[selinux-policy/f20] * Wed Feb 26 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-128 - Make snapperd as unconfined domain

Miroslav Grepl mgrepl at fedoraproject.org
Wed Feb 26 16:07:06 UTC 2014


commit 2296aede5767b813cd2dcf7badd6bd6b4226bc1a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Feb 26 17:07:49 2014 +0100

    * Wed Feb 26 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-128
    - Make snapperd an unconfined domain and add additional fixes for it
    - Remove nsplugin.pp module on upgrade

 policy-f20-base.patch    | 4769 ++++++++++++++++++++++++++++++++++------------
 policy-f20-contrib.patch |   17 +-
 selinux-policy.spec      |    6 +-
 3 files changed, 3579 insertions(+), 1213 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index f921776..e81ace6 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9626,7 +9626,7 @@ index c2c6e05..2282452 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..a47b644 100644
+index 64ff4d7..d2cb90d 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10257,7 +10257,32 @@ index 64ff4d7..a47b644 100644
  ##	Set the attributes of all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabelto_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir relabelto;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to set the attributes on all mount points.
+ ## </summary>
+ ## <param name="domain">
+@@ -1673,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
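Review bot: The summary on the new `files_relabelto_all_mountpoints` interface reads "Set the attributes of all mount points.", copied from the `files_setattr_all_mountpoints` block directly above it, while the body grants `relabelto` on `mountpoint:dir`. The XML summary is what readers and policy tooling use to pick an interface, so as written it hides that this is a relabel permission rather than a setattr one. Replace the summary line with `##	Relabel directories to all mount point types.`.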
@@ -10282,7 +10307,7 @@ index 64ff4d7..a47b644 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10325,7 +10350,7 @@ index 64ff4d7..a47b644 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1707,6 +2131,23 @@ interface(`files_list_root',`
+@@ -1707,6 +2149,23 @@ interface(`files_list_root',`
  	allow $1 root_t:dir list_dir_perms;
  	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
  ')
@@ -10349,7 +10374,7 @@ index 64ff4d7..a47b644 100644
  
  ########################################
  ## <summary>
-@@ -1747,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
+@@ -1747,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',`
  
  ########################################
  ## <summary>
@@ -10376,7 +10401,7 @@ index 64ff4d7..a47b644 100644
  ##	Create an object in the root directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -1874,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2353,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -10408,7 +10433,7 @@ index 64ff4d7..a47b644 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1905,7 +2366,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2384,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -10417,7 +10442,7 @@ index 64ff4d7..a47b644 100644
  ')
  
  ########################################
-@@ -1928,6 +2389,24 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2407,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -10442,7 +10467,7 @@ index 64ff4d7..a47b644 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2163,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -10467,7 +10492,7 @@ index 64ff4d7..a47b644 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2627,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3142,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -10492,7 +10517,7 @@ index 64ff4d7..a47b644 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2698,6 +3213,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3231,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10500,7 +10525,7 @@ index 64ff4d7..a47b644 100644
  ')
  
  ########################################
-@@ -2706,7 +3222,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3240,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10509,7 +10534,7 @@ index 64ff4d7..a47b644 100644
  ##	</summary>
  ## </param>
  #
-@@ -2762,6 +3278,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3296,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -10535,7 +10560,7 @@ index 64ff4d7..a47b644 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2780,6 +3315,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3333,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -10560,7 +10585,7 @@ index 64ff4d7..a47b644 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2945,24 +3498,6 @@ interface(`files_delete_boot_flag',`
+@@ -2945,26 +3516,8 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -10582,10 +10607,14 @@ index 64ff4d7..a47b644 100644
 -
 -########################################
 -## <summary>
- ##	Read files in /etc that are dynamically
- ##	created on boot, such as mtab.
+-##	Read files in /etc that are dynamically
+-##	created on boot, such as mtab.
++##	Read files in /etc that are dynamically
++##	created on boot, such as mtab.
  ## </summary>
-@@ -3003,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
+ ## <desc>
+ ##	<p>
+@@ -3003,9 +3556,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -10596,7 +10625,7 @@ index 64ff4d7..a47b644 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3013,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3564,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -10618,22 +10647,19 @@ index 64ff4d7..a47b644 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3042,15 +3574,35 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3592,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
--##	Read and write files in /etc that are dynamically
 +##	Do not audit attempts to read files
 +##	in /etc that are dynamically
- ##	created on boot, such as mtab.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++##	created on boot, such as mtab.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <rolecap/>
++##	</summary>
++## </param>
 +#
 +interface(`files_dontaudit_read_etc_runtime_files',`
 +	gen_require(`
@@ -10645,19 +10671,10 @@ index 64ff4d7..a47b644 100644
 +
 +########################################
 +## <summary>
-+##	Read and write files in /etc that are dynamically
-+##	created on boot, such as mtab.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
- #
- interface(`files_rw_etc_runtime_files',`
- 	gen_require(`
-@@ -3059,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
+ ##	Read and write files in /etc that are dynamically
+ ##	created on boot, such as mtab.
+ ## </summary>
+@@ -3059,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10665,7 +10682,7 @@ index 64ff4d7..a47b644 100644
  ')
  
  ########################################
-@@ -3080,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10673,7 +10690,7 @@ index 64ff4d7..a47b644 100644
  ')
  
  ########################################
-@@ -3132,6 +3686,44 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3704,44 @@ interface(`files_getattr_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10718,7 +10735,7 @@ index 64ff4d7..a47b644 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3205,6 +3797,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3815,62 @@ interface(`files_delete_isid_type_dirs',`
  
  	delete_dirs_pattern($1, file_t, file_t)
  ')
@@ -10781,7 +10798,7 @@ index 64ff4d7..a47b644 100644
  
  ########################################
  ## <summary>
-@@ -3246,6 +3894,25 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3246,6 +3912,25 @@ interface(`files_mounton_isid_type_dirs',`
  
  ########################################
  ## <summary>
@@ -10807,7 +10824,7 @@ index 64ff4d7..a47b644 100644
  ##	Read files on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3455,6 +4122,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4140,25 @@ interface(`files_rw_isid_type_blk_files',`
  
  ########################################
  ## <summary>
@@ -10833,7 +10850,7 @@ index 64ff4d7..a47b644 100644
  ##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4482,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4500,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -10877,64 +10894,98 @@ index 64ff4d7..a47b644 100644
  ')
  
  ########################################
-@@ -4199,6 +4903,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,192 +4921,215 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Allow the specified type to associate
+-##	to a filesystem with the type of the
+-##	temporary directory (/tmp).
 +##  Read manageable system configuration files in /etc
-+## </summary>
+ ## </summary>
+-## <param name="file_type">
+-##	<summary>
+-##	Type of the file to associate.
+-##	</summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_associate_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:filesystem associate;
 +    allow $1 etc_t:dir list_dir_perms;
 +    read_files_pattern($1, etc_t, system_conf_t)
 +    read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Get the	attributes of the tmp directory (/tmp).
 +##  Manage manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_conf_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir getattr;
 +    manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
 +    files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to get the
+-##	attributes of the tmp directory (/tmp).
 +##  File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir getattr;
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
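Review bot: The system_conf interfaces moved into this hunk indent their bodies with four spaces (`    gen_require(`, `    allow $1 etc_t:dir list_dir_perms;`) while the surrounding files.if context and the last three `filetrans_pattern` lines of `files_filetrans_system_conf_named_files` use a tab, so a single interface ends up with mixed indentation. Re-indent the bodies of `files_read_system_conf_files`, `files_manage_system_conf_files` and `files_filetrans_system_conf_named_files` with tabs to match the rest of the file. `files_filetrans_system_conf_named_files` continues past the end of this hunk.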
@@ -10952,162 +11003,253 @@ index 64ff4d7..a47b644 100644
 +    filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir search_dir_perms;
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +###################################
-+## <summary>
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
 +##  Manage manageable system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain not to audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_db_files',`
 +     gen_require(`
 +         type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
 +     files_filetrans_system_db_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  File name transition for system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_db_named_files',`
 +    gen_require(`
 +        type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
-+')
-+
- ########################################
- ## <summary>
- ##	Allow the specified type to associate
-@@ -4221,6 +5091,26 @@ interface(`files_associate_tmp',`
+ ')
  
  ########################################
  ## <summary>
+-##	Read files in the tmp directory (/tmp).
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
-+##	/ file system
-+## </summary>
++##	temporary directory (/tmp).
+ ## </summary>
+-## <param name="domain">
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_associate_rootfs',`
-+	gen_require(`
-+		type root_t;
-+	')
-+
-+	allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
- ##	Get the	attributes of the tmp directory (/tmp).
- ## </summary>
- ## <param name="domain">
-@@ -4234,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_associate_tmp',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir getattr;
+-	read_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:filesystem associate;
  ')
  
  ########################################
  ## <summary>
-+##	Do not audit attempts to check the 
-+##	access on tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+-##	Manage temporary directories in /tmp.
++##	Allow the specified type to associate
++##	to a filesystem with the type of the
++##	/ file system
+ ## </summary>
+-## <param name="domain">
++## <param name="file_type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type of the file to associate.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
++interface(`files_associate_rootfs',`
+ 	gen_require(`
+-		type tmp_t;
++		type root_t;
+ 	')
+ 
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
++	allow $1 root_t:filesystem associate;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary files and directories in /tmp.
++##	Get the	attributes of the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4392,53 +5137,56 @@ interface(`files_manage_generic_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, tmp_t, tmp_t)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
++##	Do not audit attempts to check the 
++##	access on tmp files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
 +interface(`files_dontaudit_access_check_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the
- ##	attributes of the tmp directory (/tmp).
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Do not audit attempts to get the
++##	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
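Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their gen_require blocks but their bodies only reference `system_conf_t`, and `files_dontaudit_access_check_tmp` declares `type etc_t;` while its dontaudit rule is on `tmp_t`. A gen_require that names the wrong type does not pull the type the interface actually uses into the caller's requirements, so a module calling these interfaces may presumably fail to build unless something else already required the type, and the unused requirement misleads anyone auditing what the interface touches. Change the three declarations to `type system_conf_t;`, `type system_conf_t;` and `type tmp_t;` respectively. The relabelfrom interface also repeats the relabelto summary verbatim, so its summary should say "Relabel from" rather than duplicating "Relabel manageable system configuration files in /etc.".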
@@ -11116,23 +11258,94 @@ index 64ff4d7..a47b644 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5181,7 @@ interface(`files_search_tmp',`
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of all tmp directories.
++##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4446,77 +5194,92 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5218,7 @@ interface(`files_list_tmp',`
- 		type tmp_t;
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Do not audit attempts to search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_search_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	dontaudit $1 tmp_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	directory types.
++##	Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir list_dir_perms;
++	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5228,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Do not audit listing of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
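Review bot: `files_search_tmp` and `files_list_tmp` now add `read_lnk_files_pattern($1, tmp_t, tmp_t)` on top of the search/list permission, but their summaries still read "Search the tmp directory (/tmp)." and "Read the tmp directory (/tmp).", so every caller that asks only for search also receives read access to symlinks labeled tmp_t without that being visible from the interface name or documentation; interfaces that call `files_search_tmp($1)` themselves (for example `files_delete_tmp_dir_entry` in the following hunk) inherit the grant transitively. If the widening is intended, document it in the summaries, e.g. `##	Search the tmp directory (/tmp) and read its symbolic links.`, so reviewers of calling modules can see the extra access; otherwise keep the symlink read in a separate interface. Both interfaces are complete within this hunk.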
@@ -11141,11 +11354,17 @@ index 64ff4d7..a47b644 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,7 +5240,26 @@ interface(`files_dontaudit_list_tmp',`
- 	dontaudit $1 tmp_t:dir list_dir_perms;
- ')
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_dontaudit_list_tmp',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
  
--########################################
+-	dontaudit $1 tmpfile:file getattr;
++	dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##  Allow read and write to the tmp directory (/tmp).
@@ -11163,26 +11382,87 @@ index 64ff4d7..a47b644 100644
 +
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
-+########################################
+ ')
+ 
+ ########################################
  ## <summary>
- ##	Remove entries from the tmp directory.
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Remove entries from the tmp directory.
  ## </summary>
-@@ -4343,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',`
- 		type tmp_t;
+ ## <param name="domain">
+ ##	<summary>
+@@ -4524,110 +5287,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
+-	allow $1 tmpfile:file getattr;
 +	files_search_tmp($1)
- 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	file types.
++##	Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
-@@ -4384,6 +5316,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_manage_generic_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Read all tmp files.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -11191,840 +11471,733 @@ index 64ff4d7..a47b644 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
- ##	Manage temporary files and directories in /tmp.
- ## </summary>
- ## <param name="domain">
-@@ -4438,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ')
  
  ########################################
  ## <summary>
-+##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of all tmp directories.
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
-+##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_inherited_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to append inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_append_inherited_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow caller to read and write inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_inherited_tmp_file',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4501,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',`
+-##	Delete the contents of /tmp.
++##	Read symbolic links in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
+@@ -4635,22 +5386,17 @@ interface(`files_tmp_filetrans',`
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',`
+-interface(`files_purge_tmp',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /usr directory.
++##	Read and write generic named sockets in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
+@@ -4658,17 +5404,17 @@ interface(`files_purge_tmp',`
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5641,44 @@ interface(`files_read_all_tmp_files',`
+-interface(`files_setattr_usr_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
  
- ########################################
- ## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_tmp_file_leaks',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do allow attempts to read or write
-+##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_tmp_file_leaks',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create an object in the tmp directories, with a private
- ##	type using a type transition.
- ## </summary>
-@@ -4646,6 +5732,16 @@ interface(`files_purge_tmp',`
- 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
- 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
- 	delete_sock_files_pattern($1, tmpfile, tmpfile)
-+	delete_chr_files_pattern($1, tmpfile, tmpfile)
-+	delete_blk_files_pattern($1, tmpfile, tmpfile)
-+	files_list_isid_type_dirs($1)
-+	files_delete_isid_type_dirs($1)
-+	files_delete_isid_type_files($1)
-+	files_delete_isid_type_symlinks($1)
-+	files_delete_isid_type_fifo_files($1)
-+	files_delete_isid_type_sock_files($1)
-+	files_delete_isid_type_blk_files($1)
-+	files_delete_isid_type_chr_files($1)
+-	allow $1 usr_t:dir setattr;
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
-@@ -5094,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
- 
- ########################################
  ## <summary>
-+##	Dontaudit getattr attempts on the system.map file
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
-+	gen_require(`
-+		type system_map_t;
-+	')
-+
-+	dontaudit $1 system_map_t:file getattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Read system.map in the /boot directory.
+-##	Search the content of /usr.
++##	Relabel a dir from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -5223,6 +6337,24 @@ interface(`files_list_var',`
- 
- ########################################
- ## <summary>
-+##	Do not audit listing of the var directory (/var).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_list_var',`
-+	gen_require(`
-+		type var_t;
-+	')
-+
-+	dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete directories
- ##	in the /var directory.
- ## </summary>
-@@ -5310,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',`
- 		type var_t;
+ ##	<summary>
+@@ -4676,18 +5422,17 @@ interface(`files_setattr_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_usr',`
++interface(`files_relabelfrom_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
  	')
  
--	dontaudit $1 var_t:file rw_file_perms;
-+	dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -5507,6 +6639,23 @@ interface(`files_rw_var_lib_dirs',`
- 	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+-	allow $1 usr_t:dir search_dir_perms;
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
-+#######################################
-+## <summary>
-+##      Create directories in /var/lib
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`files_create_var_lib_dirs',`
-+    gen_require(`
-+        type var_lib_t;
-+    ')
-+    allow $1 var_lib_t:dir { create rw_dir_perms };
-+')
-+
  ########################################
  ## <summary>
- ##	Create objects in the /var/lib directory
-@@ -5578,6 +6727,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
-+########################################
-+## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+	gen_require(`
-+		type var_lib_t;
-+	')
-+
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
+-##	List the contents of generic
+-##	directories in /usr.
++##	Relabel a file from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4695,35 +5440,35 @@ interface(`files_search_usr',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
++interface(`files_relabelfrom_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
  
-@@ -5623,7 +6791,7 @@ interface(`files_manage_mounttab',`
+-	allow $1 usr_t:dir list_dir_perms;
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
--##	Set the attributes of the generic lock directories.
-+##	List generic lock directories.
+-##	Do not audit write of /usr dirs
++##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6799,13 @@ interface(`files_manage_mounttab',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
  	gen_require(`
- 		type var_t, var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	files_search_locks($1)
-+	list_dirs_pattern($1, var_t, var_lock_t)
+-	dontaudit $1 usr_t:dir write;
++	allow $1 tmpfile:dir { search_dir_perms setattr };
  ')
  
  ########################################
-@@ -5654,6 +6823,7 @@ interface(`files_search_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Add and remove entries from /usr directories.
++##	Allow caller to read inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4731,36 +5476,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
-+	files_search_pids($1)
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_lock_t)
+-	allow $1 usr_t:dir rw_dir_perms;
++	allow $1 tmpfile:file { append read_inherited_file_perms };
  ')
-@@ -5680,7 +6850,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
--##	List generic lock directories.
-+##	Do not audit attempts to read/write inherited
-+##	locks (/var/lock).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+	gen_require(`
-+		type var_lock_t;
-+	')
-+
-+	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes of the /var/lock directory.
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
++##	Allow caller to append inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6877,12 @@ interface(`files_dontaudit_search_locks',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_append_inherited_tmp_files',`
  	gen_require(`
--		type var_t, var_lock_t;
-+		type var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_lock_t)
-+	allow $1 var_lock_t:dir setattr;
+-	dontaudit $1 usr_t:dir rw_dir_perms;
++	allow $1 tmpfile:file append_inherited_file_perms;
  ')
  
  ########################################
-@@ -5713,7 +6901,7 @@ interface(`files_rw_lock_dirs',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Delete generic directories in /usr in the caller domain.
++##	Allow caller to read and write inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4768,17 +5512,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	rw_dirs_pattern($1, var_t, var_lock_t)
+-	delete_dirs_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
-@@ -5746,7 +6934,6 @@ interface(`files_create_lock_dirs',`
- ##	Domain allowed access.
+ ########################################
+ ## <summary>
+-##	Delete generic files in /usr in the caller domain.
++##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4786,73 +5530,59 @@ interface(`files_delete_usr_dirs',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
- interface(`files_relabel_all_lock_dirs',`
+-interface(`files_delete_usr_files',`
++interface(`files_list_all_tmp',`
  	gen_require(`
-@@ -5761,7 +6948,7 @@ interface(`files_relabel_all_lock_dirs',`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	delete_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:dir list_dir_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Get the attributes of generic lock files.
-+##	Relabel to and from all lock file types.
+-##	Get the attributes of files in /usr.
++##	Relabel to and from all temporary
++##	directory types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6956,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <rolecap/>
  #
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
+-interface(`files_getattr_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
  	gen_require(`
-+		attribute lockfile;
- 		type var_t, var_lock_t;
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of generic lock files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_getattr_generic_locks',`
-+	gen_require(`
-+		type var_t, var_lock_t;
-+	')
-+
-+	files_search_locks($1)
- 	allow $1 var_lock_t:dir list_dir_perms;
- 	getattr_files_pattern($1, var_lock_t, var_lock_t)
+-	getattr_files_pattern($1, usr_t, usr_t)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
-@@ -5791,13 +6998,12 @@ interface(`files_getattr_generic_locks',`
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /usr.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
  ## </param>
+-## <infoflow type="read" weight="10"/>
  #
- interface(`files_delete_generic_locks',`
--	gen_require(`
-+       gen_require(`
- 		type var_t, var_lock_t;
--	')
-+       ')
+-interface(`files_read_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
-+       files_search_locks($1)
-+       delete_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file getattr;
  ')
  
  ########################################
-@@ -5816,9 +7022,7 @@ interface(`files_manage_generic_locks',`
- 		type var_t, var_lock_t;
+ ## <summary>
+-##	Execute generic programs in /usr in the caller domain.
++##	Allow attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4860,55 +5590,58 @@ interface(`files_read_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+	files_search_locks($1)
- 	manage_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file getattr;
  ')
  
-@@ -5860,8 +7064,7 @@ interface(`files_read_all_locks',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	dontaudit write of /usr files
++##	Relabel to and from all temporary
++##	file types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_write_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	allow $1 lockfile:dir list_dir_perms;
- 	read_files_pattern($1, lockfile, lockfile)
- 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7086,7 @@ interface(`files_manage_all_locks',`
- 		type var_t, var_lock_t;
- 	')
+-	dontaudit $1 usr_t:file write;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	manage_dirs_pattern($1, lockfile, lockfile)
- 	manage_files_pattern($1, lockfile, lockfile)
- 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7123,7 @@ interface(`files_lock_filetrans',`
- 		type var_t, var_lock_t;
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /usr directory.
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+-	manage_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:sock_file getattr;
  ')
  
-@@ -5961,7 +7162,7 @@ interface(`files_setattr_pid_dirs',`
- 		type var_run_t;
+ ########################################
+ ## <summary>
+-##	Relabel a file to the type used in /usr.
++##	Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4916,67 +5649,70 @@ interface(`files_manage_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	allow $1 var_run_t:dir setattr;
+-	relabelto_files_pattern($1, usr_t, usr_t)
++	read_files_pattern($1, tmpfile, tmpfile)
  ')
  
-@@ -5981,18 +7182,56 @@ interface(`files_search_pids',`
- 		type var_t, var_run_t;
+ ########################################
+ ## <summary>
+-##	Relabel a file from the type used in /usr.
++##	Do not audit attempts to read or write
++##	all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
  	')
  
-+	allow $1 var_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_run_t)
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file rw_inherited_file_perms;
  ')
  
--########################################
-+######################################
+ ########################################
  ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
-+## Add and remove entries from pid directories.
+-##	Read symbolic links in /usr.
++##	Do allow attempts to read or write
++##	all leaked tmpfiles files.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain to not audit.
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_rw_pid_dirs',`
-+    gen_require(`
-+        type var_run_t;
-+    ')
-+
-+    allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+## <summary>
-+##      Create generic pid directory.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`files_create_var_run_dirs',`
-+        gen_require(`
-+                type var_t, var_run_t;
-+        ')
-+
-+        allow $1 var_t:dir search_dir_perms;
-+        allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to search
-+##	the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
-@@ -6007,6 +7246,25 @@ interface(`files_dontaudit_search_pids',`
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
  
  ########################################
  ## <summary>
-+##	Do not audit attempts to search
-+##	the all /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
-+	dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	List the contents of the runtime process
- ##	ID directories (/var/run).
+-##	Create objects in the /usr directory
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
  ## </summary>
-@@ -6021,7 +7279,7 @@ interface(`files_list_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- ')
- 
-@@ -6040,7 +7298,7 @@ interface(`files_read_generic_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	read_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6060,7 +7318,7 @@ interface(`files_write_generic_pid_pipes',`
- 		type var_run_t;
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
++## <param name="private type">
+ ##	<summary>
+-##	The type of the object to be created
++##	The type of the object to be created.
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
++## <param name="object">
+ ##	<summary>
+-##	The object class.
++##	The object class of the object being created.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -4985,35 +5721,50 @@ interface(`files_read_usr_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	allow $1 var_run_t:fifo_file write;
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
++	filetrans_pattern($1, tmp_t, $2, $3, $4)
  ')
  
-@@ -6122,7 +7380,6 @@ interface(`files_pid_filetrans',`
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search /usr/src.
++##	Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ 	gen_require(`
+-		type src_t;
++		attribute tmpfile;
  	')
  
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
+-	dontaudit $1 src_t:dir search_dir_perms;
++	allow $1 tmpfile:dir list_dir_perms;
++	delete_dirs_pattern($1, tmpfile, tmpfile)
++	delete_files_pattern($1, tmpfile, tmpfile)
++	delete_lnk_files_pattern($1, tmpfile, tmpfile)
++	delete_fifo_files_pattern($1, tmpfile, tmpfile)
++	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	delete_chr_files_pattern($1, tmpfile, tmpfile)
++	delete_blk_files_pattern($1, tmpfile, tmpfile)
++	files_list_isid_type_dirs($1)
++	files_delete_isid_type_dirs($1)
++	files_delete_isid_type_files($1)
++	files_delete_isid_type_symlinks($1)
++	files_delete_isid_type_fifo_files($1)
++	files_delete_isid_type_sock_files($1)
++	files_delete_isid_type_blk_files($1)
++	files_delete_isid_type_chr_files($1)
  ')
  
-@@ -6151,6 +7408,24 @@ interface(`files_pid_filetrans_lock_dir',`
- 
  ########################################
  ## <summary>
-+##	rw generic pid files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+	gen_require(`
-+		type var_run_t;
-+	')
-+
-+	allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write generic process ID files.
+-##	Get the attributes of files in /usr/src.
++##	Set the attributes of the /usr directory.
  ## </summary>
  ## <param name="domain">
-@@ -6164,7 +7439,7 @@ interface(`files_rw_generic_pids',`
- 		type var_t, var_run_t;
+ ##	<summary>
+@@ -5021,20 +5772,17 @@ interface(`files_dontaudit_search_src',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	rw_files_pattern($1, var_run_t, var_run_t)
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
++	allow $1 usr_t:dir setattr;
  ')
-@@ -6231,55 +7506,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
--##	Read all process ID files.
-+##	Relable all pid directories
+-##	Read files in /usr/src.
++##	Search the content of /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5042,20 +5790,18 @@ interface(`files_getattr_usr_src_files',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, pidfile)
--	read_files_pattern($1, pidfile, pidfile)
-+	relabel_dirs_pattern($1, pidfile, pidfile)
+ 	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Delete all process IDs.
-+##	Delete all pid sockets
+-##	Execute programs in /usr/src in the caller domain.
++##	List the contents of generic
++##	directories in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5063,38 +5809,35 @@ interface(`files_read_usr_src_files',`
  ##	</summary>
  ## </param>
--## <rolecap/>
  #
--interface(`files_delete_all_pids',`
-+interface(`files_delete_all_pid_sockets',`
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+	allow $1 pidfile:sock_file delete_sock_file_perms;
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
++	allow $1 usr_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Delete all process ID directories.
-+##	Create all pid sockets
+-##	Install a system.map into the /boot directory.
++##	Do not audit write of /usr dirs
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +7550,35 @@ interface(`files_delete_all_pids',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_sockets',`
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
-+	allow $1 pidfile:sock_file create_sock_file_perms;
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	dontaudit $1 usr_t:dir write;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
-+##	Create all pid named pipes
+-##	Read system.map in the /boot directory.
++##	Add and remove entries from /usr directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
+@@ -5102,37 +5845,36 @@ interface(`files_create_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_pid_pipes',`
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
  	gen_require(`
- 		attribute pidfile;
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
-+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
-+##	Delete all pid named pipes
+-##	Delete a system.map in the /boot directory.
++##	Do not audit attempts to add and remove
++##	entries from /usr directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7586,18 @@ interface(`files_manage_all_pids',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_pipes',`
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
  	gen_require(`
--		attribute polymember;
-+		attribute pidfile;
+-		type boot_t, system_map_t;
++		type usr_t;
  	')
  
--	allow $1 polymember:dir mounton;
-+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of generic spool
--##	directories (/var/spool).
-+##	manage all pidfile directories
-+##	in the /var/run directory.
+-##	Search the contents of /var.
++##	Delete generic directories in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7605,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -5140,35 +5882,35 @@ interface(`files_delete_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	search_dirs_pattern($1, var_t, var_spool_t)
-+	manage_dirs_pattern($1,pidfile,pidfile)
+-	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, usr_t, usr_t)
  ')
  
-+
  ########################################
  ## <summary>
--##	Do not audit attempts to search generic
--##	spool directories.
-+##	Read all process ID files.
+-##	Do not audit attempts to write to /var.
++##	Delete generic files in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -12032,138 +12205,326 @@ index 64ff4d7..a47b644 100644
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
-+## <rolecap/>
  #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
  	gen_require(`
--		type var_spool_t;
-+		attribute pidfile;
-+		type var_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	dontaudit $1 var_spool_t:dir search_dir_perms;
-+	list_dirs_pattern($1, var_t, pidfile)
-+	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
+-	dontaudit $1 var_t:dir write;
++	delete_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	List the contents of generic spool
--##	(/var/spool) directories.
-+##	Relable all pid files
+-##	Allow attempts to write to /var.dirs
++##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7646,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -5176,36 +5918,55 @@ interface(`files_dontaudit_write_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_spool',`
-+interface(`files_relabel_all_pid_files',`
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	list_dirs_pattern($1, var_t, var_spool_t)
-+	relabel_files_pattern($1, pidfile, pidfile)
+-	allow $1 var_t:dir write;
++	getattr_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	spool directories (/var/spool).
-+##	Execute generic programs in /var/run in the caller domain.
+-##	Do not audit attempts to search
+-##	the contents of /var.
++##	Read generic files in /usr.
  ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read generic
++##	files in /usr. These files are various program
++##	files that do not have more specific SELinux types.
++##	Some examples of these files are:
++##	</p>
++##	<ul>
++##		<li>/usr/include/*</li>
++##		<li>/usr/share/doc/*</li>
++##		<li>/usr/share/info/*</li>
++##	</ul>
++##	<p>
++##	Generally, it is safe for many domains to have
++##	this access.
++##	</p>
++## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7664,18 @@ interface(`files_list_spool',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
++## <infoflow type="read" weight="10"/>
  #
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_exec_generic_pid_files',`
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		type var_run_t;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+	exec_files_pattern($1, var_run_t, var_run_t)
+-	dontaudit $1 var_t:dir search_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	read_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Read generic spool files.
-+##	manage all pidfiles 
-+##	in the /var/run directory.
+-##	List the contents of /var.
++##	Execute generic programs in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,19 +7683,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5213,36 +5974,37 @@ interface(`files_dontaudit_search_var',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_spool',`
-+interface(`files_manage_all_pids',`
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
+-		type var_t;
++		type usr_t;
  	')
  
--	list_dirs_pattern($1, var_t, var_spool_t)
--	read_files_pattern($1, var_spool_t, var_spool_t)
-+	manage_files_pattern($1,pidfile,pidfile)
+-	allow $1 var_t:dir list_dir_perms;
++	allow $1 usr_t:dir list_dir_perms;
++	exec_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	spool files.
-+##	Mount filesystems on all polyinstantiation
-+##	member directories.
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
++##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6445,55 +7702,43 @@ interface(`files_read_generic_spool',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_spool',`
-+interface(`files_mounton_all_poly_members',`
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute polymember;
+-		type var_t;
++		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	manage_files_pattern($1, var_spool_t, var_spool_t)
-+	allow $1 polymember:dir mounton;
+-	allow $1 var_t:dir manage_dir_perms;
++	dontaudit $1 usr_t:file write;
  ')
  
  ########################################
  ## <summary>
--##	Create objects in the spool directory
--##	with a private type with a type transition.
-+##	Delete all process IDs.
+-##	Read files in the /var directory.
++##	Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5250,17 +6012,17 @@ interface(`files_manage_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	read_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append files in the /var directory.
++##	Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5268,17 +6030,17 @@ interface(`files_read_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	append_files_pattern($1, var_t, var_t)
++	relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write files in the /var directory.
++##	Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5286,73 +6048,86 @@ interface(`files_append_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	rw_files_pattern($1, var_t, var_t)
++	relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
++##	Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:file rw_file_perms;
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /var directory.
++##	Create objects in the /usr directory
  ## </summary>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <param name="file">
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	manage_files_pattern($1, var_t, var_t)
++	filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the /var directory.
++##	Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ 	gen_require(`
+-		type var_t;
++		type src_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, var_t, var_t)
++	dontaudit $1 src_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5360,50 +6135,41 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	getattr_files_pattern($1, src_t, src_t)
++
++	# /usr/src/linux symlink:
++	read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
 -##	<summary>
--##	Type to which the created node will be transitioned.
+-##	The type of the object to be created
 -##	</summary>
 -## </param>
--## <param name="class">
+-## <param name="object_class">
 -##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
+-##	The object class.
 -##	</summary>
 -## </param>
 -## <param name="name" optional="true">
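Review bot: `files_manage_usr_files` (the `manage_files_pattern($1, usr_t, usr_t)` interface on the new side of this hunk) hands out create/write/unlink on generic usr_t, the same type that `files_exec_usr_files` a few interfaces earlier executes in the caller's domain, yet its summary says nothing about that; a domain granted the former can replace content another domain will run. I would extend its summary with `## Grants write access to the read-only OS tree; intended for package-management style domains only, since usr_t files are executed in-domain by callers of files_exec_usr_files.` The same caveat fits `files_relabelto_usr_files`, which lets a caller make arbitrary files appear as usr_t. This hunk only re-positions these interfaces inside the patch file, so the remark is about the text as it now stands rather than a semantic change this commit introduces; the last interface here, `files_read_usr_src_files`, continues in the next hunk.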
@@ -12171,86 +12532,1867 @@ index 64ff4d7..a47b644 100644
 -##	The name of the object being created.
 -##	</summary>
 -## </param>
-+## <rolecap/>
  #
--interface(`files_spool_filetrans',`
-+interface(`files_delete_all_pids',`
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
  	gen_require(`
--		type var_t, var_spool_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	filetrans_pattern($1, var_t, $2, $3, $4)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the /var/lib directory.
++##	Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5411,69 +6177,56 @@ interface(`files_var_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	getattr_dirs_pattern($1, var_t, var_lib_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the /var/lib directory.
++##	Install a system.map into the /boot directory.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Search the /var/lib directory.  This is
+-##	necessary to access files or directories under
+-##	/var/lib that have a private type.  For example, a
+-##	domain accessing a private library file in the
+-##	/var/lib directory:
+-##	</p>
+-##	<p>
+-##	allow mydomain_t mylibfile_t:file read_file_perms;
+-##	files_search_var_lib(mydomain_t)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	contents of /var/lib.
++##	Dontaudit getattr attempts on the system.map file
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type system_map_t;
+ 	')
+ 
+-	dontaudit $1 var_lib_t:dir search_dir_perms;
++	dontaudit $1 system_map_t:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the /var/lib directory.
++##	Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5481,17 +6234,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+-###########################################
++########################################
+ ## <summary>
+-##	Read-write /var/lib directories
++##	Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5499,70 +6253,54 @@ interface(`files_list_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var/lib directory
++##	Search the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
  	')
  
-+	files_search_pids($1)
  	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+	allow $1 var_run_t:dir rmdir;
-+	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+	delete_files_pattern($1, pidfile, pidfile)
-+	delete_fifo_files_pattern($1, pidfile, pidfile)
-+	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
-+##	Delete all process ID directories.
+-##	Read generic files in /var/lib.
++##	Do not audit attempts to write to /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6501,53 +7746,68 @@ interface(`files_spool_filetrans',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pid_dirs',`
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_write_var_dirs',`
  	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
-+		attribute pidfile;
-+		type var_t, var_run_t;
+-		type var_t, var_lib_t;
++		type var_t;
  	')
  
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
--	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
--
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
--	allow $1 polyparent:dir { getattr mounton };
--
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
--	allow $1 polydir: dir { write add_name open };
--	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
--	# Default type for mountpoints
--	allow $1 poly_t:dir { create mounton };
--	fs_unmount_xattr_fs($1)
+-	allow $1 var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	dontaudit $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic symbolic links in /var/lib
++##	Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5570,41 +6308,36 @@ interface(`files_read_var_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	allow $1 var_t:dir write;
+ ')
+ 
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
 -
--	fs_mount_tmpfs($1)
--	fs_unmount_tmpfs($1)
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	Do not audit attempts to search
++##	the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_dontaudit_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	dontaudit $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to manage mount tables
+-##	necessary for rpcd, nfsd, etc.
++##	List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5612,36 +6345,36 @@ interface(`files_manage_urandom_seed',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	allow $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the generic lock directories.
++##	Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_dontaudit_list_var',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
++	dontaudit $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the locks directory (/var/lock).
++##	Create, read, write, and delete directories
++##	in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5649,38 +6382,35 @@ interface(`files_setattr_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_manage_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	allow $1 var_t:dir manage_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_read_var_files',`
+ 	gen_require(`
+-		type var_lock_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_lock_t:dir search_dir_perms;
++	read_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List generic lock directories.
++##	Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5688,19 +6418,17 @@ interface(`files_dontaudit_search_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_append_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_lock_t)
++	append_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries in the /var/lock
+-##	directories.
++##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5708,60 +6436,54 @@ interface(`files_list_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	rw_dirs_pattern($1, var_t, var_lock_t)
++	rw_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create lock directories
++##	Do not audit attempts to read and write
++##	files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	create_dirs_pattern($1, var_lock_t, var_lock_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel to and from all lock directory types.
++##	Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_manage_var_files',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabel_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5769,20 +6491,18 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5790,185 +6510,207 @@ interface(`files_getattr_generic_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
++##	Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_var_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
++	filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all lock files.
++##	Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, lockfile, lockfile)
++	getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all lock files.
++##	Search the /var/lib directory.
+ ## </summary>
++## <desc>
++##	<p>
++##	Search the /var/lib directory.  This is
++##	necessary to access files or directories under
++##	/var/lib that have a private type.  For example, a
++##	domain accessing a private library file in the
++##	/var/lib directory:
++##	</p>
++##	<p>
++##	allow mydomain_t mylibfile_t:file read_file_perms;
++##	files_search_var_lib(mydomain_t)
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	Do not audit attempts to search the
++##	contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
++	dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
++##	List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_list_var_lib',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++	list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+-########################################
++###########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
++##	Read-write /var/lib directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_rw_var_lib_dirs',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
++	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++')
++
++#######################################
++## <summary>
++##      Create directories in /var/lib
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`files_create_var_lib_dirs',`
++    gen_require(`
++        type var_lib_t;
++    ')
++    allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /var/run directory.
++##	Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_var_lib_filetrans',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
++##	Read generic files in /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5976,39 +6718,37 @@ interface(`files_setattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
++interface(`files_read_var_lib_files',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
++	allow $1 var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
++##	Read generic symbolic links in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_read_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
++	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
++##	manage generic symbolic links
++##	in the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6016,18 +6756,21 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+ ')
+ 
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6035,19 +6778,19 @@ interface(`files_list_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_urandom_seed',`
+ 	gen_require(`
+-		type var_t, var_run_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
++##	Allow domain to manage mount tables
++##	necessary for rpcd, nfsd, etc.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6055,58 +6798,1223 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
++interface(`files_manage_mounttab',`
++	gen_require(`
++		type var_t, var_lib_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	List generic lock directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Search the locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read/write inherited
++##	locks (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/lock directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_lock_dirs',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Add and remove entries in the /var/lock
++##	directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++## <summary>
++## 	Create lock directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock directory types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_dirs',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Relabel to and from all lock file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_files',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Get the attributes of generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_getattr_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 var_lock_t:dir list_dir_perms;
++	getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
++       gen_require(`
++		type var_t, var_lock_t;
++       ')
++
++       files_search_locks($1)
++       delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_locks',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Read all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	manage all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_locks',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Create an object in the locks directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Search the contents of runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:lnk_file read_lnk_file_perms;
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++## <summary>
++## Add and remove entries from pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_rw_pid_dirs',`
++    gen_require(`
++        type var_run_t;
++    ')
++
++    allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create generic pid directory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`files_create_var_run_dirs',`
++        gen_require(`
++                type var_t, var_run_t;
++        ')
++
++        allow $1 var_t:dir search_dir_perms;
++        allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_pids',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the all /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List the contents of the runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Read generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++	read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Write named generic process ID pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_generic_pid_pipes',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++## <summary>
++##	Create an object in the process ID directory, with a private type.
++## </summary>
++## <desc>
++##	<p>
++##	Create an object in the process ID directory (e.g., /var/run)
++##	with a private type.  Typically this is used for creating
++##	private PID files in /var/run with the private type instead
++##	of the general PID file type. To accomplish this goal,
++##	either the program must be SELinux-aware, or use this interface.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_pid_file()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its PID file with a private PID file type in the
++##	/var/run directory:
++##	</p>
++##	<p>
++##	type mypidfile_t;
++##	files_pid_file(mypidfile_t)
++##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`files_pid_filetrans',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## 	Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++## <summary>
++##	rw generic pid files inherited from another process
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_inherited_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Read and write generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	list_dirs_pattern($1, var_t, var_run_t)
++	rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++## <summary>
++##	Relable all pid directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Delete all pid sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_sockets',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Create all pid sockets
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_sockets',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:sock_file create_sock_file_perms;
++')
++
++########################################
++## <summary>
++##	Create all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_create_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Delete all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	manage all pidfile directories
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++## <summary>
++##	Read all process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_read_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_t;
++	')
++
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Relable all pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_files',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Execute generic programs in /var/run in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_exec_generic_pid_files',`
+ 	gen_require(`
+ 		type var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
++	exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	manage all pidfiles 
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_files_pattern($1,pidfile,pidfile)
++')
++
++########################################
++## <summary>
++##	Mount filesystems on all polyinstantiation
++##	member directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_mounton_all_poly_members',`
++	gen_require(`
++		attribute polymember;
++	')
++
++	allow $1 polymember:dir mounton;
++')
++
++########################################
++## <summary>
++##	Delete all process IDs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
 +')
- 
--	ifdef(`distro_redhat',`
--		# namespace.init
--		files_search_tmp($1)
--		files_search_home($1)
--		corecmd_exec_bin($1)
--		seutil_domtrans_setfiles($1)
++
 +########################################
 +## <summary>
 +##	Make the specified type a file
@@ -12293,31 +14435,27 @@ index 64ff4d7..a47b644 100644
 +interface(`files_spool_file',`
 +	gen_require(`
 +		attribute spoolfile;
- 	')
++	')
 +
 +	files_type($1)
 +	typeattribute $1 spoolfile;
- ')
- 
- ########################################
- ## <summary>
--##	Unconfined access to files.
++')
++
++########################################
++## <summary>
 +##	Create all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6555,10 +7815,785 @@ interface(`files_polyinstantiate_all',`
- ##	</summary>
- ## </param>
- #
--interface(`files_unconfined',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_spool_sockets',`
- 	gen_require(`
--		attribute files_unconfined_type;
++	gen_require(`
 +		attribute spoolfile;
- 	')
- 
--	typeattribute $1 files_unconfined_type;
++	')
++
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
 +')
 +
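Review bot: `files_create_all_spool_sockets` grants sock_file create on every type carrying the `spoolfile` attribute, and `files_spool_file` attaches that attribute to whatever caller-supplied type is passed in, so the grant reaches other modules' private spool types, not just var_spool_t; the summary `Create all spool sockets` does not convey that width. I would change the summary to `##	Create sockets of any spool file type (every type marked with files_spool_file); broad grant, prefer a private type and files_spool_filetrans where one exists.` The interface also carries no dir permission on the parent spool directory, so callers presumably have to pair it with a spool directory write interface, which is worth a sentence in the same summary.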
@@ -12377,10 +14515,11 @@ index 64ff4d7..a47b644 100644
 +	')
 +
 +	search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
 +##	Do not audit attempts to search generic
 +##	spool directories.
 +## </summary>
@@ -12402,12 +14541,39 @@ index 64ff4d7..a47b644 100644
 +## <summary>
 +##	List the contents of generic spool
 +##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Create an object in the process ID directory (e.g., /var/run)
+-##	with a private type.  Typically this is used for creating
+-##	private PID files in /var/run with the private type instead
+-##	of the general PID file type. To accomplish this goal,
+-##	either the program must be SELinux-aware, or use this interface.
+-##	</p>
+-##	<p>
+-##	Related interfaces:
+-##	</p>
+-##	<ul>
+-##		<li>files_pid_file()</li>
+-##	</ul>
+-##	<p>
+-##	Example usage with a domain that can create and
+-##	write its PID file with a private PID file type in the
+-##	/var/run directory:
+-##	</p>
+-##	<p>
+-##	type mypidfile_t;
+-##	files_pid_file(mypidfile_t)
+-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`files_list_spool',`
 +	gen_require(`
@@ -12423,10 +14589,12 @@ index 64ff4d7..a47b644 100644
 +##	spool directories (/var/spool).
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="object">
 +#
 +interface(`files_manage_generic_spool_dirs',`
 +	gen_require(`
@@ -12442,7 +14610,8 @@ index 64ff4d7..a47b644 100644
 +##	Read generic spool files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The object class of the object being created.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -12495,14 +14664,19 @@ index 64ff4d7..a47b644 100644
 +##	<summary>
 +##	Object class(es) (single or set including {}) for which this
 +##	the transition will occur.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',`
+ ##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`files_pid_filetrans',`
+-	gen_require(`
+-		type var_t, var_run_t;
+-	')
 +interface(`files_spool_filetrans',`
 +	gen_require(`
 +		type var_t, var_spool_t;
@@ -12629,296 +14803,401 @@ index 64ff4d7..a47b644 100644
 +       gen_require(`
 +               type default_t;
 +       ')
-+
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_run_t, $2, $3, $4)
 +       allow $1 default_t:dir create;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create a generic lock directory within the run directories
 +##	Create, default_t objects with an automatic
 +##	type transition.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
 +##	<summary>
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <param name="object">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	The class of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+-	gen_require(`
+-		type var_lock_t;
+-	')
 +interface(`files_root_filetrans_default',`
 +       gen_require(`
 +               type root_t, default_t;
 +       ')
-+
+ 
+-	files_pid_filetrans($1, var_lock_t, dir, $2)
 +       filetrans_pattern($1, root_t, default_t, $2)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic process ID files.
 +##	manage generic symbolic links
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
 +interface(`files_manage_generic_pids_symlinks',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
 +	manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
 +##	Do not audit attempts to getattr
 +##	all tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
 +interface(`files_dontaudit_getattr_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file getattr;
 +	allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to daemon runtime data files.
 +##	Allow read write all tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
 +interface(`files_rw_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file write;
 +	allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to ioctl daemon runtime data files.
 +##	Do not audit attempts to read security files 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
 +interface(`files_dontaudit_read_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute security_file_type;
-+	')
-+
-+	dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file ioctl;
++	dontaudit $1 security_file_type:file read_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
 +##	rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +## <param name="object_type">
 +##  <summary>
 +##  Object type.
 +##  </summary>
 +## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_rw_all_inherited_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	allow $1 { file_type $2 }:file rw_inherited_file_perms;
 +	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
 +	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_entrypoint_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Do not audit attempts to rw inherited file perms
 +##	of non security files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_dontaudit_all_non_security_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Do not audit attempts to read or write
 +##	all leaked files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_dontaudit_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	dontaudit $1 file_type:file rw_inherited_file_perms;
 +	dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_create_as_is_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute file_type;
 +		class kernel_service create_files_as;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	Do not audit attempts to check the 
 +##	access on all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_dontaudit_all_access_check',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
 +##	Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6368,132 +8382,207 @@ interface(`files_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
 +interface(`files_dontaudit_write_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
 +	dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_delete_all_non_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	allow $1 non_security_file_type:dir del_entry_dir_perms;
 +	allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Allow domain to delete to all dirs
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_delete_all_non_security_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +        type etc_t;
 +		type mnt_t;
 +		type usr_t;
@@ -12927,8 +15206,10 @@ index 64ff4d7..a47b644 100644
 +		type var_run_t;
 +        type var_lock_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	files_pid_filetrans($1, mnt_t, dir, "media")
 +	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
 +	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -12966,13 +15247,16 @@ index 64ff4d7..a47b644 100644
 +	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
 +    files_var_filetrans($1, var_run_t, dir, "run")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Make the specified type a
 +##	base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Identify file type as base file type.  Tools will use this attribute,
@@ -12980,35 +15264,51 @@ index 64ff4d7..a47b644 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	files_type($1)
 +	typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
 +##	Make the specified type a
 +##	base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="file">
 +## <desc>
 +##	<p>
 +##	Make the specified type readable for all domains.
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Type to which the created node will be transitioned.
 +##	Type to be used as a base read only files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="class">
 +## <infoflow type="none"/>
 +#
 +interface(`files_ro_base_file',`
@@ -13024,10 +15324,13 @@ index 64ff4d7..a47b644 100644
 +##	Read all ro base files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <rolecap/>
 +#
 +interface(`files_read_all_base_ro_files',`
@@ -13045,54 +15348,104 @@ index 64ff4d7..a47b644 100644
 +##	Execute all base ro files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_exec_all_base_ro_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_ro_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Allow the specified domain to modify the systemd configuration of 
 +##	any file.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6501,53 +8590,17 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_config_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Get the status of etc_t files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6555,10 +8608,10 @@ interface(`files_polyinstantiate_all',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
 +interface(`files_status_etc',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute files_unconfined_type;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 etc_t:service status;
  ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 57f52be..9e1d01a 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -89010,15 +89010,16 @@ index cbfe369..6594af3 100644
  	files_search_var_lib($1)
 diff --git a/snapper.fc b/snapper.fc
 new file mode 100644
-index 0000000..77ae4f3
+index 0000000..660fcd2
 --- /dev/null
 +++ b/snapper.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,8 @@
 +HOME_DIR/\.snapshots    -d  gen_context(system_u:object_r:snapperd_home_t,s0)
 +
 +/usr/sbin/snapperd		--	gen_context(system_u:object_r:snapperd_exec_t,s0)
 +
 +/etc/snapper(/.*)?          gen_context(system_u:object_r:snapperd_conf_t,s0)
++/etc/sysconfig/snapper  --  gen_context(system_u:object_r:snapperd_conf_t,s0)
 +
 +/var/log/snapper\.log.* --  gen_context(system_u:object_r:snapperd_log_t,s0)
 diff --git a/snapper.if b/snapper.if
@@ -89071,10 +89072,10 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..5fad225
+index 0000000..3591c8e
 --- /dev/null
 +++ b/snapper.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,81 @@
 +policy_module(snapper, 1.0.0)
 +
 +########################################
@@ -89126,6 +89127,10 @@ index 0000000..5fad225
 +corecmd_exec_shell(snapperd_t)
 +corecmd_exec_bin(snapperd_t)
 +
++files_write_all_dirs(snapperd_t)
++files_setattr_all_mountpoints(snapperd_t)
++files_relabelto_all_mountpoints(snapperd_t)
++files_relabelfrom_isid_type(snapperd_t)
 +files_read_all_files(snapperd_t)
 +files_list_all(snapperd_t)
 +
@@ -89148,6 +89153,10 @@ index 0000000..5fad225
 +optional_policy(`
 +    lvm_domtrans(snapperd_t)
 +')
++
++optional_policy(`
++    unconfined_domain(snapperd_t)
++')
 diff --git a/snmp.fc b/snmp.fc
 index c73fa24..50d80f4 100644
 --- a/snmp.fc
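Review bot: `unconfined_domain(snapperd_t)` at L5738 is wrapped in `optional_policy`, so whether snapperd is actually confined depends on whether the unconfined module is loaded on the target system, and nothing in the file records that the fine-grained rules elsewhere in snapper.te are only the fallback for systems without it. A reader of the changelog line "Make snapperd as unconfined domain" would otherwise expect the domain to be unconditionally unconfined; please add a comment above the block, e.g. `# With the unconfined module loaded snapperd_t is unconfined; the rules above are the confined fallback.` Consider also noting in that comment that the broad write/relabel grants earlier in the file should be revisited once the confined fallback is exercised.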
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 91ea267..9c1e89f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 127%{?dist}
+Release: 128%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Feb 26 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-128
+- Make snapperd as unconfined domain and add additional fixes for it
+- Remove nsplugin.pp module on upgrade
+
 * Tue Feb 25 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-127
 - Add snapperd_home_t for HOME_DIR/.snapshots directory
 - Make sosreport as unconfined domain

