make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames.

refpolicy/Changelog

@@ -1,3 +1,6 @@
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+  and move bootloader to admin layer.
 - Add semanage policy for semodule from Dan Walsh.
 - Remove allow_execmem from targeted policy domain_base_type().
 - Add users_extra and seusers support.

refpolicy/policy/modules/admin/acct.te

@@ -57,7 +57,7 @@ files_list_usr(acct_t)
 # for nscd
 files_dontaudit_search_pids(acct_t)
 
-init_use_fd(acct_t)
+init_use_fds(acct_t)
 init_use_script_ptys(acct_t)
 init_exec_script_files(acct_t)
 

refpolicy/policy/modules/admin/consoletype.te

@@ -36,7 +36,7 @@ allow consoletype_t self:sem create_sem_perms;
 allow consoletype_t self:msgq create_msgq_perms;
 allow consoletype_t self:msg { send receive };
 
-kernel_use_fd(consoletype_t)
+kernel_use_fds(consoletype_t)
 kernel_dontaudit_read_system_state(consoletype_t)
 
 fs_getattr_all_fs(consoletype_t)
@@ -46,7 +46,7 @@ fs_write_nfs_files(consoletype_t)
 term_use_console(consoletype_t)
 term_use_unallocated_ttys(consoletype_t)
 
-init_use_fd(consoletype_t)
+init_use_fds(consoletype_t)
 init_use_script_ptys(consoletype_t)
 init_use_script_fds(consoletype_t)
 init_write_script_pipes(consoletype_t)
@@ -68,7 +68,7 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`apm',`
-	apm_use_fd(consoletype_t)
+	apm_use_fds(consoletype_t)
 	apm_write_pipes(consoletype_t)
 ')
 
@@ -83,12 +83,12 @@ optional_policy(`cron',`
 
 optional_policy(`firstboot',`
 	files_read_etc_files(consoletype_t)
-	firstboot_use_fd(consoletype_t)
+	firstboot_use_fds(consoletype_t)
 	firstboot_write_pipes(consoletype_t)
 ')
 
 optional_policy(`logrotate',`
-	logrotate_dontaudit_use_fd(consoletype_t)
+	logrotate_dontaudit_use_fds(consoletype_t)
 ')
 
 optional_policy(`lpd',`

refpolicy/policy/modules/admin/ddcprobe.te

@@ -24,7 +24,7 @@ kernel_read_system_state(ddcprobe_t)
 kernel_read_kernel_sysctls(ddcprobe_t)
 kernel_change_ring_buffer_level(ddcprobe_t)
 
-bootloader_search_kernel_modules(ddcprobe_t)
+files_search_kernel_modules(ddcprobe_t)
 
 corecmd_list_sbin(ddcprobe_t)
 corecmd_list_bin(ddcprobe_t)

refpolicy/policy/modules/admin/dmesg.te

@@ -50,7 +50,7 @@ ifdef(`strict_policy',`
 	# for when /usr is not mounted:
 	files_dontaudit_search_isid_type_dirs(dmesg_t)
 
-	init_use_fd(dmesg_t)
+	init_use_fds(dmesg_t)
 	init_use_script_ptys(dmesg_t)
 
 	libs_use_ld_so(dmesg_t)

refpolicy/policy/modules/admin/dmidecode.te

@@ -30,7 +30,7 @@ files_list_usr(dmidecode_t)
 libs_use_ld_so(dmidecode_t)
 libs_use_shared_libs(dmidecode_t)
 
-locallogin_use_fd(dmidecode_t)
+locallogin_use_fds(dmidecode_t)
 
 ifdef(`targeted_policy',`
 	term_use_generic_ptys(dmidecode_t)

refpolicy/policy/modules/admin/firstboot.if

@@ -67,7 +67,7 @@ interface(`firstboot_run',`
 ##	</summary>
 ## </param>
 #
-interface(`firstboot_use_fd',`
+interface(`firstboot_use_fds',`
 	gen_require(`
 		type firstboot_t;
 	')
@@ -86,7 +86,7 @@ interface(`firstboot_use_fd',`
 ##	</summary>
 ## </param>
 #
-interface(`firstboot_dontaudit_use_fd',`
+interface(`firstboot_dontaudit_use_fds',`
 	gen_require(`
 		type firstboot_t;
 	')

refpolicy/policy/modules/admin/firstboot.te

@@ -88,7 +88,7 @@ libs_use_shared_libs(firstboot_t)
 libs_exec_ld_so(firstboot_t)
 libs_exec_lib_files(firstboot_t)
 
-locallogin_use_fd(firstboot_t)
+locallogin_use_fds(firstboot_t)
 
 logging_send_syslog_msg(firstboot_t)
 

refpolicy/policy/modules/admin/kudzu.te

@@ -35,7 +35,7 @@ files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
 
 allow kudzu_t kudzu_var_run_t:file create_file_perms;
 allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
-files_pid_filetrans(kudzu_t,kudzu_var_run_t)
+files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
 
 kernel_change_ring_buffer_level(kudzu_t)
 kernel_list_proc(kudzu_t)
@@ -47,7 +47,7 @@ kernel_read_system_state(kudzu_t)
 kernel_rw_hotplug_sysctls(kudzu_t)
 kernel_rw_kernel_sysctl(kudzu_t)
 
-bootloader_read_kernel_modules(kudzu_t)
+files_read_kernel_modules(kudzu_t)
 
 dev_list_sysfs(kudzu_t)
 dev_read_usbfs(kudzu_t)
@@ -100,7 +100,7 @@ files_rw_etc_runtime_files(kudzu_t)
 # for file systems that are not yet mounted
 files_dontaudit_search_isid_type_dirs(kudzu_t)
 
-init_use_fd(kudzu_t)
+init_use_fds(kudzu_t)
 init_use_script_ptys(kudzu_t)
 init_stream_connect_script(kudzu_t)
 

refpolicy/policy/modules/admin/logrotate.if

@@ -82,7 +82,7 @@ interface(`logrotate_exec',`
 ##	</summary>
 ## </param>
 #
-interface(`logrotate_use_fd',`
+interface(`logrotate_use_fds',`
 	gen_require(`
 		type logrotate_t;
 	')
@@ -100,7 +100,7 @@ interface(`logrotate_use_fd',`
 ##	</summary>
 ## </param>
 #
-interface(`logrotate_dontaudit_use_fd',`
+interface(`logrotate_dontaudit_use_fds',`
 	gen_require(`
 		type logrotate_t;
 	')

refpolicy/policy/modules/admin/logrotate.te

@@ -51,7 +51,7 @@ allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
 
 allow logrotate_t logrotate_lock_t:file create_file_perms;
-files_lock_filetrans(logrotate_t,logrotate_lock_t)
+files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
 
 can_exec(logrotate_t, logrotate_tmp_t)
 
@@ -62,7 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 # for /var/lib/logrotate.status and /var/lib/logcheck
 allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
 allow logrotate_t logrotate_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
 
 kernel_read_system_state(logrotate_t)
 kernel_read_kernel_sysctls(logrotate_t)

refpolicy/policy/modules/admin/mrtg.te

@@ -97,7 +97,7 @@ fs_getattr_xattr_fs(mrtg_t)
 
 term_dontaudit_use_console(mrtg_t)
 
-init_use_fd(mrtg_t)
+init_use_fds(mrtg_t)
 init_use_script_ptys(mrtg_t)
 # for uptime
 init_read_utmp(mrtg_t)

refpolicy/policy/modules/admin/netutils.te

@@ -64,7 +64,7 @@ files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
 
-init_use_fd(netutils_t)
+init_use_fds(netutils_t)
 init_use_script_ptys(netutils_t)
 
 libs_use_ld_so(netutils_t)
@@ -131,7 +131,7 @@ sysnet_dns_name_resolve(ping_t)
 logging_send_syslog_msg(ping_t)
 
 ifdef(`hide_broken_symptoms',`
-	init_dontaudit_use_fd(ping_t)
+	init_dontaudit_use_fds(ping_t)
 ')
 
 ifdef(`targeted_policy',`
@@ -159,7 +159,7 @@ optional_policy(`pcmcia',`
 ')
 
 optional_policy(`hotplug',`
-	hotplug_use_fd(ping_t)
+	hotplug_use_fds(ping_t)
 ')
 
 ifdef(`TODO',`

refpolicy/policy/modules/admin/portage.te

@@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms;
 allow portage_fetch_t portage_t:process sigchld;
 
 allow portage_t portage_log_t:file create_file_perms;
-logging_log_filetrans(portage_t,portage_log_t)
+logging_log_filetrans(portage_t,portage_log_t,file)
 
 # transition to sandbox for compiling
 domain_trans(portage_t,portage_exec_t,portage_sandbox_t)

refpolicy/policy/modules/admin/prelink.te

@@ -33,7 +33,7 @@ files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
 allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
 allow prelink_t prelink_log_t:file { create ra_file_perms };
 allow prelink_t prelink_log_t:lnk_file read;
-logging_log_filetrans(prelink_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
 
 # prelink misc objects that are not system
 # libraries or entrypoints

refpolicy/policy/modules/admin/quota.te

@@ -51,7 +51,7 @@ files_getattr_all_sockets(quota_t)
 # Read /etc/mtab.
 files_read_etc_runtime_files(quota_t)
 
-init_use_fd(quota_t)
+init_use_fds(quota_t)
 init_use_script_ptys(quota_t)
 
 libs_use_ld_so(quota_t)

refpolicy/policy/modules/admin/readahead.te

@@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
 
 allow readahead_t readahead_var_run_t:file create_file_perms;
 allow readahead_t readahead_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(readahead_t,readahead_var_run_t)
+files_pid_filetrans(readahead_t,readahead_var_run_t,file)
 
 kernel_read_kernel_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
@@ -56,7 +56,7 @@ term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
 
-init_use_fd(readahead_t)
+init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
 

refpolicy/policy/modules/admin/rpm.if

@@ -91,7 +91,7 @@ interface(`rpm_run',`
 ##	</summary>
 ## </param>
 #
-interface(`rpm_use_fd',`
+interface(`rpm_use_fds',`
 	gen_require(`
 		type rpm_t;
 	')

refpolicy/policy/modules/admin/rpm.te

@@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
 	# conflicts since rpm_t is an alias of
 	# unconfined in the targeted policy
 	allow rpm_t rpm_log_t:file create_file_perms;
-	logging_log_filetrans(rpm_t,rpm_log_t)
+	logging_log_filetrans(rpm_t,rpm_log_t,file)
 ')
 
 optional_policy(`cron',`

refpolicy/policy/modules/admin/su.if

@@ -49,7 +49,7 @@ template(`su_restricted_domain_template', `
 
 	domain_use_interactive_fds($1_su_t)
 
-	init_dontaudit_use_fd($1_su_t)
+	init_dontaudit_use_fds($1_su_t)
 	init_dontaudit_use_script_ptys($1_su_t)
 	# Write to utmp.
 	init_rw_utmp($1_su_t)
@@ -168,7 +168,7 @@ template(`su_per_userdomain_template',`
 	files_search_var_lib($1_su_t)
 	files_dontaudit_getattr_tmp_dirs($1_su_t)
 
-	init_dontaudit_use_fd($1_su_t)
+	init_dontaudit_use_fds($1_su_t)
 	# Write to utmp.
 	init_rw_utmp($1_su_t)
 

refpolicy/policy/modules/admin/updfstab.te

@@ -20,7 +20,7 @@ dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
 allow updfstab_t self:process signal_perms;
 allow updfstab_t self:fifo_file { getattr read write ioctl };
 
