From 1c1ac67f93fbaaa6d23af852546d3c27c5ebf614 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 2 Mar 2006 23:41:11 +0000 Subject: [PATCH] make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames. --- refpolicy/Changelog | 3 + refpolicy/policy/modules/admin/acct.te | 2 +- refpolicy/policy/modules/admin/consoletype.te | 10 +- refpolicy/policy/modules/admin/ddcprobe.te | 2 +- refpolicy/policy/modules/admin/dmesg.te | 2 +- refpolicy/policy/modules/admin/dmidecode.te | 2 +- refpolicy/policy/modules/admin/firstboot.if | 4 +- refpolicy/policy/modules/admin/firstboot.te | 2 +- refpolicy/policy/modules/admin/kudzu.te | 6 +- refpolicy/policy/modules/admin/logrotate.if | 4 +- refpolicy/policy/modules/admin/logrotate.te | 4 +- refpolicy/policy/modules/admin/mrtg.te | 2 +- refpolicy/policy/modules/admin/netutils.te | 6 +- refpolicy/policy/modules/admin/portage.te | 2 +- refpolicy/policy/modules/admin/prelink.te | 2 +- refpolicy/policy/modules/admin/quota.te | 2 +- refpolicy/policy/modules/admin/readahead.te | 4 +- refpolicy/policy/modules/admin/rpm.if | 2 +- refpolicy/policy/modules/admin/rpm.te | 2 +- refpolicy/policy/modules/admin/su.if | 4 +- refpolicy/policy/modules/admin/updfstab.te | 4 +- refpolicy/policy/modules/admin/usbmodules.te | 4 +- refpolicy/policy/modules/admin/usermanage.te | 8 +- refpolicy/policy/modules/admin/vpn.te | 4 +- refpolicy/policy/modules/apps/loadkeys.te | 2 +- refpolicy/policy/modules/apps/lockdev.if | 2 +- refpolicy/policy/modules/apps/uml.te | 2 +- refpolicy/policy/modules/apps/userhelper.if | 5 +- refpolicy/policy/modules/apps/webalizer.te | 2 +- refpolicy/policy/modules/kernel/bootloader.fc | 8 - refpolicy/policy/modules/kernel/bootloader.if | 331 --------- refpolicy/policy/modules/kernel/bootloader.te | 47 +- refpolicy/policy/modules/kernel/domain.if | 4 +- refpolicy/policy/modules/kernel/files.fc | 9 + refpolicy/policy/modules/kernel/files.if | 637 +++++++++++++++--- refpolicy/policy/modules/kernel/files.te | 21 +- refpolicy/policy/modules/kernel/filesystem.if | 9 +- refpolicy/policy/modules/kernel/kernel.if | 6 +- refpolicy/policy/modules/kernel/storage.if | 43 -- refpolicy/policy/modules/services/apache.if | 2 +- refpolicy/policy/modules/services/apache.te | 8 +- refpolicy/policy/modules/services/apm.if | 2 +- refpolicy/policy/modules/services/apm.te | 10 +- refpolicy/policy/modules/services/arpwatch.te | 4 +- .../policy/modules/services/automount.te | 10 +- refpolicy/policy/modules/services/avahi.te | 4 +- refpolicy/policy/modules/services/bind.te | 6 +- .../policy/modules/services/bluetooth.te | 6 +- refpolicy/policy/modules/services/canna.te | 4 +- refpolicy/policy/modules/services/comsat.te | 2 +- .../policy/modules/services/cpucontrol.te | 4 +- refpolicy/policy/modules/services/cron.if | 4 +- refpolicy/policy/modules/services/cron.te | 12 +- refpolicy/policy/modules/services/cups.te | 22 +- refpolicy/policy/modules/services/cvs.te | 2 +- refpolicy/policy/modules/services/cyrus.te | 4 +- refpolicy/policy/modules/services/dbskk.te | 2 +- refpolicy/policy/modules/services/dbus.te | 4 +- refpolicy/policy/modules/services/dhcp.te | 6 +- refpolicy/policy/modules/services/dictd.te | 2 +- refpolicy/policy/modules/services/distcc.te | 6 +- refpolicy/policy/modules/services/dovecot.te | 4 +- .../policy/modules/services/fetchmail.te | 6 +- refpolicy/policy/modules/services/finger.te | 6 +- refpolicy/policy/modules/services/ftp.te | 8 +- refpolicy/policy/modules/services/gpm.te | 4 +- refpolicy/policy/modules/services/hal.if | 2 +- refpolicy/policy/modules/services/hal.te | 6 +- refpolicy/policy/modules/services/howl.te | 4 +- .../policy/modules/services/i18n_input.te | 4 +- refpolicy/policy/modules/services/inetd.if | 4 +- refpolicy/policy/modules/services/inetd.te | 8 +- refpolicy/policy/modules/services/inn.te | 8 +- .../policy/modules/services/irqbalance.te | 4 +- refpolicy/policy/modules/services/kerberos.te | 12 +- refpolicy/policy/modules/services/ktalk.te | 2 +- refpolicy/policy/modules/services/ldap.te | 6 +- refpolicy/policy/modules/services/lpd.te | 8 +- refpolicy/policy/modules/services/mailman.if | 4 +- refpolicy/policy/modules/services/mailman.te | 2 +- refpolicy/policy/modules/services/mta.if | 12 +- refpolicy/policy/modules/services/mysql.te | 6 +- .../policy/modules/services/networkmanager.te | 2 +- refpolicy/policy/modules/services/nis.te | 12 +- refpolicy/policy/modules/services/nscd.te | 4 +- refpolicy/policy/modules/services/ntp.te | 6 +- refpolicy/policy/modules/services/openct.te | 4 +- refpolicy/policy/modules/services/pegasus.te | 4 +- refpolicy/policy/modules/services/portmap.te | 8 +- refpolicy/policy/modules/services/postfix.if | 18 +- refpolicy/policy/modules/services/postfix.te | 6 +- .../policy/modules/services/postgresql.te | 6 +- refpolicy/policy/modules/services/ppp.if | 4 +- refpolicy/policy/modules/services/ppp.te | 16 +- refpolicy/policy/modules/services/privoxy.te | 6 +- refpolicy/policy/modules/services/procmail.te | 2 +- refpolicy/policy/modules/services/radius.te | 4 +- refpolicy/policy/modules/services/radvd.te | 4 +- refpolicy/policy/modules/services/rdisc.te | 2 +- refpolicy/policy/modules/services/rlogin.te | 2 +- refpolicy/policy/modules/services/roundup.te | 6 +- refpolicy/policy/modules/services/rpc.if | 2 +- refpolicy/policy/modules/services/rpc.te | 4 +- refpolicy/policy/modules/services/rsync.te | 2 +- refpolicy/policy/modules/services/samba.te | 20 +- refpolicy/policy/modules/services/sasl.te | 4 +- refpolicy/policy/modules/services/sendmail.te | 4 +- refpolicy/policy/modules/services/slrnpull.te | 6 +- refpolicy/policy/modules/services/smartmon.te | 4 +- refpolicy/policy/modules/services/snmp.te | 10 +- .../policy/modules/services/spamassassin.te | 4 +- refpolicy/policy/modules/services/squid.te | 8 +- refpolicy/policy/modules/services/ssh.if | 4 +- refpolicy/policy/modules/services/ssh.te | 2 +- refpolicy/policy/modules/services/stunnel.te | 4 +- refpolicy/policy/modules/services/sysstat.te | 2 +- refpolicy/policy/modules/services/telnet.te | 2 +- refpolicy/policy/modules/services/tftp.te | 4 +- refpolicy/policy/modules/services/timidity.te | 2 +- refpolicy/policy/modules/services/uucp.te | 2 +- refpolicy/policy/modules/services/xfs.te | 4 +- refpolicy/policy/modules/services/xserver.if | 6 +- refpolicy/policy/modules/services/xserver.te | 6 +- refpolicy/policy/modules/services/zebra.te | 2 +- refpolicy/policy/modules/system/authlogin.te | 8 +- refpolicy/policy/modules/system/clock.te | 2 +- .../policy/modules/system/daemontools.te | 4 +- refpolicy/policy/modules/system/fstools.te | 4 +- refpolicy/policy/modules/system/getty.if | 2 +- refpolicy/policy/modules/system/getty.te | 6 +- refpolicy/policy/modules/system/hostname.te | 2 +- refpolicy/policy/modules/system/hotplug.if | 8 +- refpolicy/policy/modules/system/hotplug.te | 8 +- refpolicy/policy/modules/system/init.if | 19 +- refpolicy/policy/modules/system/init.te | 16 +- refpolicy/policy/modules/system/ipsec.te | 15 +- refpolicy/policy/modules/system/iptables.te | 8 +- refpolicy/policy/modules/system/locallogin.if | 4 +- refpolicy/policy/modules/system/locallogin.te | 4 +- refpolicy/policy/modules/system/logging.if | 8 +- refpolicy/policy/modules/system/logging.te | 18 +- refpolicy/policy/modules/system/lvm.te | 13 +- refpolicy/policy/modules/system/modutils.if | 4 +- refpolicy/policy/modules/system/modutils.te | 20 +- refpolicy/policy/modules/system/mount.if | 2 +- refpolicy/policy/modules/system/mount.te | 4 +- refpolicy/policy/modules/system/pcmcia.te | 8 +- refpolicy/policy/modules/system/raid.te | 4 +- .../policy/modules/system/selinuxutil.te | 10 +- refpolicy/policy/modules/system/sysnetwork.if | 11 +- refpolicy/policy/modules/system/sysnetwork.te | 12 +- refpolicy/policy/modules/system/udev.if | 2 +- refpolicy/policy/modules/system/udev.te | 8 +- refpolicy/policy/modules/system/unconfined.if | 6 +- refpolicy/policy/modules/system/userdomain.if | 24 +- refpolicy/policy/modules/system/userdomain.te | 2 +- refpolicy/policy/support/obj_perm_sets.spt | 3 +- 157 files changed, 987 insertions(+), 967 deletions(-) diff --git a/refpolicy/Changelog b/refpolicy/Changelog index e3cb5e15..3b78632f 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,6 @@ +- Make all interface parameters required. +- Move boot_t, system_map_t, and modules_object_t to files module, + and move bootloader to admin layer. - Add semanage policy for semodule from Dan Walsh. - Remove allow_execmem from targeted policy domain_base_type(). - Add users_extra and seusers support. diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index 4697a9ab..8716138b 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -57,7 +57,7 @@ files_list_usr(acct_t) # for nscd files_dontaudit_search_pids(acct_t) -init_use_fd(acct_t) +init_use_fds(acct_t) init_use_script_ptys(acct_t) init_exec_script_files(acct_t) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 8d9cf0de..7157fb45 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -36,7 +36,7 @@ allow consoletype_t self:sem create_sem_perms; allow consoletype_t self:msgq create_msgq_perms; allow consoletype_t self:msg { send receive }; -kernel_use_fd(consoletype_t) +kernel_use_fds(consoletype_t) kernel_dontaudit_read_system_state(consoletype_t) fs_getattr_all_fs(consoletype_t) @@ -46,7 +46,7 @@ fs_write_nfs_files(consoletype_t) term_use_console(consoletype_t) term_use_unallocated_ttys(consoletype_t) -init_use_fd(consoletype_t) +init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) init_use_script_fds(consoletype_t) init_write_script_pipes(consoletype_t) @@ -68,7 +68,7 @@ ifdef(`distro_redhat',` ') optional_policy(`apm',` - apm_use_fd(consoletype_t) + apm_use_fds(consoletype_t) apm_write_pipes(consoletype_t) ') @@ -83,12 +83,12 @@ optional_policy(`cron',` optional_policy(`firstboot',` files_read_etc_files(consoletype_t) - firstboot_use_fd(consoletype_t) + firstboot_use_fds(consoletype_t) firstboot_write_pipes(consoletype_t) ') optional_policy(`logrotate',` - logrotate_dontaudit_use_fd(consoletype_t) + logrotate_dontaudit_use_fds(consoletype_t) ') optional_policy(`lpd',` diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te index c0503417..67982aaa 100644 --- a/refpolicy/policy/modules/admin/ddcprobe.te +++ b/refpolicy/policy/modules/admin/ddcprobe.te @@ -24,7 +24,7 @@ kernel_read_system_state(ddcprobe_t) kernel_read_kernel_sysctls(ddcprobe_t) kernel_change_ring_buffer_level(ddcprobe_t) -bootloader_search_kernel_modules(ddcprobe_t) +files_search_kernel_modules(ddcprobe_t) corecmd_list_sbin(ddcprobe_t) corecmd_list_bin(ddcprobe_t) diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 5c068a78..52413bd7 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -50,7 +50,7 @@ ifdef(`strict_policy',` # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(dmesg_t) - init_use_fd(dmesg_t) + init_use_fds(dmesg_t) init_use_script_ptys(dmesg_t) libs_use_ld_so(dmesg_t) diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te index d638cfb9..839896f1 100644 --- a/refpolicy/policy/modules/admin/dmidecode.te +++ b/refpolicy/policy/modules/admin/dmidecode.te @@ -30,7 +30,7 @@ files_list_usr(dmidecode_t) libs_use_ld_so(dmidecode_t) libs_use_shared_libs(dmidecode_t) -locallogin_use_fd(dmidecode_t) +locallogin_use_fds(dmidecode_t) ifdef(`targeted_policy',` term_use_generic_ptys(dmidecode_t) diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if index b5450695..42144562 100644 --- a/refpolicy/policy/modules/admin/firstboot.if +++ b/refpolicy/policy/modules/admin/firstboot.if @@ -67,7 +67,7 @@ interface(`firstboot_run',` ## ## # -interface(`firstboot_use_fd',` +interface(`firstboot_use_fds',` gen_require(` type firstboot_t; ') @@ -86,7 +86,7 @@ interface(`firstboot_use_fd',` ## ## # -interface(`firstboot_dontaudit_use_fd',` +interface(`firstboot_dontaudit_use_fds',` gen_require(` type firstboot_t; ') diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te index 5ca6a160..85984d58 100644 --- a/refpolicy/policy/modules/admin/firstboot.te +++ b/refpolicy/policy/modules/admin/firstboot.te @@ -88,7 +88,7 @@ libs_use_shared_libs(firstboot_t) libs_exec_ld_so(firstboot_t) libs_exec_lib_files(firstboot_t) -locallogin_use_fd(firstboot_t) +locallogin_use_fds(firstboot_t) logging_send_syslog_msg(firstboot_t) diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index 8425e542..600ee0ba 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -35,7 +35,7 @@ files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) allow kudzu_t kudzu_var_run_t:file create_file_perms; allow kudzu_t kudzu_var_run_t:dir create_dir_perms; -files_pid_filetrans(kudzu_t,kudzu_var_run_t) +files_pid_filetrans(kudzu_t,kudzu_var_run_t,file) kernel_change_ring_buffer_level(kudzu_t) kernel_list_proc(kudzu_t) @@ -47,7 +47,7 @@ kernel_read_system_state(kudzu_t) kernel_rw_hotplug_sysctls(kudzu_t) kernel_rw_kernel_sysctl(kudzu_t) -bootloader_read_kernel_modules(kudzu_t) +files_read_kernel_modules(kudzu_t) dev_list_sysfs(kudzu_t) dev_read_usbfs(kudzu_t) @@ -100,7 +100,7 @@ files_rw_etc_runtime_files(kudzu_t) # for file systems that are not yet mounted files_dontaudit_search_isid_type_dirs(kudzu_t) -init_use_fd(kudzu_t) +init_use_fds(kudzu_t) init_use_script_ptys(kudzu_t) init_stream_connect_script(kudzu_t) diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if index b9c680a0..988ddfca 100644 --- a/refpolicy/policy/modules/admin/logrotate.if +++ b/refpolicy/policy/modules/admin/logrotate.if @@ -82,7 +82,7 @@ interface(`logrotate_exec',` ## ## # -interface(`logrotate_use_fd',` +interface(`logrotate_use_fds',` gen_require(` type logrotate_t; ') @@ -100,7 +100,7 @@ interface(`logrotate_use_fd',` ## ## # -interface(`logrotate_dontaudit_use_fd',` +interface(`logrotate_dontaudit_use_fds',` gen_require(` type logrotate_t; ') diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 52b29262..61040ce0 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -51,7 +51,7 @@ allow logrotate_t self:msgq create_msgq_perms; allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file create_file_perms; -files_lock_filetrans(logrotate_t,logrotate_lock_t) +files_lock_filetrans(logrotate_t,logrotate_lock_t,file) can_exec(logrotate_t, logrotate_tmp_t) @@ -62,7 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms }; allow logrotate_t logrotate_var_lib_t:file create_file_perms; -files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t) +files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te index 1389d4c9..dcf042be 100644 --- a/refpolicy/policy/modules/admin/mrtg.te +++ b/refpolicy/policy/modules/admin/mrtg.te @@ -97,7 +97,7 @@ fs_getattr_xattr_fs(mrtg_t) term_dontaudit_use_console(mrtg_t) -init_use_fd(mrtg_t) +init_use_fds(mrtg_t) init_use_script_ptys(mrtg_t) # for uptime init_read_utmp(mrtg_t) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index e707217e..aa1edd91 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -64,7 +64,7 @@ files_read_etc_files(netutils_t) # for nscd files_dontaudit_search_var(netutils_t) -init_use_fd(netutils_t) +init_use_fds(netutils_t) init_use_script_ptys(netutils_t) libs_use_ld_so(netutils_t) @@ -131,7 +131,7 @@ sysnet_dns_name_resolve(ping_t) logging_send_syslog_msg(ping_t) ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fd(ping_t) + init_dontaudit_use_fds(ping_t) ') ifdef(`targeted_policy',` @@ -159,7 +159,7 @@ optional_policy(`pcmcia',` ') optional_policy(`hotplug',` - hotplug_use_fd(ping_t) + hotplug_use_fds(ping_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te index 2d33bf9d..e83d18d7 100644 --- a/refpolicy/policy/modules/admin/portage.te +++ b/refpolicy/policy/modules/admin/portage.te @@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms; allow portage_fetch_t portage_t:process sigchld; allow portage_t portage_log_t:file create_file_perms; -logging_log_filetrans(portage_t,portage_log_t) +logging_log_filetrans(portage_t,portage_log_t,file) # transition to sandbox for compiling domain_trans(portage_t,portage_exec_t,portage_sandbox_t) diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index cff29190..93cfcb17 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -33,7 +33,7 @@ files_var_lib_filetrans(prelink_t, prelink_cache_t, file) allow prelink_t prelink_log_t:dir { setattr rw_dir_perms }; allow prelink_t prelink_log_t:file { create ra_file_perms }; allow prelink_t prelink_log_t:lnk_file read; -logging_log_filetrans(prelink_t, prelink_log_t) +logging_log_filetrans(prelink_t, prelink_log_t, file) # prelink misc objects that are not system # libraries or entrypoints diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te index 0c740a37..dcc02b2f 100644 --- a/refpolicy/policy/modules/admin/quota.te +++ b/refpolicy/policy/modules/admin/quota.te @@ -51,7 +51,7 @@ files_getattr_all_sockets(quota_t) # Read /etc/mtab. files_read_etc_runtime_files(quota_t) -init_use_fd(quota_t) +init_use_fds(quota_t) init_use_script_ptys(quota_t) libs_use_ld_so(quota_t) diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te index 8db168f0..bba6ad62 100644 --- a/refpolicy/policy/modules/admin/readahead.te +++ b/refpolicy/policy/modules/admin/readahead.te @@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms; allow readahead_t readahead_var_run_t:file create_file_perms; allow readahead_t readahead_var_run_t:dir rw_dir_perms; -files_pid_filetrans(readahead_t,readahead_var_run_t) +files_pid_filetrans(readahead_t,readahead_var_run_t,file) kernel_read_kernel_sysctls(readahead_t) kernel_read_system_state(readahead_t) @@ -56,7 +56,7 @@ term_dontaudit_use_console(readahead_t) auth_dontaudit_read_shadow(readahead_t) -init_use_fd(readahead_t) +init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index aef93912..a6fc3ff2 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if @@ -91,7 +91,7 @@ interface(`rpm_run',` ## ## # -interface(`rpm_use_fd',` +interface(`rpm_use_fds',` gen_require(` type rpm_t; ') diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 16570df3..d38ab560 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -184,7 +184,7 @@ ifdef(`targeted_policy',` # conflicts since rpm_t is an alias of # unconfined in the targeted policy allow rpm_t rpm_log_t:file create_file_perms; - logging_log_filetrans(rpm_t,rpm_log_t) + logging_log_filetrans(rpm_t,rpm_log_t,file) ') optional_policy(`cron',` diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index 63baa2e3..6cce4e98 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -49,7 +49,7 @@ template(`su_restricted_domain_template', ` domain_use_interactive_fds($1_su_t) - init_dontaudit_use_fd($1_su_t) + init_dontaudit_use_fds($1_su_t) init_dontaudit_use_script_ptys($1_su_t) # Write to utmp. init_rw_utmp($1_su_t) @@ -168,7 +168,7 @@ template(`su_per_userdomain_template',` files_search_var_lib($1_su_t) files_dontaudit_getattr_tmp_dirs($1_su_t) - init_dontaudit_use_fd($1_su_t) + init_dontaudit_use_fds($1_su_t) # Write to utmp. init_rw_utmp($1_su_t) diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index c3e32d10..b76f18a9 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -20,7 +20,7 @@ dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; allow updfstab_t self:process signal_perms; allow updfstab_t self:fifo_file { getattr read write ioctl }; -kernel_use_fd(updfstab_t) +kernel_use_fds(updfstab_t) kernel_read_kernel_sysctls(updfstab_t) kernel_dontaudit_write_kernel_sysctl(updfstab_t) # for /proc/partitions @@ -66,7 +66,7 @@ files_dontaudit_search_home(updfstab_t) # for /etc/mtab files_read_etc_runtime_files(updfstab_t) -init_use_fd(updfstab_t) +init_use_fds(updfstab_t) init_use_script_ptys(updfstab_t) libs_use_ld_so(updfstab_t) diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te index 46672a06..50a298dd 100644 --- a/refpolicy/policy/modules/admin/usbmodules.te +++ b/refpolicy/policy/modules/admin/usbmodules.te @@ -19,7 +19,7 @@ role system_r types usbmodules_t; kernel_list_proc(usbmodules_t) -bootloader_list_kernel_modules(usbmodules_t) +files_list_kernel_modules(usbmodules_t) dev_list_usbfs(usbmodules_t) # allow usb device access @@ -32,7 +32,7 @@ files_read_etc_files(usbmodules_t) term_read_console(usbmodules_t) term_write_console(usbmodules_t) -init_use_fd(usbmodules_t) +init_use_fds(usbmodules_t) libs_use_ld_so(usbmodules_t) libs_use_shared_libs(usbmodules_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index f2efebf9..6867ce0a 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -217,7 +217,7 @@ selinux_compute_user_contexts(groupadd_t) term_use_all_user_ttys(groupadd_t) term_use_all_user_ptys(groupadd_t) -init_use_fd(groupadd_t) +init_use_fds(groupadd_t) init_read_utmp(groupadd_t) init_dontaudit_write_utmp(groupadd_t) @@ -257,7 +257,7 @@ optional_policy(`nscd',` ') optional_policy(`rpm',` - rpm_use_fd(groupadd_t) + rpm_use_fds(groupadd_t) rpm_rw_pipes(groupadd_t) ') @@ -488,7 +488,7 @@ files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) -init_use_fd(useradd_t) +init_use_fds(useradd_t) init_rw_utmp(useradd_t) libs_use_ld_so(useradd_t) @@ -520,6 +520,6 @@ optional_policy(`nscd',` ') optional_policy(`rpm',` - rpm_use_fd(useradd_t) + rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te index 42be63bc..b659fa47 100644 --- a/refpolicy/policy/modules/admin/vpn.te +++ b/refpolicy/policy/modules/admin/vpn.te @@ -42,7 +42,7 @@ files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) allow vpnc_t vpnc_var_run_t:file create_file_perms; allow vpnc_t vpnc_var_run_t:dir rw_dir_perms; -files_pid_filetrans(vpnc_t,vpnc_var_run_t) +files_pid_filetrans(vpnc_t,vpnc_var_run_t,file) kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) @@ -91,7 +91,7 @@ libs_exec_lib_files(vpnc_t) libs_use_ld_so(vpnc_t) libs_use_shared_libs(vpnc_t) -locallogin_use_fd(vpnc_t) +locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te index 01fa47d8..8e7daf33 100644 --- a/refpolicy/policy/modules/apps/loadkeys.te +++ b/refpolicy/policy/modules/apps/loadkeys.te @@ -42,7 +42,7 @@ ifdef(`targeted_policy',` libs_use_ld_so(loadkeys_t) libs_use_shared_libs(loadkeys_t) - locallogin_use_fd(loadkeys_t) + locallogin_use_fds(loadkeys_t) miscfiles_read_localization(loadkeys_t) ') diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if index f2c078d3..d0c4e732 100644 --- a/refpolicy/policy/modules/apps/lockdev.if +++ b/refpolicy/policy/modules/apps/lockdev.if @@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',` allow $1_lockdev_t $2:process sigchld; allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms; - files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t) + files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file) files_read_all_locks($1_lockdev_t) diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te index db58cf3e..bd99059c 100644 --- a/refpolicy/policy/modules/apps/uml.te +++ b/refpolicy/policy/modules/apps/uml.te @@ -47,7 +47,7 @@ fs_search_auto_mountpoints(uml_switch_t) term_dontaudit_use_console(uml_switch_t) -init_use_fd(uml_switch_t) +init_use_fds(uml_switch_t) init_use_script_ptys(uml_switch_t) libs_use_ld_so(uml_switch_t) diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if index ac9f2055..e5aa7009 100644 --- a/refpolicy/policy/modules/apps/userhelper.if +++ b/refpolicy/policy/modules/apps/userhelper.if @@ -41,6 +41,7 @@ template(`userhelper_per_userdomain_template',` # # Declarations # + type $1_userhelper_t; domain_type($1_userhelper_t) domain_entry_file($1_userhelper_t,userhelper_exec_t) @@ -105,7 +106,7 @@ template(`userhelper_per_userdomain_template',` files_list_var_lib($1_userhelper_t) # Write to utmp. - files_pid_filetrans($1_userhelper_t,initrc_var_run_t) + files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file) # Read the /etc/security/default_type file files_read_etc_files($1_userhelper_t) # Read /var. @@ -141,7 +142,7 @@ template(`userhelper_per_userdomain_template',` auth_search_pam_console_data($1_userhelper_t) # Inherit descriptors from the current session. - init_use_fd($1_userhelper_t) + init_use_fds($1_userhelper_t) # Write to utmp. init_manage_utmp($1_userhelper_t) diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 6200fae1..a0aab80d 100644 --- a/refpolicy/policy/modules/apps/webalizer.te +++ b/refpolicy/policy/modules/apps/webalizer.te @@ -54,7 +54,7 @@ files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) allow webalizer_t webalizer_var_lib_t:file create_file_perms; allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms; -files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t) +files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc index 392176f5..bcedf95e 100644 --- a/refpolicy/policy/modules/kernel/bootloader.fc +++ b/refpolicy/policy/modules/kernel/bootloader.fc @@ -1,17 +1,9 @@ -/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) -/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) - -/boot(/.*)? gen_context(system_u:object_r:boot_t,s0) -/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) - /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - /usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 9927a33a..8f6707be 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -55,198 +55,6 @@ interface(`bootloader_run',` allow bootloader_t $3:chr_file rw_file_perms; ') -######################################## -## -## Get attributes of the /boot directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`bootloader_getattr_boot_dirs',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir getattr; -') - -######################################## -## -## Do not audit attempts to get attributes -## of the /boot directory. -## -## -## -## Domain to not audit. -## -## -# -interface(`bootloader_dontaudit_getattr_boot_dirs',` - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir getattr; -') - -######################################## -## -## Search the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_search_boot',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir search_dir_perms; -') - -######################################## -## -## Do not audit attempts to search the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_dontaudit_search_boot',` - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir search; -') - -######################################## -## -## Read and write symbolic links -## in the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_rw_boot_symlinks',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir r_dir_perms; - allow $1 boot_t:lnk_file rw_file_perms; -') - -######################################## -## -## Install a kernel into the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_create_kernel_img',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir ra_dir_perms; - allow $1 boot_t:file { getattr read write create }; - allow $1 boot_t:lnk_file { getattr read create unlink }; -') - -######################################## -## -## Install a system.map into the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_create_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir ra_dir_perms; - allow $1 system_map_t:file { rw_file_perms create }; -') - -######################################## -## -## Read system.map in the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_read_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir r_dir_perms; - allow $1 system_map_t:file r_file_perms; - - # cjp: this should be dropped: - allow $1 boot_t:file { getattr read }; -') - -######################################## -## -## Delete a kernel from /boot. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_delete_kernel',` - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir { r_dir_perms write remove_name }; - allow $1 boot_t:file { getattr unlink }; -') - -######################################## -## -## Delete a system.map in the /boot directory. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_delete_kernel_symbol_table',` - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir { r_dir_perms write remove_name }; - allow $1 system_map_t:file { getattr unlink }; -') - ######################################## ## ## Read the bootloader configuration file. @@ -324,142 +132,3 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { rw_file_perms create unlink }; type_transition $1 boot_t:file boot_runtime_t; ') - -######################################## -## -## Search the contents of the kernel module directories. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_search_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir search; -') - -######################################## -## -## List the contents of the kernel module directories. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_list_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir r_dir_perms; -') - -######################################## -## -## Get the attributes of kernel module files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_getattr_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir search; - allow $1 modules_object_t:dir getattr; -') - -######################################## -## -## Read kernel module files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_read_kernel_modules',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir r_dir_perms; - allow $1 modules_object_t:lnk_file r_file_perms; - allow $1 modules_object_t:file r_file_perms; -') - -######################################## -## -## Write kernel module files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_write_kernel_modules',` - gen_require(` - attribute rw_kern_modules; - type modules_object_t; - ') - - allow $1 modules_object_t:dir r_dir_perms; - allow $1 modules_object_t:file { write append }; - - typeattribute $1 rw_kern_modules; -') - -######################################## -## -## Create, read, write, and delete -## kernel module files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`bootloader_manage_kernel_modules',` - gen_require(` -# attribute rw_kern_modules; - type modules_object_t; - ') - - allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; - allow $1 modules_object_t:dir rw_dir_perms; - -# typeattribute $1 rw_kern_modules; -') - -######################################## -# -# bootloader_modules_filetrans(domain,privatetype,[class(es)]) -# -interface(`bootloader_modules_filetrans',` - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir rw_dir_perms; - - # if a class is specified use it, else use file as default - ifelse(`$3',`',` - type_transition $1 modules_object_t:file $2; - ',` - type_transition $1 modules_object_t:$3 $2; - ') -') diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 3a510c1f..a0e3d9c8 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -1,20 +1,11 @@ -policy_module(bootloader,1.1.3) +policy_module(bootloader,1.1.4) ######################################## # # Declarations # -attribute rw_kern_modules; - -# -# boot_t is the type for files in /boot -# -type boot_t; -files_type(boot_t) -files_mountpoint(boot_t) - # # boot_runtime_t is the type for /boot/kernel.h, # which is automatically generated at boot time. @@ -45,18 +36,6 @@ type bootloader_tmp_t; files_tmp_file(bootloader_tmp_t) dev_node(bootloader_tmp_t) -# kernel modules -type modules_object_t; -files_type(modules_object_t) - -#neverallow ~rw_kern_modules modules_object_t:file { create append write }; - -# -# system_map_t is for the system.map files in /boot -# -type system_map_t; -files_type(system_map_t) - # # /var/log/ksyms # cjp: this probably can be removed, I do not @@ -73,14 +52,10 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin allow bootloader_t self:process { sigkill sigstop signull signal }; allow bootloader_t self:fifo_file rw_file_perms; -allow bootloader_t boot_t:dir { create rw_dir_perms }; -allow bootloader_t boot_t:file create_file_perms; -allow bootloader_t boot_t:lnk_file create_lnk_perms; - allow bootloader_t bootloader_etc_t:file r_file_perms; # uncomment the following lines if you use "lilo -p" -#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -#files_etc_filetrans(bootloader_t,bootloader_etc_t) +#allow bootloader_t bootloader_etc_t:file manage_file_perms; +#files_etc_filetrans(bootloader_t,bootloader_etc_t,file) allow bootloader_t bootloader_tmp_t:dir create_dir_perms; allow bootloader_t bootloader_tmp_t:file create_file_perms; @@ -89,11 +64,7 @@ allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) # for tune2fs (cjp: ?) -files_root_filetrans(bootloader_t,bootloader_tmp_t) - -allow bootloader_t modules_object_t:dir r_dir_perms; -allow bootloader_t modules_object_t:file r_file_perms; -allow bootloader_t modules_object_t:lnk_file r_file_perms; +files_root_filetrans(bootloader_t,bootloader_tmp_t,file) kernel_getattr_core_if(bootloader_t) kernel_read_system_state(bootloader_t) @@ -127,12 +98,16 @@ corecmd_exec_shell(bootloader_t) domain_exec_all_entry_files(bootloader_t) domain_use_interactive_fds(bootloader_t) +files_create_boot_dirs(bootloader_t) +files_manage_boot_files(bootloader_t) +files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) files_exec_etc_files(bootloader_t) files_read_etc_runtime_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) +files_read_kernel_modules(bootloader_t) # for nscd files_dontaudit_search_pids(bootloader_t) @@ -157,11 +132,11 @@ seutil_dontaudit_search_config(bootloader_t) ifdef(`distro_debian',` allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; - allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; - allow bootloader_t boot_t:file relabelfrom; - fs_list_tmpfs(bootloader_t) + files_relabel_kernel_modules(bootloader_t) + files_relabelfrom_boot_files(bootloader_t) + files_delete_kernel_modules(bootloader_t) files_relabelto_usr_files(bootloader_t) files_search_var_lib(bootloader_t) # for /usr/share/initrd-tools/scripts diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 5d84f07e..9b8c0f37 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -77,7 +77,7 @@ interface(`domain_type',` init_signull($1) ifdef(`targeted_policy',` - unconfined_use_fd($1) + unconfined_use_fds($1) unconfined_sigchld($1) ') @@ -88,7 +88,7 @@ interface(`domain_type',` # these 3 seem highly questionable: optional_policy(`rpm',` - rpm_use_fd($1) + rpm_use_fds($1) rpm_read_pipes($1) ') diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc index f9032b40..fcc484fe 100644 --- a/refpolicy/policy/modules/kernel/files.fc +++ b/refpolicy/policy/modules/kernel/files.fc @@ -5,6 +5,8 @@ /.* gen_context(system_u:object_r:default_t,s0) / -d gen_context(system_u:object_r:root_t,s0) /\.journal <> +/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) +/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) ifdef(`distro_redhat',` /\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -23,9 +25,11 @@ ifdef(`distro_suse',` # # /boot # +/boot(/.*)? gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255) /boot/lost\+found/.* <> +/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) # # /emul @@ -100,6 +104,11 @@ HOME_ROOT/lost\+found/.* <> # initrd mount point, only used during boot /initrd -d gen_context(system_u:object_r:root_t,s0) +# +# /lib(64)? +# +/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + # # /lost+found # diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 126f85de..8853e044 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -845,7 +845,7 @@ interface(`files_manage_all_files',` # satisfy the assertions: seutil_create_bin_policy($1) - bootloader_manage_kernel_modules($1) + files_manage_kernel_modules($1) ') ######################################## @@ -953,7 +953,7 @@ interface(`files_list_root',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -961,10 +961,9 @@ interface(`files_list_root',` ## The type of the object to be created. ## ## -## +## ## -## The object class of the object being created. If -## no class is specified, file will be used. +## The object class of the object being created. ## ## # @@ -974,12 +973,7 @@ interface(`files_root_filetrans',` ') allow $1 root_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 root_t:file $2; - ',` - type_transition $1 root_t:$3 $2; - ') + type_transition $1 root_t:$3 $2; ') ######################################## @@ -1042,6 +1036,244 @@ interface(`files_unmount_rootfs',` allow $1 root_t:filesystem unmount; ') +######################################## +## +## Get attributes of the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir getattr; +') + +######################################## +## +## Do not audit attempts to get attributes +## of the /boot directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_getattr_boot_dirs',` + gen_require(` + type boot_t; + ') + + dontaudit $1 boot_t:dir getattr; +') + +######################################## +## +## Search the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir search_dir_perms; +') + +######################################## +## +## Do not audit attempts to search the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_search_boot',` + gen_require(` + type boot_t; + ') + + dontaudit $1 boot_t:dir search; +') + +######################################## +## +## Create directories in /boot +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir { create rw_dir_perms }; +') + +######################################## +## +## Create a private type object in boot +## with an automatic type transition +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`files_boot_filetrans',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir rw_dir_perms; + type_transition $1 boot_t:$3 $2; +') + +######################################## +## +## Create, read, write, and delete files +## in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_boot_files',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir rw_dir_perms; + allow $1 boot_t:file manage_file_perms; +') + +######################################## +## +## Relabel from files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelfrom_boot_files',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:file relabelfrom; +') + +######################################## +## +## Read and write symbolic links +## in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_boot_symlinks',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir r_dir_perms; + allow $1 boot_t:lnk_file rw_file_perms; +') + +######################################## +## +## Create, read, write, and delete symbolic links +## in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_boot_symlinks',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir rw_dir_perms; + allow $1 boot_t:lnk_file manage_file_perms; +') + +######################################## +## +## Install a kernel into the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_kernel_img',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir ra_dir_perms; + allow $1 boot_t:file { getattr read write create }; + allow $1 boot_t:lnk_file { getattr read create unlink }; +') + +######################################## +## +## Delete a kernel from /boot. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_kernel',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir { r_dir_perms write remove_name }; + allow $1 boot_t:file { getattr unlink }; +') + ######################################## ## ## Getattr of directories with the default file type. @@ -1352,7 +1584,7 @@ interface(`files_manage_etc_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1500,7 +1732,7 @@ interface(`files_manage_etc_runtime_files',` ######################################## # -# files_etc_filetrans(domain,privatetype,[class(es)]) +# files_etc_filetrans(domain,privatetype,class(es)) # interface(`files_etc_filetrans',` gen_require(` @@ -1508,11 +1740,7 @@ interface(`files_etc_filetrans',` ') allow $1 etc_t:dir rw_dir_perms; - ifelse(`$3',`',` - type_transition $1 etc_t:file $2; - ',` - type_transition $1 etc_t:$3 $2; - ') + type_transition $1 etc_t:$3 $2; ') ######################################## @@ -1522,7 +1750,7 @@ interface(`files_etc_filetrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1541,7 +1769,7 @@ interface(`files_getattr_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1560,7 +1788,7 @@ interface(`files_dontaudit_search_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1579,7 +1807,7 @@ interface(`files_list_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1598,7 +1826,7 @@ interface(`files_rw_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1617,7 +1845,7 @@ interface(`files_manage_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1636,7 +1864,7 @@ interface(`files_mounton_isid_type_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1656,7 +1884,7 @@ interface(`files_read_isid_type_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1676,7 +1904,7 @@ interface(`files_manage_isid_type_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1696,7 +1924,7 @@ interface(`files_manage_isid_type_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1716,7 +1944,7 @@ interface(`files_rw_isid_type_blk_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1736,7 +1964,7 @@ interface(`files_manage_isid_type_blk_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1756,7 +1984,7 @@ interface(`files_manage_isid_type_chr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1794,7 +2022,7 @@ interface(`files_dontaudit_getattr_home_dir',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1850,7 +2078,7 @@ interface(`files_dontaudit_list_home',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1868,7 +2096,7 @@ interface(`files_list_home',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -1876,10 +2104,9 @@ interface(`files_list_home',` ## The private type. ## ## -## +## ## -## The object class of the object being created. If -## no class is specified, dir will be used. +## The class of the object being created. ## ## # @@ -1889,13 +2116,7 @@ interface(`files_home_filetrans',` ') allow $1 home_root_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 home_root_t:dir $2; - ',` - type_transition $1 home_root_t:$3 $2; - ') - + type_transition $1 home_root_t:$3 $2; ') ######################################## @@ -1905,7 +2126,7 @@ interface(`files_home_filetrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2019,6 +2240,188 @@ interface(`files_manage_mnt_symlinks',` allow $1 mnt_t:lnk_file create_lnk_perms; ') +######################################## +## +## Search the contents of the kernel module directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir search; +') + +######################################## +## +## List the contents of the kernel module directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir r_dir_perms; +') + +######################################## +## +## Get the attributes of kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir search; + allow $1 modules_object_t:dir getattr; +') + +######################################## +## +## Read kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir r_dir_perms; + allow $1 modules_object_t:lnk_file r_file_perms; + allow $1 modules_object_t:file r_file_perms; +') + +######################################## +## +## Write kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir r_dir_perms; + allow $1 modules_object_t:file { write append }; +') + +######################################## +## +## Delete kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir { list_dir_perms write remove_name }; + allow $1 modules_object_t:file unlink; +') + +######################################## +## +## Create, read, write, and delete +## kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; + allow $1 modules_object_t:dir rw_dir_perms; +') + +######################################## +## +## Relabel from and to kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:file { relabelfrom relabelto }; + allow $1 modules_object_t:dir list_dir_perms; +') + +######################################## +## +## Create objects in the kernel module directories +## with a private type via an automatic type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`files_kernel_modules_filetrans',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir rw_dir_perms; + type_transition $1 modules_object_t:$3 $2; +') + ######################################## ## ## List world-readable directories. @@ -2154,7 +2557,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2172,7 +2575,7 @@ interface(`files_dontaudit_getattr_tmp_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2190,7 +2593,7 @@ interface(`files_search_tmp',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2226,7 +2629,7 @@ interface(`files_dontaudit_list_tmp',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2245,7 +2648,7 @@ interface(`files_read_generic_tmp_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2264,7 +2667,7 @@ interface(`files_read_generic_tmp_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2283,7 +2686,7 @@ interface(`files_rw_generic_tmp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2297,7 +2700,7 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## # -# files_tmp_filetrans(domain,private_type,[object class(es)]) +# files_tmp_filetrans(domain,private_type,object class(es)) # interface(`files_tmp_filetrans',` gen_require(` @@ -2305,12 +2708,7 @@ interface(`files_tmp_filetrans',` ') allow $1 tmp_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 tmp_t:file $2; - ',` - type_transition $1 tmp_t:$3 $2; - ') + type_transition $1 tmp_t:$3 $2; ') ######################################## @@ -2395,7 +2793,7 @@ interface(`files_read_usr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2461,9 +2859,9 @@ interface(`files_read_usr_symlinks',` ## The type of the object to be created ## ## -## +## ## -## The object class. If not specified, file is used. +## The object class. ## ## # @@ -2473,12 +2871,7 @@ interface(`files_usr_filetrans',` ') allow $1 usr_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 usr_t:file $2; - ',` - type_transition $1 usr_t:$3 $2; - ') + type_transition $1 usr_t:$3 $2; ') ######################################## @@ -2487,7 +2880,7 @@ interface(`files_usr_filetrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2528,6 +2921,66 @@ interface(`files_read_usr_src_files',` allow $1 src_t:{ file lnk_file } r_file_perms; ') +######################################## +## +## Install a system.map into the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir ra_dir_perms; + allow $1 system_map_t:file { rw_file_perms create }; +') + +######################################## +## +## Read system.map in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir r_dir_perms; + allow $1 system_map_t:file r_file_perms; + + # cjp: this should be dropped: + allow $1 boot_t:file { getattr read }; +') + +######################################## +## +## Delete a system.map in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir { r_dir_perms write remove_name }; + allow $1 system_map_t:file { getattr unlink }; +') + ######################################## ## ## Search the contents of /var. @@ -2626,7 +3079,7 @@ interface(`files_manage_var_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2711,9 +3164,9 @@ interface(`files_manage_var_symlinks',` ## The type of the object to be created ## ## -## +## ## -## The object class. If not specified, file is used. +## The object class. ## ## # @@ -2723,12 +3176,7 @@ interface(`files_var_filetrans',` ') allow $1 var_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 var_t:file $2; - ',` - type_transition $1 var_t:$3 $2; - ') + type_transition $1 var_t:$3 $2; ') ######################################## @@ -2737,7 +3185,7 @@ interface(`files_var_filetrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2756,7 +3204,7 @@ interface(`files_getattr_var_lib_dirs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2801,9 +3249,9 @@ interface(`files_list_var_lib',` ## The type of the object to be created ## ## -## +## ## -## The object class. If not specified, file is used. +## The object class. ## ## # @@ -2814,12 +3262,7 @@ interface(`files_var_lib_filetrans',` allow $1 var_t:dir search_dir_perms; allow $1 var_lib_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 var_lib_t:file $2; - ',` - type_transition $1 var_lib_t:$3 $2; - ') + type_transition $1 var_lib_t:$3 $2; ') ######################################## @@ -3028,12 +3471,7 @@ interface(`files_lock_filetrans',` allow $1 var_t:dir search; allow $1 var_lock_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 var_lock_t:file $2; - ',` - type_transition $1 var_lock_t:$3 $2; - ') + type_transition $1 var_lock_t:$3 $2; ') ######################################## @@ -3111,12 +3549,7 @@ interface(`files_pid_filetrans',` allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 var_run_t:file $2; - ',` - type_transition $1 var_run_t:$3 $2; - ') + type_transition $1 var_run_t:$3 $2; ') ######################################## @@ -3139,7 +3572,7 @@ interface(`files_rw_generic_pids',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -3157,7 +3590,7 @@ interface(`files_dontaudit_write_all_pids',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te index b1d1756b..a8968cfc 100644 --- a/refpolicy/policy/modules/kernel/files.te +++ b/refpolicy/policy/modules/kernel/files.te @@ -1,5 +1,5 @@ -policy_module(files,1.1.2) +policy_module(files,1.1.3) ######################################## # @@ -36,6 +36,13 @@ attribute security_file_type; attribute tmpfile; attribute tmpfsfile; +# +# boot_t is the type for files in /boot +# +type boot_t; +files_type(boot_t) +files_mountpoint(boot_t) + # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. @@ -93,6 +100,12 @@ type mnt_t, file_type, mountpoint; fs_associate(mnt_t) fs_associate_noxattr(mnt_t) +# +# modules_object_t is the type for kernel modules +# +type modules_object_t; +files_type(modules_object_t) + type no_access_t, file_type; fs_associate(no_access_t) fs_associate_noxattr(no_access_t) @@ -122,6 +135,12 @@ type src_t, file_type, mountpoint; fs_associate(src_t) fs_associate_noxattr(src_t) +# +# system_map_t is for the system.map files in /boot +# +type system_map_t; +files_type(system_map_t) + # # tmp_t is the type of the temporary directories # diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index c1d5981d..d7b2f862 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -2425,7 +2425,7 @@ interface(`fs_manage_tmpfs_dirs',` ######################################## # -# fs_tmpfs_filetrans(domain,derivedtype,[class]) +# fs_tmpfs_filetrans(domain,derivedtype,class) # interface(`fs_tmpfs_filetrans',` gen_require(` @@ -2434,12 +2434,7 @@ interface(`fs_tmpfs_filetrans',` allow $2 tmpfs_t:filesystem associate; allow $1 tmpfs_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 tmpfs_t:file $2; - ',` - type_transition $1 tmpfs_t:$3 $2; - ') + type_transition $1 tmpfs_t:$3 $2; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 839d7973..3ffe0cdf 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -141,7 +141,7 @@ interface(`kernel_share_state',` ## ## # -interface(`kernel_use_fd',` +interface(`kernel_use_fds',` gen_require(` type kernel_t; ') @@ -160,7 +160,7 @@ interface(`kernel_use_fd',` ## ## # -interface(`kernel_dontaudit_use_fd',` +interface(`kernel_dontaudit_use_fds',` gen_require(` type kernel_t; ') @@ -250,7 +250,7 @@ interface(`kernel_tcp_recvfrom',` ## ## # -interface(`kernel_udp_sendto',` +interface(`kernel_udp_send',` gen_require(` type kernel_t; ') diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index 10336935..f8c62e49 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -166,27 +166,6 @@ interface(`storage_dontaudit_write_fixed_disk',` dontaudit $1 fixed_disk_device_t:blk_file { write append ioctl }; ') -######################################## -## -## Create block devices in /dev with the fixed disk type. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`storage_create_fixed_disk',` - gen_require(` - attribute fixed_disk_raw_read, fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - allow $1 fixed_disk_device_t:blk_file create_file_perms; - dev_filetrans($1,fixed_disk_device_t,blk_file) - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; -') - ######################################## ## ## Create, read, write, and delete fixed disk device nodes. @@ -208,28 +187,6 @@ interface(`storage_manage_fixed_disk',` typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') -######################################## -## -## Create fixed disk device nodes on a tmpfs filesystem. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`storage_create_fixed_disk_tmpfs',` - gen_require(` - attribute fixed_disk_raw_read, fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - allow $1 fixed_disk_device_t:blk_file create_file_perms; - fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file) - - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; -') - ######################################## ## ## Create block devices in /dev with the fixed disk type diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index efb84b4e..54371313 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -401,7 +401,7 @@ interface(`apache_sigchld',` ## ## # -interface(`apache_use_fd',` +interface(`apache_use_fds',` gen_require(` type httpd_t; ') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index bdd38b4f..3fc702d3 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read }; can_exec(httpd_t, httpd_exec_t) allow httpd_t httpd_lock_t:file create_file_perms; -files_lock_filetrans(httpd_t,httpd_lock_t) +files_lock_filetrans(httpd_t,httpd_lock_t,file) allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; allow httpd_t httpd_log_t:file { create ra_file_perms }; allow httpd_t httpd_log_t:lnk_file read; # cjp: need to refine create interfaces to # cut this back to add_name only -logging_log_filetrans(httpd_t,httpd_log_t) +logging_log_filetrans(httpd_t,httpd_log_t,file) allow httpd_t httpd_modules_t:file rx_file_perms; allow httpd_t httpd_modules_t:dir r_dir_perms; @@ -201,7 +201,7 @@ fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file allow httpd_t httpd_var_lib_t:file create_file_perms; allow httpd_t httpd_var_lib_t:dir rw_dir_perms; -files_var_lib_filetrans(httpd_t,httpd_var_lib_t) +files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file) allow httpd_t httpd_var_run_t:file create_file_perms; allow httpd_t httpd_var_run_t:sock_file create_file_perms; @@ -262,7 +262,7 @@ files_read_etc_files(httpd_t) # for tomcat files_read_var_lib_symlinks(httpd_t) -init_use_fd(httpd_t) +init_use_fds(httpd_t) init_use_script_ptys(httpd_t) libs_use_ld_so(httpd_t) diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if index 60a56f6d..8fd6d54a 100644 --- a/refpolicy/policy/modules/services/apm.if +++ b/refpolicy/policy/modules/services/apm.if @@ -34,7 +34,7 @@ interface(`apm_domtrans_client',` ## ## # -interface(`apm_use_fd',` +interface(`apm_use_fds',` gen_require(` type apmd_t; ') diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index f0c11c05..19ec27c2 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -72,7 +72,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t apmd_log_t:file create_file_perms; -logging_log_filetrans(apmd_t,apmd_log_t) +logging_log_filetrans(apmd_t,apmd_log_t,file) allow apmd_t apmd_tmp_t:dir create_dir_perms; allow apmd_t apmd_tmp_t:file create_file_perms; @@ -125,7 +125,7 @@ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? init_domtrans_script(apmd_t) -init_use_fd(apmd_t) +init_use_fds(apmd_t) init_use_script_ptys(apmd_t) init_rw_utmp(apmd_t) init_write_initctl(apmd_t) @@ -151,7 +151,7 @@ userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive? ifdef(`distro_redhat',` allow apmd_t apmd_lock_t:file create_file_perms; - files_lock_filetrans(apmd_t,apmd_lock_t) + files_lock_filetrans(apmd_t,apmd_lock_t,file) can_exec(apmd_t, apmd_var_run_t) @@ -176,7 +176,7 @@ ifdef(`distro_redhat',` ifdef(`distro_suse',` allow apmd_t apmd_var_lib_t:file create_file_perms; allow apmd_t apmd_var_lib_t:dir create_dir_perms; - files_var_lib_filetrans(apmd_t,apmd_var_lib_t) + files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file) ') ifdef(`targeted_policy',` @@ -209,7 +209,7 @@ optional_policy(`dbus',` ') optional_policy(`logrotate',` - logrotate_use_fd(apmd_t) + logrotate_use_fds(apmd_t) ') optional_policy(`mta',` diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index c8c92099..a53702ca 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te @@ -43,7 +43,7 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) allow arpwatch_t arpwatch_var_run_t:file create_file_perms; allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms; -files_pid_filetrans(arpwatch_t,arpwatch_var_run_t) +files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file) kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) @@ -76,7 +76,7 @@ files_read_etc_files(arpwatch_t) files_read_usr_files(arpwatch_t) files_search_var_lib(arpwatch_t) -init_use_fd(arpwatch_t) +init_use_fds(arpwatch_t) init_use_script_ptys(arpwatch_t) libs_use_ld_so(arpwatch_t) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index acf8578c..7d6e2991 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -42,7 +42,7 @@ allow automount_t automount_etc_t:file { getattr read }; can_exec(automount_t, automount_etc_t) allow automount_t automount_lock_t:file create_file_perms; -files_lock_filetrans(automount_t,automount_lock_t) +files_lock_filetrans(automount_t,automount_lock_t,file) allow automount_t automount_tmp_t:dir create_dir_perms; allow automount_t automount_tmp_t:file create_file_perms; @@ -50,12 +50,12 @@ files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) # Allow automount to create and delete directories in / and /home allow automount_t automount_tmp_t:dir create_dir_perms; -files_home_filetrans(automount_t,automount_tmp_t) +files_home_filetrans(automount_t,automount_tmp_t,dir) files_root_filetrans(automount_t,automount_tmp_t,dir) allow automount_t automount_var_run_t:file create_file_perms; allow automount_t automount_var_run_t:dir rw_dir_perms; -files_pid_filetrans(automount_t,automount_var_run_t) +files_pid_filetrans(automount_t,automount_var_run_t,file) kernel_read_kernel_sysctls(automount_t) kernel_read_fs_sysctls(automount_t) @@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t) kernel_read_system_state(automount_t) kernel_list_proc(automount_t) -bootloader_search_boot(automount_t) +files_search_boot(automount_t) corecmd_exec_sbin(automount_t) corecmd_exec_bin(automount_t) @@ -113,7 +113,7 @@ fs_manage_auto_mountpoints(automount_t) term_dontaudit_use_console(automount_t) term_dontaudit_getattr_pty_dirs(automount_t) -init_use_fd(automount_t) +init_use_fds(automount_t) init_use_script_ptys(automount_t) libs_use_ld_so(automount_t) diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index 1ebdfcbb..060f8ce6 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te @@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms; allow avahi_t avahi_var_run_t:sock_file create_file_perms; allow avahi_t avahi_var_run_t:file create_file_perms; allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr }; -files_pid_filetrans(avahi_t,avahi_var_run_t) +files_pid_filetrans(avahi_t,avahi_var_run_t,file) kernel_read_kernel_sysctls(avahi_t) kernel_list_proc(avahi_t) @@ -65,7 +65,7 @@ domain_use_interactive_fds(avahi_t) files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) -init_use_fd(avahi_t) +init_use_fds(avahi_t) init_use_script_ptys(avahi_t) init_signal_script(avahi_t) init_signull_script(avahi_t) diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index f79ebe7e..bd782482 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -130,7 +130,7 @@ domain_use_interactive_fds(named_t) files_read_etc_files(named_t) files_read_etc_runtime_files(named_t) -init_use_fd(named_t) +init_use_fds(named_t) init_use_script_ptys(named_t) libs_use_ld_so(named_t) @@ -255,7 +255,7 @@ domain_use_interactive_fds(ndc_t) files_read_etc_files(ndc_t) files_search_pids(ndc_t) -init_use_fd(ndc_t) +init_use_fds(ndc_t) init_use_script_ptys(ndc_t) libs_use_ld_so(ndc_t) @@ -289,5 +289,5 @@ optional_policy(`nscd',` ') optional_policy(`ppp',` - ppp_dontaudit_use_fd(ndc_t) + ppp_dontaudit_use_fds(ndc_t) ') diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 4215207c..0f05c05b 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -69,7 +69,7 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms; allow bluetooth_helper_t bluetooth_t:process sigchld; allow bluetooth_t bluetooth_lock_t:file create_file_perms; -files_lock_filetrans(bluetooth_t,bluetooth_lock_t) +files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file) allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms; allow bluetooth_t bluetooth_tmp_t:file create_file_perms; @@ -77,7 +77,7 @@ files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) allow bluetooth_t bluetooth_var_lib_t:file create_file_perms; allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms; -files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t) +files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file) allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; allow bluetooth_t bluetooth_var_run_t:file create_file_perms; @@ -120,7 +120,7 @@ files_read_etc_files(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) files_read_usr_files(bluetooth_t) -init_use_fd(bluetooth_t) +init_use_fds(bluetooth_t) init_use_script_ptys(bluetooth_t) libs_use_ld_so(bluetooth_t) diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index e8dd2f87..acac47b6 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te @@ -38,7 +38,7 @@ logging_log_filetrans(canna_t,canna_log_t,{ file dir }) allow canna_t canna_var_lib_t:dir create_dir_perms; allow canna_t canna_var_lib_t:file create_file_perms; allow canna_t canna_var_lib_t:lnk_file create_lnk_perms; -files_var_lib_filetrans(canna_t,canna_var_lib_t) +files_var_lib_filetrans(canna_t,canna_var_lib_t,file) allow canna_t canna_var_run_t:dir rw_dir_perms; allow canna_t canna_var_run_t:file create_file_perms; @@ -72,7 +72,7 @@ files_read_usr_files(canna_t) files_search_tmp(canna_t) files_dontaudit_read_root_files(canna_t) -init_use_fd(canna_t) +init_use_fds(canna_t) init_use_script_ptys(canna_t) libs_use_ld_so(canna_t) diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te index 57286885..77512c8a 100644 --- a/refpolicy/policy/modules/services/comsat.te +++ b/refpolicy/policy/modules/services/comsat.te @@ -37,7 +37,7 @@ files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) allow comsat_t comsat_var_run_t:file create_file_perms; allow comsat_t comsat_var_run_t:dir rw_dir_perms; -files_pid_filetrans(comsat_t,comsat_var_run_t) +files_pid_filetrans(comsat_t,comsat_var_run_t,file) kernel_read_kernel_sysctls(comsat_t) kernel_read_network_state(comsat_t) diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te index 92cbb0bb..adf69e39 100644 --- a/refpolicy/policy/modules/services/cpucontrol.te +++ b/refpolicy/policy/modules/services/cpucontrol.te @@ -45,7 +45,7 @@ domain_use_interactive_fds(cpucontrol_t) files_list_usr(cpucontrol_t) -init_use_fd(cpucontrol_t) +init_use_fds(cpucontrol_t) init_use_script_ptys(cpucontrol_t) libs_use_ld_so(cpucontrol_t) @@ -97,7 +97,7 @@ files_read_etc_files(cpuspeed_t) files_read_etc_runtime_files(cpuspeed_t) files_list_usr(cpuspeed_t) -init_use_fd(cpuspeed_t) +init_use_fds(cpuspeed_t) init_use_script_ptys(cpuspeed_t) libs_use_ld_so(cpuspeed_t) diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 289c073f..dd65944a 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -89,7 +89,7 @@ template(`cron_per_userdomain_template',` kernel_read_kernel_sysctls($1_crond_t) # ps does not need to access /boot when run from cron - bootloader_dontaudit_search_boot($1_crond_t) + files_dontaudit_search_boot($1_crond_t) corenet_tcp_sendrecv_all_if($1_crond_t) corenet_raw_sendrecv_all_if($1_crond_t) @@ -352,7 +352,7 @@ interface(`cron_system_entry',` ## ## # -interface(`cron_use_fd',` +interface(`cron_use_fds',` gen_require(` type crond_t; ') diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 12725ce6..2696a16b 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms; allow crond_t self:msg { send receive }; allow crond_t crond_var_run_t:file create_file_perms; -files_pid_filetrans(crond_t,crond_var_run_t) +files_pid_filetrans(crond_t,crond_var_run_t,file) allow crond_t cron_spool_t:dir rw_dir_perms; allow crond_t cron_spool_t:file r_file_perms; @@ -119,7 +119,7 @@ files_list_usr(crond_t) files_search_var_lib(crond_t) files_search_default(crond_t) -init_use_fd(crond_t) +init_use_fds(crond_t) init_use_script_ptys(crond_t) init_rw_utmp(crond_t) @@ -247,11 +247,11 @@ ifdef(`targeted_policy',` # Write /var/lock/makewhatis.lock. allow system_crond_t system_crond_lock_t:file create_file_perms; - files_lock_filetrans(system_crond_t,system_crond_lock_t) + files_lock_filetrans(system_crond_t,system_crond_lock_t,file) # write temporary files allow system_crond_t system_crond_tmp_t:file create_file_perms; - files_tmp_filetrans(system_crond_t,system_crond_tmp_t) + files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file) # write temporary files in crond tmp dir: allow system_crond_t crond_tmp_t:dir rw_dir_perms; @@ -266,7 +266,7 @@ ifdef(`targeted_policy',` kernel_read_software_raid_state(system_crond_t) # ps does not need to access /boot when run from cron - bootloader_dontaudit_search_boot(system_crond_t) + files_dontaudit_search_boot(system_crond_t) corenet_tcp_sendrecv_all_if(system_crond_t) corenet_raw_sendrecv_all_if(system_crond_t) @@ -314,7 +314,7 @@ ifdef(`targeted_policy',` # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_crond_t) - init_use_fd(system_crond_t) + init_use_fds(system_crond_t) init_use_script_fds(system_crond_t) init_use_script_ptys(system_crond_t) init_read_utmp(system_crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 8429050e..13163e11 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -110,7 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) allow cupsd_t cupsd_var_run_t:file create_file_perms; allow cupsd_t cupsd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(cupsd_t,cupsd_var_run_t) +files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) allow cupsd_t hplip_var_run_t:file { read getattr }; @@ -170,7 +170,7 @@ files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -init_use_fd(cupsd_t) +init_use_fds(cupsd_t) init_use_script_ptys(cupsd_t) init_exec_script_files(cupsd_t) @@ -303,7 +303,7 @@ files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_fil allow ptal_t ptal_var_run_t:file create_file_perms; allow ptal_t ptal_var_run_t:dir rw_dir_perms; -files_pid_filetrans(ptal_t,ptal_var_run_t) +files_pid_filetrans(ptal_t,ptal_var_run_t,file) kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) @@ -332,7 +332,7 @@ domain_use_interactive_fds(ptal_t) files_read_etc_files(ptal_t) files_read_etc_runtime_files(ptal_t) -init_use_fd(ptal_t) +init_use_fds(ptal_t) init_use_script_ptys(ptal_t) libs_use_ld_so(ptal_t) @@ -390,7 +390,7 @@ files_search_etc(hplip_t) allow hplip_t hplip_var_run_t:file create_file_perms; allow hplip_t hplip_var_run_t:dir rw_dir_perms; -files_pid_filetrans(hplip_t,hplip_var_run_t) +files_pid_filetrans(hplip_t,hplip_var_run_t,file) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -429,7 +429,7 @@ files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) -init_use_fd(hplip_t) +init_use_fds(hplip_t) init_use_script_ptys(hplip_t) libs_use_ld_so(hplip_t) @@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace; allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms; allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms; -files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t) +files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file) can_exec(cupsd_config_t, cupsd_config_exec_t) @@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms; allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms; allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms; -files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t) +files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file) allow cupsd_config_t cupsd_var_run_t:file { getattr read }; @@ -548,7 +548,7 @@ files_read_usr_files(cupsd_config_t) files_read_etc_files(cupsd_config_t) files_read_etc_runtime_files(cupsd_config_t) -init_use_fd(cupsd_config_t) +init_use_fds(cupsd_config_t) init_use_script_ptys(cupsd_config_t) libs_use_ld_so(cupsd_config_t) @@ -602,7 +602,7 @@ optional_policy(`hostname',` ') optional_policy(`logrotate',` - logrotate_use_fd(cupsd_config_t) + logrotate_use_fds(cupsd_config_t) ') optional_policy(`nis',` @@ -682,7 +682,7 @@ files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms; allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t) +files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file) allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms; diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te index f2a985e8..d2ec4d0c 100644 --- a/refpolicy/policy/modules/services/cvs.te +++ b/refpolicy/policy/modules/services/cvs.te @@ -42,7 +42,7 @@ files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir }) allow cvs_t cvs_var_run_t:file create_file_perms; allow cvs_t cvs_var_run_t:dir rw_dir_perms; -files_pid_filetrans(cvs_t,cvs_var_run_t) +files_pid_filetrans(cvs_t,cvs_var_run_t,file) kernel_read_kernel_sysctls(cvs_t) kernel_read_system_state(cvs_t) diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te index 7462a07d..171a7e76 100644 --- a/refpolicy/policy/modules/services/cyrus.te +++ b/refpolicy/policy/modules/services/cyrus.te @@ -48,7 +48,7 @@ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) allow cyrus_t cyrus_var_lib_t:dir create_dir_perms; allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms; -files_pid_filetrans(cyrus_t,cyrus_var_run_t) +files_pid_filetrans(cyrus_t,cyrus_var_run_t,file) allow cyrus_t cyrus_var_run_t:dir rw_dir_perms; allow cyrus_t cyrus_var_run_t:sock_file create_file_perms; @@ -91,7 +91,7 @@ files_list_var_lib(cyrus_t) files_read_etc_files(cyrus_t) files_read_etc_runtime_files(cyrus_t) -init_use_fd(cyrus_t) +init_use_fds(cyrus_t) init_use_script_ptys(cyrus_t) libs_use_ld_so(cyrus_t) diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te index de7dffa9..090a6617 100644 --- a/refpolicy/policy/modules/services/dbskk.te +++ b/refpolicy/policy/modules/services/dbskk.te @@ -43,7 +43,7 @@ files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) allow dbskkd_t dbskkd_var_run_t:file create_file_perms; allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(dbskkd_t,dbskkd_var_run_t) +files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file) kernel_read_kernel_sysctls(dbskkd_t) kernel_read_system_state(dbskkd_t) diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index 817e0b87..e969d8af 100644 --- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -52,7 +52,7 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms; allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms; allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t) +files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file) kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -93,7 +93,7 @@ files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) files_read_usr_files(system_dbusd_t) -init_use_fd(system_dbusd_t) +init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) libs_use_ld_so(system_dbusd_t) diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index 501a0641..d9e0cb90 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te @@ -41,7 +41,7 @@ can_exec(dhcpd_t,dhcpd_exec_t) allow dhcpd_t dhcpd_state_t:dir rw_dir_perms; allow dhcpd_t dhcpd_state_t:file create_file_perms; -sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t) +sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file) allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms; allow dhcpd_t dhcpd_tmp_t:file create_file_perms; @@ -49,7 +49,7 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) allow dhcpd_t dhcpd_var_run_t:file create_file_perms; allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(dhcpd_t,dhcpd_var_run_t) +files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file) kernel_read_system_state(dhcpd_t) kernel_read_kernel_sysctls(dhcpd_t) @@ -89,7 +89,7 @@ files_read_usr_files(dhcpd_t) files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -init_use_fd(dhcpd_t) +init_use_fds(dhcpd_t) init_use_script_ptys(dhcpd_t) libs_use_ld_so(dhcpd_t) diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te index d79bf4f2..f00e31d5 100644 --- a/refpolicy/policy/modules/services/dictd.te +++ b/refpolicy/policy/modules/services/dictd.te @@ -67,7 +67,7 @@ files_search_var_lib(dictd_t) # for checking for nscd files_dontaudit_search_pids(dictd_t) -init_use_fd(dictd_t) +init_use_fds(dictd_t) init_use_script_ptys(dictd_t) libs_use_ld_so(dictd_t) diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te index 5ba39e20..2a491e48 100644 --- a/refpolicy/policy/modules/services/distcc.te +++ b/refpolicy/policy/modules/services/distcc.te @@ -32,7 +32,7 @@ allow distccd_t self:tcp_socket create_stream_socket_perms; allow distccd_t self:udp_socket create_socket_perms; allow distccd_t distccd_log_t:file create_file_perms; -logging_log_filetrans(distccd_t,distccd_log_t) +logging_log_filetrans(distccd_t,distccd_log_t,file) allow distccd_t distccd_tmp_t:dir create_dir_perms; allow distccd_t distccd_tmp_t:file create_file_perms; @@ -40,7 +40,7 @@ files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) allow distccd_t distccd_var_run_t:file create_file_perms; allow distccd_t distccd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(distccd_t,distccd_var_run_t) +files_pid_filetrans(distccd_t,distccd_var_run_t,file) kernel_read_system_state(distccd_t) kernel_read_kernel_sysctls(distccd_t) @@ -73,7 +73,7 @@ domain_use_interactive_fds(distccd_t) files_read_etc_files(distccd_t) files_read_etc_runtime_files(distccd_t) -init_use_fd(distccd_t) +init_use_fds(distccd_t) init_use_script_ptys(distccd_t) libs_use_ld_so(distccd_t) diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index f1703b46..3eff293c 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms; allow dovecot_t dovecot_var_run_t:file create_file_perms; allow dovecot_t dovecot_var_run_t:sock_file create_file_perms; allow dovecot_t dovecot_var_run_t:dir rw_dir_perms; -files_pid_filetrans(dovecot_t,dovecot_var_run_t) +files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) @@ -97,7 +97,7 @@ files_search_spool(dovecot_t) files_search_tmp(dovecot_t) files_dontaudit_list_default(dovecot_t) -init_use_fd(dovecot_t) +init_use_fds(dovecot_t) init_use_script_ptys(dovecot_t) init_getattr_utmp(dovecot_t) diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te index bda2585c..2a722e68 100644 --- a/refpolicy/policy/modules/services/fetchmail.te +++ b/refpolicy/policy/modules/services/fetchmail.te @@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; allow fetchmail_t fetchmail_etc_t:file r_file_perms; allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms; -mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t) +mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file) allow fetchmail_t fetchmail_var_run_t:file create_file_perms; allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms; -files_pid_filetrans(fetchmail_t,fetchmail_var_run_t) +files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file) kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) @@ -76,7 +76,7 @@ term_dontaudit_use_console(fetchmail_t) domain_use_interactive_fds(fetchmail_t) -init_use_fd(fetchmail_t) +init_use_fds(fetchmail_t) init_use_script_ptys(fetchmail_t) libs_use_ld_so(fetchmail_t) diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index c6bae035..fad79af8 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te @@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms; allow fingerd_t fingerd_var_run_t:file create_file_perms; allow fingerd_t fingerd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(fingerd_t,fingerd_var_run_t) +files_pid_filetrans(fingerd_t,fingerd_var_run_t,file) allow fingerd_t fingerd_etc_t:file r_file_perms; allow fingerd_t fingerd_etc_t:dir r_dir_perms; allow fingerd_t fingerd_etc_t:lnk_file { getattr read }; allow fingerd_t fingerd_log_t:file create_file_perms; -logging_log_filetrans(fingerd_t,fingerd_log_t) +logging_log_filetrans(fingerd_t,fingerd_log_t,file) kernel_read_kernel_sysctls(fingerd_t) kernel_read_system_state(fingerd_t) @@ -83,7 +83,7 @@ files_read_etc_runtime_files(fingerd_t) init_read_utmp(fingerd_t) init_dontaudit_write_utmp(fingerd_t) -init_use_fd(fingerd_t) +init_use_fds(fingerd_t) init_use_script_ptys(fingerd_t) libs_use_ld_so(fingerd_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index eccdf546..252024e9 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te @@ -59,11 +59,11 @@ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file } allow ftpd_t ftpd_var_run_t:file create_file_perms; allow ftpd_t ftpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(ftpd_t,ftpd_var_run_t) +files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) # Create and modify /var/log/xferlog. allow ftpd_t xferlog_t:file create_file_perms; -logging_log_filetrans(ftpd_t,xferlog_t) +logging_log_filetrans(ftpd_t,xferlog_t,file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -111,7 +111,7 @@ auth_append_login_records(ftpd_t) #kerberized ftp requires the following auth_write_login_records(ftpd_t) -init_use_fd(ftpd_t) +init_use_fds(ftpd_t) init_use_script_ptys(ftpd_t) libs_use_ld_so(ftpd_t) @@ -165,7 +165,7 @@ tunable_policy(`ftp_home_dir',` tunable_policy(`ftpd_is_daemon',` allow ftpd_t ftpd_lock_t:file create_file_perms; - files_lock_filetrans(ftpd_t,ftpd_lock_t) + files_lock_filetrans(ftpd_t,ftpd_lock_t,file) corenet_tcp_bind_ftp_port(ftpd_t) ') diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te index 37fa597c..4fae74d9 100644 --- a/refpolicy/policy/modules/services/gpm.te +++ b/refpolicy/policy/modules/services/gpm.te @@ -39,7 +39,7 @@ allow gpm_t gpm_tmp_t:file create_file_perms; files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) allow gpm_t gpm_var_run_t:file create_file_perms; -files_pid_filetrans(gpm_t,gpm_var_run_t) +files_pid_filetrans(gpm_t,gpm_var_run_t,file) allow gpm_t gpmctl_t:sock_file create_file_perms; allow gpm_t gpmctl_t:fifo_file create_file_perms; @@ -65,7 +65,7 @@ term_dontaudit_use_console(gpm_t) domain_use_interactive_fds(gpm_t) -init_use_fd(gpm_t) +init_use_fds(gpm_t) init_use_script_ptys(gpm_t) libs_use_ld_so(gpm_t) diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if index f4ee9629..f4f54f9e 100644 --- a/refpolicy/policy/modules/services/hal.if +++ b/refpolicy/policy/modules/services/hal.if @@ -34,7 +34,7 @@ interface(`hal_domtrans',` ## ## # -interface(`hal_dgram_sendto',` +interface(`hal_dgram_send',` gen_require(` type hald_t; ') diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index 83cc6008..c8f5882f 100644 --- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -42,7 +42,7 @@ files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) allow hald_t hald_var_run_t:file create_file_perms; allow hald_t hald_var_run_t:dir rw_dir_perms; -files_pid_filetrans(hald_t,hald_var_run_t) +files_pid_filetrans(hald_t,hald_var_run_t,file) kernel_read_system_state(hald_t) kernel_read_network_state(hald_t) @@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t) kernel_read_fs_sysctls(hald_t) kernel_write_proc_files(hald_t) -bootloader_search_boot(hald_t) +files_search_boot(hald_t) corecmd_exec_bin(hald_t) corecmd_exec_sbin(hald_t) @@ -114,7 +114,7 @@ term_dontaudit_ioctl_unallocated_ttys(hald_t) term_dontaudit_use_unallocated_ttys(hald_t) term_dontaudit_use_generic_ptys(hald_t) -init_use_fd(hald_t) +init_use_fds(hald_t) init_use_script_ptys(hald_t) init_domtrans_script(hald_t) init_write_initctl(hald_t) diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te index d49c0bee..c174c49a 100644 --- a/refpolicy/policy/modules/services/howl.te +++ b/refpolicy/policy/modules/services/howl.te @@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms; allow