split out filetrans part of files_manage_etc_runtime_files(), bug 1663

refpolicy/policy/modules/admin/bootloader.te

@@ -110,6 +110,7 @@ files_read_kernel_modules(bootloader_t)
 files_dontaudit_search_pids(bootloader_t)
 # for blkid.tab
 files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t,file)
 
 init_getattr_initctl(bootloader_t)
 init_use_script_ptys(bootloader_t)

refpolicy/policy/modules/admin/kudzu.te

@@ -88,6 +88,7 @@ files_search_var(kudzu_t)
 files_search_locks(kudzu_t)
 files_manage_etc_files(kudzu_t)
 files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t,file)
 files_manage_mnt_files(kudzu_t)
 files_manage_mnt_symlinks(kudzu_t)
 files_dontaudit_search_src(kudzu_t)

refpolicy/policy/modules/kernel/files.if

@@ -1682,6 +1682,19 @@ interface(`files_relabel_etc_files',`
 	allow $1 etc_t:file { relabelfrom relabelto };
 ')
 
+########################################
+#
+# files_etc_filetrans(domain,privatetype,class(es))
+#
+interface(`files_etc_filetrans',`
+	gen_require(`
+		type etc_t;
+	')
+
+	allow $1 etc_t:dir rw_dir_perms;
+	type_transition $1 etc_t:$3 $2;
+')
+
 ########################################
 #
 # files_create_boot_flag(domain)
@@ -1778,21 +1791,32 @@ interface(`files_manage_etc_runtime_files',`
 
 	allow $1 etc_t:dir rw_dir_perms;
 	allow $1 etc_runtime_t:dir rw_dir_perms;
-	allow $1 etc_runtime_t:file create_file_perms;
+	allow $1 etc_runtime_t:file manage_file_perms;
-	type_transition $1 etc_t:file etc_runtime_t;
 ')
 
 ########################################
+## <summary>
+##	Create, etc runtime objects with an automatic
+##	type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
 #
-# files_etc_filetrans(domain,privatetype,class(es))
+interface(`files_etc_filetrans_etc_runtime',`
-#
-interface(`files_etc_filetrans',`
 	gen_require(`
-		type etc_t;
+		type etc_t, etc_runtime_t;
 	')
 
 	allow $1 etc_t:dir rw_dir_perms;
-	type_transition $1 etc_t:$3 $2;
+	type_transition $1 etc_t:$2 etc_runtime_t;
 ')
 
 ########################################

refpolicy/policy/modules/services/samba.te

@@ -496,6 +496,7 @@ corecmd_list_bin(smbmount_t)
 files_list_mnt(smbmount_t)
 files_mounton_mnt(smbmount_t)
 files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t,file)
 files_read_etc_files(smbmount_t)
 
 miscfiles_read_localization(smbmount_t)

refpolicy/policy/modules/services/watchdog.te

@@ -75,6 +75,7 @@ domain_kill_all_domains(watchdog_t)
 files_read_etc_files(watchdog_t)
 # for updating mtab on umount
 files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t,file)
 
 fs_unmount_xattr_fs(watchdog_t)
 fs_getattr_all_fs(watchdog_t)

refpolicy/policy/modules/system/fstools.te

@@ -121,6 +121,7 @@ files_manage_lost_found(fsadm_t)
 files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t,file)
 # Access to /initrd devices
 files_rw_isid_type_dirs(fsadm_t)
 files_rw_isid_type_blk_files(fsadm_t)

refpolicy/policy/modules/system/hotplug.te

@@ -91,6 +91,7 @@ domain_dontaudit_getattr_all_domains(hotplug_t)
 
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
+files_etc_filetrans_etc_runtime(hotplug_t,file)
 files_exec_etc_files(hotplug_t)
 # for when filesystems are not mounted early in the boot:
 files_dontaudit_search_isid_type_dirs(hotplug_t)

refpolicy/policy/modules/system/init.te

@@ -146,6 +146,7 @@ files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
 files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
+files_etc_filetrans_etc_runtime(init_t,file)
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
@@ -337,6 +338,7 @@ files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
 files_manage_etc_runtime_files(initrc_t)
+files_etc_filetrans_etc_runtime(initrc_t,file)
 files_manage_generic_locks(initrc_t)
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)

refpolicy/policy/modules/system/mount.te

@@ -71,6 +71,7 @@ domain_use_interactive_fds(mount_t)
 files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
+files_etc_filetrans_etc_runtime(mount_t,file)
 files_mounton_all_mountpoints(mount_t)
 files_unmount_rootfs(mount_t)
 # These rules need to be generalized.  Only admin, initrc should have it:
@@ -164,6 +165,6 @@ optional_policy(`
 #
 
 ifdef(`targeted_policy',`
-	files_manage_etc_runtime_files(unconfined_mount_t)
+	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
 ')