-kernel_use_fd(updfstab_t)
+kernel_use_fds(updfstab_t)
 kernel_read_kernel_sysctls(updfstab_t)
 kernel_dontaudit_write_kernel_sysctl(updfstab_t)
 # for /proc/partitions
@@ -66,7 +66,7 @@ files_dontaudit_search_home(updfstab_t)
 # for /etc/mtab
 files_read_etc_runtime_files(updfstab_t)
 
-init_use_fd(updfstab_t)
+init_use_fds(updfstab_t)
 init_use_script_ptys(updfstab_t)
 
 libs_use_ld_so(updfstab_t)

refpolicy/policy/modules/admin/usbmodules.te

@@ -19,7 +19,7 @@ role system_r types usbmodules_t;
 
 kernel_list_proc(usbmodules_t)
 
-bootloader_list_kernel_modules(usbmodules_t)
+files_list_kernel_modules(usbmodules_t)
 
 dev_list_usbfs(usbmodules_t)
 # allow usb device access
@@ -32,7 +32,7 @@ files_read_etc_files(usbmodules_t)
 term_read_console(usbmodules_t)
 term_write_console(usbmodules_t)
 
-init_use_fd(usbmodules_t)
+init_use_fds(usbmodules_t)
 
 libs_use_ld_so(usbmodules_t)
 libs_use_shared_libs(usbmodules_t)

refpolicy/policy/modules/admin/usermanage.te

@@ -217,7 +217,7 @@ selinux_compute_user_contexts(groupadd_t)
 term_use_all_user_ttys(groupadd_t)
 term_use_all_user_ptys(groupadd_t)
 
-init_use_fd(groupadd_t)
+init_use_fds(groupadd_t)
 init_read_utmp(groupadd_t)
 init_dontaudit_write_utmp(groupadd_t)
 
@@ -257,7 +257,7 @@ optional_policy(`nscd',`
 ')
 
 optional_policy(`rpm',`
-	rpm_use_fd(groupadd_t)
+	rpm_use_fds(groupadd_t)
 	rpm_rw_pipes(groupadd_t)
 ')
 
@@ -488,7 +488,7 @@ files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
 
-init_use_fd(useradd_t)
+init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)
 
 libs_use_ld_so(useradd_t)
@@ -520,6 +520,6 @@ optional_policy(`nscd',`
 ')
 
 optional_policy(`rpm',`
-	rpm_use_fd(useradd_t)
+	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')

refpolicy/policy/modules/admin/vpn.te

@@ -42,7 +42,7 @@ files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
 
 allow vpnc_t vpnc_var_run_t:file create_file_perms;
 allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vpnc_t,vpnc_var_run_t)
+files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
 
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
@@ -91,7 +91,7 @@ libs_exec_lib_files(vpnc_t)
 libs_use_ld_so(vpnc_t)
 libs_use_shared_libs(vpnc_t)
 
-locallogin_use_fd(vpnc_t)
+locallogin_use_fds(vpnc_t)
 
 logging_send_syslog_msg(vpnc_t)
 

refpolicy/policy/modules/apps/loadkeys.te

@@ -42,7 +42,7 @@ ifdef(`targeted_policy',`
 	libs_use_ld_so(loadkeys_t)
 	libs_use_shared_libs(loadkeys_t)
 
-	locallogin_use_fd(loadkeys_t)
+	locallogin_use_fds(loadkeys_t)
 
 	miscfiles_read_localization(loadkeys_t)
 ')

refpolicy/policy/modules/apps/lockdev.if

@@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',`
 	allow $1_lockdev_t $2:process sigchld;
 
 	allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
-	files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t)
+	files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
 
 	files_read_all_locks($1_lockdev_t)
 

refpolicy/policy/modules/apps/uml.te

@@ -47,7 +47,7 @@ fs_search_auto_mountpoints(uml_switch_t)
 
 term_dontaudit_use_console(uml_switch_t)
 
-init_use_fd(uml_switch_t)
+init_use_fds(uml_switch_t)
 init_use_script_ptys(uml_switch_t)
 
 libs_use_ld_so(uml_switch_t)

refpolicy/policy/modules/apps/userhelper.if

@@ -41,6 +41,7 @@ template(`userhelper_per_userdomain_template',`
 	#
 	# Declarations
 	#
+
 	type $1_userhelper_t;
 	domain_type($1_userhelper_t)
 	domain_entry_file($1_userhelper_t,userhelper_exec_t)
@@ -105,7 +106,7 @@ template(`userhelper_per_userdomain_template',`
 
 	files_list_var_lib($1_userhelper_t)
 	# Write to utmp.
-	files_pid_filetrans($1_userhelper_t,initrc_var_run_t)
+	files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
 	# Read the /etc/security/default_type file
 	files_read_etc_files($1_userhelper_t)
 	# Read /var.
@@ -141,7 +142,7 @@ template(`userhelper_per_userdomain_template',`
 	auth_search_pam_console_data($1_userhelper_t)
 
 	# Inherit descriptors from the current session.
-	init_use_fd($1_userhelper_t)
+	init_use_fds($1_userhelper_t)
 	# Write to utmp.
 	init_manage_utmp($1_userhelper_t)
 

refpolicy/policy/modules/apps/webalizer.te

@@ -54,7 +54,7 @@ files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
 
 allow webalizer_t webalizer_var_lib_t:file create_file_perms;
 allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
 
 kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)

refpolicy/policy/modules/kernel/bootloader.fc

@@ -1,17 +1,9 @@
 
-/vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
-/initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
-
-/boot(/.*)?			gen_context(system_u:object_r:boot_t,s0)
-/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
-
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
-/lib(64)?/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
-
 /usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /sbin/grub.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)

refpolicy/policy/modules/kernel/bootloader.if

@@ -55,198 +55,6 @@ interface(`bootloader_run',`
 	allow bootloader_t $3:chr_file rw_file_perms;
 ')
 
-########################################
-## <summary>
-##	Get attributes of the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`bootloader_getattr_boot_dirs',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attributes
-##	of the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`bootloader_dontaudit_getattr_boot_dirs',`
-	gen_require(`
-		type boot_t;
-	')
-
-	dontaudit $1 boot_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Search the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_search_boot',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to search the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_dontaudit_search_boot',`
-	gen_require(`
-		type boot_t;
-	')
-
-	dontaudit $1 boot_t:dir search;
-')
-
-########################################
-## <summary>
-##	Read and write symbolic links
-##	in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_rw_boot_symlinks',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir r_dir_perms;
-	allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-##	Install a kernel into the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_create_kernel_img',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir ra_dir_perms;
-	allow $1 boot_t:file { getattr read write create };
-	allow $1 boot_t:lnk_file { getattr read create unlink };
-')
-
-########################################
-## <summary>
-##	Install a system.map into the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_create_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir ra_dir_perms;
-	allow $1 system_map_t:file { rw_file_perms create };
-')
-
-########################################
-## <summary>
-##	Read system.map in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_read_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir r_dir_perms;
-	allow $1 system_map_t:file r_file_perms;
-
-	# cjp: this should be dropped:
-	allow $1 boot_t:file { getattr read };
-')
-
-########################################
-## <summary>
-##	Delete a kernel from /boot.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_delete_kernel',`
-	gen_require(`
-		type boot_t;
-	')
-
-	allow $1 boot_t:dir { r_dir_perms write remove_name };
-	allow $1 boot_t:file { getattr unlink };
-')
-
-########################################
-## <summary>
-##	Delete a system.map in the /boot directory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_delete_kernel_symbol_table',`
-	gen_require(`
-		type boot_t, system_map_t;
-	')
-
-	allow $1 boot_t:dir { r_dir_perms write remove_name };
-	allow $1 system_map_t:file { getattr unlink };
-')
-
 ########################################
 ## <summary>
 ##	Read the bootloader configuration file.
@@ -324,142 +132,3 @@ interface(`bootloader_create_runtime_file',`
 	allow $1 boot_runtime_t:file { rw_file_perms create unlink };
 	type_transition $1 boot_t:file boot_runtime_t;
 ')
-
-########################################
-## <summary>
-##	Search the contents of the kernel module directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_search_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir search;
-')
-
-########################################
-## <summary>
-##	List the contents of the kernel module directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_list_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-##	Get the attributes of kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_getattr_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir search;
-	allow $1 modules_object_t:dir getattr;
-')
-
-########################################
-## <summary>
-##	Read kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_read_kernel_modules',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-	allow $1 modules_object_t:lnk_file r_file_perms;
-	allow $1 modules_object_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-##	Write kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_write_kernel_modules',`
-	gen_require(`
-		attribute rw_kern_modules;
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir r_dir_perms;
-	allow $1 modules_object_t:file { write append };
-
-	typeattribute $1 rw_kern_modules;
-')
-
-########################################
-## <summary>
-##	Create, read, write, and delete
-##	kernel module files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`bootloader_manage_kernel_modules',`
-	gen_require(`
-#		attribute rw_kern_modules;
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
-	allow $1 modules_object_t:dir rw_dir_perms;
-
-#	typeattribute $1 rw_kern_modules;
-')
-
-########################################
-#
-# bootloader_modules_filetrans(domain,privatetype,[class(es)])
-#
-interface(`bootloader_modules_filetrans',`
-	gen_require(`
-		type modules_object_t;
-	')
-
-	allow $1 modules_object_t:dir rw_dir_perms;
-
-	# if a class is specified use it, else use file as default
-	ifelse(`$3',`',`
-		type_transition $1 modules_object_t:file $2;
-	',`
-		type_transition $1 modules_object_t:$3 $2;
-	')
-')

refpolicy/policy/modules/kernel/bootloader.te

@@ -1,20 +1,11 @@
 
-policy_module(bootloader,1.1.3)
+policy_module(bootloader,1.1.4)
 
 ########################################
 #
 # Declarations
 #
 
-attribute rw_kern_modules;
-
-#
-# boot_t is the type for files in /boot
-#
-type boot_t;
-files_type(boot_t)
-files_mountpoint(boot_t)
-
 #
 # boot_runtime_t is the type for /boot/kernel.h,
 # which is automatically generated at boot time.
@@ -45,18 +36,6 @@ type bootloader_tmp_t;
 files_tmp_file(bootloader_tmp_t)
 dev_node(bootloader_tmp_t)
 
-# kernel modules
-type modules_object_t;
-files_type(modules_object_t)
-
-#neverallow ~rw_kern_modules modules_object_t:file { create append write };
-
-#
-# system_map_t is for the system.map files in /boot
-#
-type system_map_t;
-files_type(system_map_t)
-
 #
 # /var/log/ksyms
 # cjp: this probably can be removed, I do not
@@ -73,14 +52,10 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
 allow bootloader_t self:process { sigkill sigstop signull signal };
 allow bootloader_t self:fifo_file rw_file_perms;
 
-allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file create_lnk_perms;
-
 allow bootloader_t bootloader_etc_t:file r_file_perms;
 # uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-#files_etc_filetrans(bootloader_t,bootloader_etc_t)
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
 
 allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
 allow bootloader_t bootloader_tmp_t:file create_file_perms;
@@ -89,11 +64,7 @@ allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
 allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
 files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
 # for tune2fs (cjp: ?)
-files_root_filetrans(bootloader_t,bootloader_tmp_t)
-
-allow bootloader_t modules_object_t:dir r_dir_perms;
-allow bootloader_t modules_object_t:file r_file_perms;
-allow bootloader_t modules_object_t:lnk_file r_file_perms;
+files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
 
 kernel_getattr_core_if(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -127,12 +98,16 @@ corecmd_exec_shell(bootloader_t)
 domain_exec_all_entry_files(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
 files_exec_etc_files(bootloader_t)
 files_read_etc_runtime_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
 # for nscd
 files_dontaudit_search_pids(bootloader_t)
 