howl_t howl_var_run_t:file create_file_perms; allow howl_t howl_var_run_t:dir rw_dir_perms; -files_pid_filetrans(howl_t,howl_var_run_t) +files_pid_filetrans(howl_t,howl_var_run_t,file) kernel_read_network_state(howl_t) kernel_read_kernel_sysctls(howl_t) @@ -60,7 +60,7 @@ domain_use_interactive_fds(howl_t) files_read_etc_files(howl_t) -init_use_fd(howl_t) +init_use_fds(howl_t) init_use_script_ptys(howl_t) init_rw_utmp(howl_t) diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te index 8e7904ae..76b204d0 100644 --- a/refpolicy/policy/modules/services/i18n_input.te +++ b/refpolicy/policy/modules/services/i18n_input.te @@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms; allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms; allow i18n_input_t i18n_input_var_run_t:file create_file_perms; allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms; -files_pid_filetrans(i18n_input_t,i18n_input_var_run_t) +files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file) can_exec(i18n_input_t, i18n_input_exec_t) @@ -69,7 +69,7 @@ files_read_etc_files(i18n_input_t) files_read_etc_runtime_files(i18n_input_t) files_read_usr_files(i18n_input_t) -init_use_fd(i18n_input_t) +init_use_fds(i18n_input_t) init_use_script_ptys(i18n_input_t) init_stream_connect_script(i18n_input_t) diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if index 9c0b1dd4..5974b1c8 100644 --- a/refpolicy/policy/modules/services/inetd.if +++ b/refpolicy/policy/modules/services/inetd.if @@ -165,7 +165,7 @@ interface(`inetd_service_domain',` ## ## # -interface(`inetd_use_fd',` +interface(`inetd_use_fds',` gen_require(` type inetd_t; ') @@ -227,7 +227,7 @@ interface(`inetd_domtrans_child',` ## ## # -interface(`inetd_udp_sendto',` +interface(`inetd_udp_send',` gen_require(` type inetd_t; ') diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 767e5df7..2df83f3a 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms; allow inetd_t self:udp_socket { connect connected_socket_perms }; allow inetd_t inetd_log_t:file create_file_perms; -logging_log_filetrans(inetd_t,inetd_log_t) +logging_log_filetrans(inetd_t,inetd_log_t,file) allow inetd_t inetd_tmp_t:dir create_dir_perms; allow inetd_t inetd_tmp_t:file create_file_perms; files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) allow inetd_t inetd_var_run_t:file create_file_perms; -files_pid_filetrans(inetd_t,inetd_var_run_t) +files_pid_filetrans(inetd_t,inetd_var_run_t,file) kernel_read_kernel_sysctls(inetd_t) kernel_list_proc(inetd_t) @@ -106,7 +106,7 @@ domain_use_interactive_fds(inetd_t) files_read_etc_files(inetd_t) -init_use_fd(inetd_t) +init_use_fds(inetd_t) init_use_script_ptys(inetd_t) libs_use_ld_so(inetd_t) @@ -179,7 +179,7 @@ files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) allow inetd_child_t inetd_child_var_run_t:file create_file_perms; allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms; -files_pid_filetrans(inetd_child_t,inetd_child_var_run_t) +files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file) kernel_read_kernel_sysctls(inetd_child_t) kernel_read_system_state(inetd_child_t) diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index af05b806..a83d9d27 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t) allow innd_t innd_log_t:file manage_file_perms; allow innd_t innd_log_t:dir { setattr rw_dir_perms }; -logging_log_filetrans(innd_t,innd_log_t) +logging_log_filetrans(innd_t,innd_log_t,file) allow innd_t innd_var_lib_t:dir create_dir_perms; allow innd_t innd_var_lib_t:file create_file_perms; -files_var_lib_filetrans(innd_t,innd_var_lib_t) +files_var_lib_filetrans(innd_t,innd_var_lib_t,file) allow innd_t innd_var_run_t:dir create_dir_perms; allow innd_t innd_var_run_t:file create_file_perms; allow innd_t innd_var_run_t:sock_file create_file_perms; -files_pid_filetrans(innd_t,innd_var_run_t) +files_pid_filetrans(innd_t,innd_var_run_t,file) allow innd_t news_spool_t:dir create_dir_perms; allow innd_t news_spool_t:file create_file_perms; @@ -97,7 +97,7 @@ files_read_etc_files(innd_t) files_read_etc_runtime_files(innd_t) files_read_usr_files(innd_t) -init_use_fd(innd_t) +init_use_fds(innd_t) init_use_script_ptys(innd_t) libs_use_ld_so(innd_t) diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te index 477dcd97..f470ec4e 100644 --- a/refpolicy/policy/modules/services/irqbalance.te +++ b/refpolicy/policy/modules/services/irqbalance.te @@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms; allow irqbalance_t irqbalance_var_run_t:file create_file_perms; allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms; -files_pid_filetrans(irqbalance_t,irqbalance_var_run_t) +files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file) kernel_read_system_state(irqbalance_t) kernel_read_kernel_sysctls(irqbalance_t) @@ -41,7 +41,7 @@ term_dontaudit_use_console(irqbalance_t) domain_use_interactive_fds(irqbalance_t) -init_use_fd(irqbalance_t) +init_use_fds(irqbalance_t) init_use_script_ptys(irqbalance_t) libs_use_ld_so(irqbalance_t) diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index 3a22cbf8..2374b889 100644 --- a/refpolicy/policy/modules/services/kerberos.te +++ b/refpolicy/policy/modules/services/kerberos.te @@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms; allow kadmind_t self:udp_socket create_socket_perms; allow kadmind_t kadmind_log_t:file create_file_perms; -logging_log_filetrans(kadmind_t,kadmind_log_t) +logging_log_filetrans(kadmind_t,kadmind_log_t,file) allow kadmind_t krb5_conf_t:file r_file_perms; dontaudit kadmind_t krb5_conf_t:file write; @@ -81,7 +81,7 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) allow kadmind_t kadmind_var_run_t:file create_file_perms; allow kadmind_t kadmind_var_run_t:dir rw_dir_perms; -files_pid_filetrans(kadmind_t,kadmind_var_run_t) +files_pid_filetrans(kadmind_t,kadmind_var_run_t,file) kernel_read_kernel_sysctls(kadmind_t) kernel_list_proc(kadmind_t) @@ -116,7 +116,7 @@ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) -init_use_fd(kadmind_t) +init_use_fds(kadmind_t) init_use_script_ptys(kadmind_t) libs_use_ld_so(kadmind_t) @@ -172,7 +172,7 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms; dontaudit krb5kdc_t krb5kdc_conf_t:file write; allow krb5kdc_t krb5kdc_log_t:file create_file_perms; -logging_log_filetrans(krb5kdc_t,krb5kdc_log_t) +logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file) allow krb5kdc_t krb5kdc_principal_t:file r_file_perms; dontaudit krb5kdc_t krb5kdc_principal_t:file write; @@ -183,7 +183,7 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms; allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms; -files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t) +files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file) kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) @@ -216,7 +216,7 @@ domain_use_interactive_fds(krb5kdc_t) files_read_etc_files(krb5kdc_t) -init_use_fd(krb5kdc_t) +init_use_fds(krb5kdc_t) init_use_script_ptys(krb5kdc_t) libs_use_ld_so(krb5kdc_t) diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te index 7e2ee1ab..5bdf774a 100644 --- a/refpolicy/policy/modules/services/ktalk.te +++ b/refpolicy/policy/modules/services/ktalk.te @@ -44,7 +44,7 @@ files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) allow ktalkd_t ktalkd_var_run_t:file create_file_perms; allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(ktalkd_t,ktalkd_var_run_t) +files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file) kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index ac2a3567..290da676 100644 --- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms; allow slapd_t slapd_etc_t:file { getattr read }; allow slapd_t slapd_lock_t:file create_file_perms; -files_lock_filetrans(slapd_t,slapd_lock_t) +files_lock_filetrans(slapd_t,slapd_lock_t,file) # Allow access to write the replication log (should tighten this) allow slapd_t slapd_replog_t:dir create_dir_perms; @@ -72,7 +72,7 @@ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) allow slapd_t slapd_var_run_t:file create_file_perms; allow slapd_t slapd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(slapd_t,slapd_var_run_t) +files_pid_filetrans(slapd_t,slapd_var_run_t,file) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -107,7 +107,7 @@ files_read_etc_runtime_files(slapd_t) files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) -init_use_fd(slapd_t) +init_use_fds(slapd_t) init_use_script_ptys(slapd_t) libs_use_ld_so(slapd_t) diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index ef2913ce..0a79ccbf 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms }; allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t checkpc_log_t:file create_file_perms; -logging_log_filetrans(checkpc_t,checkpc_log_t) +logging_log_filetrans(checkpc_t,checkpc_log_t,file) allow checkpc_t lpd_var_run_t:dir { search getattr }; files_search_pids(checkpc_t) @@ -92,7 +92,7 @@ files_read_etc_runtime_files(checkpc_t) init_use_script_ptys(checkpc_t) # Allow access to /dev/console through the fd: -init_use_fd(checkpc_t) +init_use_fds(checkpc_t) libs_use_ld_so(checkpc_t) libs_use_shared_libs(checkpc_t) @@ -135,7 +135,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) allow lpd_t lpd_var_run_t:dir rw_dir_perms; allow lpd_t lpd_var_run_t:file create_file_perms; allow lpd_t lpd_var_run_t:sock_file create_file_perms; -files_pid_filetrans(lpd_t,lpd_var_run_t) +files_pid_filetrans(lpd_t,lpd_var_run_t,file) # Write to /var/spool/lpd. allow lpd_t print_spool_t:dir rw_dir_perms; @@ -201,7 +201,7 @@ files_read_var_lib_symlinks(lpd_t) # config files for lpd are of type etc_t, probably should change this files_read_etc_files(lpd_t) -init_use_fd(lpd_t) +init_use_fds(lpd_t) init_use_script_ptys(lpd_t) libs_use_ld_so(lpd_t) diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if index b63b6104..750ff554 100644 --- a/refpolicy/policy/modules/services/mailman.if +++ b/refpolicy/policy/modules/services/mailman.if @@ -37,11 +37,11 @@ template(`mailman_domain_template', ` allow mailman_$1_t mailman_lock_t:dir rw_dir_perms; allow mailman_$1_t mailman_lock_t:file create_file_perms; - files_lock_filetrans(mailman_$1_t,mailman_lock_t) + files_lock_filetrans(mailman_$1_t,mailman_lock_t,file) allow mailman_$1_t mailman_log_t:dir rw_dir_perms; allow mailman_$1_t mailman_log_t:file create_file_perms; - logging_log_filetrans(mailman_$1_t,mailman_log_t) + logging_log_filetrans(mailman_$1_t,mailman_log_t,file) allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms; allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms; diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te index de1c2484..b81fb4dc 100644 --- a/refpolicy/policy/modules/services/mailman.te +++ b/refpolicy/policy/modules/services/mailman.te @@ -49,7 +49,7 @@ optional_policy(`apache',` mta_tcp_connect_all_mailservers(mailman_cgi_t) apache_sigchld(mailman_cgi_t) - apache_use_fd(mailman_cgi_t) + apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) apache_search_sys_script_state(mailman_cgi_t) ') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 3888dce6..ec6a483a 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -654,10 +654,9 @@ interface(`mta_dontaudit_getattr_spool_files',` ## The type of the object to be created. ## ## -## +## ## -## The object class of the object being created. If -## no class is specified, file will be used. +## The object class of the object being created. ## ## # @@ -668,12 +667,7 @@ interface(`mta_spool_filetrans',` files_search_spool($1) allow $1 mail_spool_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 mail_spool_t:file $2; - ',` - type_transition $1 mail_spool_t:$3 $2; - ') + type_transition $1 mail_spool_t:$3 $2; ') ####################################### diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 0e3f1cdf..af86f548 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -49,7 +49,7 @@ allow mysqld_t mysqld_etc_t:lnk_file { getattr read }; allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file create_file_perms; -logging_log_filetrans(mysqld_t,mysqld_log_t) +logging_log_filetrans(mysqld_t,mysqld_log_t,file) allow mysqld_t mysqld_tmp_t:dir create_dir_perms; allow mysqld_t mysqld_tmp_t:file create_file_perms; @@ -58,7 +58,7 @@ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) allow mysqld_t mysqld_var_run_t:dir rw_dir_perms; allow mysqld_t mysqld_var_run_t:sock_file create_file_perms; allow mysqld_t mysqld_var_run_t:file create_file_perms; -files_pid_filetrans(mysqld_t,mysqld_var_run_t) +files_pid_filetrans(mysqld_t,mysqld_var_run_t,file) kernel_list_proc(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) @@ -94,7 +94,7 @@ files_read_etc_files(mysqld_t) files_read_usr_files(mysqld_t) files_search_var_lib(mysqld_t) -init_use_fd(mysqld_t) +init_use_fds(mysqld_t) init_use_script_ptys(mysqld_t) libs_use_ld_so(mysqld_t) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 7529c391..4787e34b 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -79,7 +79,7 @@ files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) -init_use_fd(NetworkManager_t) +init_use_fds(NetworkManager_t) init_use_script_ptys(NetworkManager_t) init_read_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index f2a9f22c..b5d97a9f 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -58,7 +58,7 @@ files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) allow ypbind_t ypbind_var_run_t:file manage_file_perms; allow ypbind_t ypbind_var_run_t:dir rw_dir_perms; -files_pid_filetrans(ypbind_t,ypbind_var_run_t) +files_pid_filetrans(ypbind_t,ypbind_var_run_t,file) allow ypbind_t var_yp_t:dir rw_dir_perms; allow ypbind_t var_yp_t:file create_file_perms; @@ -99,7 +99,7 @@ domain_use_interactive_fds(ypbind_t) files_read_etc_files(ypbind_t) files_list_var(ypbind_t) -init_use_fd(ypbind_t) +init_use_fds(ypbind_t) init_use_script_ptys(ypbind_t) init_udp_send_script(ypbind_t) @@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms; allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms; allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t) +files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file) allow yppasswdd_t var_yp_t:dir rw_dir_perms; allow yppasswdd_t var_yp_t:file create_file_perms; @@ -200,7 +200,7 @@ files_read_etc_files(yppasswdd_t) files_read_etc_runtime_files(yppasswdd_t) files_relabel_etc_files(yppasswdd_t) -init_use_fd(yppasswdd_t) +init_use_fds(yppasswdd_t) init_use_script_ptys(yppasswdd_t) init_udp_send_script(yppasswdd_t) @@ -260,7 +260,7 @@ files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) allow ypserv_t ypserv_var_run_t:dir rw_dir_perms; allow ypserv_t ypserv_var_run_t:file manage_file_perms; -files_pid_filetrans(ypserv_t,ypserv_var_run_t) +files_pid_filetrans(ypserv_t,ypserv_var_run_t,file) kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) @@ -295,7 +295,7 @@ domain_use_interactive_fds(ypserv_t) files_read_var_files(ypserv_t) -init_use_fd(ypserv_t) +init_use_fds(ypserv_t) init_use_script_ptys(ypserv_t) init_udp_send_script(ypserv_t) diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 96048620..1f1230d6 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te @@ -45,7 +45,7 @@ allow nscd_t self:udp_socket create_socket_perms; allow nscd_t self:nscd { admin getstat }; allow nscd_t nscd_log_t:file create_file_perms; -logging_log_filetrans(nscd_t,nscd_log_t) +logging_log_filetrans(nscd_t,nscd_log_t,file) allow nscd_t nscd_var_run_t:file create_file_perms; allow nscd_t nscd_var_run_t:sock_file create_file_perms; @@ -93,7 +93,7 @@ domain_use_interactive_fds(nscd_t) files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -init_use_fd(nscd_t) +init_use_fds(nscd_t) init_use_script_ptys(nscd_t) libs_use_ld_so(nscd_t) diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 1bc5d909..74925017 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -58,7 +58,7 @@ files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) allow ntpd_t ntpd_var_run_t:file create_file_perms; allow ntpd_t ntpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(ntpd_t,ntpd_var_run_t) +files_pid_filetrans(ntpd_t,ntpd_var_run_t,file) kernel_read_kernel_sysctls(ntpd_t) kernel_read_system_state(ntpd_t) @@ -100,7 +100,7 @@ files_read_usr_files(ntpd_t) files_list_var_lib(ntpd_t) init_exec_script_files(ntpd_t) -init_use_fd(ntpd_t) +init_use_fds(ntpd_t) init_use_script_ptys(ntpd_t) libs_use_ld_so(ntpd_t) @@ -128,7 +128,7 @@ optional_policy(`cron',` ') optional_policy(`firstboot',` - firstboot_dontaudit_use_fd(ntpd_t) + firstboot_dontaudit_use_fds(ntpd_t) ') optional_policy(`logrotate',` diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te index 57bf22bc..b6ccdd82 100644 --- a/refpolicy/policy/modules/services/openct.te +++ b/refpolicy/policy/modules/services/openct.te @@ -23,7 +23,7 @@ allow openct_t self:process signal_perms; allow openct_t openct_var_run_t:file create_file_perms; allow openct_t openct_var_run_t:dir rw_dir_perms; -files_pid_filetrans(openct_t,openct_var_run_t) +files_pid_filetrans(openct_t,openct_var_run_t,file) kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) @@ -43,7 +43,7 @@ fs_search_auto_mountpoints(openct_t) term_dontaudit_use_console(openct_t) -init_use_fd(openct_t) +init_use_fds(openct_t) init_use_script_ptys(openct_t) libs_use_ld_so(openct_t) diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te index e1eb1711..6c44a03f 100644 --- a/refpolicy/policy/modules/services/pegasus.te +++ b/refpolicy/policy/modules/services/pegasus.te @@ -59,7 +59,7 @@ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) allow pegasus_t pegasus_var_run_t:file create_file_perms; allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink }; allow pegasus_t pegasus_var_run_t:dir rw_dir_perms; -files_pid_filetrans(pegasus_t,pegasus_var_run_t) +files_pid_filetrans(pegasus_t,pegasus_var_run_t,file) kernel_read_kernel_sysctls(pegasus_t) kernel_read_fs_sysctls(pegasus_t) @@ -97,7 +97,7 @@ files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) -init_use_fd(pegasus_t) +init_use_fds(pegasus_t) init_use_script_ptys(pegasus_t) init_rw_utmp(pegasus_t) diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te index 46bddd5d..6284f4dc 100644 --- a/refpolicy/policy/modules/services/portmap.te +++ b/refpolicy/policy/modules/services/portmap.te @@ -40,7 +40,7 @@ files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir }) allow portmap_t portmap_var_run_t:file create_file_perms; allow portmap_t portmap_var_run_t:dir rw_dir_perms; -files_pid_filetrans(portmap_t,portmap_var_run_t) +files_pid_filetrans(portmap_t,portmap_var_run_t,file) kernel_read_kernel_sysctls(portmap_t) kernel_list_proc(portmap_t) @@ -80,7 +80,7 @@ domain_use_interactive_fds(portmap_t) files_read_etc_files(portmap_t) -init_use_fd(portmap_t) +init_use_fds(portmap_t) init_use_script_ptys(portmap_t) init_udp_send(portmap_t) init_udp_send_script(portmap_t) @@ -104,7 +104,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`inetd',` - inetd_udp_sendto(portmap_t) + inetd_udp_send(portmap_t) ') optional_policy(`mount',` @@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms; allow portmap_helper_t self:udp_socket create_socket_perms; allow portmap_helper_t portmap_var_run_t:file create_file_perms; -files_pid_filetrans(portmap_helper_t,portmap_var_run_t) +files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file) corenet_tcp_sendrecv_all_if(portmap_helper_t) corenet_udp_sendrecv_all_if(portmap_helper_t) diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if index fe36911a..2202fc74 100644 --- a/refpolicy/policy/modules/services/postfix.if +++ b/refpolicy/policy/modules/services/postfix.if @@ -45,7 +45,7 @@ template(`postfix_domain_template',` allow postfix_$1_t postfix_spool_t:dir r_dir_perms; allow postfix_$1_t postfix_var_run_t:file manage_file_perms; - files_pid_filetrans(postfix_$1_t,postfix_var_run_t) + files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file) kernel_read_system_state(postfix_$1_t) kernel_read_network_state(postfix_$1_t) @@ -72,7 +72,7 @@ template(`postfix_domain_template',` files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) - init_use_fd(postfix_$1_t) + init_use_fds(postfix_$1_t) init_sigchld(postfix_$1_t) libs_use_ld_so(postfix_$1_t) @@ -209,10 +209,9 @@ interface(`postfix_read_config',` ## The type of the object to be created. ## ## -## +## ## -## The object class of the object being created. If -## no class is specified, file will be used. +## The object class of the object being created. ## ## # @@ -223,12 +222,7 @@ interface(`postfix_config_filetrans',` files_search_etc($1) allow $1 postfix_etc_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 postfix_etc_t:file $2; - ',` - type_transition $1 postfix_etc_t:$3 $2; - ') + type_transition $1 postfix_etc_t:$3 $2; ') ######################################## @@ -263,7 +257,7 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` ## ## # -interface(`postfix_dontaudit_use_fd',` +interface(`postfix_dontaudit_use_fds',` gen_require(` type postfix_master_t; ') diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index b38aeee6..7e924674 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -361,7 +361,7 @@ tunable_policy(`read_default_t',` ') optional_policy(`locallogin',` - locallogin_dontaudit_use_fd(postfix_map_t) + locallogin_dontaudit_use_fds(postfix_map_t) ') # a "run" interface needs to be @@ -438,14 +438,14 @@ ifdef(`targeted_policy', ` ') optional_policy(`crond',` - cron_use_fd(postfix_postdrop_t) + cron_use_fds(postfix_postdrop_t) cron_rw_pipes(postfix_postdrop_t) cron_use_system_job_fds(postfix_postdrop_t) cron_rw_system_job_pipes(postfix_postdrop_t) ') optional_policy(`ppp',` - ppp_use_fd(postfix_postqueue_t) + ppp_use_fds(postfix_postqueue_t) ppp_sigchld(postfix_postqueue_t) ') diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te index 4a9ca6ef..faf817a1 100644 --- a/refpolicy/policy/modules/services/postgresql.te +++ b/refpolicy/policy/modules/services/postgresql.te @@ -58,7 +58,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; can_exec(postgresql_t, postgresql_exec_t ) allow postgresql_t postgresql_lock_t:file create_file_perms; -files_lock_filetrans(postgresql_t,postgresql_lock_t) +files_lock_filetrans(postgresql_t,postgresql_lock_t,file) allow postgresql_t postgresql_log_t:dir rw_dir_perms; allow postgresql_t postgresql_log_t:file create_file_perms; @@ -75,7 +75,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file allow postgresql_t postgresql_var_run_t:dir rw_dir_perms; allow postgresql_t postgresql_var_run_t:file create_file_perms; allow postgresql_t postgresql_var_run_t:sock_file create_file_perms; -files_pid_filetrans(postgresql_t,postgresql_var_run_t) +files_pid_filetrans(postgresql_t,postgresql_var_run_t,file) kernel_read_kernel_sysctls(postgresql_t) kernel_read_system_state(postgresql_t) @@ -122,7 +122,7 @@ files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) init_read_utmp(postgresql_t) -init_use_fd(postgresql_t) +init_use_fds(postgresql_t) init_use_script_ptys(postgresql_t) libs_use_ld_so(postgresql_t) diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if index 76a4fe43..aa2bc56a 100644 --- a/refpolicy/policy/modules/services/ppp.if +++ b/refpolicy/policy/modules/services/ppp.if @@ -10,7 +10,7 @@ ## ## # -interface(`ppp_use_fd',` +interface(`ppp_use_fds',` gen_require(` type pppd_t; ') @@ -29,7 +29,7 @@ interface(`ppp_use_fd',` ## ## # -interface(`ppp_dontaudit_use_fd',` +interface(`ppp_dontaudit_use_fds',` gen_require(` type pppd_t; ') diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te index 864bdc30..62f156d9 100644 --- a/refpolicy/policy/modules/services/ppp.te +++ b/refpolicy/policy/modules/services/ppp.te @@ -80,15 +80,15 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr }; allow pppd_t pppd_etc_t:dir rw_dir_perms; allow pppd_t pppd_etc_t:file r_file_perms; allow pppd_t pppd_etc_t:lnk_file { getattr read }; -files_etc_filetrans(pppd_t,pppd_etc_t) +files_etc_filetrans(pppd_t,pppd_etc_t,file) allow pppd_t pppd_etc_rw_t:file create_file_perms; allow pppd_t pppd_lock_t:file create_file_perms; -files_lock_filetrans(pppd_t,pppd_lock_t) +files_lock_filetrans(pppd_t,pppd_lock_t,file) allow pppd_t pppd_log_t:file create_file_perms; -logging_log_filetrans(pppd_t,pppd_log_t) +logging_log_filetrans(pppd_t,pppd_log_t,file) allow pppd_t pppd_tmp_t:dir create_dir_perms; allow pppd_t pppd_tmp_t:file create_file_perms; @@ -96,7 +96,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) allow pppd_t pppd_var_run_t:dir rw_dir_perms; allow pppd_t pppd_var_run_t:file create_file_perms; -files_pid_filetrans(pppd_t,pppd_var_run_t) +files_pid_filetrans(pppd_t,pppd_var_run_t,file) allow pppd_t pptp_t:process signal; @@ -155,7 +155,7 @@ files_read_etc_files(pppd_t) init_read_utmp(pppd_t) init_dontaudit_write_utmp(pppd_t) -init_use_fd(pppd_t) +init_use_fds(pppd_t) init_use_script_ptys(pppd_t) libs_use_ld_so(pppd_t) @@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t) allow pptp_t pppd_log_t:file append; allow pptp_t pptp_log_t:file create_file_perms; -logging_log_filetrans(pptp_t,pptp_log_t) +logging_log_filetrans(pptp_t,pptp_log_t,file) allow pptp_t pptp_var_run_t:file create_file_perms; allow pptp_t pptp_var_run_t:dir rw_dir_perms; allow pptp_t pptp_var_run_t:sock_file create_file_perms; -files_pid_filetrans(pptp_t,pptp_var_run_t) +files_pid_filetrans(pptp_t,pptp_var_run_t,file) kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) @@ -281,7 +281,7 @@ term_use_ptmx(pptp_t) domain_use_interactive_fds(pptp_t) -init_use_fd(pptp_t) +init_use_fds(pptp_t) init_use_script_ptys(pptp_t) libs_use_ld_so(pptp_t) diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te index df6d6e4d..8146e06e 100644 --- a/refpolicy/policy/modules/services/privoxy.te +++ b/refpolicy/policy/modules/services/privoxy.te @@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; allow privoxy_t privoxy_log_t:file create_file_perms; allow privoxy_t privoxy_log_t:dir rw_dir_perms; -logging_log_filetrans(privoxy_t,privoxy_log_t) +logging_log_filetrans(privoxy_t,privoxy_log_t,file) allow privoxy_t privoxy_var_run_t:file create_file_perms; allow privoxy_t privoxy_var_run_t:dir rw_dir_perms; -files_pid_filetrans(privoxy_t,privoxy_var_run_t) +files_pid_filetrans(privoxy_t,privoxy_var_run_t,file) kernel_read_kernel_sysctls(privoxy_t) kernel_list_proc(privoxy_t) @@ -63,7 +63,7 @@ domain_use_interactive_fds(privoxy_t) files_read_etc_files(privoxy_t) -init_use_fd(privoxy_t) +init_use_fds(privoxy_t) init_use_script_ptys(privoxy_t) libs_use_ld_so(privoxy_t) diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te index a5fd87cd..495fa90a 100644 --- a/refpolicy/policy/modules/services/procmail.te +++ b/refpolicy/policy/modules/services/procmail.te @@ -90,7 +90,7 @@ optional_policy(`nscd',` optional_policy(`postfix',` # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fd(procmail_t) + postfix_dontaudit_use_fds(procmail_t) ') optional_policy(`sendmail',` diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te index 01ebb546..5955b4d4 100644 --- a/refpolicy/policy/modules/services/radius.te +++ b/refpolicy/policy/modules/services/radius.te @@ -45,7 +45,7 @@ logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir }) allow radiusd_t radiusd_var_run_t:file create_file_perms; allow radiusd_t radiusd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(radiusd_t,radiusd_var_run_t) +files_pid_filetrans(radiusd_t,radiusd_var_run_t,file) kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) @@ -86,7 +86,7 @@ files_read_usr_files(radiusd_t) files_read_etc_files(radiusd_t) files_read_etc_runtime_files(radiusd_t) -init_use_fd(radiusd_t) +init_use_fds(radiusd_t) init_use_script_ptys(radiusd_t) libs_use_ld_so(radiusd_t) diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te index c80d3bfc..ab311e8d 100644 --- a/refpolicy/policy/modules/services/radvd.te +++ b/refpolicy/policy/modules/services/radvd.te @@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read }; allow radvd_t radvd_var_run_t:file create_file_perms; allow radvd_t radvd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(radvd_t,radvd_var_run_t) +files_pid_filetrans(radvd_t,radvd_var_run_t,file) kernel_read_kernel_sysctls(radvd_t) kernel_read_net_sysctls(radvd_t) @@ -63,7 +63,7 @@ domain_use_interactive_fds(radvd_t) files_read_etc_files(radvd_t) files_list_usr(radvd_t) -init_use_fd(radvd_t) +init_use_fds(radvd_t) init_use_script_ptys(radvd_t) libs_use_ld_so(radvd_t) diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te index 913ad87e..1a734f77 100644 --- a/refpolicy/policy/modules/services/rdisc.te +++ b/refpolicy/policy/modules/services/rdisc.te @@ -44,7 +44,7 @@ domain_use_interactive_fds(rdisc_t) files_read_etc_files(rdisc_t) -init_use_fd(rdisc_t) +init_use_fds(rdisc_t) init_use_script_ptys(rdisc_t) libs_use_ld_so(rdisc_t) diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te index 3ad6d0c3..3c93e1a0 100644 --- a/refpolicy/policy/modules/services/rlogin.te +++ b/refpolicy/policy/modules/services/rlogin.te @@ -45,7 +45,7 @@ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir }) allow rlogind_t rlogind_var_run_t:file create_file_perms; allow rlogind_t rlogind_var_run_t:dir rw_dir_perms; -files_pid_filetrans(rlogind_t,rlogind_var_run_t) +files_pid_filetrans(rlogind_t,rlogind_var_run_t,file) kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te index 50168fb0..d1ab3af7 100644 --- a/refpolicy/policy/modules/services/roundup.te +++ b/refpolicy/policy/modules/services/roundup.te @@ -30,11 +30,11 @@ allow roundup_t self:udp_socket create_socket_perms; allow roundup_t roundup_var_run_t:file create_file_perms; allow roundup_t roundup_var_run_t:dir rw_dir_perms; -files_pid_filetrans(roundup_t,roundup_var_run_t) +files_pid_filetrans(roundup_t,roundup_var_run_t,file) allow roundup_t roundup_var_lib_t:file create_file_perms; allow roundup_t roundup_var_lib_t:dir rw_dir_perms; -files_var_lib_filetrans(roundup_t,roundup_var_lib_t) +files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file) kernel_read_kernel_sysctls(roundup_t) kernel_list_proc(roundup_t) @@ -73,7 +73,7 @@ fs_search_auto_mountpoints(roundup_t) term_dontaudit_use_console(roundup_t) -init_use_fd(roundup_t) +init_use_fds(roundup_t) init_use_script_ptys(roundup_t) libs_use_ld_so(roundup_t) diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if index 7beabd41..60833647 100644 --- a/refpolicy/policy/modules/services/rpc.if +++ b/refpolicy/policy/modules/services/rpc.if @@ -81,7 +81,7 @@ template(`rpc_domain_template', ` files_search_var($1_t) files_search_var_lib($1_t) - init_use_fd($1_t) + init_use_fds($1_t) init_use_script_ptys($1_t) libs_use_ld_so($1_t) diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te index 741c6127..7fa0f464 100644 --- a/refpolicy/policy/modules/services/rpc.te +++ b/refpolicy/policy/modules/services/rpc.te @@ -43,7 +43,7 @@ allow rpcd_t self:file { getattr read }; allow rpcd_t rpcd_var_run_t:file manage_file_perms; allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr }; -files_pid_filetrans(rpcd_t,rpcd_var_run_t) +files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) kernel_search_network_state(rpcd_t) # for rpc.rquotad @@ -84,7 +84,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) -kernel_udp_sendto(nfsd_t) +kernel_udp_send(nfsd_t) kernel_tcp_recvfrom(nfsd_t) corenet_udp_bind_generic_port(nfsd_t) diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index 2939b65a..240ce5b1 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -48,7 +48,7 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) allow rsync_t rsync_var_run_t:file create_file_perms; allow rsync_t rsync_var_run_t:dir rw_dir_perms; -files_pid_filetrans(rsync_t,rsync_var_run_t) +files_pid_filetrans(rsync_t,rsync_var_run_t,file) kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te index 9d723485..ee4dc117 100644 --- a/refpolicy/policy/modules/services/samba.te +++ b/refpolicy/policy/modules/services/samba.te @@ -219,7 +219,7 @@ allow smbd_t nmbd_var_run_t:file rw_file_perms; allow smbd_t smbd_var_run_t:dir create_dir_perms; allow smbd_t smbd_var_run_t:file create_file_perms; allow smbd_t smbd_var_run_t:sock_file create_file_perms; -files_pid_filetrans(smbd_t,smbd_var_run_t) +files_pid_filetrans(smbd_t,smbd_var_run_t,file) allow smbd_t winbind_var_run_t:sock_file { read write getattr }; @@ -268,7 +268,7 @@ files_search_spool(smbd_t) # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -init_use_fd(smbd_t) +init_use_fds(smbd_t) init_use_script_ptys(smbd_t) libs_use_ld_so(smbd_t) @@ -356,7 +356,7 @@ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow nmbd_t nmbd_var_run_t:file create_file_perms; allow nmbd_t nmbd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(nmbd_t,nmbd_var_run_t) +files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) allow nmbd_t samba_etc_t:dir { search getattr }; allow nmbd_t samba_etc_t:file { getattr read }; @@ -402,7 +402,7 @@ domain_use_interactive_fds(nmbd_t) files_read_usr_files(nmbd_t) files_read_etc_files(nmbd_t) -init_use_fd(nmbd_t) +init_use_fds(nmbd_t) init_use_script_ptys(nmbd_t) libs_use_ld_so(nmbd_t) @@ -500,13 +500,13 @@ files_read_etc_files(smbmount_t) miscfiles_read_localization(smbmount_t) -mount_use_fd(smbmount_t) +mount_use_fds(smbmount_t) mount_send_nfs_client_request(smbmount_t) libs_use_ld_so(smbmount_t) libs_use_shared_libs(smbmount_t) -locallogin_use_fd(smbmount_t) +locallogin_use_fds(smbmount_t) logging_search_logs(smbmount_t) @@ -563,7 +563,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) allow swat_t swat_var_run_t:file create_file_perms; allow swat_t swat_var_run_t:dir rw_dir_perms; -files_pid_filetrans(swat_t,swat_var_run_t) +files_pid_filetrans(swat_t,swat_var_run_t,file) allow swat_t winbind_exec_t:file execute; @@ -652,7 +652,7 @@ allow winbind_t samba_var_t:file create_file_perms; allow winbind_t samba_var_t:lnk_file create_lnk_perms; allow winbind_t winbind_log_t:file create_file_perms; -logging_log_filetrans(winbind_t,winbind_log_t) +logging_log_filetrans(winbind_t,winbind_log_t,file) allow winbind_t winbind_tmp_t:dir create_dir_perms; allow winbind_t winbind_tmp_t:file create_file_perms; @@ -661,7 +661,7 @@ files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) allow winbind_t winbind_var_run_t:file create_file_perms; allow winbind_t winbind_var_run_t:sock_file create_file_perms; allow winbind_t winbind_var_run_t:dir rw_dir_perms; -files_pid_filetrans(winbind_t,winbind_var_run_t) +files_pid_filetrans(winbind_t,winbind_var_run_t,file) kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) @@ -694,7 +694,7 @@ domain_use_interactive_fds(winbind_t) files_read_etc_files(winbind_t) -init_use_fd(winbind_t) +init_use_fds(winbind_t) init_use_script_ptys(winbind_t) libs_use_ld_so(winbind_t) diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te index f45f555d..44719ba3 100644 --- a/refpolicy/policy/modules/services/sasl.te +++ b/refpolicy/policy/modules/services/sasl.te @@ -29,7 +29,7 @@ allow saslauthd_t self:tcp_socket create_socket_perms; allow saslauthd_t saslauthd_var_run_t:file create_file_perms; allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms; allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(saslauthd_t,saslauthd_var_run_t) +files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file) kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) @@ -62,7 +62,7 @@ files_search_var_lib(saslauthd_t) files_dontaudit_getattr_home_dir(saslauthd_t) files_dontaudit_getattr_tmp_dirs(saslauthd_t) -init_use_fd(saslauthd_t) +init_use_fds(saslauthd_t) init_use_script_ptys(saslauthd_t) init_dontaudit_stream_connect_script(saslauthd_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index a03daf57..f6a15db1 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -74,7 +74,7 @@ files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) -init_use_fd(sendmail_t) +init_use_fds(sendmail_t) init_use_script_ptys(sendmail_t) # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console init_read_utmp(sendmail_t) @@ -113,7 +113,7 @@ ifdef(`targeted_policy',` files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock }; - files_pid_filetrans(sendmail_t,sendmail_var_run_t) + files_pid_filetrans(sendmail_t,sendmail_var_run_t,file) ') optional_policy(`nis',` diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te index da215c10..e25afb6f 100644 --- a/refpolicy/policy/modules/services/slrnpull.te +++ b/refpolicy/policy/modules/services/slrnpull.te @@ -28,7 +28,7 @@ dontaudit slrnpull_t self:capability sys_tty_config; allow slrnpull_t self:process signal_perms; allow slrnpull_t slrnpull_log_t:file create_file_perms; -logging_log_filetrans(slrnpull_t,slrnpull_log_t) +logging_log_filetrans(slrnpull_t,slrnpull_log_t,file) allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms; allow slrnpull_t slrnpull_spool_t:dir create_dir_perms; @@ -38,7 +38,7 @@ files_search_spool(slrnpull_t) allow slrnpull_t slrnpull_var_run_t:file create_file_perms; allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms; -files_pid_filetrans(slrnpull_t,slrnpull_var_run_t) +files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file) kernel_list_proc(slrnpull_t) kernel_read_kernel_sysctls(slrnpull_t) @@ -55,7 +55,7 @@ fs_search_auto_mountpoints(slrnpull_t) term_dontaudit_use_console(slrnpull_t) -init_use_fd(slrnpull_t) +init_use_fds(slrnpull_t) init_use_script_ptys(slrnpull_t) libs_use_ld_so(slrnpull_t) diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te index d0b84a13..5791d1e9 100644 --- a/refpolicy/policy/modules/services/smartmon.te +++ b/refpolicy/policy/modules/services/smartmon.te @@ -35,7 +35,7 @@ files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms; allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms; -files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t) +files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file) kernel_read_kernel_sysctls(fsdaemon_t) kernel_read_software_raid_state(fsdaemon_t) @@ -71,7 +71,7 @@ storage_raw_write_fixed_disk(fsdaemon_t) term_dontaudit_use_console(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t) -init_use_fd(fsdaemon_t) +init_use_fds(fsdaemon_t) init_use_script_ptys(fsdaemon_t) libs_use_ld_so(fsdaemon_t) diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te index db1fd25b..d5470237 100644 --- a/refpolicy/policy/modules/services/snmp.te +++ b/refpolicy/policy/modules/services/snmp.te @@ -36,18 +36,18 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms; allow snmpd_t snmpd_etc_t:file { getattr read }; allow snmpd_t snmpd_log_t:file create_file_perms; -logging_log_filetrans(snmpd_t,snmpd_log_t) +logging_log_filetrans(snmpd_t,snmpd_log_t,file) allow snmpd_t snmpd_var_lib_t:file create_file_perms; allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms; allow snmpd_t snmpd_var_lib_t:dir create_dir_perms; -files_usr_filetrans(snmpd_t,snmpd_var_lib_t) +files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file) files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file }) -files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t) +files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file) allow snmpd_t snmpd_var_run_t:file create_file_perms; allow snmpd_t snmpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(snmpd_t,snmpd_var_run_t) +files_pid_filetrans(snmpd_t,snmpd_var_run_t,file) kernel_read_kernel_sysctls(snmpd_t) kernel_read_net_sysctls(snmpd_t) @@ -98,7 +98,7 @@ storage_dontaudit_read_removable_device(snmpd_t) term_dontaudit_use_console(snmpd_t) init_read_utmp(snmpd_t) -init_use_fd(snmpd_t) +init_use_fds(snmpd_t) init_use_script_ptys(snmpd_t) init_dontaudit_write_utmp(snmpd_t) diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te index 11f974f7..287f496a 100644 --- a/refpolicy/policy/modules/services/spamassassin.te +++ b/refpolicy/policy/modules/services/spamassassin.te @@ -55,7 +55,7 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) allow spamd_t spamd_var_run_t:file create_file_perms; allow spamd_t spamd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(spamd_t,spamd_var_run_t) +files_pid_filetrans(spamd_t,spamd_var_run_t,file) kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) @@ -99,7 +99,7 @@ files_read_usr_files(spamd_t) files_read_etc_files(spamd_t) files_read_etc_runtime_files(spamd_t) -init_use_fd(spamd_t) +init_use_fds(spamd_t) init_use_script_ptys(spamd_t) init_dontaudit_rw_utmp(spamd_t) diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te index 07f819d5..8037fc7b 100644 --- a/refpolicy/policy/modules/services/squid.te +++ b/refpolicy/policy/modules/services/squid.te @@ -62,13 +62,13 @@ logging_log_filetrans(squid_t,squid_log_t,{ file dir }) allow squid_t squid_var_run_t:file create_file_perms; allow squid_t squid_var_run_t:dir rw_dir_perms; -files_pid_filetrans(squid_t,squid_var_run_t) +files_pid_filetrans(squid_t,squid_var_run_t,file) kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_tcp_recvfrom(squid_t) -bootloader_dontaudit_getattr_boot_dirs(squid_t) +files_dontaudit_getattr_boot_dirs(squid_t) corenet_tcp_sendrecv_all_if(squid_t) corenet_raw_sendrecv_all_if(squid_t) @@ -116,7 +116,7 @@ files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -init_use_fd(squid_t) +init_use_fds(squid_t) init_use_script_ptys(squid_t) libs_use_ld_so(squid_t) @@ -147,7 +147,7 @@ tunable_policy(`squid_connect_any',` optional_policy(`logrotate',` allow squid_t self:capability kill; - cron_use_fd(squid_t) + cron_use_fds(squid_t) cron_use_system_job_fds(squid_t) cron_rw_pipes(squid_t) cron_write_system_job_pipes(squid_t) diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 813060cd..a89a355a 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -536,14 +536,14 @@ template(`ssh_server_template', ` # files_list_pids($1_t) # ',` # corenet_tcp_bind_ssh_port($1_t) - # init_use_fd($1_t) + # init_use_fds($1_t) # init_use_script_ptys($1_t) # ') #',` # These rules should match the else block # of the run_ssh_inetd tunable directly above corenet_tcp_bind_ssh_port($1_t) - init_use_fd($1_t) + init_use_fds($1_t) init_use_script_ptys($1_t) #') diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te index 79cae699..9b812eea 100644 --- a/refpolicy/policy/modules/services/ssh.te +++ b/refpolicy/policy/modules/services/ssh.te @@ -232,7 +232,7 @@ ifdef(`targeted_policy',`',` files_read_etc_files(ssh_keygen_t) - init_use_fd(ssh_keygen_t) + init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) libs_use_ld_so(ssh_keygen_t) diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te index 47a194b5..14e6a0f5 100644 --- a/refpolicy/policy/modules/services/stunnel.te +++ b/refpolicy/policy/modules/services/stunnel.te @@ -49,7 +49,7 @@ files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) allow stunnel_t stunnel_var_run_t:file create_file_perms; allow stunnel_t stunnel_var_run_t:dir rw_dir_perms; -files_pid_filetrans(stunnel_t,stunnel_var_run_t) +files_pid_filetrans(stunnel_t,stunnel_var_run_t,file) kernel_read_kernel_sysctls(stunnel_t) kernel_read_system_state(stunnel_t) @@ -91,7 +91,7 @@ ifdef(`distro_gentoo', ` domain_use_interactive_fds(stunnel_t) - init_use_fd(stunnel_t) + init_use_fds(stunnel_t) init_use_script_ptys(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te index a3b38449..620c3804 100644 --- a/refpolicy/policy/modules/services/sysstat.te +++ b/refpolicy/policy/modules/services/sysstat.te @@ -51,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t) term_use_console(sysstat_t) -init_use_fd(sysstat_t) +init_use_fds(sysstat_t) init_use_script_ptys(sysstat_t) libs_use_ld_so(sysstat_t) diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te index e682d0db..a36dfc78 100644 --- a/refpolicy/policy/modules/services/telnet.te +++ b/refpolicy/policy/modules/services/telnet.te @@ -43,7 +43,7 @@ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) allow telnetd_t telnetd_var_run_t:file create_file_perms; allow telnetd_t telnetd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(telnetd_t,telnetd_var_run_t) +files_pid_filetrans(telnetd_t,telnetd_var_run_t,file) kernel_read_kernel_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te index 33c0b16c..3e1f2021 100644 --- a/refpolicy/policy/modules/services/tftp.te +++ b/refpolicy/policy/modules/services/tftp.te @@ -35,7 +35,7 @@ allow tftpd_t tftpdir_t:lnk_file { getattr read }; allow tftpd_t tftpd_var_run_t:file create_file_perms; allow tftpd_t tftpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(tftpd_t,tftpd_var_run_t) +files_pid_filetrans(tftpd_t,tftpd_var_run_t,file) kernel_read_kernel_sysctls(tftpd_t) kernel_list_proc(tftpd_t) @@ -68,7 +68,7 @@ files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) -init_use_fd(tftpd_t) +init_use_fds(tftpd_t) init_use_script_ptys(tftpd_t) libs_use_ld_so(tftpd_t) diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te index 45d5f261..50d4a38c 100644 --- a/refpolicy/policy/modules/services/timidity.te +++ b/refpolicy/policy/modules/services/timidity.te @@ -67,7 +67,7 @@ files_read_usr_files(timidity_t) # read /etc/esd.conf files_read_etc_files(timidity_t) -init_use_fd(timidity_t) +init_use_fds(timidity_t) init_use_script_ptys(timidity_t) libs_use_ld_so(timidity_t) diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te index 73dc3661..20d12d9f 100644 --- a/refpolicy/policy/modules/services/uucp.te +++ b/refpolicy/policy/modules/services/uucp.te @@ -61,7 +61,7 @@ files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir }) allow uucpd_t uucpd_var_run_t:file create_file_perms; allow uucpd_t uucpd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(uucpd_t,uucpd_var_run_t) +files_pid_filetrans(uucpd_t,uucpd_var_run_t,file) kernel_read_kernel_sysctls(uucpd_t) kernel_read_system_state(uucpd_t) diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te index 916d0a58..d52a3ffd 100644 --- a/refpolicy/policy/modules/services/xfs.te +++ b/refpolicy/policy/modules/services/xfs.te @@ -33,7 +33,7 @@ files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) allow xfs_t xfs_var_run_t:file create_file_perms; allow xfs_t xfs_var_run_t:dir rw_dir_perms; -files_pid_filetrans(xfs_t,xfs_var_run_t) +files_pid_filetrans(xfs_t,xfs_var_run_t,file) # Bind to /tmp/.font-unix/fs-1. # cjp: I do not believe this has an effect. @@ -54,7 +54,7 @@ domain_use_interactive_fds(xfs_t) files_read_etc_files(xfs_t) files_read_etc_runtime_files(xfs_t) -init_use_fd(xfs_t) +init_use_fds(xfs_t) init_use_script_ptys(xfs_t) libs_use_ld_so(xfs_t) diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if index 9572d183..01c85c1a 100644 --- a/refpolicy/policy/modules/services/xserver.if +++ b/refpolicy/policy/modules/services/xserver.if @@ -180,7 +180,7 @@ template(`xserver_common_domain_template',` ifdef(`rpm.te', ` allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr }; allow $1_xserver_t rpm_tmpfs_t:file { read write }; - rpm_use_fd($1_xserver_t) + rpm_use_fds($1_xserver_t) ') ') ') dnl end TODO @@ -279,9 +279,9 @@ template(`xserver_per_userdomain_template',` allow $1_xserver_t $2:shm rw_shm_perms; allow $2 $1_xserver_t:shm rw_shm_perms; - getty_use_fd($1_xserver_t) + getty_use_fds($1_xserver_t) - locallogin_use_fd($1_xserver_t) + locallogin_use_fds($1_xserver_t) userdom_search_user_home_dirs($1,$1_xserver_t) userdom_use_user_ttys($1,$1_xserver_t) diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te index 1f683113..eb2182e5 100644 --- a/refpolicy/policy/modules/services/xserver.te +++ b/refpolicy/policy/modules/services/xserver.te @@ -216,7 +216,7 @@ ifdef(`enable_polyinstantiation',` ifdef(`strict_policy',` allow xdm_t xdm_lock_t:file create_file_perms; - files_lock_filetrans(xdm_t,xdm_lock_t) + files_lock_filetrans(xdm_t,xdm_lock_t,file) allow xdm_t xdm_tmp_t:dir create_dir_perms; allow xdm_t xdm_tmp_t:file create_file_perms; @@ -232,7 +232,7 @@ ifdef(`strict_policy',` allow xdm_t xdm_var_lib_t:file create_file_perms; allow xdm_t xdm_var_lib_t:dir create_dir_perms; - files_var_lib_filetrans(xdm_t,xdm_var_lib_t) + files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) allow xdm_t xdm_var_run_t:dir manage_dir_perms; allow xdm_t xdm_var_run_t:fifo_file manage_file_perms; @@ -393,7 +393,7 @@ corenet_tcp_bind_vnc_port(xdm_xserver_t) fs_search_auto_mountpoints(xdm_xserver_t) -init_use_fd(xdm_xserver_t) +init_use_fds(xdm_xserver_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te index b6064993..c5796205 100644 --- a/refpolicy/policy/modules/services/zebra.te +++ b/refpolicy/policy/modules/services/zebra.te @@ -92,7 +92,7 @@ files_search_etc(zebra_t) files_read_etc_files(zebra_t) files_read_etc_runtime_files(zebra_t) -init_use_fd(zebra_t) +init_use_fds(zebra_t) init_use_script_ptys(zebra_t) libs_use_ld_so(zebra_t) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 69d9c272..107313a8 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -118,7 +118,7 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) optional_policy(`locallogin',` - locallogin_use_fd(pam_t) + locallogin_use_fds(pam_t) ') optional_policy(`nis',` @@ -146,7 +146,7 @@ dontaudit pam_console_t pam_var_console_t:file write; allow pam_console_t pam_var_console_t:lnk_file { getattr read }; kernel_read_kernel_sysctls(pam_console_t) -kernel_use_fd(pam_console_t) +kernel_use_fds(pam_console_t) # Read /proc/meminfo kernel_read_system_state(pam_console_t) @@ -196,7 +196,7 @@ files_list_mnt(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) -init_use_fd(pam_console_t) +init_use_fds(pam_console_t) init_use_script_ptys(pam_console_t) libs_use_ld_so(pam_console_t) @@ -229,7 +229,7 @@ optional_policy(`gpm',` ') optional_policy(`hotplug',` - hotplug_use_fd(pam_console_t) + hotplug_use_fds(pam_console_t) hotplug_dontaudit_search_config(pam_console_t) ') diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 845dc056..eae12da4 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -47,7 +47,7 @@ term_use_all_user_ptys(hwclock_t) domain_use_interactive_fds(hwclock_t) -init_use_fd(hwclock_t) +init_use_fds(hwclock_t) init_use_script_ptys(hwclock_t) files_read_etc_files(hwclock_t) diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te index 73c32d02..0c617298 100644 --- a/refpolicy/policy/modules/system/daemontools.te +++ b/refpolicy/policy/modules/system/daemontools.te @@ -42,7 +42,7 @@ files_type(svc_svc_t) allow svc_multilog_t svc_svc_t:dir rw_dir_perms; allow svc_multilog_t svc_svc_t:file create_file_perms; -init_use_fd(svc_multilog_t) +init_use_fds(svc_multilog_t) libs_use_ld_so(svc_multilog_t) libs_use_shared_libs(svc_multilog_t) @@ -82,7 +82,7 @@ files_search_pids(svc_run_t) files_search_var_lib(svc_run_t) init_use_script_fds(svc_run_t) -init_use_fd(svc_run_t) +init_use_fds(svc_run_t) libs_use_ld_so(svc_run_t) libs_use_shared_libs(svc_run_t) diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 34bc157f..0d069a64 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -57,7 +57,7 @@ kernel_getattr_proc(fsadm_t) kernel_rw_unlabeled_dirs(fsadm_t) kernel_rw_unlabeled_blk_files(fsadm_t) -bootloader_getattr_boot_dirs(fsadm_t) +files_getattr_boot_dirs(fsadm_t) dev_getattr_all_chr_files(fsadm_t) # mkreiserfs and other programs need this for UUID @@ -125,7 +125,7 @@ files_manage_mnt_dirs(fsadm_t) # for tune2fs files_search_all(fsadm_t) -init_use_fd(fsadm_t) +init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) libs_use_ld_so(fsadm_t) diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index ed6cf363..79a89e7c 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if @@ -34,7 +34,7 @@ interface(`getty_domtrans',` ## ## # -interface(`getty_use_fd',` +interface(`getty_use_fds',` gen_require(` type getty_t; ') diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index bebab10f..456e3b50 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -47,10 +47,10 @@ allow getty_t getty_etc_t:lnk_file { getattr read }; files_etc_filetrans(getty_t,getty_etc_t,{ file dir }) allow getty_t getty_lock_t:file create_file_perms; -files_lock_filetrans(getty_t,getty_lock_t) +files_lock_filetrans(getty_t,getty_lock_t,file) allow getty_t getty_log_t:file create_file_perms; -logging_log_filetrans(getty_t,getty_log_t) +logging_log_filetrans(getty_t,getty_log_t,file) allow getty_t getty_tmp_t:file create_file_perms; allow getty_t getty_tmp_t:dir create_dir_perms; @@ -58,7 +58,7 @@ files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir }) allow getty_t getty_var_run_t:file create_file_perms; allow getty_t getty_var_run_t:dir rw_dir_perms; -files_pid_filetrans(getty_t,getty_var_run_t) +files_pid_filetrans(getty_t,getty_var_run_t,file) kernel_list_proc(getty_t) kernel_read_proc_symlinks(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 2f7b48ad..dbe028b0 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -35,7 +35,7 @@ term_dontaudit_use_console(hostname_t) term_use_all_user_ttys(hostname_t) term_use_all_user_ptys(hostname_t) -init_use_fd(hostname_t) +init_use_fds(hostname_t) init_use_script_fds(hostname_t) init_use_script_ptys(hostname_t) diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 6b8abaf8..3aa11c9b 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -36,9 +36,9 @@ interface(`hotplug_exec',` ####################################### # -# hotplug_use_fd(domain) +# hotplug_use_fds(domain) # -interface(`hotplug_use_fd',` +interface(`hotplug_use_fds',` gen_require(` type hotplug_t; ') @@ -48,9 +48,9 @@ interface(`hotplug_use_fd',` ####################################### # -# hotplug_dontaudit_use_fd(domain) +# hotplug_dontaudit_use_fds(domain) # -interface(`hotplug_dontaudit_use_fd',` +interface(`hotplug_dontaudit_use_fds',` gen_require(` type hotplug_t; ') diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 723bd71a..b5d63779 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -42,7 +42,7 @@ can_exec(hotplug_t,hotplug_exec_t) allow hotplug_t hotplug_var_run_t:file manage_file_perms; allow hotplug_t hotplug_var_run_t:dir rw_dir_perms; -files_pid_filetrans(hotplug_t,hotplug_var_run_t) +files_pid_filetrans(hotplug_t,hotplug_var_run_t,file) kernel_sigchld(hotplug_t) kernel_setpgid(hotplug_t) @@ -50,7 +50,7 @@ kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctls(hotplug_t) kernel_read_net_sysctls(hotplug_t) -bootloader_read_kernel_modules(hotplug_t) +files_read_kernel_modules(hotplug_t) corenet_tcp_sendrecv_all_if(hotplug_t) corenet_udp_sendrecv_all_if(hotplug_t) @@ -95,7 +95,7 @@ files_exec_etc_files(hotplug_t) # for when filesystems are not mounted early in the boot: files_dontaudit_search_isid_type_dirs(hotplug_t) -init_use_fd(hotplug_t) +init_use_fds(hotplug_t) init_use_script_ptys(hotplug_t) init_read_script_state(hotplug_t) # Allow hotplug (including /sbin/ifup-local) to start/stop services and @@ -152,7 +152,7 @@ optional_policy(`fstools',` ') optional_policy(`hal',` - hal_dgram_sendto(hotplug_t) + hal_dgram_send(hotplug_t) ') optional_policy(`hostname',` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 1da9f70c..dad3d96f 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -297,9 +297,9 @@ interface(`init_sigchld',` ######################################## # -# init_use_fd(domain) +# init_use_fds(domain) # -interface(`init_use_fd',` +interface(`init_use_fds',` gen_require(` type init_t; ') @@ -309,9 +309,9 @@ interface(`init_use_fd',` ######################################## # -# init_dontaudit_use_fd(domain) +# init_dontaudit_use_fds(domain) # -interface(`init_dontaudit_use_fd',` +interface(`init_dontaudit_use_fds',` gen_require(` type init_t; ') @@ -810,9 +810,9 @@ interface(`init_rw_script_tmp_files',` ## The type of the object to be created ## ## -## +## ## -## The object class. If not specified, file is used. +## The object class. ## ## # @@ -824,12 +824,7 @@ interface(`init_script_tmp_filetrans',` files_search_tmp($1) allow $1 initrc_tmp_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 initrc_tmp_t:file $2; - ',` - type_transition $1 initrc_tmp_t:$3 $2; - ') + type_transition $1 initrc_tmp_t:$3 $2; ') ######################################## diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index d83d9098..e3d90553 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -104,7 +104,7 @@ allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; -files_pid_filetrans(init_t,init_var_run_t) +files_pid_filetrans(init_t,init_var_run_t,file) allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink }; fs_associate_tmpfs(initctl_t) @@ -224,7 +224,7 @@ allow initrc_t initrc_state_t:file create_file_perms; allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename }; allow initrc_t initrc_var_run_t:file create_file_perms; -files_pid_filetrans(initrc_t,initrc_var_run_t) +files_pid_filetrans(initrc_t,initrc_var_run_t,file) can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file create_file_perms; @@ -245,7 +245,7 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) -bootloader_read_kernel_symbol_table(initrc_t) +files_read_kernel_symbol_table(initrc_t) corenet_tcp_sendrecv_all_if(initrc_t) corenet_raw_sendrecv_all_if(initrc_t) @@ -395,7 +395,8 @@ ifdef(`distro_debian',` # for storing state under /dev/shm fs_setattr_tmpfs_dirs(initrc_t) - storage_create_fixed_disk_tmpfs(initrc_t) + storage_manage_fixed_disk(initrc_t) + storage_tmpfs_filetrans_fixed_disk(initrc_t) files_setattr_etc_dirs(initrc_t) ') @@ -416,7 +417,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd - kernel_dontaudit_use_fd(initrc_t) + kernel_dontaudit_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) @@ -424,7 +425,7 @@ ifdef(`distro_redhat',` # Create and read /boot/kernel.h and /boot/System.map. # Redhat systems typically create this file at boot time. bootloader_create_runtime_file(initrc_t) - bootloader_rw_boot_symlinks(initrc_t) + files_rw_boot_symlinks(initrc_t) # These seem to be from the initrd # during device initialization: @@ -442,7 +443,8 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(initrc_t) - storage_create_fixed_disk(initrc_t) + storage_manage_fixed_disk(initrc_t) + storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) # readahead asks for these diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index 9010cfe4..dd4ee281 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -109,7 +109,7 @@ domain_use_interactive_fds(ipsec_t) files_read_etc_files(ipsec_t) -init_use_fd(ipsec_t) +init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) libs_use_ld_so(ipsec_t) @@ -156,10 +156,10 @@ allow ipsec_mgmt_t self:key_socket { create setopt }; allow ipsec_mgmt_t self:fifo_file rw_file_perms; allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms; -files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t) +files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms; -files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t) +files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms; allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms; @@ -180,9 +180,8 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl }; allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms; allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms; -# cjp: combo of file_type_auto_trans and rw_dir_create_file allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms; -files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t) +files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file) # whack needs to connect to pluto allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write }; @@ -207,8 +206,8 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) -bootloader_read_kernel_symbol_table(ipsec_mgmt_t) -bootloader_getattr_kernel_modules(ipsec_mgmt_t) +files_read_kernel_symbol_table(ipsec_mgmt_t) +files_getattr_kernel_modules(ipsec_mgmt_t) dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) @@ -241,7 +240,7 @@ files_dontaudit_getattr_default_files(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) -init_use_fd(ipsec_mgmt_t) +init_use_fds(ipsec_mgmt_t) libs_use_ld_so(ipsec_mgmt_t) libs_use_shared_libs(ipsec_mgmt_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index c48dee85..d81e6f1e 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -27,7 +27,7 @@ dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t iptables_var_run_t:dir