,7 @@ index cda5588..3035829 100644
+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/[^/]*/gvfs/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..60b2ce1 100644
+index 8416beb..0776923 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -14024,7 +11932,14 @@ index 8416beb..60b2ce1 100644
## list cgroup directories.
## </summary>
## <param name="domain">
-@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
+@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`fs_list_cgroup_dirs', `
++interface(`fs_list_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -18196,7 +16111,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..8bd910a 100644
+index 5da7870..3577c24 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1)
@@ -18516,7 +16431,7 @@ index 5da7870..8bd910a 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +363,21 @@ ifndef(`distro_redhat',`
+@@ -176,3 +363,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -18535,7 +16450,8 @@ index 5da7870..8bd910a 100644
+ allow staff_t self:fifo_file relabelfrom;
+ dev_rw_kvm(staff_t)
+ virt_manage_images(staff_t)
-+ virt_stream_connect_svirt(staff_t)
++ virt_stream_connect_svirt(staff_t)
++ virt_exec(staff_t)
+ ')
+')
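Review bot: the new `virt_exec(staff_t)` line has no comment at the call site explaining why staff_t needs to execute the virtd binary itself; the only rationale is the commit message entry "Allow staff_t to execute virtd_exec_t for running vms". Add a short comment above the call naming the use case. The virt_stream_connect_svirt(staff_t) line just above it is removed and re-added with the same text, so that pair looks like a whitespace-only change that could be dropped from the patch.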
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
@@ -25455,7 +23371,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..792df83 100644
+index 3efd5b6..5188076 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -25477,7 +23393,12 @@ index 3efd5b6..792df83 100644
')
########################################
-@@ -57,6 +63,8 @@ interface(`auth_use_pam',`
+@@ -53,10 +59,12 @@ interface(`auth_use_pam',`
+ auth_read_login_records($1)
+ auth_append_login_records($1)
+ auth_rw_lastlog($1)
+- auth_rw_faillog($1)
++ auth_manage_faillog($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
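Review bot: in auth_use_pam, replacing `auth_rw_faillog($1)` with `auth_manage_faillog($1)` widens every domain that calls this interface from read/write to manage on the faillog, and the commit message has no entry that mentions faillog. If only one PAM consumer needs the extra access, grant it in that domain's own policy and keep auth_rw_faillog here; otherwise please record the reason in the changelog.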
@@ -34542,7 +32463,7 @@ index 3822072..1029e3b 100644
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..d08ae58 100644
+index ec01d0b..73ef1e8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -34761,7 +32682,7 @@ index ec01d0b..d08ae58 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,38 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -34769,10 +32690,6 @@ index ec01d0b..d08ae58 100644
-auth_run_chk_passwd(newrole_t, newrole_roles)
-auth_run_upd_passwd(newrole_t, newrole_roles)
-auth_rw_faillog(newrole_t)
-+#auth_use_nsswitch(newrole_t)
-+#auth_run_chk_passwd(newrole_t, newrole_roles)
-+#auth_run_upd_passwd(newrole_t, newrole_roles)
-+#auth_rw_faillog(newrole_t)
+auth_use_pam(newrole_t)
# Write to utmp.
@@ -34807,7 +32724,7 @@ index ec01d0b..d08ae58 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -309,7 +356,7 @@ if(secure_mode) {
+@@ -309,7 +352,7 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
@@ -34816,7 +32733,7 @@ index ec01d0b..d08ae58 100644
files_polyinstantiate_all(newrole_t)
')
-@@ -328,9 +375,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -34831,7 +32748,7 @@ index ec01d0b..d08ae58 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
-@@ -341,16 +392,17 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
@@ -34851,7 +32768,7 @@ index ec01d0b..d08ae58 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -366,21 +418,24 @@ optional_policy(`
+@@ -366,21 +414,24 @@ optional_policy(`
# Run_init local policy
#
@@ -34878,7 +32795,7 @@ index ec01d0b..d08ae58 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
-@@ -398,23 +453,30 @@ selinux_compute_create_context(run_init_t)
+@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -34914,7 +32831,7 @@ index ec01d0b..d08ae58 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
-@@ -425,6 +487,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -34934,7 +32851,7 @@ index ec01d0b..d08ae58 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -440,81 +515,87 @@ optional_policy(`
+@@ -440,81 +511,87 @@ optional_policy(`
# semodule local policy
#
@@ -35075,7 +32992,7 @@ index ec01d0b..d08ae58 100644
')
########################################
-@@ -522,108 +603,178 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 59d0278..e01db22 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -6715,7 +6715,7 @@ index f3c0aba..5189407 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..7e05d8c 100644
+index b236327..f194ee1 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -6728,7 +6728,18 @@ index b236327..7e05d8c 100644
########################################
#
# Local policy
-@@ -54,7 +57,6 @@ kernel_read_system_state(apcupsd_t)
+@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+ allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
+ files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
+
+-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
++manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
+ logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
+
+ manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
corecmd_exec_bin(apcupsd_t)
corecmd_exec_shell(apcupsd_t)
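Review bot: swapping the append/create/setattr patterns on apcupsd_log_t for `manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)` gives apcupsd_t write, rename and unlink on its own logs, so the daemon can now rewrite or delete earlier entries. If the denial behind "Allow apcupsd_t to manage its log files" was for a single missing permission, add just that permission and keep the log append-only.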
@@ -6736,7 +6747,7 @@ index b236327..7e05d8c 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,6 +69,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,6 +67,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -6744,7 +6755,7 @@ index b236327..7e05d8c 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +77,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +75,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -6772,7 +6783,7 @@ index b236327..7e05d8c 100644
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -112,7 +119,6 @@ optional_policy(`
+@@ -112,7 +117,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -8088,7 +8099,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..6bf02f0 100644
+index 076ffee..e3dbd11 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8110,9 +8121,12 @@ index 076ffee..6bf02f0 100644
type named_log_t;
logging_log_file(named_log_t)
-@@ -70,6 +73,7 @@ role ndc_roles types ndc_t;
+@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
+ # Local policy
+ #
- allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
+-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
dontaudit named_t self:capability sys_tty_config;
+allow named_t self:capability2 block_suspend;
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
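Review bot: net_admin is added to the named_t capability set unconditionally, while the only justification is the commit message entry "Allow unbound net_admin capability because of setsockopt syscall". net_admin covers far more than one setsockopt call, so please add a comment above the rule naming the caller and the socket option involved, and consider whether a dontaudit rule is enough if the daemon still works when the call is denied.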
@@ -9905,7 +9919,7 @@ index 2354e21..fb8c9ed 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..8da9f32 100644
+index 403af41..48a40cd 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t;
@@ -9943,7 +9957,7 @@ index 403af41..8da9f32 100644
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
-+ apache_exec(certwatch_t)
++ apache_domtrans(certwatch_t)
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
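Review bot: `apache_domtrans(certwatch_t)` replaces `apache_exec(certwatch_t)`, which changes certwatch from executing the apache binary in certwatch_t to transitioning into the apache domain, and the commit message has no entry for certwatch. Please state what failed with apache_exec, and check whether the apache_exec_modules and apache_read_config calls kept below are still needed once the binary no longer runs in certwatch_t.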
@@ -10183,19 +10197,22 @@ index fdee107..7a38b63 100644
+logging_send_syslog_msg(cgred_t)
diff --git a/chrome.fc b/chrome.fc
new file mode 100644
-index 0000000..88107d7
+index 0000000..57866f6
--- /dev/null
+++ b/chrome.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,9 @@
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
++
++HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
++HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if
new file mode 100644
-index 0000000..36bd6be
+index 0000000..5977d96
--- /dev/null
+++ b/chrome.if
@@ -0,0 +1,134 @@
@@ -10285,9 +10302,9 @@ index 0000000..36bd6be
+
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write };
++ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
-+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+
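Review bot: the new chrome_sandbox_t rule ends in a doubled semicolon (`rw_inherited_sock_file_perms;;`); it should be a single `;`. Both new rules also apply a permission set named for the sock_file class to the unix_stream_socket class, so please confirm every permission in that set is valid for unix_stream_socket, or spell the permissions out as the replaced lines did.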
@@ -10335,10 +10352,10 @@ index 0000000..36bd6be
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..6300c78
+index 0000000..41d3959
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,205 @@
+@@ -0,0 +1,220 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10365,6 +10382,9 @@ index 0000000..6300c78
+role system_r types chrome_sandbox_nacl_t;
+ubac_constrained(chrome_sandbox_nacl_t)
+
++type chrome_sandbox_home_t;
++userdom_user_home_content(chrome_sandbox_home_t)
++
+########################################
+#
+# chrome_sandbox local policy
@@ -10382,12 +10402,17 @@ index 0000000..6300c78
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
++userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
+
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
-+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file)
++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
+
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
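Review bot: fs_tmpfs_filetrans now covers `{ file dir }`, but the only rule on chrome_sandbox_tmpfs_t in the lines shown is manage_files_pattern, so a directory created on tmpfs would receive the type without any directory permissions to go with it. Add a matching manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t), or keep the transition file-only.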
@@ -10444,6 +10469,9 @@ index 0000000..6300c78
+optional_policy(`
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
++
+')
+
+optional_policy(`
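Review bot: the second gnome_cache_filetrans call uses the name "chrome", but the chrome.fc entries added in this same commit label `HOME_DIR/\.cache/google-chrome(/.*)?`, so the named transition does not match the directory the file contexts expect. Use "google-chrome" if that is the directory name, which is what the commit message entry "Fix location of google-chrome data" suggests. The empty added line before the closing `')` can be dropped as well.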
@@ -10520,10 +10548,14 @@ index 0000000..6300c78
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
+
++manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
++
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
-+corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++corecmd_bin_entry_type(chrome_sandbox_nacl_t)
+
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
@@ -11887,7 +11919,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..afeb58c 100644
+index 6471fa8..ace40ae 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -11905,28 +11937,37 @@ index 6471fa8..afeb58c 100644
########################################
#
# Local policy
-@@ -38,6 +44,7 @@ allow collectd_t self:process { getsched setsched signal };
+@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
allow collectd_t self:unix_stream_socket { accept listen };
-+allow collectd_t self:netlink_tcpdiag_socket create_socket_perms;
++allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++allow collectd_t self:udp_socket create_socket_perms;
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -48,21 +55,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+ manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
+ files_pid_filetrans(collectd_t, collectd_var_run_t, file)
- domain_use_interactive_fds(collectd_t)
+-domain_use_interactive_fds(collectd_t)
++kernel_read_all_sysctls(collectd_t)
++kernel_read_all_proc(collectd_t)
++kernel_list_all_proc(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
-+kernel_read_all_sysctls(collectd_t)
-+kernel_read_all_proc(collectd_t)
++corenet_udp_bind_generic_node(collectd_t)
++corenet_udp_bind_collectd_port(collectd_t)
dev_read_rand(collectd_t)
dev_read_sysfs(collectd_t)
dev_read_urand(collectd_t)
++domain_use_interactive_fds(collectd_t)
++domain_read_all_domains_state(collectd_t)
++
files_getattr_all_dirs(collectd_t)
-files_read_etc_files(collectd_t)
-files_read_usr_files(collectd_t)
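Review bot: domain_read_all_domains_state(collectd_t), added next to kernel_read_all_proc and kernel_list_all_proc, lets collectd_t read the /proc state of every domain on the system, with no comment on which plugin needs it. If only some collectd plugins require per-process data, put this line behind a tunable or at least name the plugin in a comment. The same goes for the new udp_socket and corenet_udp_bind_generic_node lines: a short comment tying them to the collectd port would make the intent clear.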
@@ -11938,7 +11979,7 @@ index 6471fa8..afeb58c 100644
logging_send_syslog_msg(collectd_t)
-@@ -80,11 +84,17 @@ optional_policy(`
+@@ -80,11 +90,17 @@ optional_policy(`
########################################
#
@@ -16289,7 +16330,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..c861b5b 100644
+index 9f34c2e..52c170f 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16629,7 +16670,7 @@ index 9f34c2e..c861b5b 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16639,9 +16680,10 @@ index 9f34c2e..c861b5b 100644
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
-
--domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-
+-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
++can_exec(cupsd_config_t, cupsd_exec_t)
+
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
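Review bot: the added can_exec(cupsd_config_t, cupsd_exec_t) lets the config tool run the cupsd binary inside cupsd_config_t with no domain transition, and nothing in the changelog covers it. Say in a comment which cupsd invocation needs this; if the daemon itself is being started from the config tool, a transition into cupsd_t would keep it in its own domain.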
@@ -16649,7 +16691,7 @@ index 9f34c2e..c861b5b 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16670,7 +16712,7 @@ index 9f34c2e..c861b5b 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16682,7 +16724,7 @@ index 9f34c2e..c861b5b 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +471,12 @@ optional_policy(`
+@@ -452,9 +472,12 @@ optional_policy(`
')
optional_policy(`
@@ -16696,7 +16738,7 @@ index 9f34c2e..c861b5b 100644
')
optional_policy(`
-@@ -490,10 +512,6 @@ optional_policy(`
+@@ -490,10 +513,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16707,7 +16749,7 @@ index 9f34c2e..c861b5b 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16740,7 +16782,7 @@ index 9f34c2e..c861b5b 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +555,6 @@ optional_policy(`
+@@ -546,7 +556,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16748,7 +16790,7 @@ index 9f34c2e..c861b5b 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16900,7 +16942,7 @@ index 9f34c2e..c861b5b 100644
########################################
#
-@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16908,7 +16950,7 @@ index 9f34c2e..c861b5b 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16922,7 +16964,7 @@ index 9f34c2e..c861b5b 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -23993,7 +24035,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..16c0ddd 100644
+index e0a4f46..79bc951 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -24027,7 +24069,7 @@ index e0a4f46..16c0ddd 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,21 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -24040,6 +24082,7 @@ index e0a4f46..16c0ddd 100644
corenet_tcp_sendrecv_all_ports(glance_domain)
corenet_tcp_bind_generic_node(glance_domain)
+corenet_tcp_connect_mysqld_port(glance_domain)
++corenet_tcp_connect_http_port(glance_domain)
corecmd_exec_bin(glance_domain)
corecmd_exec_shell(glance_domain)
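Review bot: corenet_tcp_connect_http_port is granted to the glance_domain attribute, so glance_api_t and glance_registry_t both receive it. If only one of the two connects to apache ports, move the call into that domain's local policy section rather than the shared one.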
@@ -24057,7 +24100,7 @@ index e0a4f46..16c0ddd 100644
sysnet_dns_name_resolve(glance_domain)
########################################
-@@ -88,8 +84,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -24072,7 +24115,7 @@ index e0a4f46..16c0ddd 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +110,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -32070,7 +32113,7 @@ index e736c45..4b1e1e4 100644
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
-index c530214..eadf7e0 100644
+index c530214..641f494 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -32103,7 +32146,7 @@ index c530214..eadf7e0 100644
########################################
## <summary>
## All of the rules required to
-@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -57,21 +80,24 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
@@ -32132,11 +32175,9 @@ index c530214..eadf7e0 100644
logging_search_logs($1)
admin_pattern($1, ksmtuned_log_t)
+
-+ ksmtuned_systemctl($1)
-+ admin_pattern($1, ksmtuned_unit_file_t)
-+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
-+
-+
++ ksmtuned_systemctl($1)
++ admin_pattern($1, ksmtuned_unit_file_t)
++ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
index c1539b5..fd0a17f 100644
@@ -37336,7 +37377,7 @@ index 6194b80..116d9d2 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..3ac5d92 100644
+index 6a306ee..66e7ada 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37345,7 +37386,7 @@ index 6a306ee..3ac5d92 100644
########################################
#
-@@ -6,17 +6,27 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
#
## <desc>
@@ -37362,6 +37403,13 @@ index 6a306ee..3ac5d92 100644
+
+## <desc>
+## <p>
++## Allow mozilla plugin to support spice protocols.
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_use_spice, false)
++
++## <desc>
++## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
@@ -37378,7 +37426,7 @@ index 6a306ee..3ac5d92 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +34,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -37388,7 +37436,7 @@ index 6a306ee..3ac5d92 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +44,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -37423,7 +37471,7 @@ index 6a306ee..3ac5d92 100644
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +71,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -37434,7 +37482,7 @@ index 6a306ee..3ac5d92 100644
########################################
#
# Local policy
-@@ -75,27 +79,30 @@ optional_policy(`
+@@ -75,27 +86,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -37478,7 +37526,7 @@ index 6a306ee..3ac5d92 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +110,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -37586,7 +37634,7 @@ index 6a306ee..3ac5d92 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +181,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -37594,15 +37642,15 @@ index 6a306ee..3ac5d92 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37697,7 +37745,7 @@ index 6a306ee..3ac5d92 100644
')
optional_policy(`
-@@ -244,19 +261,12 @@ optional_policy(`
+@@ -244,19 +268,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -37719,7 +37767,7 @@ index 6a306ee..3ac5d92 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +275,32 @@ optional_policy(`
+@@ -265,33 +282,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -37732,34 +37780,34 @@ index 6a306ee..3ac5d92 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ lpd_domtrans_lpr(mozilla_t)
++ java_domtrans(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ nscd_socket_use(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
++ nscd_socket_use(mozilla_t)
++')
++
++optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -37767,7 +37815,7 @@ index 6a306ee..3ac5d92 100644
')
optional_policy(`
-@@ -300,221 +309,174 @@ optional_policy(`
+@@ -300,221 +316,174 @@ optional_policy(`
########################################
#
@@ -37849,12 +37897,12 @@ index 6a306ee..3ac5d92 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
--
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -38084,7 +38132,7 @@ index 6a306ee..3ac5d92 100644
')
optional_policy(`
-@@ -523,36 +485,47 @@ optional_policy(`
+@@ -523,36 +492,47 @@ optional_policy(`
')
optional_policy(`
@@ -38145,7 +38193,7 @@ index 6a306ee..3ac5d92 100644
')
optional_policy(`
-@@ -560,7 +533,7 @@ optional_policy(`
+@@ -560,7 +540,7 @@ optional_policy(`
')
optional_policy(`
@@ -38154,7 +38202,7 @@ index 6a306ee..3ac5d92 100644
')
optional_policy(`
-@@ -568,108 +541,109 @@ optional_policy(`
+@@ -568,108 +548,113 @@ optional_policy(`
')
optional_policy(`
@@ -38310,13 +38358,10 @@ index 6a306ee..3ac5d92 100644
-optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
--')
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
-
--optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
++
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
+#')
@@ -38324,6 +38369,12 @@ index 6a306ee..3ac5d92 100644
+tunable_policy(`selinuxuser_execmod',`
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_use_spice',`
++ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ ')
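Review bot: the new tunable_policy(`mozilla_plugin_use_spice') block grants dev_rw_generic_usb_dev(mozilla_plugin_t), that is, read/write on generic USB device nodes, while the boolean's description only says "Allow mozilla plugin to support spice protocols". State the USB device access in the <desc> text so an administrator enabling the boolean knows what is being granted, and check whether a narrower device interface would cover the spice case.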
diff --git a/mpd.fc b/mpd.fc
index 313ce52..6aa46d2 100644
--- a/mpd.fc
@@ -42355,7 +42406,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..5ba0194 100644
+index 44ad3b7..d731adf 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -42505,7 +42556,15 @@ index 44ad3b7..5ba0194 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -411,6 +411,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -391,6 +391,7 @@ optional_policy(`
+
+ optional_policy(`
+ mysql_stream_connect(nagios_services_plugin_t)
++ mysql_read_config(nagios_services_plugin_t)
+ ')
+
+ optional_policy(`
+@@ -411,6 +412,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -42513,7 +42572,7 @@ index 44ad3b7..5ba0194 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +421,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +422,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -42526,7 +42585,7 @@ index 44ad3b7..5ba0194 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,6 +443,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,6 +444,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -42541,7 +42600,7 @@ index 44ad3b7..5ba0194 100644
########################################
#
# Unconfined plugin policy
-@@ -450,3 +459,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+@@ -450,3 +460,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -50676,28 +50735,59 @@ index dfd46e4..9515043 100644
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/pegasus.if b/pegasus.if
-index d2fc677..22b745a 100644
+index d2fc677..ded726f 100644
--- a/pegasus.if
+++ b/pegasus.if
-@@ -1,52 +1,37 @@
+@@ -1,52 +1,59 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
--########################################
+######################################
- ## <summary>
--## All of the rules required to
--## administrate an pegasus environment.
++## <summary>
+## Creates types and rules for a basic
+## openlmi init daemon domain.
- ## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
++## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
++## </param>
++#
++template(`pegasus_openlmi_domain_template',`
++ gen_require(`
++ attribute pegasus_openlmi_domain;
++ type pegasus_t;
++ ')
++
++ ##############################
++ #
++ # Declarations
++ #
++
++ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
++ type pegasus_openlmi_$1_exec_t;
++ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
++
++ ##############################
++ #
++ # Local policy
++ #
++
++ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
++
++ kernel_read_system_state(pegasus_openlmi_$1_t)
++ logging_send_syslog_msg(pegasus_openlmi_$1_t)
++')
++
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an pegasus environment.
++## Connect to pegasus over a unix stream socket.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
## </param>
-## <param name="role">
-## <summary>
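Review bot: in pegasus_openlmi_domain_template the provider type is declared with init_daemon_domain() and is also entered from pegasus_t through domtrans_pattern(). If providers are only ever started by the CIM server, the init transition that init_daemon_domain() brings is not needed; please confirm, or add a comment explaining why both entry paths exist. Adding `type pegasus_t;` to gen_require is correct, since the domtrans_pattern line names it.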
@@ -50707,12 +50797,14 @@ index d2fc677..22b745a 100644
-## <rolecap/>
#
-interface(`pegasus_admin',`
-- gen_require(`
++interface(`pegasus_stream_connect',`
+ gen_require(`
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
- type pegasus_mof_t, pegasus_var_run_t;
-- ')
--
++ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
+ ')
+
- allow $1 pegasus_t:process { ptrace signal_perms };
- ps_process_pattern($1, pegasus_t)
-
@@ -50736,34 +50828,14 @@ index d2fc677..22b745a 100644
- files_search_var_lib($1)
- admin_pattern($1, pegasus_data_t)
-
-- files_search_pids($1)
+ files_search_pids($1)
- admin_pattern($1, pegasus_var_run_t)
-+template(`pegasus_openlmi_domain_template',`
-+ gen_require(`
-+ attribute pegasus_openlmi_domain;
-+ ')
-+
-+ ##############################
-+ #
-+ # Declarations
-+ #
-+
-+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
-+ type $1_exec_t;
-+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
-+
-+ ##############################
-+ #
-+ # Local policy
-+ #
-+
-+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
-+
-+ kernel_read_system_state(pegasus_openlmi_$1_t)
-+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
++ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
++ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
')
++
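Review bot: pegasus_stream_connect() calls files_search_pids($1) but its second stream_connect_pattern targets pegasus_tmp_t, and there is no matching files_search_tmp($1), so a caller may not be able to reach a socket under the tmp directory. Add the search call or drop the pegasus_tmp_t line if the socket only lives in the pid directory. The trailing `++` also adds an empty line at the end of pegasus.if.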
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..36032a6 100644
+index 7bcf327..832de74 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -50787,22 +50859,62 @@ index 7bcf327..36032a6 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,33 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,73 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers
-+#pegasus_openlmi_domain_template(account)
++pegasus_openlmi_domain_template(account)
+
+#######################################
+#
+# pegasus openlmi providers local policy
+#
+
++allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
++
++list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
++
+corecmd_exec_bin(pegasus_openlmi_domain)
+
+sysnet_read_config(pegasus_openlmi_domain)
+
++optional_policy(`
++ pegasus_stream_connect(pegasus_openlmi_domain)
++')
++
++######################################
++#
++# pegasus openlmi account local policy
++#
++
++allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override };
++allow pegasus_openlmi_account_t self:process setfscreate;
++
++auth_manage_passwd(pegasus_openlmi_account_t)
++auth_manage_shadow(pegasus_openlmi_account_t)
++auth_relabel_shadow(pegasus_openlmi_account_t)
++auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
++
++init_rw_utmp(pegasus_openlmi_account_t)
++
++logging_send_syslog_msg(pegasus_openlmi_account_t)
++
++seutil_read_config(pegasus_openlmi_account_t)
++seutil_read_file_contexts(pegasus_openlmi_account_t)
++seutil_read_default_contexts(pegasus_openlmi_account_t)
++
++# Add/remove user home directories
++userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
++userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
++userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
++
++optional_policy(`
++ # run userdel
++ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
++')
++
########################################
#
-# Local policy
@@ -50825,7 +50937,7 @@ index 7bcf327..36032a6 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
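Review bot: pegasus_openlmi_account_t is given auth_manage_shadow, auth_relabel_shadow and the dac_override capability directly, and in the same section also gets usermanage_domtrans_useradd. If account changes are carried out through the useradd transition, the direct shadow access can probably go; if both are needed, a comment should say why. Smaller points: the comment `# run userdel` sits above a useradd transition, logging_send_syslog_msg(pegasus_openlmi_account_t) repeats what the template already grants to pegasus_openlmi_$1_t, and pegasus_stream_connect() is wrapped in optional_policy although it is defined in this module.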
-@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +106,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -50856,7 +50968,7 @@ index 7bcf327..36032a6 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +132,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -50889,7 +51001,7 @@ index 7bcf327..36032a6 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +160,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -50897,7 +51009,7 @@ index 7bcf327..36032a6 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +135,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +175,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -50929,7 +51041,7 @@ index 7bcf327..36032a6 100644
')
optional_policy(`
-@@ -151,16 +165,19 @@ optional_policy(`
+@@ -151,16 +205,19 @@ optional_policy(`
')
optional_policy(`
@@ -50953,7 +51065,7 @@ index 7bcf327..36032a6 100644
')
optional_policy(`
-@@ -168,7 +185,7 @@ optional_policy(`
+@@ -168,7 +225,7 @@ optional_policy(`
')
optional_policy(`
@@ -53264,7 +53376,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..3ad3019 100644
+index 49694e8..12483ae 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -53296,7 +53408,7 @@ index 49694e8..3ad3019 100644
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
-@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,65 @@ files_pid_file(policykit_var_run_t)
#######################################
#
@@ -53363,6 +53475,7 @@ index 49694e8..3ad3019 100644
+fs_getattr_all_fs(policykit_t)
fs_list_inotifyfs(policykit_t)
++fs_list_cgroup_dirs(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -53380,7 +53493,7 @@ index 49694e8..3ad3019 100644
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
-@@ -109,29 +105,43 @@ optional_policy(`
+@@ -109,29 +106,43 @@ optional_policy(`
')
optional_policy(`
@@ -53432,7 +53545,7 @@ index 49694e8..3ad3019 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +156,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -53442,7 +53555,7 @@ index 49694e8..3ad3019 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-@@ -157,53 +164,64 @@ files_search_home(policykit_auth_t)
+@@ -157,53 +165,64 @@ files_search_home(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t)
@@ -53517,7 +53630,7 @@ index 49694e8..3ad3019 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +229,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -53544,7 +53657,7 @@ index 49694e8..3ad3019 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +250,28 @@ optional_policy(`
+@@ -235,26 +251,28 @@ optional_policy(`
########################################
#
@@ -53579,7 +53692,7 @@ index 49694e8..3ad3019 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +283,7 @@ optional_policy(`
+@@ -266,6 +284,7 @@ optional_policy(`
')
optional_policy(`
@@ -55203,7 +55316,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..a9c1d4b 100644
+index 191a66f..e9e96bd 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -55297,9 +55410,8 @@ index 191a66f..a9c1d4b 100644
########################################
#
-# Common postfix domain local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
@@ -55387,8 +55499,9 @@ index 191a66f..a9c1d4b 100644
-########################################
-#
-# Master local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -55412,10 +55525,10 @@ index 191a66f..a9c1d4b 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-+
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
++
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -55462,17 +55575,17 @@ index 191a66f..a9c1d4b 100644
+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-
+-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-+kernel_read_all_sysctls(postfix_master_t)
-
--can_exec(postfix_master_t, postfix_exec_t)
-
+-can_exec(postfix_master_t, postfix_exec_t)
+
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
--
++kernel_read_all_sysctls(postfix_master_t)
+
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
@@ -55875,7 +55988,7 @@ index 191a66f..a9c1d4b 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +577,78 @@ optional_policy(`
+@@ -647,67 +577,77 @@ optional_policy(`
########################################
#
@@ -55921,12 +56034,11 @@ index 191a66f..a9c1d4b 100644
+allow postfix_showq_t self:tcp_socket create_socket_perms;
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)
-+
+
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
+
+postfix_list_spool(postfix_showq_t)
-
++
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
@@ -55972,7 +56084,7 @@ index 191a66f..a9c1d4b 100644
')
optional_policy(`
-@@ -720,24 +661,27 @@ optional_policy(`
+@@ -720,24 +660,27 @@ optional_policy(`
########################################
#
@@ -56006,7 +56118,7 @@ index 191a66f..a9c1d4b 100644
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-@@ -754,6 +698,7 @@ optional_policy(`
+@@ -754,6 +697,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -56014,7 +56126,7 @@ index 191a66f..a9c1d4b 100644
')
optional_policy(`
-@@ -764,31 +709,99 @@ optional_policy(`
+@@ -764,31 +708,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -56081,7 +56193,7 @@ index 191a66f..a9c1d4b 100644
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
-+manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t)
++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
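Review bot: `manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)` gives create, write and unlink on the pid files to every domain carrying the postfix_domain attribute, which is wider than the `rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)` line this revision drops from the showq section. If the attribute-wide rule is intended, a comment naming the helpers that really create files under the pid directory would help; otherwise keep manage on the domains that create them and leave the rest with read or rw.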
@@ -68023,7 +68135,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..427ea8c 100644
+index e5212e6..ede6c81 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -68234,7 +68346,7 @@ index e5212e6..427ea8c 100644
')
########################################
-@@ -195,41 +141,54 @@ optional_policy(`
+@@ -195,41 +141,55 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -68259,9 +68371,10 @@ index e5212e6..427ea8c 100644
+corenet_udp_bind_all_rpc_ports(nfsd_t)
corenet_tcp_bind_nfs_port(nfsd_t)
corenet_udp_bind_nfs_port(nfsd_t)
-
--corecmd_exec_shell(nfsd_t)
-
+-corecmd_exec_shell(nfsd_t)
++corenet_udp_bind_mountd_port(nfsd_t)
+
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
dev_rw_lvm_control(nfsd_t)
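Review bot: only the UDP side of the mountd port is opened by `corenet_udp_bind_mountd_port(nfsd_t)`, while the nfs port two lines up is bound on both TCP and UDP. Please confirm nfs-mountd.service never needs the TCP bind from nfsd_t, or add the TCP counterpart in the same place. A one-line comment on why nfsd_t (rather than the mountd domain) binds this port would also help, since `corenet_udp_bind_all_rpc_ports(nfsd_t)` is already present above.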
@@ -68296,7 +68409,7 @@ index e5212e6..427ea8c 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -68304,7 +68417,7 @@ index e5212e6..427ea8c 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -68319,7 +68432,7 @@ index e5212e6..427ea8c 100644
')
########################################
-@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -68327,7 +68440,7 @@ index e5212e6..427ea8c 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +238,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +239,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -68360,7 +68473,7 @@ index e5212e6..427ea8c 100644
')
optional_policy(`
-@@ -306,8 +269,7 @@ optional_policy(`
+@@ -306,8 +270,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -79810,10 +79923,10 @@ index 9992e62..47f1802 100644
+
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
diff --git a/svnserve.fc b/svnserve.fc
-index effffd0..5ab0840 100644
+index effffd0..12ca090 100644
--- a/svnserve.fc
+++ b/svnserve.fc
-@@ -1,8 +1,12 @@
+@@ -1,8 +1,13 @@
-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
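Review bot: the replacement line `/etc/rc.d/init.d/svnserve` drops the `\.` escapes that the removed line had. File context path specifications are regular expressions, so an unescaped `.` matches any character and the entry no longer pins the literal path. Suggest keeping `/etc/rc\.d/init\.d/svnserve` as in the line being removed.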
@@ -79829,6 +79942,7 @@ index effffd0..5ab0840 100644
+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+
++/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
diff --git a/svnserve.if b/svnserve.if
@@ -79968,10 +80082,10 @@ index 2ac91b6..dd2ac36 100644
')
+
diff --git a/svnserve.te b/svnserve.te
-index c6aaac7..dc3f167 100644
+index c6aaac7..a5600a8 100644
--- a/svnserve.te
+++ b/svnserve.te
-@@ -12,6 +12,9 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
+@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
type svnserve_initrc_exec_t;
init_script_file(svnserve_initrc_exec_t)
@@ -79981,7 +80095,28 @@ index c6aaac7..dc3f167 100644
type svnserve_content_t;
files_type(svnserve_content_t)
-@@ -34,9 +37,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
+ type svnserve_var_run_t;
+ files_pid_file(svnserve_var_run_t)
+
++type svnserve_tmp_t;
++files_tmp_file(svnserve_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
+ allow svnserve_t self:tcp_socket create_stream_socket_perms;
+ allow svnserve_t self:unix_stream_socket { listen accept };
+
++manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
++files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
++
+ manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+ manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
+
+@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
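Review bot: `files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })` does not list lnk_file, although `manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)` is granted just above it. A symlink that svnserve_t creates directly in the tmp directory would keep the generic tmp label and fall outside the new rules. Either add lnk_file to the class set or drop the lnk_file manage rule if svnserve never creates symlinks there. The new svnserve_tmp_t type would also benefit from a short comment on what svnserve writes to tmp.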
@@ -79991,7 +80126,7 @@ index c6aaac7..dc3f167 100644
corenet_all_recvfrom_unlabeled(svnserve_t)
corenet_all_recvfrom_netlabel(svnserve_t)
corenet_tcp_sendrecv_generic_if(svnserve_t)
-@@ -54,6 +54,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
+@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
logging_send_syslog_msg(svnserve_t)
@@ -85244,7 +85379,7 @@ index c30da4c..d60e3e4 100644
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..6e25af1 100644
+index 9dec06c..7877729 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -85386,38 +85521,19 @@ index 9dec06c..6e25af1 100644
## </summary>
## </param>
#
-@@ -125,51 +56,32 @@ interface(`virt_image',`
+@@ -125,31 +56,32 @@ interface(`virt_image',`
typeattribute $1 virt_image_type;
files_type($1)
-- dev_node($1)
--')
--
--########################################
--## <summary>
--## Execute a domain transition to run virtd.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed to transition.
--## </summary>
--## </param>
--#
--interface(`virt_domtrans',`
-- gen_require(`
-- type virtd_t, virtd_exec_t;
-- ')
-
-- corecmd_search_bin($1)
-- domtrans_pattern($1, virtd_exec_t, virtd_t)
++
+ # virt images can be assigned to blk devices
-+ dev_node($1)
+ dev_node($1)
')
-########################################
+#######################################
## <summary>
--## Execute a domain transition to run virt qmf.
+-## Execute a domain transition to run virtd.
+## Getattr on virt executable.
## </summary>
## <param name="domain">
@@ -85429,9 +85545,9 @@ index 9dec06c..6e25af1 100644
+## </summary>
## </param>
#
--interface(`virt_domtrans_qmf',`
+-interface(`virt_domtrans',`
- gen_require(`
-- type virt_qmf_t, virt_qmf_exec_t;
+- type virtd_t, virtd_exec_t;
- ')
+interface(`virt_getattr_exec',`
+ gen_require(`
@@ -85439,32 +85555,56 @@ index 9dec06c..6e25af1 100644
+ ')
- corecmd_search_bin($1)
-- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
+- domtrans_pattern($1, virtd_exec_t, virtd_t)
+ allow $1 virtd_exec_t:file getattr;
')
########################################
## <summary>
+-## Execute a domain transition to run virt qmf.
++## Execute a domain transition to run virt.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -157,162 +89,71 @@ interface(`virt_domtrans',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_domtrans_qmf',`
++interface(`virt_domtrans',`
+ gen_require(`
+- type virt_qmf_t, virt_qmf_exec_t;
++ type virtd_t, virtd_exec_t;
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
++ domtrans_pattern($1, virtd_exec_t, virtd_t)
+ ')
+
+ ########################################
+ ## <summary>
-## Execute a domain transition to
-## run virt bridgehelper.
-+## Execute a domain transition to run virt.
++## Execute virtd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
-@@ -177,142 +89,53 @@ interface(`virt_domtrans_qmf',`
+-## Domain allowed to transition.
++## Domain allowed access.
## </summary>
## </param>
#
-interface(`virt_domtrans_bridgehelper',`
-+interface(`virt_domtrans',`
++interface(`virt_exec',`
gen_require(`
- type virt_bridgehelper_t, virt_bridgehelper_exec_t;
-+ type virtd_t, virtd_exec_t;
++ type virtd_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
-+ domtrans_pattern($1, virtd_exec_t, virtd_t)
++ can_exec($1, virtd_exec_t)
')
########################################
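Review bot: the new `virt_exec` interface contains only `can_exec($1, virtd_exec_t)` and no directory search, while the upstream `virt_domtrans` being replaced here carried `corecmd_search_bin($1)`. A caller that gets `virt_exec` but has no other path to search the bin directories will still be denied before reaching the executable. Suggest adding `corecmd_search_bin($1)` ahead of the `can_exec` line so the interface is self-contained.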
@@ -85608,7 +85748,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -320,18 +143,18 @@ interface(`virt_run_svirt_lxc_domain',`
+@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',`
## </summary>
## </param>
#
@@ -85632,7 +85772,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -339,18 +162,17 @@ interface(`virt_getattr_virtd_exec_files',`
+@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',`
## </summary>
## </param>
#
@@ -85655,7 +85795,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -369,7 +191,7 @@ interface(`virt_attach_tun_iface',`
+@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',`
########################################
## <summary>
@@ -85664,7 +85804,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -383,7 +205,6 @@ interface(`virt_read_config',`
+@@ -383,7 +223,6 @@ interface(`virt_read_config',`
')
files_search_etc($1)
@@ -85672,7 +85812,7 @@ index 9dec06c..6e25af1 100644
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -391,8 +212,7 @@ interface(`virt_read_config',`
+@@ -391,8 +230,7 @@ interface(`virt_read_config',`
########################################
## <summary>
@@ -85682,7 +85822,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -406,7 +226,6 @@ interface(`virt_manage_config',`
+@@ -406,7 +244,6 @@ interface(`virt_manage_config',`
')
files_search_etc($1)
@@ -85690,7 +85830,7 @@ index 9dec06c..6e25af1 100644
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +233,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
########################################
## <summary>
@@ -85700,7 +85840,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -450,8 +268,7 @@ interface(`virt_read_content',`
+@@ -450,8 +286,7 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -85710,7 +85850,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,35 +276,17 @@ interface(`virt_read_content',`
+@@ -459,35 +294,17 @@ interface(`virt_read_content',`
## </summary>
## </param>
#
@@ -85749,7 +85889,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -495,53 +294,40 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
@@ -85816,7 +85956,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -549,67 +335,36 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
@@ -85897,7 +86037,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -618,54 +373,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
@@ -85961,7 +86101,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -673,54 +410,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@@ -86028,7 +86168,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -728,52 +449,78 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
@@ -86062,58 +86202,75 @@ index 9dec06c..6e25af1 100644
## </summary>
## </param>
-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+-## </summary>
+-## </param>
+## <rolecap/>
-+#
+ #
+-interface(`virt_home_filetrans_virt_home',`
+interface(`virt_read_log',`
-+ gen_require(`
+ gen_require(`
+- type virt_home_t;
+ type virt_log_t;
-+ ')
-+
+ ')
+
+- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Read virt pid files.
+## Allow the specified domain to append
+## virt log files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## Class of the object being created.
-+## Domain allowed access.
+@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
--## <param name="name" optional="true">
-+#
+ #
+-interface(`virt_read_pid_files',`
+interface(`virt_append_log',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_run_t;
+ type virt_log_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## virt pid files.
+## Allow domain to manage virt log files
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
## <summary>
--## The name of the object being created.
-+## Domain allowed access.
+@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
--interface(`virt_home_filetrans_virt_home',`
+-interface(`virt_manage_pid_files',`
+interface(`virt_manage_log',`
gen_require(`
-- type virt_home_t;
+- type virt_var_run_t;
+ type virt_log_t;
')
-- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+- files_search_pids($1)
+- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
@@ -86121,50 +86278,49 @@ index 9dec06c..6e25af1 100644
########################################
## <summary>
--## Read virt pid files.
+-## Search virt lib directories.
+## Allow domain to search virt image direcories
## </summary>
## <param name="domain">
## <summary>
-@@ -781,19 +528,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
--interface(`virt_read_pid_files',`
+-interface(`virt_search_lib',`
+interface(`virt_search_images',`
gen_require(`
-- type virt_var_run_t;
+- type virt_var_lib_t;
+ attribute virt_image_type;
')
-- files_search_pids($1)
-- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+- files_search_var_lib($1)
+- allow $1 virt_var_lib_t:dir search_dir_perms;
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
')
########################################
## <summary>
--## Create, read, write, and delete
--## virt pid files.
+-## Read virt lib files.
+## Allow domain to read virt image files
## </summary>
## <param name="domain">
## <summary>
-@@ -801,18 +547,36 @@ interface(`virt_read_pid_files',`
+@@ -839,20 +565,73 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
--interface(`virt_manage_pid_files',`
+-interface(`virt_read_lib_files',`
+interface(`virt_read_images',`
gen_require(`
-- type virt_var_run_t;
-+ type virt_var_lib_t;
+ type virt_var_lib_t;
+ attribute virt_image_type;
')
-- files_search_pids($1)
-- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+- files_search_var_lib($1)
+- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
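Review bot: the summary for `virt_search_images` reads "Allow domain to search virt image direcories"; "direcories" should be "directories", since this text ends up in the generated interface documentation.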
@@ -86184,52 +86340,41 @@ index 9dec06c..6e25af1 100644
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
- ')
-
- ########################################
- ## <summary>
--## Search virt lib directories.
++')
++
++########################################
++## <summary>
+## Allow domain to read virt blk image files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -820,18 +584,17 @@ interface(`virt_manage_pid_files',`
- ## </summary>
- ## </param>
- #
--interface(`virt_search_lib',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_read_blk_images',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- allow $1 virt_var_lib_t:dir search_dir_perms;
++ ')
++
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ## <summary>
--## Read virt lib files.
++')
++
++########################################
++## <summary>
+## Allow domain to read/write virt image chr files
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -839,20 +602,18 @@ interface(`virt_search_lib',`
- ## </summary>
- ## </param>
- #
--interface(`virt_read_lib_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`virt_rw_chr_files',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ ')
++
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
')
@@ -86241,7 +86386,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,115 +621,245 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -86524,7 +86669,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +867,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +885,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -86547,7 +86692,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +885,35 @@ interface(`virt_search_images',`
+@@ -995,36 +903,35 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -86603,7 +86748,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,58 +921,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +939,57 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -86683,7 +86828,7 @@ index 9dec06c..6e25af1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,95 +979,168 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +997,168 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -86912,7 +87057,7 @@ index 9dec06c..6e25af1 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..9d71252 100644
+index 1f22fba..3f1bc45 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -87554,7 +87699,7 @@ index 1f22fba..9d71252 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,22 +343,12 @@ corecmd_exec_shell(virtd_t)
+@@ -520,24 +343,15 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -87577,8 +87722,11 @@ index 1f22fba..9d71252 100644
-
corenet_rw_tun_tap_dev(virtd_t)
++dev_rw_vfio_dev(virtd_t)
dev_rw_sysfs(virtd_t)
-@@ -548,22 +361,22 @@ dev_rw_vhost(virtd_t)
+ dev_read_urand(virtd_t)
+ dev_read_rand(virtd_t)
+@@ -548,22 +362,23 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -87600,13 +87748,14 @@ index 1f22fba..9d71252 100644
-# files_manage_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
++fs_read_tmpfs_symlinks(virtd_t)
fs_list_auto_mountpoints(virtd_t)
-fs_getattr_all_fs(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +407,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -87626,7 +87775,7 @@ index 1f22fba..9d71252 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +429,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -87661,7 +87810,7 @@ index 1f22fba..9d71252 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +455,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -87670,7 +87819,7 @@ index 1f22fba..9d71252 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -646,107 +468,327 @@ optional_policy(`
+@@ -646,107 +470,328 @@ optional_policy(`
consoletype_exec(virtd_t)
')
@@ -87865,6 +88014,7 @@ index 1f22fba..9d71252 100644
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
++dev_rw_vfio_dev(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
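Review bot: `dev_rw_vfio_dev(virt_domain)` is added unconditionally, so every guest domain in the virt_domain attribute gets read/write on the vfio device nodes whether or not it uses device passthrough. Consider placing it inside a `tunable_policy` block, in the same way the policy already gates NFS and Samba access with virt_use_nfs and virt_use_samba, and leave only the `dev_rw_vfio_dev(virtd_t)` grant unconditional if libvirtd needs it to set devices up.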
@@ -88056,7 +88206,7 @@ index 1f22fba..9d71252 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +800,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88086,7 +88236,7 @@ index 1f22fba..9d71252 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -88113,7 +88263,7 @@ index 1f22fba..9d71252 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +839,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +842,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -88145,7 +88295,7 @@ index 1f22fba..9d71252 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +872,19 @@ optional_policy(`
+@@ -847,14 +875,20 @@ optional_policy(`
')
optional_policy(`
@@ -88159,6 +88309,7 @@ index 1f22fba..9d71252 100644
optional_policy(`
xen_manage_image_dirs(virsh_t)
+ xen_read_image_files(virsh_t)
++ xen_read_lib_files(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
- xen_read_xenstored_pid_files(virsh_t)
@@ -88166,7 +88317,7 @@ index 1f22fba..9d71252 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +909,44 @@ optional_policy(`
+@@ -879,34 +913,44 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -88220,7 +88371,7 @@ index 1f22fba..9d71252 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +956,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +960,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -88238,7 +88389,7 @@ index 1f22fba..9d71252 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +978,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +982,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -88249,7 +88400,7 @@ index 1f22fba..9d71252 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +987,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +991,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -88257,7 +88408,7 @@ index 1f22fba..9d71252 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +999,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1003,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -88276,7 +88427,7 @@ index 1f22fba..9d71252 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1013,36 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1017,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -88321,7 +88472,7 @@ index 1f22fba..9d71252 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1050,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1054,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -88348,7 +88499,7 @@ index 1f22fba..9d71252 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1072,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -88367,7 +88518,7 @@ index 1f22fba..9d71252 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1087,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1091,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -88394,7 +88545,7 @@ index 1f22fba..9d71252 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1112,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1116,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -88453,7 +88604,8 @@ index 1f22fba..9d71252 100644
allow svirt_lxc_net_t self:socket create_socket_perms;
allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
- allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
kernel_read_network_state(svirt_lxc_net_t)
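Review bot: the netlink_tcpdiag_socket rule is switched to `create_netlink_socket_perms`, but the line directly below it still reads `allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;`. If the intent is that netlink classes use the netlink permission set, that line should be changed in the same way so the two rules stay consistent.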
@@ -88532,7 +88684,7 @@ index 1f22fba..9d71252 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1210,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1214,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -88547,7 +88699,7 @@ index 1f22fba..9d71252 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1228,8 @@ optional_policy(`
+@@ -1183,9 +1232,8 @@ optional_policy(`
########################################
#
@@ -88558,7 +88710,7 @@ index 1f22fba..9d71252 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1242,75 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -89829,7 +89981,7 @@ index 42d83b0..7977c2c 100644
-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/xen.if b/xen.if
-index f93558c..cc73c96 100644
+index f93558c..16e29c1 100644
--- a/xen.if
+++ b/xen.if
@@ -1,13 +1,13 @@
@@ -89880,44 +90032,58 @@ index f93558c..cc73c96 100644
can_exec($1, xend_exec_t)
')
-@@ -75,24 +74,24 @@ interface(`xen_dontaudit_use_fds',`
+@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
--########################################
+#######################################
++## <summary>
++## Read xend pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xen_read_pid_files_xenstored',`
++ gen_require(`
++ type xenstored_var_run_t;
++ ')
++
++ files_search_pids($1)
++
++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
++')
++
+ ########################################
## <summary>
-## Create, read, write, and delete
-## xend image directories.
-+## Read xend pid files.
++## Read xend lib files.
## </summary>
## <param name="domain">
-## <summary>
--## Domain allowed access.
++## <summary>
+ ## Domain allowed access.
-## </summary>
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## </summary>
## </param>
#
-interface(`xen_manage_image_dirs',`
-- gen_require(`
-- type xend_var_lib_t;
-- ')
-+interface(`xen_read_pid_files_xenstored',`
-+ gen_require(`
-+ type xenstored_var_run_t;
-+ ')
++interface(`xen_read_lib_files',`
+ gen_require(`
+ type xend_var_lib_t;
+ ')
- files_search_var_lib($1)
- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
-+ files_search_pids($1)
-+
-+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
++ files_list_var_lib($1)
++ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
')
########################################
-@@ -100,9 +99,9 @@ interface(`xen_manage_image_dirs',`
+@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',`
## Read xend image files.
## </summary>
## <param name="domain">
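Review bot: the doc block on the new xen_read_pid_files_xenstored interface says "Read xend pid files.", but the body requires xenstored_var_run_t and grants read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t), so the summary names the wrong daemon. Suggest "Read xenstored pid files." so the generated interface documentation matches what a caller is actually granted. The xen_read_lib_files summary ("Read xend lib files.") does match its xend_var_lib_t body, so only the first block needs the change.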
@@ -89929,7 +90095,7 @@ index f93558c..cc73c96 100644
## </param>
#
interface(`xen_read_image_files',`
-@@ -111,18 +110,40 @@ interface(`xen_read_image_files',`
+@@ -111,18 +129,40 @@ interface(`xen_read_image_files',`
')
files_list_var_lib($1)
@@ -89973,7 +90139,7 @@ index f93558c..cc73c96 100644
## </param>
#
interface(`xen_rw_image_files',`
-@@ -137,7 +158,8 @@ interface(`xen_rw_image_files',`
+@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',`
########################################
## <summary>
@@ -89983,7 +90149,7 @@ index f93558c..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -157,13 +179,13 @@ interface(`xen_append_log',`
+@@ -157,13 +198,13 @@ interface(`xen_append_log',`
########################################
## <summary>
@@ -90000,7 +90166,7 @@ index f93558c..cc73c96 100644
## </param>
#
interface(`xen_manage_log',`
-@@ -176,29 +198,11 @@ interface(`xen_manage_log',`
+@@ -176,29 +217,11 @@ interface(`xen_manage_log',`
manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
')
@@ -90032,7 +90198,7 @@ index f93558c..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -216,8 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
## <summary>
@@ -90042,7 +90208,7 @@ index f93558c..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -236,8 +239,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
## <summary>
@@ -90052,7 +90218,7 @@ index f93558c..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -270,16 +272,15 @@ interface(`xen_stream_connect',`
+@@ -270,16 +291,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
@@ -90072,7 +90238,7 @@ index f93558c..cc73c96 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -289,7 +290,7 @@ interface(`xen_domtrans_xm',`
+@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 24f2db5..192605c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 42%{?dist}
+Release: 43%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,45 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon May 10 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-43
+- Transition directories and files when in a user_tmp_t directory
+- Change certwatch to domtrans to apache instead of just execute
+- Allow virsh_t to read xen lib files
+- update policy rules for pegasus_openlmi_account_t
+- Add support for svnserve_tmp_t
+- Activate account openlmi policy
+- pegasus_openlmi_domain_template needs also require pegasus_t
+- One more fix for policykit.te
+- Call fs_list_cgroups_dirs() in policykit.te
+- Allow nagios service plugin to read mysql config files
+- Add labeling for /var/svn
+- Fix chrome.te
+- Fix pegasus_openlmi_domain_template() interfaces
+- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks
+- Fix location of google-chrome data
+- Add support for chome_sandbox to store content in the homedir
+- Allow policykit to watch for changes in cgroups file system
+- Add boolean to allow mozilla_plugin_t to use spice
+- Allow collectd to bind to udp port
+- Allow collected_t to read all of /proc
+- Should use netlink socket_perms
+- Should use netlink socket_perms
+- Allow glance domains to connect to apache ports
+- Allow apcupsd_t to manage its log files
+- Allow chrome objects to rw_inherited unix_stream_socket from callers
+- Allow staff_t to execute virtd_exec_t for running vms
+- nfsd_t needs to bind mountd port to make nfs-mountd.service working
+- Allow unbound net_admin capability because of setsockopt syscall
+- Fix fs_list_cgroup_dirs()
+- Label /usr/lib/nagios/plugins/utils.pm as bin_t
+- Remove uplicate definition of fs_read_cgroup_files()
+- Remove duplicate definition of fs_read_cgroup_files()
+- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd
+- Additional interfaces needed to list and read cgroups config
+- Add port definition for collectd port
+- Add labels for /dev/ptp*
+- Allow staff_t to execute virtd_exec_t for running vms
+
* Mon May 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-42
- Allow samba-net to also read realmd tmp files
- Allow NUT to use serial ports
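Review bot: the new %changelog header reads "Mon May 10 2013", but the entry directly below it is "Mon May 6 2013", and two dates four days apart cannot both be Mondays. May 10 2013 was a Friday, and rpmbuild reports a mismatched weekday as a bogus date in %changelog, so the header should read "Fri May 10 2013". Several entries are also repeated: "Should use netlink socket_perms" and "Allow staff_t to execute virtd_exec_t for running vms" each appear twice, and "Remove uplicate definition of fs_read_cgroup_files()" sits next to its corrected copy. Deduplicating the list would make it easier to audit which access changes shipped in 3.12.1-43.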