@@ -157,11 +132,11 @@ seutil_dontaudit_search_config(bootloader_t)
 
 ifdef(`distro_debian',`
 	allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-	allow bootloader_t boot_t:file relabelfrom;
-
 	fs_list_tmpfs(bootloader_t)
 
+	files_relabel_kernel_modules(bootloader_t)
+	files_relabelfrom_boot_files(bootloader_t)
+	files_delete_kernel_modules(bootloader_t)
 	files_relabelto_usr_files(bootloader_t)
 	files_search_var_lib(bootloader_t)
 	# for /usr/share/initrd-tools/scripts

refpolicy/policy/modules/kernel/domain.if

@@ -77,7 +77,7 @@ interface(`domain_type',`
 	init_signull($1)
 
 	ifdef(`targeted_policy',`
-		unconfined_use_fd($1)
+		unconfined_use_fds($1)
 		unconfined_sigchld($1)
 	')
 
@@ -88,7 +88,7 @@ interface(`domain_type',`
 
 	# these 3 seem highly questionable:
 	optional_policy(`rpm',`
-		rpm_use_fd($1)
+		rpm_use_fds($1)
 		rpm_read_pipes($1)
 	')
 

refpolicy/policy/modules/kernel/files.fc

@@ -5,6 +5,8 @@
 /.*				gen_context(system_u:object_r:default_t,s0)
 /			-d	gen_context(system_u:object_r:root_t,s0)
 /\.journal			<<none>>
+/initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
+/vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
 
 ifdef(`distro_redhat',`
 /\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -23,9 +25,11 @@ ifdef(`distro_suse',`
 #
 # /boot
 #
+/boot(/.*)?			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
 /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
 /boot/lost\+found/.*		<<none>>
+/boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
 
 #
 # /emul
@@ -100,6 +104,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
 # initrd mount point, only used during boot
 /initrd			-d	gen_context(system_u:object_r:root_t,s0)
 
+#
+# /lib(64)?
+#
+/lib(64)?/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+
 #
 # /lost+found
 #

refpolicy/policy/modules/kernel/files.if

@@ -845,7 +845,7 @@ interface(`files_manage_all_files',`
 
 	# satisfy the assertions:
 	seutil_create_bin_policy($1)
-	bootloader_manage_kernel_modules($1)
+	files_manage_kernel_modules($1)
 ')
 
 ########################################
@@ -953,7 +953,7 @@ interface(`files_list_root',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="private type">
@@ -961,10 +961,9 @@ interface(`files_list_root',`
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
-## <param name="object" optional="true">
+## <param name="object">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, file will be used.
+##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
@@ -974,12 +973,7 @@ interface(`files_root_filetrans',`
 	')
 
 	allow $1 root_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 root_t:file $2;
-	',`
-		type_transition $1 root_t:$3 $2;
-	')
+	type_transition $1 root_t:$3 $2;
 ')
 
 ########################################
@@ -1042,6 +1036,244 @@ interface(`files_unmount_rootfs',`
 	allow $1 root_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Get attributes of the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get attributes
+##	of the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	dontaudit $1 boot_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_boot',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_boot',`
+	gen_require(`
+		type boot_t;
+	')
+
+	dontaudit $1 boot_t:dir search;
+')
+
+########################################
+## <summary>
+##	Create directories in /boot
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_boot_dirs',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir { create rw_dir_perms };
+')
+
+########################################
+## <summary>
+##	Create a private type object in boot
+##	with an automatic type transition
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_boot_filetrans',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	type_transition $1 boot_t:$3 $2;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Relabel from files in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_boot_files',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:file relabelfrom;
+')
+
+########################################
+## <summary>
+##	Read and write symbolic links
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_boot_symlinks',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir r_dir_perms;
+	allow $1 boot_t:lnk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete symbolic links
+##	in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_boot_symlinks',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir rw_dir_perms;
+	allow $1 boot_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Install a kernel into the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_kernel_img',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir ra_dir_perms;
+	allow $1 boot_t:file { getattr read write create };
+	allow $1 boot_t:lnk_file { getattr read create unlink };
+')
+
+########################################
+## <summary>
+##	Delete a kernel from /boot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:dir { r_dir_perms write remove_name };
+	allow $1 boot_t:file { getattr unlink };
+')
+
 ########################################
 ## <summary>
 ##	Getattr of directories with the default file type.
@@ -1352,7 +1584,7 @@ interface(`files_manage_etc_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1500,7 +1732,7 @@ interface(`files_manage_etc_runtime_files',`
 
 ########################################
 #
-# files_etc_filetrans(domain,privatetype,[class(es)])
+# files_etc_filetrans(domain,privatetype,class(es))
 #
 interface(`files_etc_filetrans',`
 	gen_require(`
@@ -1508,11 +1740,7 @@ interface(`files_etc_filetrans',`
 	')
 
 	allow $1 etc_t:dir rw_dir_perms;
-	ifelse(`$3',`',`
-		type_transition $1 etc_t:file $2;
-	',`
-		type_transition $1 etc_t:$3 $2;
-	')
+	type_transition $1 etc_t:$3 $2;
 ')
 
 ########################################
@@ -1522,7 +1750,7 @@ interface(`files_etc_filetrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1541,7 +1769,7 @@ interface(`files_getattr_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1560,7 +1788,7 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1579,7 +1807,7 @@ interface(`files_list_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1598,7 +1826,7 @@ interface(`files_rw_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1617,7 +1845,7 @@ interface(`files_manage_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1636,7 +1864,7 @@ interface(`files_mounton_isid_type_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1656,7 +1884,7 @@ interface(`files_read_isid_type_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1676,7 +1904,7 @@ interface(`files_manage_isid_type_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1696,7 +1924,7 @@ interface(`files_manage_isid_type_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1716,7 +1944,7 @@ interface(`files_rw_isid_type_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1736,7 +1964,7 @@ interface(`files_manage_isid_type_blk_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1756,7 +1984,7 @@ interface(`files_manage_isid_type_chr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1794,7 +2022,7 @@ interface(`files_dontaudit_getattr_home_dir',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1850,7 +2078,7 @@ interface(`files_dontaudit_list_home',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -1868,7 +2096,7 @@ interface(`files_list_home',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="home_type">
@@ -1876,10 +2104,9 @@ interface(`files_list_home',`
 ##	The private type.
 ##	</summary>
 ## </param>
-## <param name="object" optional="true">
+## <param name="object">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, dir will be used.
+##	The class of the object being created.
 ##	</summary>
 ## </param>
 #
@@ -1889,13 +2116,7 @@ interface(`files_home_filetrans',`
 	')
 
 	allow $1 home_root_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 home_root_t:dir $2;
-	',`
-		type_transition $1 home_root_t:$3 $2;
-	')
-
+	type_transition $1 home_root_t:$3 $2;
 ')
 
 ########################################
@@ -1905,7 +2126,7 @@ interface(`files_home_filetrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2019,6 +2240,188 @@ interface(`files_manage_mnt_symlinks',`
 	allow $1 mnt_t:lnk_file create_lnk_perms;
 ')
 
+########################################
+## <summary>
+##	Search the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_search_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir search;
+')
+
+########################################
+## <summary>
+##	List the contents of the kernel module directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_list_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir search;
+	allow $1 modules_object_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Read kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+	allow $1 modules_object_t:lnk_file r_file_perms;
+	allow $1 modules_object_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Write kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_write_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir r_dir_perms;
+	allow $1 modules_object_t:file { write append };
+')
+
+########################################
+## <summary>
+##	Delete kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir { list_dir_perms write remove_name };
+	allow $1 modules_object_t:file unlink;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
+	allow $1 modules_object_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel from and to kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabel_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:file { relabelfrom relabelto };
+	allow $1 modules_object_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create objects in the kernel module directories
+##	with a private type via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_kernel_modules_filetrans',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	allow $1 modules_object_t:dir rw_dir_perms;
+	type_transition $1 modules_object_t:$3 $2;
+')
+
 ########################################
 ## <summary>
 ##	List world-readable directories.
@@ -2154,7 +2557,7 @@ interface(`files_getattr_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2172,7 +2575,7 @@ interface(`files_dontaudit_getattr_tmp_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2190,7 +2593,7 @@ interface(`files_search_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2226,7 +2629,7 @@ interface(`files_dontaudit_list_tmp',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2245,7 +2648,7 @@ interface(`files_read_generic_tmp_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2264,7 +2667,7 @@ interface(`files_read_generic_tmp_symlinks',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2283,7 +2686,7 @@ interface(`files_rw_generic_tmp_sockets',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2297,7 +2700,7 @@ interface(`files_setattr_all_tmp_dirs',`
 
 ########################################
 #
-# files_tmp_filetrans(domain,private_type,[object class(es)])
+# files_tmp_filetrans(domain,private_type,object class(es))
 #
 interface(`files_tmp_filetrans',`
 	gen_require(`
@@ -2305,12 +2708,7 @@ interface(`files_tmp_filetrans',`
 	')
 
 	allow $1 tmp_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 tmp_t:file $2;
-	',`
-		type_transition $1 tmp_t:$3 $2;
-	')
+	type_transition $1 tmp_t:$3 $2;
 ')
 
 ########################################
@@ -2395,7 +2793,7 @@ interface(`files_read_usr_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2461,9 +2859,9 @@ interface(`files_read_usr_symlinks',`
 ##	The type of the object to be created
 ##	</summary>
 ## </param>
-## <param name="object_class" optional="true">
+## <param name="object_class">
 ##	<summary>
-##	The object class.  If not specified, file is used.
+##	The object class.
 ##	</summary>
 ## </param>
 #
@@ -2473,12 +2871,7 @@ interface(`files_usr_filetrans',`
 	')
 
 	allow $1 usr_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 usr_t:file $2;
-	',`
-		type_transition $1 usr_t:$3 $2;
-	')
+	type_transition $1 usr_t:$3 $2;
 ')
 
 ########################################
@@ -2487,7 +2880,7 @@ interface(`files_usr_filetrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2528,6 +2921,66 @@ interface(`files_read_usr_src_files',`
 	allow $1 src_t:{ file lnk_file } r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Install a system.map into the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir ra_dir_perms;
+	allow $1 system_map_t:file { rw_file_perms create };
+')
+
+########################################
+## <summary>
+##	Read system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_read_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir r_dir_perms;
+	allow $1 system_map_t:file r_file_perms;
+
+	# cjp: this should be dropped:
+	allow $1 boot_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Delete a system.map in the /boot directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir { r_dir_perms write remove_name };
+	allow $1 system_map_t:file { getattr unlink };
+')
+
 ########################################
 ## <summary>
 ##	Search the contents of /var.
@@ -2626,7 +3079,7 @@ interface(`files_manage_var_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2711,9 +3164,9 @@ interface(`files_manage_var_symlinks',`
 ##	The type of the object to be created
 ##	</summary>
 ## </param>
-## <param name="object_class" optional="true">
+## <param name="object_class">
 ##	<summary>
-##	The object class.  If not specified, file is used.
+##	The object class.
 ##	</summary>
 ## </param>
 #
@@ -2723,12 +3176,7 @@ interface(`files_var_filetrans',`
 	')
 
 	allow $1 var_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_t:file $2;
-	',`
-		type_transition $1 var_t:$3 $2;
-	')
+	type_transition $1 var_t:$3 $2;
 ')
 