rw_dir_perms; -files_pid_filetrans(iptables_t,iptables_var_run_t) +files_pid_filetrans(iptables_t,iptables_var_run_t,file) can_exec(iptables_t,iptables_exec_t) @@ -41,7 +41,7 @@ kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) kernel_read_modprobe_sysctls(iptables_t) -kernel_use_fd(iptables_t) +kernel_use_fds(iptables_t) dev_read_sysfs(iptables_t) @@ -56,7 +56,7 @@ domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) -init_use_fd(iptables_t) +init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) @@ -82,7 +82,7 @@ ifdef(`targeted_policy', ` ') optional_policy(`firstboot',` - firstboot_use_fd(iptables_t) + firstboot_use_fds(iptables_t) firstboot_write_pipes(iptables_t) ') diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index bba2c990..801aa12d 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -28,7 +28,7 @@ interface(`locallogin_domtrans',` ## ## # -interface(`locallogin_use_fd',` +interface(`locallogin_use_fds',` gen_require(` type local_login_t; ') @@ -46,7 +46,7 @@ interface(`locallogin_use_fd',` ## ## # -interface(`locallogin_dontaudit_use_fd',` +interface(`locallogin_dontaudit_use_fds',` gen_require(` type local_login_t; ') diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 5c995141..b3eeb237 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -52,7 +52,7 @@ allow local_login_t self:msgq create_msgq_perms; allow local_login_t self:msg { send receive }; allow local_login_t local_login_lock_t:file create_file_perms; -files_lock_filetrans(local_login_t,local_login_lock_t) +files_lock_filetrans(local_login_t,local_login_lock_t,file) allow local_login_t local_login_tmp_t:dir create_dir_perms; allow local_login_t local_login_tmp_t:file create_file_perms; @@ -145,7 +145,7 @@ files_read_var_symlinks(local_login_t) files_polyinstantiate_all(local_login_t) init_rw_utmp(local_login_t) -init_dontaudit_use_fd(local_login_t) +init_dontaudit_use_fds(local_login_t) libs_use_ld_so(local_login_t) libs_use_shared_libs(local_login_t) diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 163ada10..10d4d26a 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -98,13 +98,9 @@ interface(`logging_log_filetrans',` type var_log_t; ') + files_search_var($1) allow $1 var_log_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 var_log_t:file $2; - ',` - type_transition $1 var_log_t:$3 $2; - ') + type_transition $1 var_log_t:$3 $2; ') ####################################### diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index c8cebad4..161a82f1 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -83,9 +83,9 @@ mls_file_read_up(auditctl_t) term_use_all_terms(auditctl_t) init_use_script_ptys(auditctl_t) -init_dontaudit_use_fd(auditctl_t) +init_dontaudit_use_fds(auditctl_t) -locallogin_dontaudit_use_fd(auditctl_t) +locallogin_dontaudit_use_fds(auditctl_t) logging_send_syslog_msg(auditctl_t) @@ -131,7 +131,7 @@ allow auditd_t var_log_t:dir search; allow auditd_t auditd_var_run_t:file create_file_perms; allow auditd_t auditd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(auditd_t,auditd_var_run_t) +files_pid_filetrans(auditd_t,auditd_var_run_t,file) kernel_read_kernel_sysctls(auditd_t) kernel_list_proc(auditd_t) @@ -152,7 +152,7 @@ domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) files_list_usr(auditd_t) -init_use_fd(auditd_t) +init_use_fds(auditd_t) init_exec(auditd_t) init_write_initctl(auditd_t) init_use_script_ptys(auditd_t) @@ -203,7 +203,7 @@ files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir }) allow klogd_t klogd_var_run_t:file create_file_perms; allow klogd_t klogd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(klogd_t,klogd_var_run_t) +files_pid_filetrans(klogd_t,klogd_var_run_t,file) kernel_read_system_state(klogd_t) kernel_read_messages(klogd_t) @@ -212,7 +212,7 @@ kernel_read_kernel_sysctls(klogd_t) kernel_clear_ring_buffer(klogd_t) kernel_change_ring_buffer_level(klogd_t) -bootloader_read_kernel_symbol_table(klogd_t) +files_read_kernel_symbol_table(klogd_t) dev_read_raw_memory(klogd_t) dev_read_sysfs(klogd_t) @@ -228,7 +228,7 @@ files_read_etc_runtime_files(klogd_t) # read /etc/nsswitch.conf files_read_etc_files(klogd_t) -init_use_fd(klogd_t) +init_use_fds(klogd_t) init_use_script_ptys(klogd_t) libs_use_ld_so(klogd_t) @@ -294,7 +294,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) # manage pid file allow syslogd_t syslogd_var_run_t:file create_file_perms; allow syslogd_t syslogd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(syslogd_t,syslogd_var_run_t) +files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) kernel_read_kernel_sysctls(syslogd_t) kernel_read_proc_symlinks(syslogd_t) @@ -329,7 +329,7 @@ corenet_udp_bind_syslogd_port(syslogd_t) fs_getattr_all_fs(syslogd_t) -init_use_fd(syslogd_t) +init_use_fds(syslogd_t) init_use_script_ptys(syslogd_t) domain_use_interactive_fds(syslogd_t) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 282f004d..6264099c 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -55,7 +55,7 @@ allow clvmd_t self:udp_socket create_socket_perms; allow clvmd_t clvmd_var_run_t:file create_file_perms; allow clvmd_t clvmd_var_run_t:dir rw_dir_perms; -files_pid_filetrans(clvmd_t,clvmd_var_run_t) +files_pid_filetrans(clvmd_t,clvmd_var_run_t,file) kernel_read_kernel_sysctls(clvmd_t) kernel_list_proc(clvmd_t) @@ -86,7 +86,7 @@ domain_use_interactive_fds(clvmd_t) files_list_usr(clvmd_t) -init_use_fd(clvmd_t) +init_use_fds(clvmd_t) init_use_script_ptys(clvmd_t) libs_use_ld_so(clvmd_t) @@ -151,11 +151,11 @@ can_exec(lvm_t, lvm_exec_t) # Creating lock files allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:file create_file_perms; -files_lock_filetrans(lvm_t,lvm_lock_t) +files_lock_filetrans(lvm_t,lvm_lock_t,file) allow lvm_t lvm_var_run_t:file create_file_perms; allow lvm_t lvm_var_run_t:dir create_dir_perms; -files_pid_filetrans(lvm_t,lvm_var_run_t) +files_pid_filetrans(lvm_t,lvm_var_run_t,file) allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms; @@ -210,7 +210,8 @@ storage_relabel_fixed_disk(lvm_t) # depending on its version # LVM(2) needs to create directores (/dev/mapper, /dev/) # and links from /dev/ to /dev/mapper/- -storage_create_fixed_disk(lvm_t) +# cjp: need create interface here for fixed disk create +storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -227,7 +228,7 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) -init_use_fd(lvm_t) +init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index ddd0e8c9..05238434 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -15,7 +15,7 @@ interface(`modutils_read_module_deps',` type modules_dep_t; ') - bootloader_list_kernel_modules($1) + files_list_kernel_modules($1) allow $1 modules_dep_t:file r_file_perms; ') @@ -38,7 +38,7 @@ interface(`modutils_read_module_config',` # This file type can be in /etc or # /lib(64)?/modules files_search_etc($1) - bootloader_search_boot($1) + files_search_boot($1) allow $1 modules_conf_t:{ file lnk_file } r_file_perms; ') diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index c50a9c22..64d21e27 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -66,9 +66,9 @@ kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) kernel_read_hotplug_sysctls(insmod_t) -bootloader_read_kernel_modules(insmod_t) +files_read_kernel_modules(insmod_t) # for locking: (cjp: ????) -bootloader_write_kernel_modules(insmod_t) +files_write_kernel_modules(insmod_t) dev_search_sysfs(insmod_t) dev_search_usbfs(insmod_t) @@ -101,7 +101,7 @@ files_dontaudit_search_pids(insmod_t) files_dontaudit_search_isid_type_dirs(insmod_t) init_rw_initctl(insmod_t) -init_use_fd(insmod_t) +init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) @@ -166,12 +166,12 @@ can_exec(depmod_t, depmod_exec_t) allow depmod_t modules_conf_t:file r_file_perms; allow depmod_t modules_dep_t:file create_file_perms; -bootloader_modules_filetrans(depmod_t,modules_dep_t) +files_kernel_modules_filetrans(depmod_t,modules_dep_t,file) kernel_read_system_state(depmod_t) -bootloader_read_kernel_symbol_table(depmod_t) -bootloader_read_kernel_modules(depmod_t) +files_read_kernel_symbol_table(depmod_t) +files_read_kernel_modules(depmod_t) fs_getattr_xattr_fs(depmod_t) @@ -182,7 +182,7 @@ corecmd_search_sbin(depmod_t) domain_use_interactive_fds(depmod_t) -init_use_fd(depmod_t) +init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) @@ -228,8 +228,8 @@ can_exec(update_modules_t, update_modules_exec_t) # manage module loading configuration allow update_modules_t modules_conf_t:file create_file_perms; -bootloader_modules_filetrans(update_modules_t,modules_conf_t) -files_etc_filetrans(update_modules_t,modules_conf_t) +files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file) +files_etc_filetrans(update_modules_t,modules_conf_t,file) # transition to depmod domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) @@ -251,7 +251,7 @@ fs_getattr_xattr_fs(update_modules_t) term_use_console(update_modules_t) -init_use_fd(update_modules_t) +init_use_fds(update_modules_t) init_use_script_fds(update_modules_t) init_use_script_ptys(update_modules_t) diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index b4ad1496..ce71126f 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -86,7 +86,7 @@ interface(`mount_exec',` ## ## # -interface(`mount_use_fd',` +interface(`mount_use_fds',` gen_require(` type mount_t; ') diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 400a3c0a..19ef36ed 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -71,7 +71,7 @@ files_unmount_all_file_type_fs(mount_t) # cjp: this seems wrong, the type should probably be etc files_read_isid_type_files(mount_t) -init_use_fd(mount_t) +init_use_fds(mount_t) init_use_script_ptys(mount_t) libs_use_ld_so(mount_t) @@ -125,7 +125,7 @@ optional_policy(`portmap',` ') optional_policy(`apm',` - apm_use_fd(mount_t) + apm_use_fds(mount_t) ') # for kernel package installation diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 6b57cf52..df17b40a 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -43,16 +43,16 @@ dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file) # Create stab file allow cardmgr_t cardmgr_var_lib_t:file create_file_perms; allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms; -files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t) +files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file) allow cardmgr_t cardmgr_var_run_t:file create_file_perms; -files_pid_filetrans(cardmgr_t,cardmgr_var_run_t) +files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file) kernel_read_system_state(cardmgr_t) kernel_read_kernel_sysctls(cardmgr_t) kernel_dontaudit_getattr_message_if(cardmgr_t) -bootloader_search_kernel_modules(cardmgr_t) +files_search_kernel_modules(cardmgr_t) dev_read_sysfs(cardmgr_t) dev_manage_cardmgr_dev(cardmgr_t) @@ -98,7 +98,7 @@ files_dontaudit_getattr_all_symlinks(cardmgr_t) files_dontaudit_getattr_all_pipes(cardmgr_t) files_dontaudit_getattr_all_sockets(cardmgr_t) -init_use_fd(cardmgr_t) +init_use_fds(cardmgr_t) init_use_script_ptys(cardmgr_t) libs_use_ld_so(cardmgr_t) diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index ace3f78a..f6ad01f5 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -24,7 +24,7 @@ dontaudit mdadm_t self:capability sys_tty_config; allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; allow mdadm_t mdadm_var_run_t:file create_file_perms; -files_pid_filetrans(mdadm_t,mdadm_var_run_t) +files_pid_filetrans(mdadm_t,mdadm_var_run_t,file) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) @@ -53,7 +53,7 @@ domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) -init_use_fd(mdadm_t) +init_use_fds(mdadm_t) init_use_script_ptys(mdadm_t) init_dontaudit_getattr_initctl(mdadm_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index b30c1c9f..c6e02c43 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -148,7 +148,7 @@ files_list_usr(checkpolicy_t) # directory search permissions for path to source and binary policy files files_search_etc(checkpolicy_t) -init_use_fd(checkpolicy_t) +init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) libs_use_ld_so(checkpolicy_t) @@ -333,7 +333,7 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; -kernel_use_fd(restorecon_t) +kernel_use_fds(restorecon_t) kernel_rw_pipes(restorecon_t) kernel_read_system_state(restorecon_t) kernel_relabelfrom_unlabeled_dirs(restorecon_t) @@ -365,7 +365,7 @@ term_use_unallocated_ttys(restorecon_t) term_use_all_user_ttys(restorecon_t) term_use_all_user_ptys(restorecon_t) -init_use_fd(restorecon_t) +init_use_fds(restorecon_t) init_use_script_ptys(restorecon_t) domain_use_interactive_fds(restorecon_t) @@ -398,7 +398,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(`hotplug',` - hotplug_use_fd(restorecon_t) + hotplug_use_fds(restorecon_t) ') ifdef(`TODO',` @@ -562,7 +562,7 @@ term_use_unallocated_ttys(setfiles_t) # this is to satisfy the assertion: auth_relabelto_shadow(setfiles_t) -init_use_fd(setfiles_t) +init_use_fds(setfiles_t) init_use_script_fds(setfiles_t) init_use_script_ptys(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index ebf653c7..91809a57 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -453,9 +453,9 @@ interface(`sysnet_search_dhcp_state',` ## The type of the object to be created ## ## -## +## ## -## The object class. If not specified, file is used. +## The object class. ## ## # @@ -466,12 +466,7 @@ interface(`sysnet_dhcp_state_filetrans',` files_search_var_lib($1) allow $1 dhcp_state_t:dir rw_dir_perms; - - ifelse(`$3',`',` - type_transition $1 dhcp_state_t:file $2; - ',` - type_transition $1 dhcp_state_t:$3 $2; - ') + type_transition $1 dhcp_state_t:$3 $2; ') ######################################## diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index 1568eb60..24016464 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -65,7 +65,7 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t; # create pid file allow dhcpc_t dhcpc_var_run_t:file create_file_perms; allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms; -files_pid_filetrans(dhcpc_t,dhcpc_var_run_t) +files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -89,7 +89,7 @@ allow ifconfig_t dhcpc_t:process sigchld; kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) kernel_read_kernel_sysctls(dhcpc_t) -kernel_use_fd(dhcpc_t) +kernel_use_fds(dhcpc_t) corenet_tcp_sendrecv_all_if(dhcpc_t) corenet_raw_sendrecv_all_if(dhcpc_t) @@ -131,7 +131,7 @@ files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) -init_use_fd(dhcpc_t) +init_use_fds(dhcpc_t) init_use_script_ptys(dhcpc_t) init_rw_utmp(dhcpc_t) @@ -277,7 +277,7 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; files_read_etc_files(ifconfig_t); -kernel_use_fd(ifconfig_t) +kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) @@ -296,7 +296,7 @@ domain_use_interactive_fds(ifconfig_t) files_dontaudit_read_root_files(ifconfig_t) -init_use_fd(ifconfig_t) +init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) libs_use_ld_so(ifconfig_t) @@ -337,5 +337,5 @@ optional_policy(`nis',` ') optional_policy(`ppp',` - ppp_use_fd(ifconfig_t) + ppp_use_fds(ifconfig_t) ') diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 1e4175a9..6aa57cef 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -77,7 +77,7 @@ interface(`udev_read_state',` ## ## # -interface(`udev_dontaudit_use_fd',` +interface(`udev_dontaudit_use_fds',` gen_require(` type udev_t; ') diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 329b2dae..d7c825fa 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -70,11 +70,11 @@ dev_filetrans(udev_t,udev_tbl_t,file) allow udev_t udev_var_run_t:file create_file_perms; allow udev_t udev_var_run_t:dir rw_dir_perms; -files_pid_filetrans(udev_t,udev_var_run_t) +files_pid_filetrans(udev_t,udev_var_run_t,file) kernel_read_system_state(udev_t) kernel_getattr_core_if(udev_t) -kernel_use_fd(udev_t) +kernel_use_fds(udev_t) kernel_read_device_sysctls(udev_t) kernel_read_hotplug_sysctls(udev_t) kernel_read_modprobe_sysctls(udev_t) @@ -115,7 +115,7 @@ files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) -init_use_fd(udev_t) +init_use_fds(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) @@ -180,7 +180,7 @@ optional_policy(`dbus',` ') optional_policy(`hal',` - hal_dgram_sendto(udev_t) + hal_dgram_send(udev_t) ') optional_policy(`hotplug',` diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index bc32cd79..68a09fdf 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -67,10 +67,6 @@ interface(`unconfined_domain_noaudit',` auth_unconfined($1) ') - optional_policy(`bootloader',` - bootloader_manage_kernel_modules($1) - ') - optional_policy(`dbus',` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -208,7 +204,7 @@ interface(`unconfined_shell_domtrans',` ## ## # -interface(`unconfined_use_fd',` +interface(`unconfined_use_fds',` gen_require(` type unconfined_t; ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 47385064..c00a0baa 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -367,8 +367,8 @@ template(`base_user_template',` optional_policy(`inetd',` inetd_tcp_connect($1_t) - inetd_udp_sendto($1_t) - inetd_use_fd($1_t) + inetd_udp_send($1_t) + inetd_use_fds($1_t) inetd_rw_tcp_sockets($1_t) ') @@ -551,7 +551,7 @@ template(`unpriv_user_template', ` dev_read_sysfs($1_t) # cjp: why? - bootloader_read_kernel_symbol_table($1_t) + files_read_kernel_symbol_table($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) @@ -574,7 +574,7 @@ template(`unpriv_user_template', ` # then fall back to read-only if it fails. init_dontaudit_write_utmp($1_t) # Stop warnings about access to /dev/console - init_dontaudit_use_fd($1_t) + init_dontaudit_use_fds($1_t) init_dontaudit_use_script_fds($1_t) miscfiles_read_man_pages($1_t) @@ -3360,8 +3360,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',` # interface(`userdom_use_sysadm_fds',` ifdef(`targeted_policy',` - #cjp: need to doublecheck this one - unconfined_use_fd($1) + unconfined_use_fds($1) ',` gen_require(` type sysadm_t; @@ -3859,7 +3858,7 @@ interface(`userdom_home_filetrans_generic_user_home_dir',` type user_home_dir_t; ') - files_home_filetrans($1,user_home_dir_t) + files_home_filetrans($1,user_home_dir_t,dir) ') ######################################## @@ -3890,7 +3889,7 @@ interface(`userdom_search_generic_user_home_dirs',` ## Domain allowed access. ## ## -## +## ## ## The class of the object to be created. ## If not specified, file is used. @@ -3903,13 +3902,8 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',` ') files_search_home($1) - allow $1 user_home_dir_t:dir rw_dir_perms; - ifelse(`$2',`',` - type_transition $1 user_home_dir_t:file user_home_t; - ',` - type_transition $1 user_home_dir_t:$2 user_home_t; - ') + type_transition $1 user_home_dir_t:$2 user_home_t; ') ######################################## @@ -4436,5 +4430,5 @@ interface(`userdom_unconfined',` ') allow $1 user_home_dir_t:dir create_dir_perms; - files_home_filetrans($1,user_home_dir_t) + files_home_filetrans($1,user_home_dir_t,dir) ') diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 6db0b1b4..71ad4da0 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -150,7 +150,7 @@ ifdef(`targeted_policy',` # Add/remove user home directories allow sysadm_t user_home_dir_t:dir create_dir_perms; - files_home_filetrans(sysadm_t,user_home_dir_t) + files_home_filetrans(sysadm_t,user_home_dir_t,dir) corecmd_exec_shell(sysadm_t) diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt index ecc755a4..d4870803 100644 --- a/refpolicy/policy/support/obj_perm_sets.spt +++ b/refpolicy/policy/support/obj_perm_sets.spt @@ -210,7 +210,8 @@ define(`setattr_file_perms',`{ setattr }') define(`read_file_perms',`{ getattr read lock ioctl }') define(`append_file_perms',`{ getattr append lock ioctl }') define(`write_file_perms',`{ getattr write append lock ioctl }') -define(`rw_file_perms', `{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ getattr read write append ioctl lock }') +define(`delete_file_perms',`{ getattr unlink }') define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') #