From 0399c8ba5430d9b981f8aa5ff125a0ec55a88a74 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Thu, 18 Sep 2014 10:08:27 +0200
Subject: [PATCH] - Allow du running in logwatch_t read hwdata. - Allow
sys_admin capability for antivirus domians. - Use nagios_var_lib_t instead of
nagios_lib_t in nagios.fc. - Add support for pnp4nagios. - Add missing
labeling for /var/lib/cockpit. - Label resolv.conf as docker_share_t under
docker so we can read within a container - Remove labeling for rabbitmqctl -
setfscreate in pki.te is not capability class. - Allow virt domains to use
virtd tap FDs until we get proper handling in libvirtd. - Allow wine domains
to create cache dirs. - Allow newaliases to systemd inhibit pipes. - Add
fixes for pki-tomcat scriptlet handling. - Allow user domains to manage all
gnome home content - Allow locate to look at files/directories without
labels, and chr_file and blk_file on non dev file systems - Allow usbmuxd
chown capabilitiesllow locate to look at files/directories without labels,
and chr_file and blk_file on non dev file systems
---
policy-rawhide-base.patch | 5628 +++++++++++-----------------------
policy-rawhide-contrib.patch | 306 +-
selinux-policy.spec | 19 +-
3 files changed, 2013 insertions(+), 3940 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index b5607422..24cc48b9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9590,7 +9590,7 @@ index b876c48..b2aed45 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..d79969b 100644
+index f962f76..693ce96 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -9846,7 +9846,50 @@ index f962f76..d79969b 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+
+ ########################################
+ ##
++## Get the attributes of all chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_chr_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_chr_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
++## Get the attributes of all blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_blk_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_blk_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of all files.
+ ##
+@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
@@ -9910,7 +9953,7 @@ index f962f76..d79969b 100644
## Read all files.
##
##
-@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',`
+@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -9921,59 +9964,92 @@ index f962f76..d79969b 100644
########################################
##
+-## Read all directories on the filesystem, except
+-## the listed exceptions.
+## Read/Write all inherited non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
+##
-+#
+ #
+-interface(`files_read_all_dirs_except',`
+interface(`files_rw_inherited_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute file_type;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 { file_type $2 }:dir list_dir_perms;
+ allow $1 non_security_file_type:file { read write };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read all files on the filesystem, except
+-## the listed exceptions.
+## Manage all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
+##
-+#
+ #
+-interface(`files_read_all_files_except',`
+interface(`files_manage_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute file_type;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- read_files_pattern($1, { file_type $2 }, { file_type $2 })
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read all symbolic links on the filesystem, except
+-## the listed exceptions.
+## Relabel all non-security files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
+##
-+#
+ #
+-interface(`files_read_all_symlinks_except',`
+interface(`files_relabel_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute file_type;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ allow $1 { non_security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
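Review bot: Reviewability suffers here because the inner patch was realigned rather than edited: the previously added `files_rw_inherited_non_security_files`, `files_manage_non_security_files` and `files_relabel_non_security_files` are now expressed as inner `-`/`+` replacements of the upstream `files_read_all_*_except` interfaces, which then appear to be re-added verbatim in the hunk at `@@ -10029,14 +10115,152 @@` (the `++interface(\`files_read_all_dirs_except',` block and its siblings). As far as these hunks show, only the order of interfaces inside files.if moves, which m4 does not care about, but the same churn repeats in the hunks at `@@ -9986,41 +10062,51 @@`, `@@ -10225,73 +10429,143 @@`, `@@ -10334,10 +10623,64 @@` and `@@ -10644,84 +10983,110 @@`, and it buries the one substantive addition to this file (the chr/blk getattr interfaces) under several hundred lines of no-op movement. Regenerating the inner patch with a diff algorithm that anchors on the unchanged upstream blocks (for example `git diff --patience`) would keep the next rebase reviewable, and the description should say the base patch was regenerated so a reader does not go looking for a policy change in these hunks.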
@@ -9986,41 +10062,51 @@ index f962f76..d79969b 100644
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all symbolic links.
+## Search all base file dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+ ##
+ ##
+ #
+-interface(`files_getattr_all_symlinks',`
+interface(`files_search_base_file_types',`
-+ gen_require(`
+ gen_require(`
+- attribute file_type;
+ attribute base_file_type;
-+ ')
-+
+ ')
+
+- getattr_lnk_files_pattern($1, file_type, file_type)
+ allow $1 base_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all symbolic links.
+## Relabel all base file types.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_symlinks',`
+interface(`files_relabel_base_file_types',`
-+ gen_require(`
+ gen_require(`
+- attribute file_type;
+ attribute base_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 file_type:lnk_file getattr;
+ allow $1 base_file_type:dir list_dir_perms;
+ relabel_dirs_pattern($1, base_file_type , base_file_type )
+ relabel_files_pattern($1, base_file_type , base_file_type )
@@ -10029,14 +10115,152 @@ index f962f76..d79969b 100644
+ relabel_sock_files_pattern($1, base_file_type , base_file_type )
+ relabel_blk_files_pattern($1, base_file_type , base_file_type )
+ relabel_chr_files_pattern($1, base_file_type , base_file_type )
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read all symbolic links.
++## Read all directories on the filesystem, except
++## the listed exceptions.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_all_symlinks',`
++interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+- dontaudit $1 file_type:lnk_file read;
++ allow $1 { file_type $2 }:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of non security symbolic links.
++## Read all files on the filesystem, except
++## the listed exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_read_all_files_except',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ read_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+##
- ## Read all directories on the filesystem, except
- ## the listed exceptions.
++## Read all symbolic links on the filesystem, except
++## the listed exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_read_all_symlinks_except',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++')
++
++########################################
++##
++## Get the attributes of all symbolic links.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_lnk_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of all symbolic links.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:lnk_file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read all symbolic links.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_all_symlinks',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ dontaudit $1 file_type:lnk_file read;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of non security symbolic links.
##
-@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+ ##
+ ##
+@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
@@ -10062,29 +10286,24 @@ index f962f76..d79969b 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
--## Do not audit attempts to get the attributes
--## of non security named sockets.
+## Do not audit attempts to read
+## of all named sockets.
- ##
- ##
- ##
-@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_non_security_sockets',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_all_sockets',`
- gen_require(`
-- attribute non_security_file_type;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 non_security_file_type:sock_file getattr;
++ ')
++
+ dontaudit $1 file_type:sock_file read;
+')
+
@@ -10109,25 +10328,10 @@ index f962f76..d79969b 100644
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of non security named sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_non_security_sockets',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:sock_file getattr;
- ')
-
- ########################################
-@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',`
+ ## Do not audit attempts to get the attributes
+ ## of non security named sockets.
+ ##
+@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10140,7 +10344,7 @@ index f962f76..d79969b 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1573,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
########################################
##
@@ -10165,7 +10369,7 @@ index f962f76..d79969b 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -10175,7 +10379,7 @@ index f962f76..d79969b 100644
')
#############################################
-@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -10200,7 +10404,7 @@ index f962f76..d79969b 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -10225,73 +10429,143 @@ index f962f76..d79969b 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1709,6 +2115,60 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
+-## List the contents of the root directory.
+## Do not audit attempts to unmount all mount points.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_unmount_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ dontaudit $1 mountpoint:filesystem unmount;
-+')
-+
-+########################################
-+##
-+## Read all mountpoint symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_mountpoint_symlinks',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
-+## Write all file type directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_all_dirs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:dir write;
-+')
-+
-+########################################
-+##
- ## List the contents of the root directory.
##
##
-@@ -1725,6 +2185,23 @@ interface(`files_list_root',`
- allow $1 root_t:dir list_dir_perms;
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_list_root',`
++interface(`files_dontaudit_unmount_all_mountpoints',`
+ gen_require(`
+- type root_t;
++ attribute mountpoint;
+ ')
+
+- allow $1 root_t:dir list_dir_perms;
+- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
++ dontaudit $1 mountpoint:filesystem unmount;
')
+
+ ########################################
+ ##
+-## Do not audit attempts to write to / dirs.
++## Read all mountpoint symbolic links.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_root_dirs',`
++interface(`files_read_all_mountpoint_symlinks',`
+ gen_require(`
+- type root_t;
++ attribute mountpoint;
+ ')
+
+- dontaudit $1 root_t:dir write;
++ allow $1 mountpoint:lnk_file read_lnk_file_perms;
+ ')
+
+-###################
+########################################
-+##
+ ##
+-## Do not audit attempts to write
+-## files in the root directory.
++## Write all file type directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_root_dir',`
++interface(`files_write_all_dirs',`
+ gen_require(`
+- type root_t;
++ attribute file_type;
+ ')
+
+- dontaudit $1 root_t:dir rw_dir_perms;
++ allow $1 file_type:dir write;
+ ')
+
+ ########################################
+ ##
+-## Create an object in the root directory, with a private
+-## type using a type transition.
++## List the contents of the root directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_root_filetrans',`
++interface(`files_list_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+- filetrans_pattern($1, root_t, $2, $3, $4)
++ allow $1 root_t:dir list_dir_perms;
++ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
+ ')
+-
+ ########################################
+ ##
+-## Do not audit attempts to read files in
+-## the root directory.
++## Do not audit attempts to write to / dirs.
+ ##
+ ##
+ ##
+@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_root_files',`
++interface(`files_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+- dontaudit $1 root_t:file { getattr read };
++ allow $1 root_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read or write
+## Do not audit attempts to write to / dirs.
+##
+##
@@ -10300,20 +10574,35 @@ index f962f76..d79969b 100644
+##
+##
+#
-+interface(`files_write_root_dirs',`
++interface(`files_dontaudit_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
-+ allow $1 root_t:dir write;
++ dontaudit $1 root_t:dir write;
+')
-
- ########################################
- ##
-@@ -1765,6 +2242,26 @@ interface(`files_dontaudit_rw_root_dir',`
-
- ########################################
- ##
++
++###################
++##
++## Do not audit attempts to write
++## files in the root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_root_dir',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir rw_dir_perms;
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on root directory.
+##
@@ -10334,10 +10623,64 @@ index f962f76..d79969b 100644
+
+########################################
+##
- ## Create an object in the root directory, with a private
- ## type using a type transition.
++## Create an object in the root directory, with a private
++## type using a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_root_filetrans',`
++ gen_require(`
++ type root_t;
++ ')
++
++ filetrans_pattern($1, root_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to read files in
++## the root directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_root_files',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:file { getattr read };
++')
++
++########################################
++##
++## Do not audit attempts to read or write
+ ## files in the root directory.
##
-@@ -1892,25 +2389,25 @@ interface(`files_delete_root_dir_entry',`
+ ##
+@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -10369,7 +10712,7 @@ index f962f76..d79969b 100644
##
##
##
-@@ -1923,7 +2420,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -10378,7 +10721,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -1946,6 +2443,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -10421,7 +10764,7 @@ index f962f76..d79969b 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2714,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -10446,7 +10789,7 @@ index f962f76..d79969b 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3196,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10471,7 +10814,7 @@ index f962f76..d79969b 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3285,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10479,7 +10822,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -2724,7 +3294,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -10488,7 +10831,7 @@ index f962f76..d79969b 100644
##
##
#
-@@ -2780,6 +3350,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -10514,7 +10857,7 @@ index f962f76..d79969b 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3387,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -10539,7 +10882,7 @@ index f962f76..d79969b 100644
## Execute generic files in /etc.
##
##
-@@ -2963,26 +3570,8 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -10561,14 +10904,10 @@ index f962f76..d79969b 100644
-
-########################################
-##
--## Read files in /etc that are dynamically
--## created on boot, such as mtab.
-+## Read files in /etc that are dynamically
-+## created on boot, such as mtab.
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
##
- ##
- ##
-@@ -3021,9 +3610,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -10579,7 +10918,7 @@ index f962f76..d79969b 100644
##
##
##
-@@ -3031,18 +3618,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -10601,7 +10940,7 @@ index f962f76..d79969b 100644
##
##
##
-@@ -3060,6 +3646,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -10628,7 +10967,7 @@ index f962f76..d79969b 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3683,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10636,7 +10975,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3098,6 +3705,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10644,84 +10983,110 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3142,10 +3750,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
- type file_t;
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Getattr all file opbjects on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_isid_type',`
-+ gen_require(`
+ type unlabeled_t;
')
- allow $1 file_t:dir getattr;
-+ allow $1 unlabeled_t:dir_file_class_set getattr;
-+')
-+
-+########################################
-+##
-+## Setattr of directories on new filesystems
-+## that have not yet been labeled.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_isid_type_dirs',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:dir setattr;
++ allow $1 unlabeled_t:dir getattr;
')
########################################
-@@ -3161,10 +3807,10 @@ interface(`files_getattr_isid_type_dirs',`
+ ##
+-## Do not audit attempts to search directories on new filesystems
++## Getattr all file opbjects on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
#
- interface(`files_dontaudit_search_isid_type_dirs',`
+-interface(`files_dontaudit_search_isid_type_dirs',`
++interface(`files_getattr_isid_type',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- dontaudit $1 file_t:dir search_dir_perms;
-+ dontaudit $1 unlabeled_t:dir search_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set getattr;
')
########################################
-@@ -3180,10 +3826,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+ ##
+-## List the contents of directories on new filesystems
++## Setattr of directories on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+ ##
+ ##
#
- interface(`files_list_isid_type_dirs',`
+-interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir list_dir_perms;
-+ allow $1 unlabeled_t:dir list_dir_perms;
++ allow $1 unlabeled_t:dir setattr;
')
########################################
-@@ -3199,10 +3845,10 @@ interface(`files_list_isid_type_dirs',`
+ ##
+-## Read and write directories on new filesystems
++## Do not audit attempts to search directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_isid_type_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_isid_type_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Read and write directories on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -10734,7 +11099,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3218,10 +3864,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -10777,8 +11142,9 @@ index f962f76..d79969b 100644
+interface(`files_mounton_isid',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
+ allow $1 unlabeled_t:dir mounton;
+')
+
@@ -10796,14 +11162,13 @@ index f962f76..d79969b 100644
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type unlabeled_t;
- ')
-
-- delete_dirs_pattern($1, file_t, file_t)
++ ')
++
+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
')
########################################
-@@ -3237,10 +3939,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -10816,7 +11181,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3256,10 +3958,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -10848,7 +11213,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3275,10 +3996,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -10861,7 +11226,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3294,10 +4015,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10874,7 +11239,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3313,10 +4034,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10887,7 +11252,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3332,10 +4053,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10900,7 +11265,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3351,10 +4072,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10913,7 +11278,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3370,10 +4091,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10926,7 +11291,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3389,10 +4110,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10939,7 +11304,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3408,10 +4129,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10952,7 +11317,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3427,10 +4148,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10965,7 +11330,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3446,10 +4167,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10978,7 +11343,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3465,10 +4186,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -11010,7 +11375,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3484,10 +4224,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -11023,7 +11388,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3503,10 +4243,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -11036,7 +11401,7 @@ index f962f76..d79969b 100644
')
########################################
-@@ -3552,6 +4292,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -11064,7 +11429,7 @@ index f962f76..d79969b 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4575,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -11108,98 +11473,64 @@ index f962f76..d79969b 100644
')
########################################
-@@ -4217,174 +4996,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
--########################################
+#######################################
- ##
--## Allow the specified type to associate
--## to a filesystem with the type of the
--## temporary directory (/tmp).
++##
+## Read manageable system configuration files in /etc
- ##
--##
--##
--## Type of the file to associate.
--##
++##
+##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_associate_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:filesystem associate;
++
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Get the attributes of the tmp directory (/tmp).
++##
+## Manage manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir getattr;
++
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Do not audit attempts to get the
--## attributes of the tmp directory (/tmp).
++##
+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t, usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
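Review bot: The `dir` name transitions that `files_manage_system_conf_files` pulls in through `files_filetrans_system_conf_named_files($1)` (the `yum.repos.d`, `remotes.d` and `repo` entries, which continue into the next hunk) cannot take effect from this interface alone, because `manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)` grants only `file` permissions on `system_conf_t` and no `system_conf_t:dir create`. If callers are meant to create those directories via this interface, add `manage_dirs_pattern($1, { etc_t system_conf_t }, system_conf_t)` beside the files pattern; if not, the interface description should state that the directory transitions only apply to callers that obtain dir permissions elsewhere. This is presumably a pre-existing gap in the inner patch rather than something this commit introduces, since only the hunk layout moved here. `files_filetrans_system_conf_named_files` ends outside this hunk.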
@@ -11220,129 +11551,87 @@ index f962f76..d79969b 100644
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
- ')
-
--########################################
++')
++
+######################################
- ##
--## Search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain to not audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ##
--## Read the tmp directory (/tmp).
++##
+## Create files in /etc with the type used for
+## the manageable system config files.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## The type of the process performing this action.
+##
- ##
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
++##
+## Manage manageable system db files in /var/lib.
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Remove entries from the tmp directory.
++##
+## File name transition for system db files in /var/lib.
- ##
- ##
++##
++##
+##
+## Domain allowed access.
+##
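Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their `gen_require` blocks, but their only rules reference `system_conf_t`, which is not required anywhere. For a loadable module calling either interface this presumably fails with an undeclared type at build time, and `usr_t` is dragged into the caller's require block for no reason; the fix in both is `type system_conf_t;`. The `relabelfrom` interface also reuses the `relabelto` summary line verbatim ("Relabel manageable system configuration files in /etc."), so its description should be changed to something like `## Relabel from the type of manageable system configuration files in /etc.` to distinguish the two.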
@@ -11357,106 +11646,67 @@ index f962f76..d79969b 100644
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
+')
+
-+########################################
-+##
-+## Allow the specified type to associate
-+## to a filesystem with the type of the
-+## temporary directory (/tmp).
-+##
-+##
- ##
--## Domain allowed access.
-+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
-+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:filesystem associate;
- ')
+ ########################################
+ ##
+ ## Allow the specified type to associate
+@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',`
########################################
##
--## Read files in the tmp directory (/tmp).
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
++##
++##
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
-+## Get the attributes of the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Get the attributes of the tmp directory (/tmp).
##
##
- ##
-@@ -4392,53 +5215,56 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
-+interface(`files_getattr_tmp_dirs',`
- gen_require(`
+@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
-- manage_dirs_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir getattr;
+ allow $1 tmp_t:dir getattr;
')
########################################
##
--## Manage temporary files and directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
++##
++##
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
-+## Do not audit attempts to get the
-+## attributes of the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
##
##
##
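Review bot: `files_dontaudit_access_check_tmp` requires `type etc_t;` but its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the required type is wrong and `tmp_t` is never brought into the caller's scope; the `gen_require` should read `type tmp_t;`. Separately, `files_getattr_tmp_dirs` now carries `read_lnk_files_pattern($1, tmp_t, tmp_t)` next to `allow $1 tmp_t:dir getattr;`, which grants symlink read to every caller of what the name presents as a getattr-only interface. If following symlinks under /tmp is intended here, the interface description should say so; otherwise callers needing only `getattr` receive more than the name promises. `files_getattr_tmp_dirs` begins before the inner `@@ -4252` hunk shown here.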
@@ -11465,221 +11715,85 @@ index f962f76..d79969b 100644
##
##
#
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
+@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
-+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4446,35 +5272,37 @@ interface(`files_read_generic_tmp_symlinks',`
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
-+interface(`files_search_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Do not audit attempts to search the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
')
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ dontaudit $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List all tmp directories.
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4482,59 +5310,55 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Do not audit listing of the tmp directory (/tmp).
+@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
+@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
-########################################
+#######################################
##
--## Do not audit attempts to get the attributes
--## of all tmp files.
+-## Remove entries from the tmp directory.
+## Allow read and write to the tmp directory (/tmp).
##
##
-##
--## Domain not to audit.
+-## Domain allowed access.
-##
+##
+## Domain not to audit.
+##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-- gen_require(`
-- attribute tmpfile;
-- ')
++##
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- dontaudit $1 tmpfile:file getattr;
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Allow attempts to get the attributes
--## of all tmp files.
++')
++
++########################################
++##
+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4542,110 +5366,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:file getattr;
-+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## file types.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
--## Domain not to audit.
++##
++##
++##
+## Domain allowed access.
- ##
++##
##
#
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- dontaudit $1 tmpfile:sock_file getattr;
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
++ files_search_tmp($1)
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
+@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
########################################
##
--## Read all tmp files.
+## Allow shared library text relocations in tmp files.
- ##
++##
+##
+##
+## Allow shared library text relocations in tmp files.
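Review bot: The parameter description for `files_rw_generic_tmp_dir` says `## Domain not to audit.` although the interface grants access (`allow $1 tmp_t:dir rw_dir_perms;`), so it should read `## Domain allowed access.`; the same hunk corrects the wording to "Domain to not audit" for the real `dontaudit` interfaces, which makes the mismatch stand out more. Also worth noting for callers: `files_search_tmp` now additionally expands `fs_search_tmpfs($1)` and `read_lnk_files_pattern($1, tmp_t, tmp_t)`, and `files_list_tmp` gains the symlink read as well, so every existing caller of these very widely used interfaces silently receives tmpfs search and symlink access. That is probably intended for /tmp on tmpfs, but a one-line comment above the `fs_search_tmpfs($1)` call explaining why it belongs in a `files_` interface would help the next reader.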
@@ -11688,550 +11802,196 @@ index f962f76..d79969b 100644
+## This is added to support java policy.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`files_read_all_tmp_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:file execmod;
- ')
-
- ########################################
- ##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Manage temporary files and directories in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4653,22 +5465,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Read and write generic named sockets in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4676,17 +5483,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Search the content of /usr.
-+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4694,18 +5501,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
-+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
-@@ -4713,35 +5519,35 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
-+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## Set the attributes of all tmp directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ##
--## Add and remove entries from /usr directories.
-+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4749,36 +5555,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ##
- ##
- #
--interface(`files_rw_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
-+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
-+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4786,17 +5591,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## List all tmp directories.
- ##
- ##
- ##
-@@ -4804,73 +5609,59 @@ interface(`files_delete_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Relabel to and from all temporary
-+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
--')
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
+@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
--## Read generic files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Execute generic programs in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4878,55 +5669,58 @@ interface(`files_read_usr_files',`
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## dontaudit write of /usr files
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
--## Domain to not audit.
++## Relabel a dir from the type used in /tmp.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- dontaudit $1 usr_t:file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
++##
++##
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
++## Relabel a file from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
+ ##
+ ##
+@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
--## Create, read, write, and delete files in the /usr directory.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## Allow caller to read inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++##
++## Allow caller to append inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Allow caller to read and write inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_tmp_file',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## List all tmp directories.
+ ##
+ ##
+@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
#
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
- ')
-
- ########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
+@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
-@@ -4934,67 +5728,70 @@ interface(`files_manage_usr_files',`
+-## Domain not to audit.
++## Domain to not audit.
##
##
#
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
- ')
+@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
--## Relabel a file from the type used in /usr.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_relabelfrom_usr_files',`
++##
++##
++#
+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- relabelfrom_files_pattern($1, usr_t, usr_t)
++ ')
++
+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links in /usr.
++')
++
++########################################
++##
+## Do allow attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
++##
++##
++#
+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- read_lnk_files_pattern($1, usr_t, usr_t)
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /usr directory
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
++')
++
++########################################
++##
+ ## Create an object in the tmp directories, with a private
+ ## type using a type transition.
##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
- ##
--## The type of the object to be created
-+## The type of the object to be created.
- ##
- ##
--##
-+##
- ##
--## The object class.
-+## The object class of the object being created.
- ##
- ##
- ##
-@@ -5003,35 +5800,50 @@ interface(`files_read_usr_symlinks',`
- ##
- ##
- #
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type src_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
+ files_list_isid_type_dirs($1)
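Review bot: `files_read_inherited_tmp_files` grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so an interface named "read" hands out `append` on every `tmpfile` type, and it becomes a strict superset of the `files_append_inherited_tmp_files` interface defined right below it. If callers genuinely need both, the description should say "read and append"; otherwise drop `append` and use `allow $1 tmpfile:file read_inherited_file_perms;`, leaving append-only callers on the dedicated interface. Two smaller doc issues in the same hunk: `files_rw_tmp_file_leaks` is an `allow` rule but its parameter is documented as `## Domain to not audit.` (should be `## Domain allowed access.`), and `files_execmod_tmp` grants `execmod` across the whole `tmpfile` attribute, so its description should warn that it permits text relocations on any temp-file type, not only the caller's own tmp type.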
@@ -12245,1459 +12005,155 @@ index f962f76..d79969b 100644
')
########################################
- ##
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
- ##
- ##
- ##
-@@ -5039,20 +5851,17 @@ interface(`files_dontaudit_search_src',`
- ##
- ##
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
- ')
+@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
--## Read files in /usr/src.
-+## Search the content of /usr.
- ##
- ##
- ##
-@@ -5060,20 +5869,18 @@ interface(`files_getattr_usr_src_files',`
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
- ##
- ##
- ##
-@@ -5081,38 +5888,35 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
- ##
- ##
- ##
--## Domain allowed access.
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
- ')
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
+ ##
+ ##
+@@ -5241,6 +6470,24 @@ interface(`files_list_var',`
########################################
##
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5120,37 +5924,36 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
- ##
- ##
- ##
--## Domain allowed access.
++## Do not audit listing of the var directory (/var).
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
##
- ##
- ##
-@@ -5158,35 +5961,35 @@ interface(`files_delete_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5194,36 +5997,55 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
- ##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5231,36 +6053,37 @@ interface(`files_dontaudit_search_var',`
- ##
- ##
- #
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ##
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
- ##
- ##
- ##
-@@ -5268,17 +6091,17 @@ interface(`files_manage_var_dirs',`
- ##
- ##
- #
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
- ##
- ##
- ##
-@@ -5286,17 +6109,17 @@ interface(`files_read_var_files',`
- ##
- ##
- #
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ##
- ##
- ##
-@@ -5304,73 +6127,86 @@ interface(`files_append_var_files',`
- ##
- ##
- #
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
+@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
')
- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
- ##
- ##
- ##
-@@ -5378,50 +6214,41 @@ interface(`files_read_var_symlinks',`
- ##
- ##
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5429,69 +6256,56 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5499,17 +6313,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5517,70 +6332,54 @@ interface(`files_list_var_lib',`
- ##
- ##
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var/lib directory
-+## Search the contents of /var.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5588,41 +6387,36 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
- ##
- ##
- ##
-@@ -5630,36 +6424,36 @@ interface(`files_manage_urandom_seed',`
- ##
- ##
- #
--interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5667,38 +6461,35 @@ interface(`files_setattr_lock_dirs',`
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Read files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5706,19 +6497,17 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5726,60 +6515,54 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
+ dontaudit $1 var_t:file rw_inherited_file_perms;
')
########################################
- ##
--## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
+@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6570,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,165 +6589,156 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Create objects in the /var directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Delete all lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Read all lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_read_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
-+##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## Read-write /var/lib directories
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /var/run directory.
+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5974,59 +6746,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
-+
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
++##
++##
+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_search_pids',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the /var/run directory.
-+## Read generic files in /var/lib.
- ##
- ##
- ##
--## Domain to not audit.
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## Read generic symbolic links in /var/lib
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
++
++########################################
++##
+ ## Create objects in the /var/lib directory
##
##
- ##
-@@ -6034,18 +6818,18 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_read_var_lib_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
- ########################################
- ##
--## Read generic process ID files.
++########################################
++##
+## manage generic symbolic links
+## in the /var/lib directory.
- ##
- ##
- ##
-@@ -6053,19 +6837,1172 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_var_lib_symlinks',`
- gen_require(`
++ gen_require(`
+ type var_lib_t;
+ ')
+
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+')
+
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
-+########################################
-+##
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
+@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
+ files_search_locks($1)
+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5672,6 +6958,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',`
+
+ ########################################
+ ##
+-## List generic lock directories.
+## Do not audit attempts to read/write inherited
+## locks (/var/lock).
+##
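Review bot: `files_search_locks` now also pulls in `files_search_pids($1)` (the line added under `@@ -5672,6 +6958,7 @@`), which widens every caller's search access from the var_lock_t tree to the var_run_t tree, and nothing in the hunk says why. Presumably this is because /var/lock resolves through the runtime directory on current systems; if so, say it next to the call so the extra grant is not later removed as accidental, e.g. `# /var/lock resolves under /run, so searching it also needs var_run_t search access`. The `interface(` line of files_search_locks sits outside this inner hunk, so the enclosing interface is inferred from the hunk header only. Two style nits survive the rewrite as well: the interface added under `@@ -5112,6 +6323,24 @@` keeps the misspelled name `files_dontaduit_getattr_kernel_symbol_table` (any caller would have to be renamed together with it), and `manage_lnk_files_pattern($1,var_lib_t,var_lib_t)` lacks the spaces after commas that every neighbouring pattern call uses.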
@@ -13718,100 +12174,65 @@ index f962f76..d79969b 100644
+########################################
+##
+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_lock_t;
+ type var_lock_t;
-+ ')
-+
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',`
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
+ gen_require(`
+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ relabel_files_pattern($1, lockfile, lockfile)
+')
+
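Review bot: files_setattr_lock_dirs as rewritten here grants only `allow $1 var_lock_t:dir setattr;` and, unlike files_list_locks and files_rw_lock_dirs in the same hunk, does not call files_search_locks($1), so the var_t:dir search that the earlier setattr_dirs_pattern($1, var_t, var_lock_t) form carried is no longer granted by this interface. Callers may well obtain traversal elsewhere, but if the interface is meant to be usable on its own, `files_search_locks($1)` before the allow line keeps it consistent with its siblings; otherwise a one-line comment noting that the caller must provide search access to /var/lock would document the narrowing.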
@@ -13831,210 +12252,86 @@ index f962f76..d79969b 100644
+ ')
+
+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
+ gen_require(`
-+ type var_t, var_lock_t;
+ type var_t, var_lock_t;
+- ')
+ ')
-+
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5999,10 +7317,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+######################################
+##
+## Add and remove entries from pid directories.
@@ -14072,28 +12369,13 @@ index f962f76..d79969b 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -6025,6 +7381,25 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
+## Do not audit attempts to search
+## the all /var/run directory.
+##
@@ -14113,149 +12395,48 @@ index f962f76..d79969b 100644
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7414,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7433,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7453,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Create an object in the process ID directory, with a private type.
-+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+##
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6140,7 +7515,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6169,6 +7543,24 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
+## rw generic pid files inherited from another process
+##
+##
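Review bot: files_pid_filetrans drops `allow $1 var_run_t:lnk_file read_lnk_file_perms;` but keeps its own `allow $1 var_t:dir search_dir_perms;` instead of switching to `files_search_pids($1)` as files_list_pids, files_read_generic_pids and files_write_generic_pid_pipes do earlier in this hunk. If /var/run is a symlink on the target distribution, a domain that only uses this interface would now need the lnk_file read from somewhere else; replacing the allow line with `files_search_pids($1)` restores that and keeps files_pid_filetrans_lock_dir, which calls it, consistent with the rest. The interface's gen_require block starts above this hunk.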
@@ -14274,340 +12455,402 @@ index f962f76..d79969b 100644
+
+########################################
+##
-+## Read and write generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ ## Read and write generic process ID files.
+ ##
+ ##
+@@ -6182,7 +7574,7 @@ interface(`files_rw_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to ioctl daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_ioctl_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,55 +7641,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+-## Read all process ID files.
+## Relable all pid directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
+## Delete all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
+## Create all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6305,42 +7685,35 @@ interface(`files_delete_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Create all pid named pipes
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain alloed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6348,18 +7721,18 @@ interface(`files_manage_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## manage all pidfile directories
+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6367,37 +7740,40 @@ interface(`files_mounton_all_poly_members',`
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
+ ')
+
+
-+
-+########################################
-+##
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
+## Read all process ID files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_read_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute pidfile;
+ type var_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Relable all pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6405,18 +7781,17 @@ interface(`files_dontaudit_search_spool',`
+ ##
+ ##
+ #
+-interface(`files_list_spool',`
+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Execute generic programs in /var/run in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6424,18 +7799,18 @@ interface(`files_list_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
+## manage all pidfiles
+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6443,19 +7818,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_manage_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
+## Mount filesystems on all polyinstantiation
+## member directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6463,55 +7837,43 @@ interface(`files_read_generic_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute polymember;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_delete_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
+ type var_t, var_run_t;
-+ ')
-+
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6519,53 +7881,68 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute pidfile;
- type var_t, var_run_t;
++ type var_t, var_run_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-+
+
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+########################################
+##
+## Make the specified type a file
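Review bot: files_read_all_pids is the one pid interface in this hunk that does not call files_search_pids($1); list_dirs_pattern($1, var_t, pidfile) gives it var_t:dir search, but the var_run_t:lnk_file read that the replaced version carried is gone, so a domain that has only this interface may be denied when /var/run is a symlink — if that is intended, a short comment saying callers must add files_search_pids would help. Conversely files_delete_all_pids and files_delete_all_pid_dirs call files_search_pids($1) and then repeat `allow $1 var_t:dir search_dir_perms;`, which search_dirs_pattern already grants, so the extra line can be dropped. Two style nits: `manage_dirs_pattern($1,pidfile,pidfile)` and `manage_files_pattern($1,pidfile,pidfile)` omit the spaces after commas used everywhere else in the file, and the summaries `## Relable all pid directories` / `## Relable all pid files` should read `Relabel`.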
@@ -14650,27 +12893,31 @@ index f962f76..d79969b 100644
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
-+ ')
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
+## Create all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6573,10 +7950,819 @@ interface(`files_polyinstantiate_all',`
+ ##
+ ##
+ #
+-interface(`files_unconfined',`
+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
@@ -14749,35 +12996,29 @@ index f962f76..d79969b 100644
+ ')
+
+ dontaudit $1 var_spool_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## List the contents of generic spool
+## (/var/spool) directories.
- ##
- ##
- ##
-@@ -6073,43 +8010,189 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_list_spool',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
+##
@@ -14947,40 +13188,17 @@ index f962f76..d79969b 100644
+########################################
+##
+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##
++##
++##
+## Create a core file in /,
- ##
- ##
- ##
-@@ -6117,14 +8200,82 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+#
+interface(`files_manage_root_files',`
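Review bot: The documentation for files_manage_root_files reads `## Create a core files in /` in the summary and `## Create a core file in /,` in the description, which is ungrammatical and narrower than the interface name suggests; the interface body is below this hunk, so I cannot confirm what it grants. Suggest `## Create, read, write, and delete files in /.` for the summary (or `## Create a core file in /.` if core files are genuinely all it is for) and completing the dangling description sentence.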
@@ -15050,401 +13268,291 @@ index f962f76..d79969b 100644
+##
+##
+##
- ##
--## The type of the object to be created.
++##
+## Type of the directory to be transitioned from
- ##
- ##
- ##
- ##
--## The object class of the object being created.
++##
++##
++##
++##
+## The class of the object being created.
- ##
- ##
- ##
-@@ -6132,65 +8283,56 @@ interface(`files_write_generic_pid_pipes',`
- ## The name of the object being created.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
-- gen_require(`
-- type var_t, var_run_t;
-- ')
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
+interface(`files_filetrans_lib',`
+ gen_require(`
+ type lib_t, lib_t;
+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++
+ filetrans_pattern($1, $2, lib_t, $3, $4)
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
++')
++
++########################################
++##
+## manage generic symbolic links
+## in the /var/run directory.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
++##
++##
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_lock_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
++')
++
++########################################
++##
+## Do not audit attempts to getattr
+## all tmpfs files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
++')
++
++########################################
++##
+## Allow read write all tmpfs files
- ##
- ##
- ##
-@@ -6198,19 +8340,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
++ ')
++
+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6218,38 +8358,43 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
++ ')
++
+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
++')
++
++########################################
++##
+## rw any files inherited from another process
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
+##
+## Object type.
+##
+##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
-@@ -6258,127 +8403,111 @@ interface(`files_dontaudit_ioctl_all_pids',`
- ##
- ##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
--
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
+ allow $1 file_type:file entrypoint;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Do not audit attempts to read or write
+## all leaked files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
++##
++##
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Allow domain to create_file_ass all types
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## Do not audit attempts to write to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++##
+## Allow domain to delete to all files
- ##
- ##
- ##
-@@ -6386,132 +8515,189 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++#
+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type etc_t;
+ type mnt_t;
+ type usr_t;
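Review bot: `files_entrypoint_all_files` emits `allow $1 file_type:file entrypoint;`, so a file of any type on the system — including content under tmp or home directories that unprivileged domains can write — becomes a valid entrypoint for the caller, which removes the executable-type check that domain transitions normally rely on; its summary should at least state the intended audience, e.g. `## Allow any file type to be the entrypoint of this domain (unconfined use only).`. `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs` document their parameter as `## Domain to not audit.` although both emit allow rules, so it should read `## Domain allowed access.`, and their summaries `## Allow domain to delete to all files` / `## Allow domain to delete to all dirs` need the stray "to" removed. The summary of `files_create_as_is_all_files`, `## Allow domain to create_file_ass all types`, should read `## Allow domain to create files as all types (kernel_service create_files_as).`. `files_filetrans_lib` requires `type lib_t, lib_t;`, listing lib_t twice; `type lib_t;` is enough. `files_rw_all_inherited_files` uses `{ file_type $2 }`, which includes security_file_type, so callers inherit rw on shadow-class files too; worth a note in its summary.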
@@ -15453,10 +13561,8 @@ index f962f76..d79969b 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -15494,15 +13600,13 @@ index f962f76..d79969b 100644
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Make the specified type a
+## base file.
- ##
--##
++##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -15510,25 +13614,20 @@ index f962f76..d79969b 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type to be used as a base files.
- ##
- ##
++##
++##
+##
- #
--interface(`files_read_generic_spool',`
++#
+interface(`files_base_file',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_file_type;
- ')
++ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
+')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++
+########################################
+##
+## Make the specified type a
@@ -15552,155 +13651,82 @@ index f962f76..d79969b 100644
+ ')
+ files_base_file($1)
+ typeattribute $1 base_ro_file_type;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## Read all ro base files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_manage_generic_spool',`
++#
+interface(`files_read_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Execute all base ro files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ##
- ##
- ##
-@@ -6519,53 +8705,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6573,10 +8723,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_status_etc',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ type etc_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 etc_t:service status;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
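Review bot: `files_config_all_files` emits `allow $1 file_type:service all_service_perms;`, which gives the caller every permission of the service class on the systemd unit associated with any file type on the system, while its summary only says it may "modify the systemd configuration of any file"; spell out the scope, e.g. `## Grants all service permissions on every file type; intended for systemd-administration and unconfined domains only.`. `files_status_etc` right below it is correctly limited to `etc_t:service status`, which is the pattern most callers should follow. The summary of `files_base_file` reads `## Type to be used as a base files.`; `## Type to be used as a base file.` fixes the grammar.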
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8a3e7dba..5a3fddc1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2998,7 +2998,7 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..83590aa
+index 0000000..8cc6120
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,273 @@
@@ -3068,7 +3068,7 @@ index 0000000..83590aa
+# antivirus domain local policy
+#
+
-+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
++allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
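Review bot: Adding `sys_admin` to the capability set of the whole `antivirus_domain` attribute is the broadest grant in this commit: CAP_SYS_ADMIN covers mount, setns, quota control and many other root-equivalent operations, and every domain carrying the attribute gains it, not only the engine that produced the denial. If the denial comes from a probe (a scanner testing a filesystem feature, for instance) rather than a required operation, `dontaudit antivirus_domain self:capability sys_admin;` is the tighter fix; otherwise the allow belongs in the specific per-engine domain. Either way a comment next to the rule, `# sys_admin: needed for <operation> by <engine>`, would let the next reviewer verify why it is there.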
@@ -13677,10 +13677,10 @@ index 5f306dd..e01156f 100644
')
diff --git a/cockpit.fc b/cockpit.fc
new file mode 100644
-index 0000000..b71de28
+index 0000000..bb87537
--- /dev/null
+++ b/cockpit.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
+# cockpit stuff
+
+/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
@@ -13689,6 +13689,8 @@ index 0000000..b71de28
+/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+
+/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
++
++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)
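Review bot: The new `/var/lib/cockpit(/.*)?` entry labels content `cockpit_var_lib_t`, but no `type cockpit_var_lib_t;` declaration or `files_type(cockpit_var_lib_t)` appears in this diff; if cockpit.te does not already declare the type, the file-context entry fails at policy build time, and if it does, the cockpit domains still need rules (a `manage_dirs_pattern`/`manage_files_pattern` on it) before they can write under that path, so confirm both against cockpit.te. The pattern carries no file-type specifier, so it applies to the directory and everything below it, matching the other `(/.*)?` entries in this file.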
diff --git a/cockpit.if b/cockpit.if
new file mode 100644
index 0000000..573dcae
@@ -24321,10 +24323,10 @@ index 0000000..fd679a1
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..76eb32e
+index 0000000..2a614ed
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,364 @@
+@@ -0,0 +1,365 @@
+
+## The open-source application container engine.
+
@@ -24622,6 +24624,7 @@ index 0000000..76eb32e
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
+')
+
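Review bot: The added `filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")` only relabels a resolv.conf that the calling domain itself creates inside a `docker_var_lib_t` directory; files that already exist, or that another domain creates, keep `docker_var_lib_t` and stay unreadable from the container. The sibling `config.env` is handled by both a named transition and a docker.fc entry (`/var/lib/docker/.*/config\.env`), so unless an equivalent fc line for resolv.conf exists elsewhere in this diff, add `/var/lib/docker/.*/resolv\.conf gen_context(system_u:object_r:docker_share_t,s0)` so that restorecon produces the same label. Sharing resolv.conf as `docker_share_t` is read-only exposure of resolver configuration, consistent with the hosts and hostname entries above it.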
@@ -30749,10 +30752,10 @@ index e39de43..5edcb83 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..c416ef4 100644
+index ab09d61..0734f6b 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,52 +1,78 @@
+@@ -1,52 +1,76 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
@@ -30843,42 +30846,44 @@ index ab09d61..c416ef4 100644
#
template(`gnome_role_template',`
- gen_require(`
+- attribute gnomedomain, gkeyringd_domain;
+ gen_require(`
- attribute gnomedomain, gkeyringd_domain;
++ attribute gnomedomain, gkeyringd_domain, gnome_home_type;
attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
-+ type gnome_home_t;
-+ type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;
++ type gkeyringd_exec_t, gkeyringd_tmp_t;
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
- type gconf_home_t;
-+ class dbus send_msg;
+- type gconf_home_t;
++ class dbus send_msg;
')
########################################
-@@ -76,12 +102,12 @@ template(`gnome_role_template',`
+@@ -74,14 +98,11 @@ template(`gnome_role_template',`
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
+ domtrans_pattern($3, gconfd_exec_t, gconfd_t)
+
+- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-
+-
- allow $3 gconfd_t:process { ptrace signal_perms };
+ allow $3 gconfd_t:process { signal_perms };
-+ allow $3 gconfd_t:unix_stream_socket connectto;
++ allow $3 gconfd_t:unix_stream_socket connectto;
ps_process_pattern($3, gconfd_t)
+
########################################
#
# Gkeyringd policy
-@@ -89,37 +115,85 @@ template(`gnome_role_template',`
+@@ -89,37 +110,85 @@ template(`gnome_role_template',`
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
-+ allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms };
++ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
++ allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
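Review bot: The new rules give the user role `relabel_dir_perms`/`relabel_file_perms` together with manage permissions on every type carrying `gnome_home_type`, so a user domain can now relabel between all GNOME home types (keyring storage included) instead of the few explicit types listed before; that matches the commit's intent, but the attribute has to be declared in gnome.te and each GNOME home type must carry it via `typeattribute`, which is outside this hunk. `gnome_home_t` was dropped from the gen_require block; if any line later in gnome_role_template (the template continues past this hunk) still names it, the build fails, so check the remainder. A comment above the two allow lines, `# manage and relabel all gnome home content via the gnome_home_type attribute`, would record why the explicit type list went away.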
@@ -30970,7 +30975,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -127,18 +201,18 @@ template(`gnome_role_template',`
+@@ -127,18 +196,18 @@ template(`gnome_role_template',`
##
##
#
@@ -30994,7 +30999,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -31151,7 +31156,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -31178,7 +31183,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -31286,7 +31291,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -31310,7 +31315,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -356,22 +466,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +461,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -31338,7 +31343,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -31400,7 +31405,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -31423,7 +31428,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -31451,7 +31456,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -475,22 +561,18 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -31478,7 +31483,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -498,79 +580,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
+@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
##
##
#
@@ -31576,7 +31581,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -579,12 +641,12 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -579,12 +636,12 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
##
@@ -31591,7 +31596,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -593,18 +655,18 @@ interface(`gnome_home_filetrans_gnome_home',`
+@@ -593,18 +650,18 @@ interface(`gnome_home_filetrans_gnome_home',`
##
##
#
@@ -31616,7 +31621,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -612,46 +674,80 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,46 +669,80 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -31714,7 +31719,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -659,46 +755,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
+@@ -659,46 +750,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
##
##
#
@@ -31739,22 +31744,22 @@ index ab09d61..c416ef4 100644
##
-##
+##
- ##
--## The prefix of the user domain (e.g., user
--## is the prefix for user_t).
++##
+## Domain allowed access.
+##
+##
+##
-+##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
+## The class of the object to be created.
-+##
-+##
+ ##
+ ##
+##
+##
+## The name of the object being created.
- ##
- ##
++##
++##
+#
+interface(`gnome_admin_home_gconf_filetrans',`
+ gen_require(`
@@ -31796,7 +31801,7 @@ index ab09d61..c416ef4 100644
##
##
##
-@@ -706,12 +820,985 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +815,985 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -31806,10 +31811,8 @@ index ab09d61..c416ef4 100644
- attribute gkeyringd_domain;
- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
- ')
-
-- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ ')
++
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@@ -31950,9 +31953,10 @@ index ab09d61..c416ef4 100644
+interface(`gnome_list_gkeyringd_tmp_dirs',`
+ gen_require(`
+ type gkeyringd_tmp_t;
-+ ')
-+
-+ files_search_tmp($1)
+ ')
+
+ files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
+')
+
@@ -41933,7 +41937,7 @@ index be0ab84..3ebbcc0 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index ab65034..28f63b5 100644
+index ab65034..dd17cb0 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@@ -41981,12 +41985,13 @@ index ab65034..28f63b5 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -100,23 +108,14 @@ libs_read_lib_files(logwatch_t)
+@@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
-miscfiles_read_localization(logwatch_t)
--
++miscfiles_read_hwdata(logwatch_t)
+
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
@@ -42005,7 +42010,7 @@ index ab65034..28f63b5 100644
corenet_sendrecv_smtp_client_packets(logwatch_t)
corenet_tcp_connect_smtp_port(logwatch_t)
corenet_tcp_sendrecv_smtp_port(logwatch_t)
-@@ -160,6 +159,12 @@ optional_policy(`
+@@ -160,6 +161,12 @@ optional_policy(`
')
optional_policy(`
@@ -42018,7 +42023,7 @@ index ab65034..28f63b5 100644
rpc_search_nfs_state_data(logwatch_t)
')
-@@ -187,6 +192,19 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -49813,7 +49818,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c..58ba0ce 100644
+index ff1d68c..c8070da 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -49954,7 +49959,8 @@ index ff1d68c..58ba0ce 100644
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
@@ -49964,8 +49970,7 @@ index ff1d68c..58ba0ce 100644
+
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-
--userdom_use_user_terminals(system_mail_t)
++
+logging_append_all_logs(system_mail_t)
+
+logging_send_syslog_msg(system_mail_t)
@@ -50078,7 +50083,18 @@ index ff1d68c..58ba0ce 100644
')
optional_policy(`
-@@ -287,42 +331,36 @@ optional_policy(`
+@@ -279,6 +323,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_write_inhibit_pipes(system_mail_t)
++')
++
++optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+@@ -287,42 +335,36 @@ optional_policy(`
')
optional_policy(`
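Review bot: `systemd_write_inhibit_pipes(system_mail_t)` grants write on systemd inhibitor pipes to the whole system_mail_t domain, although the commit message scopes the need to newaliases; if the pipe is only inherited from a caller holding an inhibitor lock (a package scriptlet, for example), the tighter fix is a dontaudit on the inherited fd rather than an allow, so confirm which operation actually writes to it. The interface itself must exist in systemd.if, which this diff does not show. A one-line comment above the call, `# newaliases inherits the systemd inhibit pipe from its caller`, would record why an MTA domain touches inhibitor state.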
@@ -50131,7 +50147,7 @@ index ff1d68c..58ba0ce 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,44 +373,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -50201,7 +50217,7 @@ index ff1d68c..58ba0ce 100644
')
optional_policy(`
-@@ -381,24 +423,49 @@ optional_policy(`
+@@ -381,24 +427,49 @@ optional_policy(`
########################################
#
@@ -52385,15 +52401,16 @@ index 0000000..79f1250
+
+fs_getattr_xattr_fs(naemon_t)
diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..02f18ac 100644
+index d78dfc3..40e1c77 100644
--- a/nagios.fc
+++ b/nagios.fc
-@@ -1,88 +1,109 @@
+@@ -1,88 +1,113 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
++/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
@@ -52423,8 +52440,11 @@ index d78dfc3..02f18ac 100644
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
+
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
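Review bot: The pnp4nagios entries cover /etc, /var/log and /var/lib but no spool directory; if pnp4nagios's performance-data spool (commonly under /var/spool/pnp4nagios) is in use on this distribution, it needs an entry next to `/var/spool/nagios(/.*)?`, e.g. `/var/spool/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)`, otherwise it falls back to var_spool_t and the spool rules in nagios.te do not apply to it; confirm against the package's file list. Mapping pnp4nagios onto the existing nagios types rather than new ones means every nagios domain gains the same access to pnp4nagios content, which is acceptable only if the two run under the same domains.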
@@ -52806,7 +52826,7 @@ index 0641e97..cad402c 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682..6d966d5 100644
+index 7b3e682..a22a321 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -52884,17 +52904,18 @@ index 7b3e682..6d966d5 100644
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
-@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
+@@ -110,7 +118,9 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
++manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file })
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +133,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
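Review bot: `manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)` is added, but the `files_spool_filetrans` call right below it still lists only `{ file fifo_file }`, so a socket nagios_t creates directly under /var/spool would get the generic spool type and the new rule would not apply to it. If the socket lives under /var/spool/nagios it inherits nagios_spool_t from the directory label (labeled in nagios.fc) and nothing more is needed; otherwise extend the transition to `files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file sock_file })`. The inner hunk header was bumped to `+118,9` for the extra line, which is consistent.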
@@ -52902,7 +52923,7 @@ index 7b3e682..6d966d5 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +152,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -52910,7 +52931,7 @@ index 7b3e682..6d966d5 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
-@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +161,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -52919,7 +52940,7 @@ index 7b3e682..6d966d5 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,35 +183,37 @@ optional_policy(`
+@@ -178,35 +184,37 @@ optional_policy(`
#
# CGI local policy
#
@@ -52975,7 +52996,7 @@ index 7b3e682..6d966d5 100644
')
########################################
-@@ -229,9 +236,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+@@ -229,9 +237,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@@ -52986,7 +53007,7 @@ index 7b3e682..6d966d5 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -252,8 +259,8 @@ dev_read_urand(nrpe_t)
+@@ -252,8 +260,8 @@ dev_read_urand(nrpe_t)
domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
@@ -52996,7 +53017,7 @@ index 7b3e682..6d966d5 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +269,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +270,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -53005,7 +53026,7 @@ index 7b3e682..6d966d5 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +315,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +316,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -53024,7 +53045,7 @@ index 7b3e682..6d966d5 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +350,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +351,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -53034,7 +53055,7 @@ index 7b3e682..6d966d5 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +365,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +366,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -53048,7 +53069,7 @@ index 7b3e682..6d966d5 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +401,11 @@ optional_policy(`
+@@ -391,6 +402,11 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -53060,7 +53081,7 @@ index 7b3e682..6d966d5 100644
')
optional_policy(`
-@@ -411,6 +426,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +427,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -53068,7 +53089,7 @@ index 7b3e682..6d966d5 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,14 +436,18 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,14 +437,18 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -53089,7 +53110,7 @@ index 7b3e682..6d966d5 100644
#######################################
#
# Event local policy
-@@ -442,11 +462,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,11 +463,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -65000,10 +65021,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..d9513e4
+index 0000000..0cb8f0a
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,279 @@
+@@ -0,0 +1,280 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -65077,9 +65098,9 @@ index 0000000..d9513e4
+# pki-tomcat local policy
+#
+
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
+dontaudit pki_tomcat_t self:capability net_admin;
-+allow pki_tomcat_t self:process { signal setsched signull execmem };
++allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+allow pki_tomcat_t self:tcp_socket { accept listen };
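Review bot: `setfscreate` on self:process lets pki_tomcat_t choose the label of files it creates, bounded only by the `create`/`relabelto` access it holds on the target types, and the next hunk (ending on the `relabelfrom_file_perms` line) adds only the `relabelfrom` half on pki_tomcat_etc_rw_t with no matching `relabelto`. If the scriptlet relabels within pki_tomcat_etc_rw_t, `relabel_file_perms` is the pair needed; if it relabels to another type, that rule is outside these hunks and should be reviewed together with this one. A why-comment above the process rule, e.g. `# setfscreate: pki-tomcat scriptlets set the context of files they create (process class, not capability)`, would keep the next reader from moving it back to the wrong class, which the changelog says happened before.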
@@ -65090,6 +65111,7 @@ index 0000000..d9513e4
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
@@ -76487,10 +76509,10 @@ index f47c8e8..3710974 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..2bf7656 100644
+index c5ad6de..af2d46f 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
-@@ -1,10 +1,19 @@
+@@ -1,10 +1,18 @@
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
@@ -76499,7 +76521,6 @@ index c5ad6de..2bf7656 100644
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
-+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmqctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
@@ -92206,18 +92227,23 @@ index e2544e1..d3fbd78 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
-index 7292dc0..103278d 100644
+index 7292dc0..26fc8f4 100644
--- a/slocate.te
+++ b/slocate.te
-@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t)
+@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
++files_getattr_isid_type(locate_t)
files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
++files_getattr_all_chr_files(locate_t)
++files_getattr_all_blk_files(locate_t)
files_getattr_all_pipes(locate_t)
-@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+@@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
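Review bot: The three new rules are getattr-only, which is the right scope for an indexer, but they widen locate_t to objects with no label (`files_getattr_isid_type`) and to chr/blk nodes on non-dev file systems, and nothing in the hunk says why. `files_getattr_isid_type` looks like an interface introduced in the base patch of this same commit (files.if is touched there) rather than upstream refpolicy; confirm the name matches what is actually defined, since a missing interface only surfaces at policy build time. A short comment above the block, `# updatedb walks every mounted file system, including unlabeled content and device nodes outside /dev; getattr only`, would document the intent and discourage later widening to read.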
@@ -92225,7 +92251,7 @@ index 7292dc0..103278d 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
-@@ -71,3 +71,8 @@ ifdef(`enable_mls',`
+@@ -71,3 +74,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
@@ -100952,7 +100978,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 34a8917..85774c6 100644
+index 34a8917..21add3e 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -100977,7 +101003,8 @@ index 34a8917..85774c6 100644
# Local policy
#
- allow usbmuxd_t self:capability { kill setgid setuid };
+-allow usbmuxd_t self:capability { kill setgid setuid };
++allow usbmuxd_t self:capability { chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
allow usbmuxd_t self:process { signal signull };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
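Review bot: `chown` is added to usbmuxd_t's capability set without a comment, and the changelog entry only says "Allow usbmuxd chown capabilities", so the reason is lost to the next reader. The reachable objects are bounded by the `setattr` access usbmuxd_t already has on file types, so the exposure is limited, but the object involved is still worth recording — presumably its runtime socket when it drops privileges (confirm against the denial that prompted this). `# chown: usbmuxd changes the owner of <object — confirm from the AVC> after dropping privileges` above the rule would do.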
@@ -104077,7 +104104,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..b1e7d75 100644
+index f03dcf5..fe1bceb 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,227 @@
@@ -104378,7 +104405,7 @@ index f03dcf5..b1e7d75 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +230,134 @@ ifdef(`enable_mls',`
+@@ -153,299 +230,135 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -104742,6 +104769,7 @@ index f03dcf5..b1e7d75 100644
+allow virt_domain virtd_t:fd use;
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
++allow virt_domain virtd_t:tun_socket attach_queue;
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
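Review bot: `allow virt_domain virtd_t:tun_socket attach_queue;` is the workaround the changelog describes as temporary ("until we get proper handling in libvirtd"), but the rule carries no marker, so it will outlive the libvirtd fix. It is type-based, so every virt_domain may attach queues to any tun_socket of type virtd_t, not just the tap the guest was handed — exactly the broadening a proper FD hand-off would avoid. Mark it in place, e.g. `# TODO: temporary — guests attach queues to virtd-opened taps; drop once libvirtd passes the tap FD itself (tracking: <bug id — placeholder>)`.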
@@ -104755,7 +104783,7 @@ index f03dcf5..b1e7d75 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +367,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +368,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -104802,7 +104830,7 @@ index f03dcf5..b1e7d75 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +402,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +403,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -104833,7 +104861,7 @@ index f03dcf5..b1e7d75 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +423,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +424,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -104861,7 +104889,7 @@ index f03dcf5..b1e7d75 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +443,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -104894,7 +104922,7 @@ index f03dcf5..b1e7d75 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +494,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -104914,7 +104942,7 @@ index f03dcf5..b1e7d75 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +516,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +517,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -104951,7 +104979,7 @@ index f03dcf5..b1e7d75 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +544,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +545,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -104960,7 +104988,7 @@ index f03dcf5..b1e7d75 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +569,12 @@ optional_policy(`
+@@ -665,20 +570,12 @@ optional_policy(`
')
optional_policy(`
@@ -104981,7 +105009,7 @@ index f03dcf5..b1e7d75 100644
')
optional_policy(`
-@@ -691,20 +587,26 @@ optional_policy(`
+@@ -691,20 +588,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -105012,7 +105040,7 @@ index f03dcf5..b1e7d75 100644
')
optional_policy(`
-@@ -712,11 +614,18 @@ optional_policy(`
+@@ -712,11 +615,18 @@ optional_policy(`
')
optional_policy(`
@@ -105031,7 +105059,7 @@ index f03dcf5..b1e7d75 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,11 +636,19 @@ optional_policy(`
+@@ -727,11 +637,19 @@ optional_policy(`
')
optional_policy(`
@@ -105053,7 +105081,7 @@ index f03dcf5..b1e7d75 100644
kernel_write_xen_state(virtd_t)
xen_exec(virtd_t)
-@@ -746,44 +663,277 @@ optional_policy(`
+@@ -746,44 +664,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -105353,7 +105381,7 @@ index f03dcf5..b1e7d75 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +944,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +945,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -105380,7 +105408,7 @@ index f03dcf5..b1e7d75 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +964,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +965,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -105414,7 +105442,7 @@ index f03dcf5..b1e7d75 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1001,20 @@ optional_policy(`
+@@ -856,14 +1002,20 @@ optional_policy(`
')
optional_policy(`
@@ -105436,7 +105464,7 @@ index f03dcf5..b1e7d75 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1039,65 @@ optional_policy(`
+@@ -888,49 +1040,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -105520,7 +105548,7 @@ index f03dcf5..b1e7d75 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1109,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1110,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -105540,7 +105568,7 @@ index f03dcf5..b1e7d75 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1130,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1131,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -105564,7 +105592,7 @@ index f03dcf5..b1e7d75 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1155,317 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1156,317 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -106020,7 +106048,7 @@ index f03dcf5..b1e7d75 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1478,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1479,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -106035,7 +106063,7 @@ index f03dcf5..b1e7d75 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1496,8 @@ optional_policy(`
+@@ -1192,9 +1497,8 @@ optional_policy(`
########################################
#
@@ -106046,7 +106074,7 @@ index f03dcf5..b1e7d75 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1510,219 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1511,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -107573,7 +107601,7 @@ index fd2b6cc..938c4a7 100644
+')
+
diff --git a/wine.te b/wine.te
-index 491b87b..72ce165 100644
+index 491b87b..2a79df4 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
@@ -107589,7 +107617,7 @@ index 491b87b..72ce165 100644
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
-@@ -25,56 +26,59 @@ role wine_roles types wine_t;
+@@ -25,56 +26,63 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
@@ -107601,30 +107629,30 @@ index 491b87b..72ce165 100644
# Local policy
#
+domain_mmap_low(wine_t)
-
--allow wine_t self:process { execstack execmem execheap };
--allow wine_t self:fifo_file manage_fifo_file_perms;
++
+optional_policy(`
+ unconfined_domain(wine_t)
+')
--can_exec(wine_t, wine_exec_t)
+-allow wine_t self:process { execstack execmem execheap };
+-allow wine_t self:fifo_file manage_fifo_file_perms;
--userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+-can_exec(wine_t, wine_exec_t)
+########################################
+#
+# Common wine domain policy
+#
--manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
--manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
--files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+allow wine_domain self:process { execstack execmem execheap };
+allow wine_domain self:fifo_file manage_fifo_file_perms;
--domain_mmap_low(wine_t)
+-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
+can_exec(wine_domain, wine_exec_t)
-+
+
+-domain_mmap_low(wine_t)
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
@@ -107659,19 +107687,21 @@ index 491b87b..72ce165 100644
optional_policy(`
- rtkit_scheduled(wine_t)
-+ rtkit_scheduled(wine_domain)
++ gnome_create_generic_cache_dir(wine_domain)
')
optional_policy(`
- unconfined_domain(wine_t)
++ rtkit_scheduled(wine_domain)
+ ')
+
+ optional_policy(`
+- xserver_read_xdm_pid(wine_t)
+- xserver_rw_shm(wine_t)
+ xserver_read_xdm_pid(wine_domain)
+ xserver_rw_shm(wine_domain)
')
-
--optional_policy(`
-- xserver_read_xdm_pid(wine_t)
-- xserver_rw_shm(wine_t)
--')
++
diff --git a/wireshark.te b/wireshark.te
index ff6ef38..436d3bf 100644
--- a/wireshark.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index af65997f..6ee3ce09 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 81%{?dist}
+Release: 82%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 18 2014 Miroslav Grepl 3.13.1-82
+- Allow du running in logwatch_t read hwdata.
+- Allow sys_admin capability for antivirus domians.
+- Use nagios_var_lib_t instead of nagios_lib_t in nagios.fc.
+- Add support for pnp4nagios.
+- Add missing labeling for /var/lib/cockpit.
+- Label resolv.conf as docker_share_t under docker so we can read within a container
+- Remove labeling for rabbitmqctl
+- setfscreate in pki.te is not capability class.
+- Allow virt domains to use virtd tap FDs until we get proper handling in libvirtd.
+- Allow wine domains to create cache dirs.
+- Allow newaliases to systemd inhibit pipes.
+- Add fixes for pki-tomcat scriptlet handling.
+- Allow user domains to manage all gnome home content
+- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
+- Allow usbmuxd chown capabilitiesllow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
+
* Thu Sep 11 2014 Lukas Vrabec 3.13.1-81
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.