 ########################################
@@ -2737,7 +3185,7 @@ interface(`files_var_filetrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2756,7 +3204,7 @@ interface(`files_getattr_var_lib_dirs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -2801,9 +3249,9 @@ interface(`files_list_var_lib',`
 ##	The type of the object to be created
 ##	</summary>
 ## </param>
-## <param name="object_class" optional="true">
+## <param name="object_class">
 ##	<summary>
-##	The object class.  If not specified, file is used.
+##	The object class.
 ##	</summary>
 ## </param>
 #
@@ -2814,12 +3262,7 @@ interface(`files_var_lib_filetrans',`
 
 	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_lib_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_lib_t:file $2;
-	',`
-		type_transition $1 var_lib_t:$3 $2;
-	')
+	type_transition $1 var_lib_t:$3 $2;
 ')
 
 ########################################
@@ -3028,12 +3471,7 @@ interface(`files_lock_filetrans',`
 
 	allow $1 var_t:dir search;
 	allow $1 var_lock_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_lock_t:file $2;
-	',`
-		type_transition $1 var_lock_t:$3 $2;
-	')
+	type_transition $1 var_lock_t:$3 $2;
 ')
 
 ########################################
@@ -3111,12 +3549,7 @@ interface(`files_pid_filetrans',`
 
 	allow $1 var_t:dir search_dir_perms;
 	allow $1 var_run_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 var_run_t:file $2;
-	',`
-		type_transition $1 var_run_t:$3 $2;
-	')
+	type_transition $1 var_run_t:$3 $2;
 ')
 
 ########################################
@@ -3139,7 +3572,7 @@ interface(`files_rw_generic_pids',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -3157,7 +3590,7 @@ interface(`files_dontaudit_write_all_pids',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #

refpolicy/policy/modules/kernel/files.te

@@ -1,5 +1,5 @@
 
-policy_module(files,1.1.2)
+policy_module(files,1.1.3)
 
 ########################################
 #
@@ -36,6 +36,13 @@ attribute security_file_type;
 attribute tmpfile;
 attribute tmpfsfile;
 
+#
+# boot_t is the type for files in /boot
+#
+type boot_t;
+files_type(boot_t)
+files_mountpoint(boot_t)
+
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
@@ -93,6 +100,12 @@ type mnt_t, file_type, mountpoint;
 fs_associate(mnt_t)
 fs_associate_noxattr(mnt_t)
 
+#
+# modules_object_t is the type for kernel modules
+#
+type modules_object_t;
+files_type(modules_object_t)
+
 type no_access_t, file_type;
 fs_associate(no_access_t)
 fs_associate_noxattr(no_access_t)
@@ -122,6 +135,12 @@ type src_t, file_type, mountpoint;
 fs_associate(src_t)
 fs_associate_noxattr(src_t)
 
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_type(system_map_t)
+
 #
 # tmp_t is the type of the temporary directories
 #

refpolicy/policy/modules/kernel/filesystem.if

@@ -2425,7 +2425,7 @@ interface(`fs_manage_tmpfs_dirs',`
 
 ########################################
 #
-# fs_tmpfs_filetrans(domain,derivedtype,[class])
+# fs_tmpfs_filetrans(domain,derivedtype,class)
 #
 interface(`fs_tmpfs_filetrans',`
 	gen_require(`
@@ -2434,12 +2434,7 @@ interface(`fs_tmpfs_filetrans',`
 
 	allow $2 tmpfs_t:filesystem associate;
 	allow $1 tmpfs_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 tmpfs_t:file $2;
-	',`
-		type_transition $1 tmpfs_t:$3 $2;
-	')
+	type_transition $1 tmpfs_t:$3 $2;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/kernel.if

@@ -141,7 +141,7 @@ interface(`kernel_share_state',`
 ##	</summary>
 ## </param>
 #
-interface(`kernel_use_fd',`
+interface(`kernel_use_fds',`
 	gen_require(`
 		type kernel_t;
 	')
@@ -160,7 +160,7 @@ interface(`kernel_use_fd',`
 ##	</summary>
 ## </param>
 #
-interface(`kernel_dontaudit_use_fd',`
+interface(`kernel_dontaudit_use_fds',`
 	gen_require(`
 		type kernel_t;
 	')
@@ -250,7 +250,7 @@ interface(`kernel_tcp_recvfrom',`
 ##	</summary>
 ## </param>
 #
-interface(`kernel_udp_sendto',`
+interface(`kernel_udp_send',`
 	gen_require(`
 		type kernel_t;
 	')

refpolicy/policy/modules/kernel/storage.if

@@ -166,27 +166,6 @@ interface(`storage_dontaudit_write_fixed_disk',`
 	dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl };
 ')
 
-########################################
-## <summary>
-##	Create block devices in /dev with the fixed disk type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_create_fixed_disk',`
-	gen_require(`
-		attribute fixed_disk_raw_read, fixed_disk_raw_write;
-		type fixed_disk_device_t;
-	')
-
-	allow $1 fixed_disk_device_t:blk_file create_file_perms;
-	dev_filetrans($1,fixed_disk_device_t,blk_file)
-	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
-')
-
 ########################################
 ## <summary>
 ##	Create, read, write, and delete fixed disk device nodes.
@@ -208,28 +187,6 @@ interface(`storage_manage_fixed_disk',`
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 
-########################################
-## <summary>
-##	Create fixed disk device nodes on a tmpfs filesystem.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The type of the process performing this action.
-##	</summary>
-## </param>
-#
-interface(`storage_create_fixed_disk_tmpfs',`
-	gen_require(`
-		attribute fixed_disk_raw_read, fixed_disk_raw_write;
-		type fixed_disk_device_t;
-	')
-
-	allow $1 fixed_disk_device_t:blk_file create_file_perms;
-	fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
-
-	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
-')
-
 ########################################
 ## <summary>
 ##	Create block devices in /dev with the fixed disk type

refpolicy/policy/modules/services/apache.if

@@ -401,7 +401,7 @@ interface(`apache_sigchld',`
 ##	</summary>
 ## </param>
 #
-interface(`apache_use_fd',`
+interface(`apache_use_fds',`
 	gen_require(`
 		type httpd_t;
 	')

refpolicy/policy/modules/services/apache.te

@@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read };
 can_exec(httpd_t, httpd_exec_t)
 
 allow httpd_t httpd_lock_t:file create_file_perms;
-files_lock_filetrans(httpd_t,httpd_lock_t)
+files_lock_filetrans(httpd_t,httpd_lock_t,file)
 
 allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
 allow httpd_t httpd_log_t:file { create ra_file_perms };
 allow httpd_t httpd_log_t:lnk_file read;
 # cjp: need to refine create interfaces to
 # cut this back to add_name only
-logging_log_filetrans(httpd_t,httpd_log_t)
+logging_log_filetrans(httpd_t,httpd_log_t,file)
 
 allow httpd_t httpd_modules_t:file rx_file_perms;
 allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -201,7 +201,7 @@ fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file
 
 allow httpd_t httpd_var_lib_t:file create_file_perms;
 allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(httpd_t,httpd_var_lib_t)
+files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
 
 allow httpd_t httpd_var_run_t:file create_file_perms;
 allow httpd_t httpd_var_run_t:sock_file create_file_perms;
@@ -262,7 +262,7 @@ files_read_etc_files(httpd_t)
 # for tomcat
 files_read_var_lib_symlinks(httpd_t)
 
-init_use_fd(httpd_t)
+init_use_fds(httpd_t)
 init_use_script_ptys(httpd_t)
 
 libs_use_ld_so(httpd_t)

refpolicy/policy/modules/services/apm.if

@@ -34,7 +34,7 @@ interface(`apm_domtrans_client',`
 ##	</summary>
 ## </param>
 #
-interface(`apm_use_fd',`
+interface(`apm_use_fds',`
 	gen_require(`
 		type apmd_t;
 	')

refpolicy/policy/modules/services/apm.te

@@ -72,7 +72,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
 allow apmd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow apmd_t apmd_log_t:file create_file_perms;
-logging_log_filetrans(apmd_t,apmd_log_t)
+logging_log_filetrans(apmd_t,apmd_log_t,file)
 
 allow apmd_t apmd_tmp_t:dir create_dir_perms;
 allow apmd_t apmd_tmp_t:file create_file_perms;
@@ -125,7 +125,7 @@ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
 files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
 
 init_domtrans_script(apmd_t)
-init_use_fd(apmd_t)
+init_use_fds(apmd_t)
 init_use_script_ptys(apmd_t)
 init_rw_utmp(apmd_t)
 init_write_initctl(apmd_t)
@@ -151,7 +151,7 @@ userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
 
 ifdef(`distro_redhat',`
 	allow apmd_t apmd_lock_t:file create_file_perms;
-	files_lock_filetrans(apmd_t,apmd_lock_t)
+	files_lock_filetrans(apmd_t,apmd_lock_t,file)
 
 	can_exec(apmd_t, apmd_var_run_t)
 
@@ -176,7 +176,7 @@ ifdef(`distro_redhat',`
 ifdef(`distro_suse',`
 	allow apmd_t apmd_var_lib_t:file create_file_perms;
 	allow apmd_t apmd_var_lib_t:dir create_dir_perms;
-	files_var_lib_filetrans(apmd_t,apmd_var_lib_t)
+	files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
 ')
 
 ifdef(`targeted_policy',`
@@ -209,7 +209,7 @@ optional_policy(`dbus',`
 ')
 
 optional_policy(`logrotate',`
-	logrotate_use_fd(apmd_t)
+	logrotate_use_fds(apmd_t)
 ')
 
 optional_policy(`mta',`

refpolicy/policy/modules/services/arpwatch.te

@@ -43,7 +43,7 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
 
 allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
 allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(arpwatch_t,arpwatch_var_run_t)
+files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
 
 kernel_read_kernel_sysctls(arpwatch_t)
 kernel_list_proc(arpwatch_t)
@@ -76,7 +76,7 @@ files_read_etc_files(arpwatch_t)
 files_read_usr_files(arpwatch_t)
 files_search_var_lib(arpwatch_t)
 
-init_use_fd(arpwatch_t)
+init_use_fds(arpwatch_t)
 init_use_script_ptys(arpwatch_t)
 
 libs_use_ld_so(arpwatch_t)

refpolicy/policy/modules/services/automount.te

@@ -42,7 +42,7 @@ allow automount_t automount_etc_t:file { getattr read };
 can_exec(automount_t, automount_etc_t)
 
 allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t)
+files_lock_filetrans(automount_t,automount_lock_t,file)
 
 allow automount_t automount_tmp_t:dir create_dir_perms;
 allow automount_t automount_tmp_t:file create_file_perms;
@@ -50,12 +50,12 @@ files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
 
 # Allow automount to create and delete directories in / and /home
 allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t)
+files_home_filetrans(automount_t,automount_tmp_t,dir)
 files_root_filetrans(automount_t,automount_tmp_t,dir)
 
 allow automount_t automount_var_run_t:file create_file_perms;
 allow automount_t automount_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(automount_t,automount_var_run_t)
+files_pid_filetrans(automount_t,automount_var_run_t,file)
 
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_fs_sysctls(automount_t)
@@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_list_proc(automount_t)
 
-bootloader_search_boot(automount_t)
+files_search_boot(automount_t)
 
 corecmd_exec_sbin(automount_t)
 corecmd_exec_bin(automount_t)
@@ -113,7 +113,7 @@ fs_manage_auto_mountpoints(automount_t)
 term_dontaudit_use_console(automount_t)
 term_dontaudit_getattr_pty_dirs(automount_t)
 
