[selinux-policy] - Add files_relabel_base_file_types() interface - Allow netlabel-config to read passwd - update glus

Miroslav Grepl mgrepl at fedoraproject.org
Wed Nov 6 21:12:32 UTC 2013


commit c872e599536ecff70823e26e77b2a2007c7f0e18
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Nov 6 23:12:50 2013 +0100

    - Add files_relabel_base_file_types() interface
    - Allow netlabel-config to read passwd
    - update gluster_export_all_rw boolean to allow relabeling of all base file types, which lsetxattr() requires
    - Allow x86_energy_perf  tool to modify the MSR
    - Fix /var/lib/dspam/data labeling
    - Allow pegasus to domtrans to mount_t
    - Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
    - Add support for unconfined watchdog scripts
    - Allow watchdog to manage own log files

 policy-rawhide-base.patch    | 1252 +++++++++++++++++++++---------------------
 policy-rawhide-contrib.patch |   76 ++-
 selinux-policy.spec          |   13 +-
 3 files changed, 708 insertions(+), 633 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1159097..1f78c01 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9495,7 +9495,7 @@ index c2c6e05..058bb58 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..5a0a4ea 100644
+index 64ff4d7..36fa375 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -9815,7 +9815,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Read all files.
  ## </summary>
  ## <param name="domain">
-@@ -683,12 +906,82 @@ interface(`files_read_non_security_files',`
+@@ -683,12 +906,107 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
@@ -9895,10 +9895,35 @@ index 64ff4d7..5a0a4ea 100644
 +
 +########################################
 +## <summary>
++##	Relabel all base file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_base_file_types',`
++	gen_require(`
++		attribute base_file_type;
++	')
++
++	allow $1 base_file_type:dir list_dir_perms;
++	relabel_dirs_pattern($1, base_file_type , base_file_type )
++	relabel_files_pattern($1, base_file_type , base_file_type )
++	relabel_lnk_files_pattern($1, base_file_type , base_file_type )
++	relabel_fifo_files_pattern($1, base_file_type , base_file_type )
++	relabel_sock_files_pattern($1, base_file_type , base_file_type )
++	relabel_blk_files_pattern($1, base_file_type , base_file_type )
++	relabel_chr_files_pattern($1, base_file_type , base_file_type )
++')
++
++########################################
++## <summary>
  ##	Read all directories on the filesystem, except
  ##	the listed exceptions.
  ## </summary>
-@@ -953,6 +1246,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1271,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
  
  ########################################
  ## <summary>
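Review bot: The new `files_relabel_base_file_types` interface grants both relabelfrom and relabelto across every base_file_type object class, so a caller can move any base-typed object to any other base type, and the one-line summary `##	Relabel all base file types.` understates that; I would document it as `##	Relabel all base file types to and from each other` followed by `##	(relabelfrom and relabelto on dirs, files, symlinks, pipes, sockets and device nodes).` The commit message ties this interface to the gluster_export_all_rw boolean, so whoever enables that boolean should be able to see the breadth from the interface doc alone. As a style point, the pattern calls carry stray spaces before the closing parenthesis; `relabel_dirs_pattern($1, base_file_type, base_file_type)` matches the spacing of `files_relabel_all_files` further down the same file. The `base_file_type` attribute is only required here via gen_require; presumably its declaration lives elsewhere in the patch, which this hunk does not show.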
@@ -9924,52 +9949,111 @@ index 64ff4d7..5a0a4ea 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -991,6 +1303,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,8 +1328,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of non security named sockets.
 +##	Do not audit attempts to read
 +##	of all named sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1000,43 +1337,81 @@ interface(`files_dontaudit_getattr_all_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_non_security_sockets',`
 +interface(`files_dontaudit_read_all_sockets',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute non_security_file_type;
 +		attribute file_type;
+ 	')
+ 
+-	dontaudit $1 non_security_file_type:sock_file getattr;
++	dontaudit $1 file_type:sock_file read;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all block nodes with file types.
++##	Do not audit attempts to read
++##	of all security file types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_blk_files',`
++interface(`files_dontaudit_read_all_non_security_files',`
+ 	gen_require(`
+-		attribute file_type;
++		attribute non_security_file_type;
+ 	')
+ 
+-	read_blk_files_pattern($1, file_type, file_type)
++	dontaudit $1 non_security_file_type:file read_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all character nodes with file types.
++##	Do not audit attempts to get the attributes
++##	of non security named sockets.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_chr_files',`
++interface(`files_dontaudit_getattr_non_security_sockets',`
++	gen_require(`
++		attribute non_security_file_type;
 +	')
 +
-+	dontaudit $1 file_type:sock_file read;
++	dontaudit $1 non_security_file_type:sock_file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read
-+##	of all security file types.
++##	Read all block nodes with file types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_read_all_non_security_files',`
++interface(`files_read_all_blk_files',`
 +	gen_require(`
-+		attribute non_security_file_type;
++		attribute file_type;
 +	')
 +
-+	dontaudit $1 non_security_file_type:file read_file_perms;
++	read_blk_files_pattern($1, file_type, file_type)
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to get the attributes
- ##	of non security named sockets.
- ## </summary>
-@@ -1073,10 +1423,8 @@ interface(`files_relabel_all_files',`
++##	Read all character nodes with file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_chr_files',`
+ 	gen_require(`
+ 		attribute file_type;
+ 	')
+@@ -1073,10 +1448,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
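Review bot: The summary of `files_dontaudit_read_all_non_security_files` on the new side says `of all security file types`, but the interface requires and dontaudits `non_security_file_type`, so the doc contradicts the rule; it should read `##	Do not audit attempts to read` / `##	all non security file types.` The neighbouring `files_dontaudit_read_all_sockets` summary has the same grammatical slip, `Do not audit attempts to read of all named sockets`, which I would shorten to `##	Do not audit attempts to read all named sockets.` This hunk appears to be a patch refresh that reorders existing interfaces rather than new logic, so the text above is carried over rather than introduced here, but it is the version that ships.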
@@ -9982,7 +10066,7 @@ index 64ff4d7..5a0a4ea 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1530,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1555,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -10007,7 +10091,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1443,9 +1773,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1798,6 @@ interface(`files_relabel_non_auth_files',`
  	# device nodes with file types.
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -10017,7 +10101,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  #############################################
-@@ -1583,6 +1910,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1935,24 @@ interface(`files_getattr_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10042,7 +10126,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Set the attributes of all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +2018,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10067,7 +10151,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +2054,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10092,7 +10176,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1874,25 +2255,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2280,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10124,7 +10208,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2286,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2311,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10133,7 +10217,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -1928,6 +2309,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2334,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10158,7 +10242,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2562,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2587,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10183,7 +10267,7 @@ index 64ff4d7..5a0a4ea 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3044,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3069,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10208,7 +10292,7 @@ index 64ff4d7..5a0a4ea 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3133,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3158,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10216,7 +10300,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -2706,7 +3142,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3167,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10225,7 +10309,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3198,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3223,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10251,7 +10335,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3235,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3260,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10276,7 +10360,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3418,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3443,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10301,7 +10385,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3458,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3483,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10312,7 +10396,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3466,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3491,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10334,7 +10418,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,6 +3494,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3519,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10361,7 +10445,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3059,6 +3531,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3556,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10369,7 +10453,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -3080,6 +3553,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3578,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10377,7 +10461,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -3132,6 +3606,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3631,25 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10403,14 +10487,82 @@ index 64ff4d7..5a0a4ea 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3205,6 +3698,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,11 +3723,10 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
-+########################################
-+## <summary>
+-
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	on new filesystems that have not yet been labeled.
 +##	Execute files on new filesystems
 +##	that have not yet been labeled.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3217,18 +3734,18 @@ interface(`files_delete_isid_type_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_isid_type_dirs',`
++interface(`files_exec_isid_files',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+ 
+-	allow $1 file_t:dir manage_dir_perms;
++	can_exec($1, file_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount a filesystem on a directory on new filesystems
+-##	that has not yet been labeled.
++##	Moundon directories on new filesystems
++##	that have not yet been labeled.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3236,17 +3753,17 @@ interface(`files_manage_isid_type_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_isid_type_dirs',`
++interface(`files_mounton_isid',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+ 
+-	allow $1 file_t:dir { search_dir_perms mounton };
++	allow $1 file_t:dir mounton;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files on new filesystems
++##	Relabelfrom all file opbjects on new filesystems
+ ##	that have not yet been labeled.
+ ## </summary>
+ ## <param name="domain">
+@@ -3255,12 +3772,69 @@ interface(`files_mounton_isid_type_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_isid_type_files',`
++interface(`files_relabelfrom_isid_type',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+ 
+-	allow $1 file_t:file read_file_perms;
++	dontaudit $1 file_t:dir_file_class_set relabelfrom;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on new filesystems that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10418,18 +10570,18 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_exec_isid_files',`
++interface(`files_manage_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	can_exec($1, file_t)
++	allow $1 file_t:dir manage_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Moundon directories on new filesystems
-+##	that have not yet been labeled.
++##	Mount a filesystem on a directory on new filesystems
++##	that has not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10437,17 +10589,17 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_mounton_isid',`
++interface(`files_mounton_isid_type_dirs',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:dir mounton;
++	allow $1 file_t:dir { search_dir_perms mounton };
 +')
 +
 +########################################
 +## <summary>
-+##	Relabelfrom all file opbjects on new filesystems
++##	Read files on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
@@ -10456,75 +10608,42 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabelfrom_isid_type',`
++interface(`files_read_isid_type_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	dontaudit $1 file_t:dir_file_class_set relabelfrom;
-+')
++	allow $1 file_t:file read_file_perms;
+ ')
  
  ########################################
- ## <summary>
-@@ -3455,7 +4004,7 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4029,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete block device nodes
 +##	rw any files inherited from another process
- ##	on new filesystems that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3464,17 +4013,17 @@ interface(`files_rw_isid_type_blk_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_isid_type_blk_files',`
++##	on new filesystems that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_rw_inherited_isid_type_files',`
- 	gen_require(`
- 		type file_t;
- 	')
- 
--	allow $1 file_t:blk_file manage_blk_file_perms;
-+	allow $1 file_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete character device nodes
-+##	Create, read, write, and delete block device nodes
- ##	on new filesystems that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3483,7 +4032,26 @@ interface(`files_manage_isid_type_blk_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_isid_type_chr_files',`
-+interface(`files_manage_isid_type_blk_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:blk_file manage_blk_file_perms;
++	allow $1 file_t:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete character device nodes
-+##	on new filesystems that have not yet been labeled.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_isid_type_chr_files',`
- 	gen_require(`
- 		type file_t;
- 	')
-@@ -3796,20 +4364,38 @@ interface(`files_list_mnt',`
+ ##	Create, read, write, and delete block device nodes
+ ##	on new filesystems that have not yet been labeled.
+ ## </summary>
+@@ -3796,20 +4389,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10568,7 +10687,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -4199,6 +4785,171 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4810,171 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10740,7 +10859,7 @@ index 64ff4d7..5a0a4ea 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4221,6 +4972,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +4997,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -10767,7 +10886,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +5005,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5030,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -10806,7 +10925,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5062,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5087,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -10814,7 +10933,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5099,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5124,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -10822,7 +10941,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5109,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5134,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10831,7 +10950,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5121,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5146,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -10857,7 +10976,7 @@ index 64ff4d7..5a0a4ea 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5155,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5180,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -10865,7 +10984,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +5197,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5222,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10898,54 +11017,125 @@ index 64ff4d7..5a0a4ea 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,6 +5277,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,7 +5302,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
+-##	Set the attributes of all tmp directories.
 +##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4446,17 +5310,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
 +interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute tmpfile;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
 +##	Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4464,59 +5328,53 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
 +interface(`files_relabelfrom_tmp_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute tmpfile;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4456,6 +5331,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ')
  
  ########################################
  ## <summary>
-+##	Allow caller to read inherited tmp files.
+-##	Relabel to and from all temporary
+-##	directory types.
++##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
+ 	gen_require(`
+ 		attribute tmpfile;
+-		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Allow caller to read inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_read_inherited_tmp_files',`
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 tmpfile:file getattr;
++	allow $1 tmpfile:file { append read_inherited_file_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Allow caller to append inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4524,12 +5382,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_append_inherited_tmp_files',`
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	allow $1 tmpfile:file getattr;
++	allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow caller to read and write inherited tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10953,17 +11143,17 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_rw_inherited_tmp_file',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
++	allow $1 tmpfile:file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to append inherited tmp files.
++##	List all tmp directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10971,47 +11161,76 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_list_all_tmp',`
 +	gen_require(`
 +		attribute tmpfile;
 +	')
 +
-+	allow $1 tmpfile:file append_inherited_file_perms;
++	allow $1 tmpfile:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to read and write inherited tmp files.
++##	Relabel to and from all temporary
++##	directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_relabel_all_tmp_dirs',`
 +	gen_require(`
 +		attribute tmpfile;
++		type var_t;
 +	')
 +
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +')
 +
 +########################################
 +## <summary>
- ##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4501,7 +5430,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4561,7 +5490,7 @@ interface(`files_relabel_all_tmp_files',`
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_tmp_files',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	dontaudit $1 tmpfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Allow attempts to get the attributes
++##	of all tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_all_tmp_files',`
++	gen_require(`
++		attribute tmpfile;
++	')
++
++	allow $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+@@ -4561,7 +5515,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
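Review bot: `files_read_inherited_tmp_files` is documented as `Allow caller to read inherited tmp files.` but its rule is `allow $1 tmpfile:file { append read_inherited_file_perms };`, so it also grants append on every tmpfile type; the summary should say so, for example `##	Allow caller to read and append to inherited tmp files.`, because callers pick interfaces by their summaries. On style, `files_rw_inherited_tmp_file` is singular while its siblings `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files` are plural; renaming would affect callers, so I would only note the inconsistency here. This hunk looks like a patch refresh that reorders existing blocks, so both points predate the commit but survive on the new side.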
@@ -11020,22 +11239,18 @@ index 64ff4d7..5a0a4ea 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,15 +5522,53 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5547,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
--##	Create an object in the tmp directories, with a private
--##	type using a type transition.
 +##	Do not audit attempts to read or write
 +##	all leaked tmpfiles files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <param name="private type">
++##	</summary>
++## </param>
 +#
 +interface(`files_dontaudit_tmp_file_leaks',`
 +	gen_require(`
@@ -11066,19 +11281,10 @@ index 64ff4d7..5a0a4ea 100644
 +
 +########################################
 +## <summary>
-+##	Create an object in the tmp directories, with a private
-+##	type using a type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="private type">
- ##	<summary>
- ##	The type of the object to be created.
- ##	</summary>
-@@ -4646,6 +5613,16 @@ interface(`files_purge_tmp',`
+ ##	Create an object in the tmp directories, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -4646,6 +5638,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11095,7 +11301,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -5223,6 +6200,24 @@ interface(`files_list_var',`
+@@ -5223,6 +6225,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11120,7 +11326,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5578,6 +6573,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6598,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11146,7 +11352,7 @@ index 64ff4d7..5a0a4ea 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6637,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6662,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11155,7 +11361,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6645,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6670,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11171,7 +11377,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -5654,6 +6669,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6694,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11179,7 +11385,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6696,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6721,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11207,7 +11413,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6723,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6748,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11224,7 +11430,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -5713,7 +6747,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6772,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11233,7 +11439,7 @@ index 64ff4d7..5a0a4ea 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6780,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6805,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11241,7 +11447,7 @@ index 64ff4d7..5a0a4ea 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6794,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6819,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11250,7 +11456,7 @@ index 64ff4d7..5a0a4ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6802,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6827,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11285,7 +11491,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6844,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6869,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11303,7 +11509,7 @@ index 64ff4d7..5a0a4ea 100644
  ')
  
  ########################################
-@@ -5816,9 +6868,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6893,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11314,7 +11520,7 @@ index 64ff4d7..5a0a4ea 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6910,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6935,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11324,7 +11530,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6932,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6957,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11334,7 +11540,7 @@ index 64ff4d7..5a0a4ea 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6969,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6994,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11344,7 +11550,7 @@ index 64ff4d7..5a0a4ea 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +7008,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7033,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11353,7 +11559,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +7028,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7053,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11402,7 +11608,7 @@ index 64ff4d7..5a0a4ea 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +7092,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7117,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11428,7 +11634,7 @@ index 64ff4d7..5a0a4ea 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7125,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7150,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11437,7 +11643,7 @@ index 64ff4d7..5a0a4ea 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7144,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7169,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11446,7 +11652,7 @@ index 64ff4d7..5a0a4ea 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7164,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7189,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11455,7 +11661,7 @@ index 64ff4d7..5a0a4ea 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7226,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7251,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11463,18 +11669,20 @@ index 64ff4d7..5a0a4ea 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,6 +7254,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,7 +7279,7 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
+-##	Read and write generic process ID files.
 +##	rw generic pid files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6159,12 +7287,30 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
 +interface(`files_rw_inherited_generic_pid_files',`
 +	gen_require(`
 +		type var_run_t;
@@ -11485,10 +11693,16 @@ index 64ff4d7..5a0a4ea 100644
 +
 +########################################
 +## <summary>
- ##	Read and write generic process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6164,7 +7285,7 @@ interface(`files_rw_generic_pids',`
++##	Read and write generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
+ 	gen_require(`
  		type var_t, var_run_t;
  	')
  
@@ -11497,309 +11711,196 @@ index 64ff4d7..5a0a4ea 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6231,55 +7352,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,6 +7377,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
--##	Read all process ID files.
 +##	Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_all_pid_dirs',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, pidfile)
--	read_files_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	relabel_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process IDs.
++')
++
++########################################
++## <summary>
 +##	Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process ID directories.
++')
++
++########################################
++## <summary>
 +##	Create all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6287,42 +7396,35 @@ interface(`files_delete_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++')
++
++########################################
++## <summary>
 +##	Create all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain alloed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_pid_pipes',`
- 	gen_require(`
- 		attribute pidfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
++')
++
++########################################
++## <summary>
 +##	Delete all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6330,18 +7432,18 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_pipes',`
- 	gen_require(`
--		attribute polymember;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
++	')
++
 +	allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Search the contents of generic spool
--##	directories (/var/spool).
++')
++
++########################################
++## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6349,37 +7451,40 @@ interface(`files_mounton_all_poly_members',`
- ##	</summary>
- ## </param>
- #
--interface(`files_search_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_manage_all_pid_dirs',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	search_dirs_pattern($1, var_t, var_spool_t)
++	')
++
 +	manage_dirs_pattern($1,pidfile,pidfile)
- ')
- 
++')
 +
- ########################################
- ## <summary>
--##	Do not audit attempts to search generic
--##	spool directories.
-+##	Read all process ID files.
++
++########################################
++## <summary>
+ ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <rolecap/>
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+@@ -6243,12 +7499,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
  	gen_require(`
--		type var_spool_t;
-+		attribute pidfile;
+ 		attribute pidfile;
+-		type var_t, var_run_t;
 +		type var_t;
  	')
  
--	dontaudit $1 var_spool_t:dir search_dir_perms;
-+	list_dirs_pattern($1, var_t, pidfile)
-+	read_files_pattern($1, pidfile, pidfile)
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ 	list_dirs_pattern($1, var_t, pidfile)
+ 	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of generic spool
--##	(/var/spool) directories.
++')
++
++########################################
++## <summary>
 +##	Relable all pid files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6387,18 +7492,17 @@ interface(`files_dontaudit_search_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_all_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
++	')
++
 +	relabel_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool directories (/var/spool).
++')
++
++########################################
++## <summary>
 +##	Execute generic programs in /var/run in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6406,18 +7510,18 @@ interface(`files_list_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_exec_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		type var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+	exec_files_pattern($1, var_run_t, var_run_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic spool files.
-+##	manage all pidfiles 
-+##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6425,19 +7529,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_spool',`
-+interface(`files_manage_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
--	read_files_pattern($1, var_spool_t, var_spool_t)
-+	manage_files_pattern($1,pidfile,pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool files.
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6445,7 +7548,274 @@ interface(`files_read_generic_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_mounton_all_poly_members',`
 +	gen_require(`
-+		attribute polymember;
++		type var_run_t;
 +	')
 +
-+	allow $1 polymember:dir mounton;
++	exec_files_pattern($1, var_run_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all process IDs.
++##	manage all pidfiles 
++##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_delete_all_pids',`
++interface(`files_manage_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
-+		type var_t, var_run_t;
 +	')
 +
-+	files_search_pids($1)
-+	allow $1 var_t:dir search_dir_perms;
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	manage_files_pattern($1,pidfile,pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all process ID directories.
++##	Mount filesystems on all polyinstantiation
++##	member directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
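Review bot: The new-side `files_read_all_pids` body now relies on `read_lnk_files_pattern($1, pidfile, pidfile)` in place of the removed `allow $1 var_run_t:lnk_file read_lnk_file_perms;`, so symlink reads in /var/run only keep working if var_run_t itself carries the pidfile attribute (it should via files_pid_file(), but worth confirming with a quick sesearch after build). Two style nits on the lines this rebase re-emits: `manage_dirs_pattern($1,pidfile,pidfile)` in files_manage_all_pid_dirs and `manage_files_pattern($1,pidfile,pidfile)` in files_manage_all_pids drop the spaces every neighbouring call uses, e.g. `manage_dirs_pattern($1, pidfile, pidfile)`. The summaries "Relable all pid directories" and "Relable all pid files" should read "Relabel", since these strings end up in the generated interface documentation. Also note that the inner patch's files_manage_all_pids now grants only manage_files_pattern whereas upstream's version also managed dirs and lnk_files; if that narrowing is intentional it deserves a line in the interface summary.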
@@ -11807,19 +11908,39 @@ index 64ff4d7..5a0a4ea 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_mounton_all_poly_members',`
 +	gen_require(`
-+		attribute pidfile;
-+		type var_t, var_run_t;
++		attribute polymember;
 +	')
 +
++	allow $1 polymember:dir mounton;
+ ')
+ 
+ ########################################
+@@ -6268,8 +7598,8 @@ interface(`files_delete_all_pids',`
+ 		type var_t, var_run_t;
+ 	')
+ 
 +	files_search_pids($1)
-+	allow $1 var_t:dir search_dir_perms;
-+	delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ 	allow $1 var_run_t:dir rmdir;
+ 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ 	delete_files_pattern($1, pidfile, pidfile)
+@@ -6293,36 +7623,80 @@ interface(`files_delete_all_pid_dirs',`
+ 		type var_t, var_run_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ 	delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
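Review bot: In files_delete_all_pids and files_delete_all_pid_dirs the added `files_search_pids($1)` call sits next to the retained `allow $1 var_t:dir search_dir_perms;`, and if files_search_pids already grants var_t search (its body is outside this hunk, in the `@@ -5981,10 +7053,48 @@` hunk) the explicit allow is now redundant and could be dropped for clarity. The removed `allow $1 var_run_t:lnk_file read_lnk_file_perms;` is presumably replaced by whatever files_search_pids grants on var_run_t symlinks; a one-line comment such as `# files_search_pids() covers var_t search and var_run_t symlink reads` would make the dependency explicit for the next rebase. The enclosing interface bodies start before this hunk.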
@@ -11869,36 +11990,47 @@ index 64ff4d7..5a0a4ea 100644
 +########################################
 +## <summary>
 +##	Create all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_create_all_spool_sockets',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute spoolfile;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Delete all spool sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,12 +7704,33 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_delete_all_spool_sockets',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute spoolfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
@@ -11921,120 +12053,10 @@ index 64ff4d7..5a0a4ea 100644
 +	')
 +
 +	relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+## <summary>
-+##	Search the contents of generic spool
-+##	directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_search_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to search generic
-+##	spool directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_spool',`
-+	gen_require(`
-+		type var_spool_t;
-+	')
-+
-+	dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List the contents of generic spool
-+##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_list_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete generic
-+##	spool directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read generic spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_generic_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	list_dirs_pattern($1, var_t, var_spool_t)
-+	read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete generic
-+##	spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_generic_spool',`
- 	gen_require(`
- 		type var_t, var_spool_t;
- 	')
-@@ -6562,3 +7932,491 @@ interface(`files_unconfined',`
+ ')
+ 
+ ########################################
+@@ -6562,3 +7957,491 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -33893,7 +33915,7 @@ index b263a8a..15576ab 100644
 +/usr/sbin/netlabelctl	--	gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
 +/usr/sbin/netlabel-config   --  gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
 diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..e3c34dc 100644
+index cbbda4a..b569d5f 100644
 --- a/policy/modules/system/netlabel.te
 +++ b/policy/modules/system/netlabel.te
 @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
@@ -33929,7 +33951,7 @@ index cbbda4a..e3c34dc 100644
  seutil_use_newrole_fds(netlabel_mgmt_t)
  
 -userdom_use_user_terminals(netlabel_mgmt_t)
-+term_use_all_terms(netlabel_mgmt_t)
++auth_read_passwd(netlabel_mgmt_t)
 +
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
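Review bot: The new side silently drops `term_use_all_terms(netlabel_mgmt_t)` while adding `auth_read_passwd(netlabel_mgmt_t)`, but the changelog only mentions the passwd read. Removing the all-terminals grant is a welcome tightening if netlabel-config only ever runs from an inherited user terminal (the surviving `userdom_use_inherited_user_terminals` line), but an unannounced permission removal is the kind of change that produces hard-to-trace denials later; either note it in the changelog entry or keep the grant until it is confirmed unnecessary. The surrounding netlabel_mgmt_t policy block continues outside this hunk.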
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 3f17d3b..7ccb10d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -23143,7 +23143,7 @@ index 8e5ee54..6e11edb 100644
 -
  sysnet_dns_name_resolve(drbd_t)
 diff --git a/dspam.fc b/dspam.fc
-index 5eddac5..c08c8f6 100644
+index 5eddac5..3ea0423 100644
 --- a/dspam.fc
 +++ b/dspam.fc
 @@ -5,8 +5,13 @@
@@ -23160,7 +23160,7 @@ index 5eddac5..c08c8f6 100644
 +/var/www/dspam/.*\.cgi 	--	gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
 +/var/www/dspam(/.*?)		gen_context(system_u:object_r:httpd_dspam_content_t,s0)
 +
-+/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0)
++/var/lib/dspam/data(/.*)?			gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
 diff --git a/dspam.if b/dspam.if
 index 18f2452..a446210 100644
 --- a/dspam.if
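Review bot: The corrected label `httpd_dspam_rw_content_t` appears to match the `httpd_<app>_rw_content_t` naming that apache_content_template() declares, so the previous `httpd_dspam_content_rw_t` would have been an undefined type and the line would have failed to apply at relabel time; a short note in the changelog that the old name never existed would help anyone diagnosing /var/lib/dspam/data mislabels on older builds. While here, the unchanged context line `/var/www/dspam(/.*?)` looks like a typo for `/var/www/dspam(/.*)?`: as written the group is mandatory, so the /var/www/dspam directory itself is not matched by that entry. Also the `.cgi` entry mixes a space and a tab before `--`, unlike the tab-separated entries around it.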
@@ -25999,10 +25999,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..d6a2e10
+index 0000000..ac74fc9
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,187 @@
+@@ -0,0 +1,188 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -26176,6 +26176,7 @@ index 0000000..d6a2e10
 +	fs_manage_noxattr_fs_files(glusterd_t) 
 +	files_manage_non_security_dirs(glusterd_t)
 +	files_manage_non_security_files(glusterd_t)
++    files_relabel_base_file_types(glusterd_t)
 +')
 +
 +optional_policy(`
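Review bot: `files_relabel_base_file_types(glusterd_t)` is indented with four spaces whereas the three lines above it in the same tunable block use a tab; it should read `	files_relabel_base_file_types(glusterd_t)` to match. More substantively, this grant lets glusterd change the SELinux label of any base-type file on the host whenever gluster_export_all_rw is enabled, which is a broader consequence than "read/write all files" suggests; the boolean's `<desc>` (declared earlier in glusterd.te, outside this hunk) should say that relabeling is included so administrators enabling it understand the scope. If the lsetxattr() calls only need to preserve existing labels on copied files, it may be worth checking whether a relabelfrom/relabelto pair restricted to the types gluster actually touches would satisfy the audit denials instead.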
@@ -55250,7 +55251,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..c19ce47 100644
+index 7bcf327..2254bf5 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -55623,7 +55624,7 @@ index 7bcf327..c19ce47 100644
  logging_send_syslog_msg(pegasus_t)
  
 -miscfiles_read_localization(pegasus_t)
-+mount_exec(pegasus_t)
++mount_domtrans(pegasus_t)
 +
 +sysnet_read_config(pegasus_t)
 +sysnet_domtrans_ifconfig(pegasus_t)
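Review bot: `mount_domtrans(pegasus_t)` gives the network-facing CIM server a transition into mount_t, a domain able to mount and unmount filesystems system-wide, which is a much larger capability than the `mount_exec` it replaces; the grant is unexplained in the hunk. Add a comment naming the provider or operation that actually performs mounts, e.g. `# CIM provider executes mount(8); needs the mount_t transition`, so the permission can be revisited when that provider changes. If only a subset of pegasus deployments need it, consider gating it behind a tunable rather than granting it unconditionally. The pegasus_t policy block continues outside this hunk.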
@@ -90822,7 +90823,7 @@ index e29db63..061fb98 100644
  	domain_system_change_exemption($1)
  	role_transition $2 tuned_initrc_exec_t system_r;
 diff --git a/tuned.te b/tuned.te
-index 7116181..935ec1d 100644
+index 7116181..6b315d8 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -90887,7 +90888,7 @@ index 7116181..935ec1d 100644
  dev_getattr_all_blk_files(tuned_t)
  dev_getattr_all_chr_files(tuned_t)
  dev_read_urand(tuned_t)
-+dev_read_cpuid(tuned_t)
++dev_rw_cpu_microcode(tuned_t)
  dev_rw_sysfs(tuned_t)
  dev_rw_netcontrol(tuned_t)
  
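Review bot: `dev_rw_cpu_microcode(tuned_t)` replaces `dev_read_cpuid(tuned_t)`, and both appear to operate on the same cpu_device_t character devices, so the rw variant should subsume the read; if that is not the case, the cpuid read needs to stay alongside the new line. A comment explaining the need, e.g. `# x86_energy_perf_policy writes MSRs through /dev/cpu/*/msr`, would keep this write grant from looking like an accident next to the getattr-only lines above. Note that the kernel msr driver additionally requires CAP_SYS_RAWIO to open the device, so if tuned_t lacks that capability the write path will still be denied and the corresponding capability audit event should be checked before widening further. The tuned_t block continues outside this hunk.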
@@ -96701,23 +96702,25 @@ index 9329eae..824e86f 100644
 -	seutil_use_newrole_fds(vpnc_t)
 -')
 diff --git a/watchdog.fc b/watchdog.fc
-index eecd0e0..50248a7 100644
+index eecd0e0..8d9b2f6 100644
 --- a/watchdog.fc
 +++ b/watchdog.fc
-@@ -2,6 +2,8 @@
+@@ -2,6 +2,10 @@
  
  /usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
  
++/usr/libexec/watchdog/scripts(/.*)?       gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
++
 +/var/cache/watchdog(/.*)?   gen_context(system_u:object_r:watchdog_cache_t,s0)
 +
  /var/log/watchdog.*	gen_context(system_u:object_r:watchdog_log_t,s0)
  
  /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..1d43690 100644
+index 29f79e8..45b3926 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
  type watchdog_initrc_exec_t;
  init_script_file(watchdog_initrc_exec_t)
  
@@ -96727,21 +96730,31 @@ index 29f79e8..1d43690 100644
  type watchdog_log_t;
  logging_log_file(watchdog_log_t)
  
-@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ type watchdog_var_run_t;
+ files_pid_file(watchdog_var_run_t)
+ 
++type watchdog_unconfined_exec_t;
++application_executable_file(watchdog_unconfined_exec_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms };
  allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
  
+-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
 +manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
 +manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
 +
- allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
--logging_log_filetrans(watchdog_t, watchdog_log_t, file)
++manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
 +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
 +logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
  
  manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
  files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t)
+@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
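Review bot: The two added lines `manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` lack the argument spacing used by every other pattern call in the hunk (`manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)`), so they should be reformatted as `manage_files_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`. The switch from an explicit `{ append_file_perms create_file_perms setattr_file_perms }` to full manage_files_pattern also adds unlink and rename on log files, which weakens the append-only property of the watchdog log; if log rotation by the daemon is the reason, say so in a comment. `watchdog_unconfined_exec_t` is declared with application_executable_file(), which is fine for a domain entry point, but a one-line comment noting that the executables here transition to an unconfined domain would make the declaration self-explanatory.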
@@ -96749,7 +96762,7 @@ index 29f79e8..1d43690 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t)
+@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t)
  
  logging_send_syslog_msg(watchdog_t)
  
@@ -96758,6 +96771,35 @@ index 29f79e8..1d43690 100644
  sysnet_dns_name_resolve(watchdog_t)
  
  userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
+@@ -97,3 +104,28 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(watchdog_t)
+ ')
++
++########################################
++#
++# watchdog_unconfined_script_t local policy
++#
++
++optional_policy(`
++	type watchdog_unconfined_t;
++	domain_type(watchdog_unconfined_t)
++
++	domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t)
++	role system_r types watchdog_unconfined_t;
++
++	domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t)
++
++	allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms;
++	allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;
++	allow watchdog_t watchdog_unconfined_exec_t:file ioctl;
++
++	init_domtrans_script(watchdog_unconfined_t)
++
++	optional_policy(`
++		unconfined_domain(watchdog_unconfined_t)
++	')
++')
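Review bot: `allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class; it should be `allow watchdog_t watchdog_unconfined_exec_t:dir list_dir_perms;`, which also makes the preceding search_dir_perms line redundant. The section header says `watchdog_unconfined_script_t local policy` but the type declared is `watchdog_unconfined_t`; pick one name so the header and the fc comment match. Note also that if the unconfined module is absent the inner optional_policy does not fire and watchdog_t still transitions into watchdog_unconfined_t, which then has only the domain_type() baseline plus init_domtrans_script(), so the repair/test scripts would fail with denials rather than run unconfined; a comment stating that this domain is meaningful only with the unconfined module loaded would prevent surprise.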
 diff --git a/wdmd.fc b/wdmd.fc
 index 66f11f7..e051997 100644
 --- a/wdmd.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e9cb68e..195b577 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 97%{?dist}
+Release: 98%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-98
+- Add files_relabel_base_file_types() interface
+- Allow netlabel-config to read passwd
+- update gluster_export_all_rw boolean to allow relabel all base file types caused by lsetxattr()
+- Allow x86_energy_perf  tool to modify the MSR
+- Fix /var/lib/dspam/data labeling
+- Allow pegasus to domtrans to mount_t
+- Add labeling for unconfined scripts in /usr/libexec/watchdog/scripts
+- Add support for unconfined watchdog scripts
+- Allow watchdog to manage own log files
+
 * Wed Nov 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-97
 - Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
 - Label /etc/yum.repos.d as system_conf_t