-init_use_fd(automount_t)
+init_use_fds(automount_t)
 init_use_script_ptys(automount_t)
 
 libs_use_ld_so(automount_t)

refpolicy/policy/modules/services/avahi.te

@@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms;
 allow avahi_t avahi_var_run_t:sock_file create_file_perms;
 allow avahi_t avahi_var_run_t:file create_file_perms;
 allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
-files_pid_filetrans(avahi_t,avahi_var_run_t)
+files_pid_filetrans(avahi_t,avahi_var_run_t,file)
 
 kernel_read_kernel_sysctls(avahi_t)
 kernel_list_proc(avahi_t)
@@ -65,7 +65,7 @@ domain_use_interactive_fds(avahi_t)
 files_read_etc_files(avahi_t)
 files_read_etc_runtime_files(avahi_t)
 
-init_use_fd(avahi_t)
+init_use_fds(avahi_t)
 init_use_script_ptys(avahi_t)
 init_signal_script(avahi_t)
 init_signull_script(avahi_t)

refpolicy/policy/modules/services/bind.te

@@ -130,7 +130,7 @@ domain_use_interactive_fds(named_t)
 files_read_etc_files(named_t)
 files_read_etc_runtime_files(named_t)
 
-init_use_fd(named_t)
+init_use_fds(named_t)
 init_use_script_ptys(named_t)
 
 libs_use_ld_so(named_t)
@@ -255,7 +255,7 @@ domain_use_interactive_fds(ndc_t)
 files_read_etc_files(ndc_t)
 files_search_pids(ndc_t)
 
-init_use_fd(ndc_t)
+init_use_fds(ndc_t)
 init_use_script_ptys(ndc_t)
 
 libs_use_ld_so(ndc_t)
@@ -289,5 +289,5 @@ optional_policy(`nscd',`
 ')
 
 optional_policy(`ppp',`
-	ppp_dontaudit_use_fd(ndc_t)
+	ppp_dontaudit_use_fds(ndc_t)
 ')

refpolicy/policy/modules/services/bluetooth.te

@@ -69,7 +69,7 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
 allow bluetooth_helper_t bluetooth_t:process sigchld;
 
 allow bluetooth_t bluetooth_lock_t:file create_file_perms;
-files_lock_filetrans(bluetooth_t,bluetooth_lock_t)
+files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
 
 allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
 allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
@@ -77,7 +77,7 @@ files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
 
 allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
 allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
 
 allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
 allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
@@ -120,7 +120,7 @@ files_read_etc_files(bluetooth_t)
 files_read_etc_runtime_files(bluetooth_t)
 files_read_usr_files(bluetooth_t)
 
-init_use_fd(bluetooth_t)
+init_use_fds(bluetooth_t)
 init_use_script_ptys(bluetooth_t)
 
 libs_use_ld_so(bluetooth_t)

refpolicy/policy/modules/services/canna.te

@@ -38,7 +38,7 @@ logging_log_filetrans(canna_t,canna_log_t,{ file dir })
 allow canna_t canna_var_lib_t:dir create_dir_perms;
 allow canna_t canna_var_lib_t:file create_file_perms;
 allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
-files_var_lib_filetrans(canna_t,canna_var_lib_t)
+files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
 
 allow canna_t canna_var_run_t:dir rw_dir_perms;
 allow canna_t canna_var_run_t:file create_file_perms;
@@ -72,7 +72,7 @@ files_read_usr_files(canna_t)
 files_search_tmp(canna_t)
 files_dontaudit_read_root_files(canna_t)
 
-init_use_fd(canna_t)
+init_use_fds(canna_t)
 init_use_script_ptys(canna_t)
 
 libs_use_ld_so(canna_t)

refpolicy/policy/modules/services/comsat.te

@@ -37,7 +37,7 @@ files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
 
 allow comsat_t comsat_var_run_t:file create_file_perms;
 allow comsat_t comsat_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(comsat_t,comsat_var_run_t)
+files_pid_filetrans(comsat_t,comsat_var_run_t,file)
 
 kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)

refpolicy/policy/modules/services/cpucontrol.te

@@ -45,7 +45,7 @@ domain_use_interactive_fds(cpucontrol_t)
 
 files_list_usr(cpucontrol_t)
 
-init_use_fd(cpucontrol_t)
+init_use_fds(cpucontrol_t)
 init_use_script_ptys(cpucontrol_t)
 
 libs_use_ld_so(cpucontrol_t)
@@ -97,7 +97,7 @@ files_read_etc_files(cpuspeed_t)
 files_read_etc_runtime_files(cpuspeed_t)
 files_list_usr(cpuspeed_t)
 
-init_use_fd(cpuspeed_t)
+init_use_fds(cpuspeed_t)
 init_use_script_ptys(cpuspeed_t)
 
 libs_use_ld_so(cpuspeed_t)

refpolicy/policy/modules/services/cron.if

@@ -89,7 +89,7 @@ template(`cron_per_userdomain_template',`
 	kernel_read_kernel_sysctls($1_crond_t)
 
 	# ps does not need to access /boot when run from cron
-	bootloader_dontaudit_search_boot($1_crond_t)
+	files_dontaudit_search_boot($1_crond_t)
 
 	corenet_tcp_sendrecv_all_if($1_crond_t)
 	corenet_raw_sendrecv_all_if($1_crond_t)
@@ -352,7 +352,7 @@ interface(`cron_system_entry',`
 ##	</summary>
 ## </param>
 #
-interface(`cron_use_fd',`
+interface(`cron_use_fds',`
 	gen_require(`
 		type crond_t;
 	')

refpolicy/policy/modules/services/cron.te

@@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 
 allow crond_t crond_var_run_t:file create_file_perms;
-files_pid_filetrans(crond_t,crond_var_run_t)
+files_pid_filetrans(crond_t,crond_var_run_t,file)
 
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file r_file_perms;
@@ -119,7 +119,7 @@ files_list_usr(crond_t)
 files_search_var_lib(crond_t)
 files_search_default(crond_t)
 
-init_use_fd(crond_t)
+init_use_fds(crond_t)
 init_use_script_ptys(crond_t)
 init_rw_utmp(crond_t)
 
@@ -247,11 +247,11 @@ ifdef(`targeted_policy',`
 
 	# Write /var/lock/makewhatis.lock.
 	allow system_crond_t system_crond_lock_t:file create_file_perms;
-	files_lock_filetrans(system_crond_t,system_crond_lock_t)
+	files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
 
 	# write temporary files
 	allow system_crond_t system_crond_tmp_t:file create_file_perms;
-	files_tmp_filetrans(system_crond_t,system_crond_tmp_t)
+	files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
 
 	# write temporary files in crond tmp dir:
 	allow system_crond_t crond_tmp_t:dir rw_dir_perms;
@@ -266,7 +266,7 @@ ifdef(`targeted_policy',`
 	kernel_read_software_raid_state(system_crond_t)
 
 	# ps does not need to access /boot when run from cron
-	bootloader_dontaudit_search_boot(system_crond_t)
+	files_dontaudit_search_boot(system_crond_t)
 
 	corenet_tcp_sendrecv_all_if(system_crond_t)
 	corenet_raw_sendrecv_all_if(system_crond_t)
@@ -314,7 +314,7 @@ ifdef(`targeted_policy',`
 	# /var/spool/anacron and /var/spool/slrnpull.
 	files_manage_generic_spool(system_crond_t)
 
-	init_use_fd(system_crond_t)
+	init_use_fds(system_crond_t)
 	init_use_script_fds(system_crond_t)
 	init_use_script_ptys(system_crond_t)
 	init_read_utmp(system_crond_t)

refpolicy/policy/modules/services/cups.te

@@ -110,7 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
 allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_t,cupsd_var_run_t)
+files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
 
 allow cupsd_t hplip_var_run_t:file { read getattr };
 
@@ -170,7 +170,7 @@ files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
 
-init_use_fd(cupsd_t)
+init_use_fds(cupsd_t)
 init_use_script_ptys(cupsd_t)
 init_exec_script_files(cupsd_t)
 
@@ -303,7 +303,7 @@ files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_fil
 
 allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t)
+files_pid_filetrans(ptal_t,ptal_var_run_t,file)
 
 kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
@@ -332,7 +332,7 @@ domain_use_interactive_fds(ptal_t)
 files_read_etc_files(ptal_t)
 files_read_etc_runtime_files(ptal_t)
 
-init_use_fd(ptal_t)
+init_use_fds(ptal_t)
 init_use_script_ptys(ptal_t)
 
 libs_use_ld_so(ptal_t)
@@ -390,7 +390,7 @@ files_search_etc(hplip_t)
 
 allow hplip_t hplip_var_run_t:file create_file_perms;
 allow hplip_t hplip_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hplip_t,hplip_var_run_t)
+files_pid_filetrans(hplip_t,hplip_var_run_t,file)
 
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
@@ -429,7 +429,7 @@ files_read_etc_files(hplip_t)
 files_read_etc_runtime_files(hplip_t)
 files_read_usr_files(hplip_t)
 
-init_use_fd(hplip_t)
+init_use_fds(hplip_t)
 init_use_script_ptys(hplip_t)
 
 libs_use_ld_so(hplip_t)
@@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
 
 allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
 allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
 
 can_exec(cupsd_config_t, cupsd_config_exec_t) 
 
@@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
 allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
 
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 
@@ -548,7 +548,7 @@ files_read_usr_files(cupsd_config_t)
 files_read_etc_files(cupsd_config_t)
 files_read_etc_runtime_files(cupsd_config_t)
 
-init_use_fd(cupsd_config_t)
+init_use_fds(cupsd_config_t)
 init_use_script_ptys(cupsd_config_t)
 
 libs_use_ld_so(cupsd_config_t)
@@ -602,7 +602,7 @@ optional_policy(`hostname',`
 ')
 
 optional_policy(`logrotate',`
-	logrotate_use_fd(cupsd_config_t)
+	logrotate_use_fds(cupsd_config_t)
 ')
 
 optional_policy(`nis',`
@@ -682,7 +682,7 @@ files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
 
 allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
 allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
 
 allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;

refpolicy/policy/modules/services/cvs.te

@@ -42,7 +42,7 @@ files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
 
 allow cvs_t cvs_var_run_t:file create_file_perms;
 allow cvs_t cvs_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cvs_t,cvs_var_run_t)
+files_pid_filetrans(cvs_t,cvs_var_run_t,file)
 
 kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)

refpolicy/policy/modules/services/cyrus.te

@@ -48,7 +48,7 @@ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
 
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-files_pid_filetrans(cyrus_t,cyrus_var_run_t)
+files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
 
 allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
 allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
@@ -91,7 +91,7 @@ files_list_var_lib(cyrus_t)
 files_read_etc_files(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
 
-init_use_fd(cyrus_t)
+init_use_fds(cyrus_t)
 init_use_script_ptys(cyrus_t)
 
 libs_use_ld_so(cyrus_t)

refpolicy/policy/modules/services/dbskk.te

@@ -43,7 +43,7 @@ files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
 
 allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
 allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dbskkd_t,dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
 
 kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)

refpolicy/policy/modules/services/dbus.te

@@ -52,7 +52,7 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
 allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
 allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
 
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
@@ -93,7 +93,7 @@ files_read_etc_files(system_dbusd_t)
 files_list_home(system_dbusd_t)
 files_read_usr_files(system_dbusd_t)
 
-init_use_fd(system_dbusd_t)
+init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
 
 libs_use_ld_so(system_dbusd_t)

refpolicy/policy/modules/services/dhcp.te

@@ -41,7 +41,7 @@ can_exec(dhcpd_t,dhcpd_exec_t)
 
 allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
 allow dhcpd_t dhcpd_state_t:file create_file_perms;
-sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
 
 allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
 allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
@@ -49,7 +49,7 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
 
 allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
 allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dhcpd_t,dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
 
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
@@ -89,7 +89,7 @@ files_read_usr_files(dhcpd_t)
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
 
-init_use_fd(dhcpd_t)
+init_use_fds(dhcpd_t)
 init_use_script_ptys(dhcpd_t)
 
 libs_use_ld_so(dhcpd_t)

refpolicy/policy/modules/services/dictd.te

@@ -67,7 +67,7 @@ files_search_var_lib(dictd_t)
 # for checking for nscd
 files_dontaudit_search_pids(dictd_t)
 
-init_use_fd(dictd_t)
+init_use_fds(dictd_t)
 init_use_script_ptys(dictd_t)
 
 libs_use_ld_so(dictd_t)

refpolicy/policy/modules/services/distcc.te

@@ -32,7 +32,7 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
 allow distccd_t self:udp_socket create_socket_perms;
 
 allow distccd_t distccd_log_t:file create_file_perms;
-logging_log_filetrans(distccd_t,distccd_log_t)
+logging_log_filetrans(distccd_t,distccd_log_t,file)
 
 allow distccd_t distccd_tmp_t:dir create_dir_perms;
 allow distccd_t distccd_tmp_t:file create_file_perms;
@@ -40,7 +40,7 @@ files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
 
 allow distccd_t distccd_var_run_t:file create_file_perms;
 allow distccd_t distccd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(distccd_t,distccd_var_run_t)
+files_pid_filetrans(distccd_t,distccd_var_run_t,file)
 
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
@@ -73,7 +73,7 @@ domain_use_interactive_fds(distccd_t)
 files_read_etc_files(distccd_t)
 files_read_etc_runtime_files(distccd_t)
 
-init_use_fd(distccd_t)
+init_use_fds(distccd_t)
 init_use_script_ptys(distccd_t)
 
 libs_use_ld_so(distccd_t)

refpolicy/policy/modules/services/dovecot.te

@@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
 allow dovecot_t dovecot_var_run_t:file create_file_perms;
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dovecot_t,dovecot_var_run_t)
+files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
 
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
@@ -97,7 +97,7 @@ files_search_spool(dovecot_t)
 files_search_tmp(dovecot_t)
 files_dontaudit_list_default(dovecot_t)
 
-init_use_fd(dovecot_t)
+init_use_fds(dovecot_t)
 init_use_script_ptys(dovecot_t)
 init_getattr_utmp(dovecot_t)
 

refpolicy/policy/modules/services/fetchmail.te

@@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
 allow fetchmail_t fetchmail_etc_t:file r_file_perms;
 
 allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
-mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t)
+mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
 
 allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
 allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fetchmail_t,fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
 
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
@@ -76,7 +76,7 @@ term_dontaudit_use_console(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
-init_use_fd(fetchmail_t)
+init_use_fds(fetchmail_t)
 init_use_script_ptys(fetchmail_t)
 
 libs_use_ld_so(fetchmail_t)

refpolicy/policy/modules/services/finger.te

@@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
 
 allow fingerd_t fingerd_var_run_t:file create_file_perms;
 allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fingerd_t,fingerd_var_run_t)
+files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
 
 allow fingerd_t fingerd_etc_t:file r_file_perms;
 allow fingerd_t fingerd_etc_t:dir r_dir_perms;
 allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
 
 allow fingerd_t fingerd_log_t:file create_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t)
+logging_log_filetrans(fingerd_t,fingerd_log_t,file)
 
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
@@ -83,7 +83,7 @@ files_read_etc_runtime_files(fingerd_t)
 
 init_read_utmp(fingerd_t)
 init_dontaudit_write_utmp(fingerd_t)
-init_use_fd(fingerd_t)
+init_use_fds(fingerd_t)
 init_use_script_ptys(fingerd_t)
 
 libs_use_ld_so(fingerd_t)

refpolicy/policy/modules/services/ftp.te

@@ -59,11 +59,11 @@ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
 
 allow ftpd_t ftpd_var_run_t:file create_file_perms;
 allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ftpd_t,ftpd_var_run_t)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
 
 # Create and modify /var/log/xferlog.
 allow ftpd_t xferlog_t:file create_file_perms;
-logging_log_filetrans(ftpd_t,xferlog_t)
+logging_log_filetrans(ftpd_t,xferlog_t,file)
 
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
@@ -111,7 +111,7 @@ auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
 auth_write_login_records(ftpd_t)
 
-init_use_fd(ftpd_t)
+init_use_fds(ftpd_t)
 init_use_script_ptys(ftpd_t)
 
 libs_use_ld_so(ftpd_t)
@@ -165,7 +165,7 @@ tunable_policy(`ftp_home_dir',`
 
 tunable_policy(`ftpd_is_daemon',`
 	allow ftpd_t ftpd_lock_t:file create_file_perms;
-	files_lock_filetrans(ftpd_t,ftpd_lock_t)
+	files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
 
 	corenet_tcp_bind_ftp_port(ftpd_t)
 ')

refpolicy/policy/modules/services/gpm.te

@@ -39,7 +39,7 @@ allow gpm_t gpm_tmp_t:file create_file_perms;
 files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
 
 allow gpm_t gpm_var_run_t:file create_file_perms;
-files_pid_filetrans(gpm_t,gpm_var_run_t)
+files_pid_filetrans(gpm_t,gpm_var_run_t,file)
 
 allow gpm_t gpmctl_t:sock_file create_file_perms;
 allow gpm_t gpmctl_t:fifo_file create_file_perms;
@@ -65,7 +65,7 @@ term_dontaudit_use_console(gpm_t)
 
 domain_use_interactive_fds(gpm_t)
 
-init_use_fd(gpm_t)
+init_use_fds(gpm_t)
 init_use_script_ptys(gpm_t)
 
 libs_use_ld_so(gpm_t)

refpolicy/policy/modules/services/hal.if

@@ -34,7 +34,7 @@ interface(`hal_domtrans',`
 ##	</summary>
 ## </param>
 #
-interface(`hal_dgram_sendto',`
+interface(`hal_dgram_send',`
 	gen_require(`
 		type hald_t;
 	')

refpolicy/policy/modules/services/hal.te

@@ -42,7 +42,7 @@ files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
 
 allow hald_t hald_var_run_t:file create_file_perms;
 allow hald_t hald_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hald_t,hald_var_run_t)
+files_pid_filetrans(hald_t,hald_var_run_t,file)
 
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
@@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t)
 kernel_read_fs_sysctls(hald_t)
 kernel_write_proc_files(hald_t)
 
-bootloader_search_boot(hald_t)
+files_search_boot(hald_t)
 
 corecmd_exec_bin(hald_t)
 corecmd_exec_sbin(hald_t)
@@ -114,7 +114,7 @@ term_dontaudit_ioctl_unallocated_ttys(hald_t)
 term_dontaudit_use_unallocated_ttys(hald_t)
 term_dontaudit_use_generic_ptys(hald_t)
 
-init_use_fd(hald_t)
+init_use_fds(hald_t)
 init_use_script_ptys(hald_t)
 init_domtrans_script(hald_t)
 init_write_initctl(hald_t)

refpolicy/policy/modules/services/howl.te

@@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
 
 allow howl_t howl_var_run_t:file create_file_perms;
 allow howl_t howl_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(howl_t,howl_var_run_t)
+files_pid_filetrans(howl_t,howl_var_run_t,file)
 
 kernel_read_network_state(howl_t)
 kernel_read_kernel_sysctls(howl_t)
@@ -60,7 +60,7 @@ domain_use_interactive_fds(howl_t)
 
 files_read_etc_files(howl_t)
 
-init_use_fd(howl_t)
+init_use_fds(howl_t)
 init_use_script_ptys(howl_t)
 init_rw_utmp(howl_t)
 

refpolicy/policy/modules/services/i18n_input.te

@@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
 allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
 allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
 allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(i18n_input_t,i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
 
 can_exec(i18n_input_t, i18n_input_exec_t)
 
@@ -69,7 +69,7 @@ files_read_etc_files(i18n_input_t)
 files_read_etc_runtime_files(i18n_input_t)
 files_read_usr_files(i18n_input_t)
 
-init_use_fd(i18n_input_t)
+init_use_fds(i18n_input_t)
 init_use_script_ptys(i18n_input_t)
 init_stream_connect_script(i18n_input_t)
 

refpolicy/policy/modules/services/inetd.if

@@ -165,7 +165,7 @@ interface(`inetd_service_domain',`
 ##	</summary>
 ## </param>
 #
-interface(`inetd_use_fd',`
+interface(`inetd_use_fds',`
 	gen_require(`
 		type inetd_t;
 	')
@@ -227,7 +227,7 @@ interface(`inetd_domtrans_child',`
 ##	</summary>
 ## </param>
 #
-interface(`inetd_udp_sendto',`
+interface(`inetd_udp_send',`
 	gen_require(`
 		type inetd_t;
 	')

refpolicy/policy/modules/services/inetd.te

@@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
 allow inetd_t self:udp_socket { connect connected_socket_perms };
 
 allow inetd_t inetd_log_t:file create_file_perms;
-logging_log_filetrans(inetd_t,inetd_log_t)
+logging_log_filetrans(inetd_t,inetd_log_t,file)
 
 allow inetd_t inetd_tmp_t:dir create_dir_perms;
 allow inetd_t inetd_tmp_t:file create_file_perms;
 files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
 
 allow inetd_t inetd_var_run_t:file create_file_perms;
-files_pid_filetrans(inetd_t,inetd_var_run_t)
+files_pid_filetrans(inetd_t,inetd_var_run_t,file)
 
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
@@ -106,7 +106,7 @@ domain_use_interactive_fds(inetd_t)
 
 files_read_etc_files(inetd_t)
 
-init_use_fd(inetd_t)
+init_use_fds(inetd_t)
 init_use_script_ptys(inetd_t)
 
 libs_use_ld_so(inetd_t)
@@ -179,7 +179,7 @@ files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
 
 allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
 allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(inetd_child_t,inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
 
 kernel_read_kernel_sysctls(inetd_child_t)
 kernel_read_system_state(inetd_child_t)

refpolicy/policy/modules/services/inn.te

@@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
 
 allow innd_t innd_log_t:file manage_file_perms;
 allow innd_t innd_log_t:dir { setattr rw_dir_perms };
-logging_log_filetrans(innd_t,innd_log_t)
+logging_log_filetrans(innd_t,innd_log_t,file)
 
 allow innd_t innd_var_lib_t:dir create_dir_perms;
 allow innd_t innd_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(innd_t,innd_var_lib_t)
+files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
 
 allow innd_t innd_var_run_t:dir create_dir_perms;
 allow innd_t innd_var_run_t:file create_file_perms;
 allow innd_t innd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(innd_t,innd_var_run_t)
+files_pid_filetrans(innd_t,innd_var_run_t,file)
 
 allow innd_t news_spool_t:dir create_dir_perms;
 allow innd_t news_spool_t:file create_file_perms;
@@ -97,7 +97,7 @@ files_read_etc_files(innd_t)
 files_read_etc_runtime_files(innd_t)
 files_read_usr_files(innd_t)
 
-init_use_fd(innd_t)
+init_use_fds(innd_t)
 init_use_script_ptys(innd_t)
 
 libs_use_ld_so(innd_t)

refpolicy/policy/modules/services/irqbalance.te

@@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
 
 allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
 allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(irqbalance_t,irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
 
 kernel_read_system_state(irqbalance_t)
 kernel_read_kernel_sysctls(irqbalance_t)
@@ -41,7 +41,7 @@ term_dontaudit_use_console(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
-init_use_fd(irqbalance_t)
+init_use_fds(irqbalance_t)
 init_use_script_ptys(irqbalance_t)
 
 libs_use_ld_so(irqbalance_t)

refpolicy/policy/modules/services/kerberos.te

@@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
 allow kadmind_t self:udp_socket create_socket_perms;
 
 allow kadmind_t kadmind_log_t:file create_file_perms;
-logging_log_filetrans(kadmind_t,kadmind_log_t)
+logging_log_filetrans(kadmind_t,kadmind_log_t,file)
 
 allow kadmind_t krb5_conf_t:file r_file_perms;
 dontaudit kadmind_t krb5_conf_t:file write;
@@ -81,7 +81,7 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
 
 allow kadmind_t kadmind_var_run_t:file create_file_perms;
 allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(kadmind_t,kadmind_var_run_t)
+files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
 
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
@@ -116,7 +116,7 @@ domain_use_interactive_fds(kadmind_t)
 
 files_read_etc_files(kadmind_t)
 
-init_use_fd(kadmind_t)
+init_use_fds(kadmind_t)
 init_use_script_ptys(kadmind_t)
 
 libs_use_ld_so(kadmind_t)
@@ -172,7 +172,7 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
 dontaudit krb5kdc_t krb5kdc_conf_t:file write;
 
 allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
-logging_log_filetrans(krb5kdc_t,krb5kdc_log_t)
+logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
 
 allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
 dontaudit krb5kdc_t krb5kdc_principal_t:file write;
@@ -183,7 +183,7 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
 
 allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
 allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
 
 kernel_read_system_state(krb5kdc_t)
 kernel_read_kernel_sysctls(krb5kdc_t)
@@ -216,7 +216,7 @@ domain_use_interactive_fds(krb5kdc_t)
 
 files_read_etc_files(krb5kdc_t)
 
-init_use_fd(krb5kdc_t)
+init_use_fds(krb5kdc_t)
 init_use_script_ptys(krb5kdc_t)
 
 libs_use_ld_so(krb5kdc_t)

refpolicy/policy/modules/services/ktalk.te

@@ -44,7 +44,7 @@ files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
 
 allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
 allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ktalkd_t,ktalkd_var_run_t)
+files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
 
 kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)

refpolicy/policy/modules/services/ldap.te

@@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
 allow slapd_t slapd_etc_t:file { getattr read };
 
 allow slapd_t slapd_lock_t:file create_file_perms;
-files_lock_filetrans(slapd_t,slapd_lock_t)
+files_lock_filetrans(slapd_t,slapd_lock_t,file)
 
 # Allow access to write the replication log (should tighten this)
 allow slapd_t slapd_replog_t:dir create_dir_perms;
@@ -72,7 +72,7 @@ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
 
 allow slapd_t slapd_var_run_t:file create_file_perms;
 allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t)
+files_pid_filetrans(slapd_t,slapd_var_run_t,file)
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
@@ -107,7 +107,7 @@ files_read_etc_runtime_files(slapd_t)
 files_read_usr_files(slapd_t)
 files_list_var_lib(slapd_t)
 
-init_use_fd(slapd_t)
+init_use_fds(slapd_t)
 init_use_script_ptys(slapd_t)
 
 libs_use_ld_so(slapd_t)

refpolicy/policy/modules/services/lpd.te

@@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms };
 allow checkpc_t self:unix_stream_socket create_socket_perms;
 
 allow checkpc_t checkpc_log_t:file create_file_perms;
-logging_log_filetrans(checkpc_t,checkpc_log_t)
+logging_log_filetrans(checkpc_t,checkpc_log_t,file)
 
 allow checkpc_t lpd_var_run_t:dir { search getattr };
 files_search_pids(checkpc_t)
@@ -92,7 +92,7 @@ files_read_etc_runtime_files(checkpc_t)
 
 init_use_script_ptys(checkpc_t)
 # Allow access to /dev/console through the fd:
-init_use_fd(checkpc_t)
+init_use_fds(checkpc_t)
 
 libs_use_ld_so(checkpc_t)
 libs_use_shared_libs(checkpc_t)
@@ -135,7 +135,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
 allow lpd_t lpd_var_run_t:dir rw_dir_perms;
 allow lpd_t lpd_var_run_t:file create_file_perms;
 allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(lpd_t,lpd_var_run_t)
+files_pid_filetrans(lpd_t,lpd_var_run_t,file)
 
 # Write to /var/spool/lpd.
 allow lpd_t print_spool_t:dir rw_dir_perms;
@@ -201,7 +201,7 @@ files_read_var_lib_symlinks(lpd_t)
 # config files for lpd are of type etc_t, probably should change this
 files_read_etc_files(lpd_t)
 
-init_use_fd(lpd_t)
+init_use_fds(lpd_t)
 init_use_script_ptys(lpd_t)
 
 libs_use_ld_so(lpd_t)

refpolicy/policy/modules/services/mailman.if

@@ -37,11 +37,11 @@ template(`mailman_domain_template', `
 
 	allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 	allow mailman_$1_t mailman_lock_t:file create_file_perms;
-	files_lock_filetrans(mailman_$1_t,mailman_lock_t)
+	files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
 
 	allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
 	allow mailman_$1_t mailman_log_t:file create_file_perms;
-	logging_log_filetrans(mailman_$1_t,mailman_log_t)
+	logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
 
 	allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
 	allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;

refpolicy/policy/modules/services/mailman.te

@@ -49,7 +49,7 @@ optional_policy(`apache',`
 	mta_tcp_connect_all_mailservers(mailman_cgi_t)
 
 	apache_sigchld(mailman_cgi_t)
-	apache_use_fd(mailman_cgi_t)
+	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
 ')

refpolicy/policy/modules/services/mta.if

@@ -654,10 +654,9 @@ interface(`mta_dontaudit_getattr_spool_files',`
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
-## <param name="object" optional="true">
+## <param name="object">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, file will be used.
+##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
@@ -668,12 +667,7 @@ interface(`mta_spool_filetrans',`
 
 	files_search_spool($1)
 	allow $1 mail_spool_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 mail_spool_t:file $2;
-	',`
-		type_transition $1 mail_spool_t:$3 $2;
-	')
+	type_transition $1 mail_spool_t:$3 $2;
 ')
 
 #######################################

refpolicy/policy/modules/services/mysql.te

@@ -49,7 +49,7 @@ allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 
 allow mysqld_t mysqld_log_t:file create_file_perms;
-logging_log_filetrans(mysqld_t,mysqld_log_t)
+logging_log_filetrans(mysqld_t,mysqld_log_t,file)
 
 allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
 allow mysqld_t mysqld_tmp_t:file create_file_perms;
@@ -58,7 +58,7 @@ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
 allow mysqld_t mysqld_var_run_t:file create_file_perms;
-files_pid_filetrans(mysqld_t,mysqld_var_run_t)
+files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
 
 kernel_list_proc(mysqld_t)
 kernel_read_kernel_sysctls(mysqld_t)
@@ -94,7 +94,7 @@ files_read_etc_files(mysqld_t)
 files_read_usr_files(mysqld_t)
 files_search_var_lib(mysqld_t)
 
-init_use_fd(mysqld_t)
+init_use_fds(mysqld_t)
 init_use_script_ptys(mysqld_t)
 
 libs_use_ld_so(mysqld_t)

refpolicy/policy/modules/services/networkmanager.te

@@ -79,7 +79,7 @@ files_read_etc_files(NetworkManager_t)
 files_read_etc_runtime_files(NetworkManager_t)
 files_read_usr_files(NetworkManager_t)
 
-init_use_fd(NetworkManager_t)
+init_use_fds(NetworkManager_t)
 init_use_script_ptys(NetworkManager_t)
 init_read_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)

refpolicy/policy/modules/services/nis.te

@@ -58,7 +58,7 @@ files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
 
 allow ypbind_t ypbind_var_run_t:file manage_file_perms;
 allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ypbind_t,ypbind_var_run_t)
+files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
 
 allow ypbind_t var_yp_t:dir rw_dir_perms;
 allow ypbind_t var_yp_t:file create_file_perms;
@@ -99,7 +99,7 @@ domain_use_interactive_fds(ypbind_t)
 files_read_etc_files(ypbind_t)
 files_list_var(ypbind_t)
 
-init_use_fd(ypbind_t)
+init_use_fds(ypbind_t)
 init_use_script_ptys(ypbind_t)
 init_udp_send_script(ypbind_t)
 
@@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
 
 allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
 allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
 
 allow yppasswdd_t var_yp_t:dir rw_dir_perms;
 allow yppasswdd_t var_yp_t:file create_file_perms;
@@ -200,7 +200,7 @@ files_read_etc_files(yppasswdd_t)
 files_read_etc_runtime_files(yppasswdd_t)
 files_relabel_etc_files(yppasswdd_t)
 
-init_use_fd(yppasswdd_t)
+init_use_fds(yppasswdd_t)
 init_use_script_ptys(yppasswdd_t)
 init_udp_send_script(yppasswdd_t)
 
@@ -260,7 +260,7 @@ files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
 
 allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
 allow ypserv_t ypserv_var_run_t:file manage_file_perms;
-files_pid_filetrans(ypserv_t,ypserv_var_run_t)
+files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
 
 kernel_read_kernel_sysctls(ypserv_t)
 kernel_list_proc(ypserv_t)
@@ -295,7 +295,7 @@ domain_use_interactive_fds(ypserv_t)
 
 files_read_var_files(ypserv_t)
 
-init_use_fd(ypserv_t)
+init_use_fds(ypserv_t)
 init_use_script_ptys(ypserv_t)
 init_udp_send_script(ypserv_t)
 

refpolicy/policy/modules/services/nscd.te

@@ -45,7 +45,7 @@ allow nscd_t self:udp_socket create_socket_perms;
 allow nscd_t self:nscd { admin getstat };
 
 allow nscd_t nscd_log_t:file create_file_perms;
-logging_log_filetrans(nscd_t,nscd_log_t)
+logging_log_filetrans(nscd_t,nscd_log_t,file)
 
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
@@ -93,7 +93,7 @@ domain_use_interactive_fds(nscd_t)
 files_read_etc_files(nscd_t)
 files_read_generic_tmp_symlinks(nscd_t)
 
-init_use_fd(nscd_t)
+init_use_fds(nscd_t)
 init_use_script_ptys(nscd_t)
 
 libs_use_ld_so(nscd_t)

refpolicy/policy/modules/services/ntp.te

@@ -58,7 +58,7 @@ files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
 
 allow ntpd_t ntpd_var_run_t:file create_file_perms;
 allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ntpd_t,ntpd_var_run_t)
+files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
 
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
@@ -100,7 +100,7 @@ files_read_usr_files(ntpd_t)
 files_list_var_lib(ntpd_t)
 
 init_exec_script_files(ntpd_t)
-init_use_fd(ntpd_t)
+init_use_fds(ntpd_t)
 init_use_script_ptys(ntpd_t)
 
 libs_use_ld_so(ntpd_t)
@@ -128,7 +128,7 @@ optional_policy(`cron',`
 ')
 
 optional_policy(`firstboot',`
-	firstboot_dontaudit_use_fd(ntpd_t)
+	firstboot_dontaudit_use_fds(ntpd_t)
 ')
 
 optional_policy(`logrotate',`

refpolicy/policy/modules/services/openct.te

@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
 
 allow openct_t openct_var_run_t:file create_file_perms;
 allow openct_t openct_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(openct_t,openct_var_run_t)
+files_pid_filetrans(openct_t,openct_var_run_t,file)
 
 kernel_read_kernel_sysctls(openct_t)
 kernel_list_proc(openct_t)
@@ -43,7 +43,7 @@ fs_search_auto_mountpoints(openct_t)
 
 term_dontaudit_use_console(openct_t)
 
-init_use_fd(openct_t)
+init_use_fds(openct_t)
 init_use_script_ptys(openct_t)
 
 libs_use_ld_so(openct_t)

refpolicy/policy/modules/services/pegasus.te

@@ -59,7 +59,7 @@ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
 allow pegasus_t pegasus_var_run_t:file create_file_perms;
 allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
 allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(pegasus_t,pegasus_var_run_t)
+files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
 
 kernel_read_kernel_sysctls(pegasus_t)
 kernel_read_fs_sysctls(pegasus_t)
@@ -97,7 +97,7 @@ files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
-init_use_fd(pegasus_t)
+init_use_fds(pegasus_t)
 init_use_script_ptys(pegasus_t)
 init_rw_utmp(pegasus_t)
 

refpolicy/policy/modules/services/portmap.te

@@ -40,7 +40,7 @@ files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
 
 allow portmap_t portmap_var_run_t:file create_file_perms;
 allow portmap_t portmap_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(portmap_t,portmap_var_run_t)
+files_pid_filetrans(portmap_t,portmap_var_run_t,file)
 
 kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
@@ -80,7 +80,7 @@ domain_use_interactive_fds(portmap_t)
 
 files_read_etc_files(portmap_t)
 
-init_use_fd(portmap_t)
+init_use_fds(portmap_t)
 init_use_script_ptys(portmap_t)
 init_udp_send(portmap_t)
 init_udp_send_script(portmap_t)
@@ -104,7 +104,7 @@ ifdef(`targeted_policy', `
 ')
 
 optional_policy(`inetd',`
-	inetd_udp_sendto(portmap_t)
+	inetd_udp_send(portmap_t)
 ')
 
 optional_policy(`mount',`
@@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
 allow portmap_helper_t self:udp_socket create_socket_perms;
 
 allow portmap_helper_t portmap_var_run_t:file create_file_perms;
-files_pid_filetrans(portmap_helper_t,portmap_var_run_t)
+files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
 
 corenet_tcp_sendrecv_all_if(portmap_helper_t)
 corenet_udp_sendrecv_all_if(portmap_helper_t)

refpolicy/policy/modules/services/postfix.if

@@ -45,7 +45,7 @@ template(`postfix_domain_template',`
 	allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
 
 	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
-	files_pid_filetrans(postfix_$1_t,postfix_var_run_t)
+	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
 
 	kernel_read_system_state(postfix_$1_t)
 	kernel_read_network_state(postfix_$1_t)
@@ -72,7 +72,7 @@ template(`postfix_domain_template',`
 	files_search_spool(postfix_$1_t)
 	files_getattr_tmp_dirs(postfix_$1_t)
 
-	init_use_fd(postfix_$1_t)
+	init_use_fds(postfix_$1_t)
 	init_sigchld(postfix_$1_t)
 
 	libs_use_ld_so(postfix_$1_t)
@@ -209,10 +209,9 @@ interface(`postfix_read_config',`
 ##	The type of the object to be created.
 ##	</summary>
 ## </param>
-## <param name="object" optional="true">
+## <param name="object">
 ##	<summary>
-##	The object class of the object being created.  If
-##	no class is specified, file will be used.
+##	The object class of the object being created.
 ##	</summary>
 ## </param>
 #
@@ -223,12 +222,7 @@ interface(`postfix_config_filetrans',`
 
 	files_search_etc($1)
 	allow $1 postfix_etc_t:dir rw_dir_perms;
-
-	ifelse(`$3',`',`
-		type_transition $1 postfix_etc_t:file $2;
-	',`
-		type_transition $1 postfix_etc_t:$3 $2;
-	')
+	type_transition $1 postfix_etc_t:$3 $2;
 ')
 
 ########################################
@@ -263,7 +257,7 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
 ##	</summary>
 ## </param>
 #
-interface(`postfix_dontaudit_use_fd',`
+interface(`postfix_dontaudit_use_fds',`
 	gen_require(`
 		type postfix_master_t;
 	')

refpolicy/policy/modules/services/postfix.te

@@ -361,7 +361,7 @@ tunable_policy(`read_default_t',`
 ')
 
 optional_policy(`locallogin',`
-	locallogin_dontaudit_use_fd(postfix_map_t)
+	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
 # a "run" interface needs to be
@@ -438,14 +438,14 @@ ifdef(`targeted_policy', `
 ')
 
 optional_policy(`crond',`
-	cron_use_fd(postfix_postdrop_t)
+	cron_use_fds(postfix_postdrop_t)
 	cron_rw_pipes(postfix_postdrop_t)
 	cron_use_system_job_fds(postfix_postdrop_t)
 	cron_rw_system_job_pipes(postfix_postdrop_t)
 ')
 
 optional_policy(`ppp',`
-	ppp_use_fd(postfix_postqueue_t)
+	ppp_use_fds(postfix_postqueue_t)
 	ppp_sigchld(postfix_postqueue_t)
 ')
 

refpolicy/policy/modules/services/postgresql.te

@@ -58,7 +58,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 can_exec(postgresql_t, postgresql_exec_t )
 
 allow postgresql_t postgresql_lock_t:file create_file_perms;
-files_lock_filetrans(postgresql_t,postgresql_lock_t)
+files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
 
 allow postgresql_t postgresql_log_t:dir rw_dir_perms;
 allow postgresql_t postgresql_log_t:file create_file_perms;
@@ -75,7 +75,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
 allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
 allow postgresql_t postgresql_var_run_t:file create_file_perms;
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(postgresql_t,postgresql_var_run_t)
+files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
 
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
@@ -122,7 +122,7 @@ files_read_etc_runtime_files(postgresql_t)
 files_read_usr_files(postgresql_t)
 
 init_read_utmp(postgresql_t)
-init_use_fd(postgresql_t)
+init_use_fds(postgresql_t)
 init_use_script_ptys(postgresql_t)
 
 libs_use_ld_so(postgresql_t)

refpolicy/policy/modules/services/ppp.if

@@ -10,7 +10,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`ppp_use_fd',`
+interface(`ppp_use_fds',`
 	gen_require(`
 		type pppd_t;
 	')
@@ -29,7 +29,7 @@ interface(`ppp_use_fd',`
 ##	</summary>
 ## </param>
 #
-interface(`ppp_dontaudit_use_fd',`
+interface(`ppp_dontaudit_use_fds',`
 	gen_require(`
 		type pppd_t;
 	')

refpolicy/policy/modules/services/ppp.te

@@ -80,15 +80,15 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
 allow pppd_t pppd_etc_t:file r_file_perms;
 allow pppd_t pppd_etc_t:lnk_file { getattr read };
-files_etc_filetrans(pppd_t,pppd_etc_t)
+files_etc_filetrans(pppd_t,pppd_etc_t,file)
 
 allow pppd_t pppd_etc_rw_t:file create_file_perms;
 
 allow pppd_t pppd_lock_t:file create_file_perms;
-files_lock_filetrans(pppd_t,pppd_lock_t)
+files_lock_filetrans(pppd_t,pppd_lock_t,file)
 
 allow pppd_t pppd_log_t:file create_file_perms;
-logging_log_filetrans(pppd_t,pppd_log_t)
+logging_log_filetrans(pppd_t,pppd_log_t,file)
 
 allow pppd_t pppd_tmp_t:dir create_dir_perms;
 allow pppd_t pppd_tmp_t:file create_file_perms;
@@ -96,7 +96,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
 
 allow pppd_t pppd_var_run_t:dir rw_dir_perms;
 allow pppd_t pppd_var_run_t:file create_file_perms;
-files_pid_filetrans(pppd_t,pppd_var_run_t)
+files_pid_filetrans(pppd_t,pppd_var_run_t,file)
 
 allow pppd_t pptp_t:process signal;
 
@@ -155,7 +155,7 @@ files_read_etc_files(pppd_t)
 
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
-init_use_fd(pppd_t)
+init_use_fds(pppd_t)
 init_use_script_ptys(pppd_t)
 
 libs_use_ld_so(pppd_t)
@@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
 allow pptp_t pppd_log_t:file append;
 
 allow pptp_t pptp_log_t:file create_file_perms;
-logging_log_filetrans(pptp_t,pptp_log_t)
+logging_log_filetrans(pptp_t,pptp_log_t,file)
 
 allow pptp_t pptp_var_run_t:file create_file_perms;
 allow pptp_t pptp_var_run_t:dir rw_dir_perms;
 allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(pptp_t,pptp_var_run_t)
+files_pid_filetrans(pptp_t,pptp_var_run_t,file)
 
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
@@ -281,7 +281,7 @@ term_use_ptmx(pptp_t)
 
 domain_use_interactive_fds(pptp_t)
 
-init_use_fd(pptp_t)
+init_use_fds(pptp_t)
 init_use_script_ptys(pptp_t)
 
 libs_use_ld_so(pptp_t)

refpolicy/policy/modules/services/privoxy.te

@@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
 
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_log_filetrans(privoxy_t,privoxy_log_t)
+logging_log_filetrans(privoxy_t,privoxy_log_t,file)
 
 allow privoxy_t privoxy_var_run_t:file create_file_perms;
 allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(privoxy_t,privoxy_var_run_t)
+files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
 
 kernel_read_kernel_sysctls(privoxy_t)
 kernel_list_proc(privoxy_t)
@@ -63,7 +63,7 @@ domain_use_interactive_fds(privoxy_t)
 
 files_read_etc_files(privoxy_t)
 
-init_use_fd(privoxy_t)
+init_use_fds(privoxy_t)
 init_use_script_ptys(privoxy_t)
 
 libs_use_ld_so(privoxy_t)

refpolicy/policy/modules/services/procmail.te

@@ -90,7 +90,7 @@ optional_policy(`nscd',`
 optional_policy(`postfix',`
 	# for a bug in the postfix local program
 	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
-	postfix_dontaudit_use_fd(procmail_t)
+	postfix_dontaudit_use_fds(procmail_t)
 ')
 
 optional_policy(`sendmail',`

refpolicy/policy/modules/services/radius.te

@@ -45,7 +45,7 @@ logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
 
 allow radiusd_t radiusd_var_run_t:file create_file_perms;
 allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radiusd_t,radiusd_var_run_t)
+files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
 
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
@@ -86,7 +86,7 @@ files_read_usr_files(radiusd_t)
 files_read_etc_files(radiusd_t)
 files_read_etc_runtime_files(radiusd_t)
 
-init_use_fd(radiusd_t)
+init_use_fds(radiusd_t)
 init_use_script_ptys(radiusd_t)
 
 libs_use_ld_so(radiusd_t)

refpolicy/policy/modules/services/radvd.te

@@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
 
 allow radvd_t radvd_var_run_t:file create_file_perms;
 allow radvd_t radvd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radvd_t,radvd_var_run_t)
+files_pid_filetrans(radvd_t,radvd_var_run_t,file)
 
 kernel_read_kernel_sysctls(radvd_t)
 kernel_read_net_sysctls(radvd_t)
@@ -63,7 +63,7 @@ domain_use_interactive_fds(radvd_t)
 files_read_etc_files(radvd_t)
 files_list_usr(radvd_t)
 
-init_use_fd(radvd_t)
+init_use_fds(radvd_t)
 init_use_script_ptys(radvd_t)
 
 libs_use_ld_so(radvd_t)

refpolicy/policy/modules/services/rdisc.te

@@ -44,7 +44,7 @@ domain_use_interactive_fds(rdisc_t)
 
 files_read_etc_files(rdisc_t)
 
-init_use_fd(rdisc_t)
+init_use_fds(rdisc_t)
 init_use_script_ptys(rdisc_t)
 
 libs_use_ld_so(rdisc_t)

refpolicy/policy/modules/services/rlogin.te

@@ -45,7 +45,7 @@ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
 
 allow rlogind_t rlogind_var_run_t:file create_file_perms;
 allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(rlogind_t,rlogind_var_run_t)
+files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
 
 kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)