From 763c441e3b03983698ac2e5556f90803ce86693f Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Wed, 8 Jun 2005 13:12:00 +0000 Subject: [PATCH] start renaming filesystem interfaces --- refpolicy/policy/global_tunables | 8 +- refpolicy/policy/modules/admin/consoletype.te | 4 +- refpolicy/policy/modules/admin/netutils.te | 6 +- refpolicy/policy/modules/admin/rpm.te | 20 +- refpolicy/policy/modules/admin/usermanage.te | 12 +- refpolicy/policy/modules/apps/gpg.if | 2 +- refpolicy/policy/modules/kernel/bootloader.te | 2 +- refpolicy/policy/modules/kernel/devices.if | 6 +- refpolicy/policy/modules/kernel/devices.te | 94 ++-- refpolicy/policy/modules/kernel/filesystem.if | 468 +++++++++--------- refpolicy/policy/modules/kernel/kernel.if | 24 +- refpolicy/policy/modules/kernel/kernel.te | 10 +- refpolicy/policy/modules/kernel/terminal.if | 2 +- refpolicy/policy/modules/kernel/terminal.te | 2 +- refpolicy/policy/modules/services/cron.if | 4 +- refpolicy/policy/modules/services/cron.te | 6 +- refpolicy/policy/modules/services/mta.te | 2 +- .../policy/modules/services/remotelogin.te | 2 +- refpolicy/policy/modules/services/sendmail.te | 4 +- refpolicy/policy/modules/system/authlogin.if | 6 +- refpolicy/policy/modules/system/authlogin.te | 6 +- refpolicy/policy/modules/system/clock.te | 2 +- refpolicy/policy/modules/system/domain.if | 2 +- refpolicy/policy/modules/system/files.if | 30 +- refpolicy/policy/modules/system/files.te | 80 +-- refpolicy/policy/modules/system/getty.te | 2 +- refpolicy/policy/modules/system/hostname.te | 4 +- refpolicy/policy/modules/system/hotplug.te | 4 +- refpolicy/policy/modules/system/init.te | 24 +- refpolicy/policy/modules/system/iptables.te | 2 +- refpolicy/policy/modules/system/libraries.te | 2 +- refpolicy/policy/modules/system/locallogin.te | 2 +- refpolicy/policy/modules/system/logging.te | 10 +- refpolicy/policy/modules/system/lvm.te | 2 +- refpolicy/policy/modules/system/modutils.te | 6 +- refpolicy/policy/modules/system/mount.te | 22 +- refpolicy/policy/modules/system/selinux.te | 20 +- 
.../policy/modules/system/selinuxutil.te | 20 +- refpolicy/policy/modules/system/sysnetwork.te | 4 +- refpolicy/policy/modules/system/udev.te | 6 +- refpolicy/policy/modules/system/userdomain.if | 57 ++- 41 files changed, 509 insertions(+), 482 deletions(-) diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index 9dc1832b..69b4342a 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -1,4 +1,10 @@ +## +## Enable extra rules in the cron domain +## to support fcron. +## +tunable_def(fcron_crond,false) + ## -## Allow the use of DNS for name resolution. +## Allow the use of DNS for name resolution. ## tunable_def(use_dns,false) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 45607121..2ed973ff 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -34,7 +34,7 @@ allow consoletype_t self:msg { send receive }; kernel_use_file_descriptors(consoletype_t) kernel_ignore_read_system_state(consoletype_t) -filesystem_get_all_filesystems_attributes(consoletype_t) +fs_get_all_fs_attributes(consoletype_t) terminal_use_console(consoletype_t) terminal_use_general_physical_terminal(consoletype_t) @@ -51,7 +51,7 @@ libraries_use_dynamic_loader(consoletype_t) libraries_use_shared_libraries(consoletype_t) ifdef(`distro_redhat', ` - filesystem_use_tmpfs_character_devices(consoletype_t) + fs_use_tmpfs_character_devices(consoletype_t) ') optional_policy(`authlogin.te', ` diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index ede8c86c..9a35ab69 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te 
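Review bot: The new `tunable_def(fcron_crond,false)` at the top of global_tunables is a functional change that the subject "start renaming filesystem interfaces" does not mention, so someone auditing this as a pure rename has no pointer to the new conditional cron rules it gates (presumably the cron.te/cron.if entries in the diffstat). A one-line addition to the commit message would close that gap, e.g. `Also add the fcron_crond tunable used by the fcron-specific rules in cron.te.`. The removed and re-added "Allow the use of DNS for name resolution." line shows no visible text difference, so it is likely a whitespace-only change and worth calling out as such.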
@@ -57,7 +57,7 @@ corenetwork_sendrecv_udp_on_all_ports(netutils_t) corenetwork_bind_tcp_on_all_nodes(netutils_t) corenetwork_bind_udp_on_all_nodes(netutils_t) -filesystem_get_persistent_filesystem_attributes(netutils_t) +fs_get_persistent_fs_attributes(netutils_t) init_use_file_descriptors(netutils_t) init_script_use_pseudoterminal(netutils_t) @@ -115,7 +115,7 @@ corenetwork_sendrecv_udp_on_all_ports(ping_t) corenetwork_bind_udp_on_all_nodes(ping_t) corenetwork_bind_tcp_on_all_nodes(ping_t) -filesystem_ignore_get_persistent_filesystem_attributes(ping_t) +fs_ignore_get_persistent_fs_attributes(ping_t) domain_use_widely_inheritable_file_descriptors(ping_t) @@ -173,7 +173,7 @@ corenetwork_sendrecv_udp_on_all_ports(traceroute_t) corenetwork_bind_udp_on_all_nodes(traceroute_t) corenetwork_bind_tcp_on_all_nodes(traceroute_t) -filesystem_ignore_get_persistent_filesystem_attributes(traceroute_t) +fs_ignore_get_persistent_fs_attributes(traceroute_t) domain_use_widely_inheritable_file_descriptors(traceroute_t) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 83a0db62..40ab2104 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -86,7 +86,7 @@ allow rpm_t rpm_tmpfs_t:file { create ioctl read getattr lock write setattr appe allow rpm_t rpm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow rpm_t rpm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow rpm_t rpm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -filesystem_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_create_private_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Access /var/lib/rpm files allow rpm_t rpm_var_lib_t:file { create ioctl read getattr lock write setattr append link unlink rename }; 
@@ -116,9 +116,9 @@ corenetwork_bind_udp_on_all_nodes(rpm_t) devices_get_pseudorandom_data(rpm_t) #devices_manage_all_device_types(rpm_t) -#filesystem_manage_nfs_dir(rpm_t) -#filesystem_manage_nfs_files(rpm_t) -filesystem_get_all_filesystems_attributes(rpm_t) +#fs_manage_nfs_dir(rpm_t) +#fs_manage_nfs_files(rpm_t) +fs_get_all_fs_attributes(rpm_t) storage_raw_write_fixed_disk(rpm_t) # for installing kernel packages @@ -242,7 +242,7 @@ allow rpm_script_t rpm_script_tmpfs_t:file { create ioctl read getattr lock writ allow rpm_script_t rpm_script_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow rpm_script_t rpm_script_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow rpm_script_t rpm_script_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; -filesystem_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_create_private_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctl(rpm_script_t) kernel_get_selinuxfs_mount_point(rpm_script_t) @@ -259,12 +259,12 @@ devices_manage_generic_character_devices(rpm_script_t) devices_manage_all_block_devices(rpm_script_t) devices_manage_all_character_devices(rpm_script_t) -filesystem_manage_nfs_files(rpm_script_t) -filesystem_get_nfs_filesystem_attributes(rpm_script_t) +fs_manage_nfs_files(rpm_script_t) +fs_get_nfs_fs_attributes(rpm_script_t) # why is this not using mount? -filesystem_get_persistent_filesystem_attributes(rpm_script_t) -filesystem_mount_persistent_filesystem(rpm_script_t) -filesystem_unmount_persistent_filesystem(rpm_script_t) +fs_get_persistent_fs_attributes(rpm_script_t) +fs_mount_persistent_fs(rpm_script_t) +fs_unmount_persistent_fs(rpm_script_t) storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) 
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 79064a9d..36984615 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -87,7 +87,7 @@ kernel_compute_selinux_reachable_user_contexts(chfn_t) terminal_use_all_private_physical_terminals(chfn_t) terminal_use_all_private_pseudoterminals(chfn_t) -filesystem_get_persistent_filesystem_attributes(chfn_t) +fs_get_persistent_fs_attributes(chfn_t) # for SSP devices_get_pseudorandom_data(chfn_t) @@ -163,7 +163,7 @@ kernel_read_system_state(crack_t) # for SSP devices_get_pseudorandom_data(crack_t) -filesystem_get_persistent_filesystem_attributes(crack_t) +fs_get_persistent_fs_attributes(crack_t) files_read_general_system_config(crack_t) files_read_runtime_system_config(crack_t) @@ -217,7 +217,7 @@ kernel_compute_selinux_create_context(groupadd_t) kernel_compute_selinux_relabel_context(groupadd_t) kernel_compute_selinux_reachable_user_contexts(groupadd_t) -filesystem_get_persistent_filesystem_attributes(groupadd_t) +fs_get_persistent_fs_attributes(groupadd_t) terminal_use_all_private_physical_terminals(groupadd_t) terminal_use_all_private_pseudoterminals(groupadd_t) @@ -295,7 +295,7 @@ kernel_compute_selinux_reachable_user_contexts(passwd_t) # for SSP devices_get_pseudorandom_data(passwd_t) -filesystem_get_persistent_filesystem_attributes(passwd_t) +fs_get_persistent_fs_attributes(passwd_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. @@ -394,7 +394,7 @@ kernel_read_system_state(sysadm_passwd_t) # for SSP devices_get_pseudorandom_data(sysadm_passwd_t) -filesystem_get_persistent_filesystem_attributes(sysadm_passwd_t) +fs_get_persistent_fs_attributes(sysadm_passwd_t) terminal_use_all_private_physical_terminals(sysadm_passwd_t) terminal_use_all_private_pseudoterminals(sysadm_passwd_t) 
@@ -483,7 +483,7 @@ kernel_compute_selinux_reachable_user_contexts(useradd_t) # for getting the number of groups kernel_read_kernel_sysctl(useradd_t) -filesystem_get_persistent_filesystem_attributes(useradd_t) +fs_get_persistent_fs_attributes(useradd_t) terminal_use_all_private_physical_terminals(useradd_t) terminal_use_all_private_pseudoterminals(useradd_t) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 3ed253ec..6f93c8aa 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -79,7 +79,7 @@ define(`gpg_per_userdomain_template',` devices_get_random_data($1_gpg_t) devices_get_pseudorandom_data($1_gpg_t) - filesystem_get_persistent_filesystem_attributes($1_gpg_t) + fs_get_persistent_fs_attributes($1_gpg_t) files_read_general_system_config($1_gpg_t) files_read_general_application_resources($1_gpg_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 6defbf2d..925f84c6 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -106,7 +106,7 @@ devices_get_pseudorandom_data(bootloader_t) # for reading BIOS data devices_raw_read_memory(bootloader_t) -filesystem_get_persistent_filesystem_attributes(bootloader_t) +fs_get_persistent_fs_attributes(bootloader_t) terminal_get_all_private_physical_terminal_attributes(bootloader_t) diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 95c2e0f6..3bcb1b6b 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -12,10 +12,10 @@ define(`devices_make_device_node',` typeattribute $1 device_node; - filesystem_associate($1) + fs_associate($1) optional_policy(`distro_redhat',` - filesystem_tmpfs_associate($1) + fs_tmpfs_associate($1) ') ') 
@@ -370,7 +370,7 @@ define(`devices_create_dev_entry',` type_transition $1 device_t:$3 $2; optional_policy(`distro_redhat',` - filesystem_tmpfs_associate($2) + fs_tmpfs_associate($2) ') ') diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index aece2342..a541a812 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -11,7 +11,7 @@ attribute memory_raw_write; type device_t; files_make_file(device_t) files_make_mountpoint(device_t) -filesystem_tmpfs_associate(device_t) +fs_tmpfs_associate(device_t) # Only directories and symlinks should be labeled device_t. # If there are other files with this type, it is wrong. 
@@ -25,142 +25,142 @@ filesystem_tmpfs_associate(device_t) # Type for /dev/agpgart # type agp_device_t, device_node; -filesystem_associate(agp_device_t) -filesystem_tmpfs_associate(agp_device_t) +fs_associate(agp_device_t) +fs_tmpfs_associate(agp_device_t) # # Type for /dev/apm_bios # type apm_bios_t, device_node; -filesystem_associate(apm_bios_t) -filesystem_tmpfs_associate(apm_bios_t) +fs_associate(apm_bios_t) +fs_tmpfs_associate(apm_bios_t) type cardmgr_dev_t, device_node; -filesystem_associate(cardmgr_dev_t) -filesystem_tmpfs_associate(cardmgr_dev_t) +fs_associate(cardmgr_dev_t) +fs_tmpfs_associate(cardmgr_dev_t) # # clock_device_t is the type of # /dev/rtc. # type clock_device_t, device_node; -filesystem_associate(clock_device_t) -filesystem_tmpfs_associate(clock_device_t) +fs_associate(clock_device_t) +fs_tmpfs_associate(clock_device_t) # # cpu control devices /dev/cpu/0/* # type cpu_device_t, device_node; -filesystem_associate(cpu_device_t) -filesystem_tmpfs_associate(cpu_device_t) +fs_associate(cpu_device_t) +fs_tmpfs_associate(cpu_device_t) type dri_device_t, device_node; -filesystem_associate(dri_device_t) -filesystem_tmpfs_associate(dri_device_t) +fs_associate(dri_device_t) +fs_tmpfs_associate(dri_device_t) type event_device_t, device_node; -filesystem_associate(event_device_t) -filesystem_tmpfs_associate(event_device_t) +fs_associate(event_device_t) +fs_tmpfs_associate(event_device_t) # # Type for framebuffer /dev/fb/* # type framebuf_device_t, device_node; -filesystem_associate(framebuf_device_t) -filesystem_tmpfs_associate(framebuf_device_t) +fs_associate(framebuf_device_t) +fs_tmpfs_associate(framebuf_device_t) # # Type for /dev/mapper/control # type lvm_control_t, device_node; -filesystem_associate(lvm_control_t) -filesystem_tmpfs_associate(lvm_control_t) +fs_associate(lvm_control_t) +fs_tmpfs_associate(lvm_control_t) # # memory_device_t is the type of /dev/kmem, # /dev/mem and /dev/port. 
# type memory_device_t, device_node; -filesystem_associate(memory_device_t) -filesystem_tmpfs_associate(memory_device_t) +fs_associate(memory_device_t) +fs_tmpfs_associate(memory_device_t) neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read; neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write }; type misc_device_t, device_node; -filesystem_associate(misc_device_t) -filesystem_tmpfs_associate(misc_device_t) +fs_associate(misc_device_t) +fs_tmpfs_associate(misc_device_t) # # A more general type for mouse devices. # type mouse_device_t, device_node; -filesystem_associate(mouse_device_t) -filesystem_tmpfs_associate(mouse_device_t) +fs_associate(mouse_device_t) +fs_tmpfs_associate(mouse_device_t) # # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t, device_node; -filesystem_associate(mtrr_device_t) -filesystem_tmpfs_associate(mtrr_device_t) +fs_associate(mtrr_device_t) +fs_tmpfs_associate(mtrr_device_t) genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0) # # null_device_t is the type of /dev/null. 
# type null_device_t, device_node; -filesystem_associate(null_device_t) -filesystem_tmpfs_associate(null_device_t) +fs_associate(null_device_t) +fs_tmpfs_associate(null_device_t) sid devnull context_template(system_u:object_r:null_device_t,s0) # # Type for /dev/pmu # type power_device_t, device_node; -filesystem_associate(power_device_t) -filesystem_tmpfs_associate(power_device_t) +fs_associate(power_device_t) +fs_tmpfs_associate(power_device_t) type printer_device_t, device_node; -filesystem_associate(printer_device_t) -filesystem_tmpfs_associate(printer_device_t) +fs_associate(printer_device_t) +fs_tmpfs_associate(printer_device_t) # # random_device_t is the type of /dev/random # type random_device_t, device_node; -filesystem_associate(random_device_t) -filesystem_tmpfs_associate(random_device_t) +fs_associate(random_device_t) +fs_tmpfs_associate(random_device_t) type scanner_device_t, device_node; -filesystem_associate(scanner_device_t) -filesystem_tmpfs_associate(scanner_device_t) +fs_associate(scanner_device_t) +fs_tmpfs_associate(scanner_device_t) # # Type for sound devices and mixers # type sound_device_t, device_node; -filesystem_associate(sound_device_t) -filesystem_tmpfs_associate(sound_device_t) +fs_associate(sound_device_t) +fs_tmpfs_associate(sound_device_t) # # urandom_device_t is the type of /dev/urandom # type urandom_device_t, device_node; -filesystem_associate(urandom_device_t) -filesystem_tmpfs_associate(urandom_device_t) +fs_associate(urandom_device_t) +fs_tmpfs_associate(urandom_device_t) type v4l_device_t, device_node; -filesystem_associate(v4l_device_t) -filesystem_tmpfs_associate(v4l_device_t) +fs_associate(v4l_device_t) +fs_tmpfs_associate(v4l_device_t) type xserver_misc_device_t, device_node; -filesystem_associate(xserver_misc_device_t) -filesystem_tmpfs_associate(xserver_misc_device_t) +fs_associate(xserver_misc_device_t) +fs_tmpfs_associate(xserver_misc_device_t) # # zero_device_t is the type of /dev/zero. 
# type zero_device_t, device_node; -filesystem_associate(zero_device_t) -filesystem_tmpfs_associate(zero_device_t) +fs_associate(zero_device_t) +fs_tmpfs_associate(zero_device_t) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index bf7e3201..c992b29b 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -3,29 +3,29 @@ ######################################## # -# filesystem_make_filesystem(type) +# fs_make_fs(type) # -define(`filesystem_make_filesystem',` +define(`fs_make_fs',` requires_block_template(`$0'_depend) typeattribute $1 fs_type; ') -define(`filesystem_make_filesystem_depend',` +define(`fs_make_fs_depend',` attribute fs_type; ') ######################################## # -# filesystem_associate(type) +# fs_associate(type) # -define(`filesystem_associate',` +define(`fs_associate',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem associate; ') -define(`filesystem_associate_depend',` +define(`fs_associate_depend',` type fs_t; class filesystem associate; @@ -33,9 +33,9 @@ define(`filesystem_associate_depend',` ######################################## # -# filesystem_noxattr_associate(type) +# fs_noxattr_associate(type) # -define(`filesystem_noxattr_associate',` +define(`fs_noxattr_associate',` requires_block_template(`$0'_depend) allow $1 autofs_t:filesystem associate; @@ -47,7 +47,7 @@ define(`filesystem_noxattr_associate',` allow $1 usbfs_t:filesystem associate; ') -define(`filesystem_noxattr_associate_depend',` +define(`fs_noxattr_associate_depend',` type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t; class filesystem associate; 
@@ -55,15 +55,15 @@ define(`filesystem_noxattr_associate_depend',` ######################################## # -# filesystem_mount_persistent_filesystem(domain) +# fs_mount_persistent_fs(domain) # -define(`filesystem_mount_persistent_filesystem',` +define(`fs_mount_persistent_fs',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem mount; ') -define(`filesystem_mount_persistent_filesystem_depend',` +define(`fs_mount_persistent_fs_depend',` type fs_t; class filesystem mount; @@ -71,15 +71,15 @@ define(`filesystem_mount_persistent_filesystem_depend',` ######################################## # -# filesystem_remount_persistent_filesystem(domain) +# fs_remount_persistent_fs(domain) # -define(`filesystem_remount_persistent_filesystem',` +define(`fs_remount_persistent_fs',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem remount; ') -define(`filesystem_remount_persistent_filesystem_depend',` +define(`fs_remount_persistent_fs_depend',` type fs_t; class filesystem remount; @@ -87,15 +87,15 @@ define(`filesystem_remount_persistent_filesystem_depend',` ######################################## # -# filesystem_unmount_persistent_filesystem(domain) +# fs_unmount_persistent_fs(domain) # -define(`filesystem_unmount_persistent_filesystem',` +define(`fs_unmount_persistent_fs',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem mount; ') -define(`filesystem_unmount_persistent_filesystem_depend',` +define(`fs_unmount_persistent_fs_depend',` type fs_t; class filesystem unmount; 
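Review bot: The renamed `fs_unmount_persistent_fs` still grants `allow $1 fs_t:filesystem mount;` while its `_depend` block declares `class filesystem unmount;`, so a domain given this interface receives mount on fs_t it did not ask for and never receives the unmount it needs. The body line is unchanged context, but the rename touches the whole macro and is the natural point to fix it: `allow $1 fs_t:filesystem unmount;`. The `mount` and `remount` siblings in the same file are internally consistent, which suggests a copy-paste origin, and if the requires block is enforced the undeclared `mount` permission would also be unsatisfied. The same mismatch is present in the renamed `fs_unmount_automount_fs`, `fs_unmount_windows_network_fs`, `fs_unmount_dos_fs`, `fs_unmount_cd_fs` and `fs_unmount_nfs_fs` hunks, each of whose `_depend` likewise lists `unmount`.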
@@ -103,15 +103,15 @@ define(`filesystem_unmount_persistent_filesystem_depend',` ######################################## # -# filesystem_get_persistent_filesystem_attributes(domain) +# fs_get_persistent_fs_attributes(domain) # -define(`filesystem_get_persistent_filesystem_attributes',` +define(`fs_get_persistent_fs_attributes',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem getattr; ') -define(`filesystem_get_persistent_filesystem_attributes_depend',` +define(`fs_get_persistent_fs_attributes_depend',` type fs_t; class filesystem getattr; @@ -119,15 +119,15 @@ define(`filesystem_get_persistent_filesystem_attributes_depend',` ######################################## # -# filesystem_ignore_get_persistent_filesystem_attributes(domain) +# fs_ignore_get_persistent_fs_attributes(domain) # -define(`filesystem_ignore_get_persistent_filesystem_attributes',` +define(`fs_ignore_get_persistent_fs_attributes',` requires_block_template(`$0'_depend) dontaudit $1 fs_t:filesystem getattr; ') -define(`filesystem_ignore_get_persistent_filesystem_attributes_depend',` +define(`fs_ignore_get_persistent_fs_attributes_depend',` type fs_t; class filesystem getattr; @@ -135,15 +135,15 @@ define(`filesystem_ignore_get_persistent_filesystem_attributes_depend',` ######################################## # -# filesystem_relabelfrom_persistent_filesystem(domain) +# fs_relabelfrom_persistent_fs(domain) # -define(`filesystem_relabelfrom_persistent_filesystem',` +define(`fs_relabelfrom_persistent_fs',` requires_block_template(`$0'_depend) allow $1 fs_t:filesystem relabelfrom; ') -define(`filesystem_relabelfrom_persistent_filesystem_depend',` +define(`fs_relabelfrom_persistent_fs_depend',` type fs_t; class filesystem relabelfrom; 
@@ -151,30 +151,30 @@ define(`filesystem_relabelfrom_persistent_filesystem_depend',` ######################################## # -# filesystem_mount_automount_filesystem(domain) +# fs_mount_automount_fs(domain) # -define(`filesystem_mount_automount_filesystem',` +define(`fs_mount_automount_fs',` requires_block_template(`$0'_depend) allow $1 autofs_t:filesystem mount; ') -define(`filesystem_mount_automount_filesystem_depend',` +define(`fs_mount_automount_fs_depend',` type autofs_t; class filesystem mount; ') ######################################## # -# filesystem_remount_automount_filesystem(domain) +# fs_remount_automount_fs(domain) # -define(`filesystem_remount_automount_filesystem',` +define(`fs_remount_automount_fs',` requires_block_template(`$0'_depend) allow $1 autofs_t:filesystem remount; ') -define(`filesystem_remount_automount_filesystem_depend',` +define(`fs_remount_automount_fs_depend',` type autofs_t; class filesystem remount; @@ -182,15 +182,15 @@ define(`filesystem_remount_automount_filesystem_depend',` ######################################## # -# filesystem_unmount_automount_filesystem(domain) +# fs_unmount_automount_fs(domain) # -define(`filesystem_unmount_automount_filesystem',` +define(`fs_unmount_automount_fs',` requires_block_template(`$0'_depend) allow $1 autofs_t:filesystem mount; ') -define(`filesystem_unmount_automount_filesystem_depend',` +define(`fs_unmount_automount_fs_depend',` type autofs_t; class filesystem unmount; 
@@ -198,15 +198,15 @@ define(`filesystem_unmount_automount_filesystem_depend',` ######################################## # -# filesystem_get_automount_filesystem_attributes(domain) +# fs_get_automount_fs_attributes(domain) # -define(`filesystem_get_automount_filesystem_attributes',` +define(`fs_get_automount_fs_attributes',` requires_block_template(`$0'_depend) allow $1 autofs_t:filesystem getattr; ') -define(`filesystem_get_automount_filesystem_attributes_depend',` +define(`fs_get_automount_fs_attributes_depend',` type autofs_t; class filesystem getattr; @@ -214,16 +214,16 @@ define(`filesystem_get_automount_filesystem_attributes_depend',` ######################################## # -# filesystem_register_binary_executable_type(domain) +# fs_register_binary_executable_type(domain) # -define(`filesystem_register_binary_executable_type',` +define(`fs_register_binary_executable_type',` requires_block_template(`$0'_depend) allow $1 binfmt_misc_fs_t:dir { getattr search }; allow $1 binfmt_misc_fs_t:file { getattr ioctl write }; ') -define(`filesystem_register_binary_executable_type_depend',` +define(`fs_register_binary_executable_type_depend',` type binfmt_misc_fs_t; class dir { getattr search }; @@ -232,15 +232,15 @@ define(`filesystem_register_binary_executable_type_depend',` ######################################## # -# filesystem_mount_windows_network_filesystem(domain) +# fs_mount_windows_network_fs(domain) # -define(`filesystem_mount_windows_network_filesystem',` +define(`fs_mount_windows_network_fs',` requires_block_template(`$0'_depend) allow $1 cifs_t:filesystem mount; ') -define(`filesystem_mount_windows_network_filesystem_depend',` +define(`fs_mount_windows_network_fs_depend',` type cifs_t; class filesystem mount; 
@@ -248,15 +248,15 @@ define(`filesystem_mount_windows_network_filesystem_depend',` ######################################## # -# filesystem_remount_windows_network_filesystem(domain) +# fs_remount_windows_network_fs(domain) # -define(`filesystem_remount_windows_network_filesystem',` +define(`fs_remount_windows_network_fs',` requires_block_template(`$0'_depend) allow $1 cifs_t:filesystem remount; ') -define(`filesystem_remount_windows_network_filesystem_depend',` +define(`fs_remount_windows_network_fs_depend',` type cifs_t; class filesystem remount; @@ -264,15 +264,15 @@ define(`filesystem_remount_windows_network_filesystem_depend',` ######################################## # -# filesystem_unmount_windows_network_filesystem(domain) +# fs_unmount_windows_network_fs(domain) # -define(`filesystem_unmount_windows_network_filesystem',` +define(`fs_unmount_windows_network_fs',` requires_block_template(`$0'_depend) allow $1 cifs_t:filesystem mount; ') -define(`filesystem_unmount_windows_network_filesystem_depend',` +define(`fs_unmount_windows_network_fs_depend',` type cifs_t; class filesystem unmount; @@ -280,15 +280,15 @@ define(`filesystem_unmount_windows_network_filesystem_depend',` ######################################## # -# filesystem_get_windows_network_filesystem_attributes(domain) +# fs_get_windows_network_fs_attributes(domain) # -define(`filesystem_get_windows_network_filesystem_attributes',` +define(`fs_get_windows_network_fs_attributes',` requires_block_template(`$0'_depend) allow $1 cifs_t:filesystem getattr; ') -define(`filesystem_get_windows_network_filesystem_attributes_depend',` +define(`fs_get_windows_network_fs_attributes_depend',` type cifs_t; class filesystem getattr; 
@@ -296,16 +296,16 @@ define(`filesystem_get_windows_network_filesystem_attributes_depend',` ######################################## # -# filesystem_execute_windows_network_files(domain) +# fs_execute_windows_network_files(domain) # -define(`filesystem_execute_windows_network_files',` +define(`fs_execute_windows_network_files',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir r_dir_perms; allow $1 cifs_t:file { getattr read execute execute_no_trans }; ') -define(`filesystem_execute_windows_network_files_depend',` +define(`fs_execute_windows_network_files_depend',` type cifs_t; class dir r_dir_perms; @@ -314,15 +314,15 @@ define(`filesystem_execute_windows_network_files_depend',` ######################################## # -# filesystem_manage_windows_network_directories(domain) +# fs_manage_windows_network_directories(domain) # -define(`filesystem_manage_windows_network_directories',` +define(`fs_manage_windows_network_directories',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir create_file_perms; ') -define(`filesystem_manage_windows_network_directories_depend',` +define(`fs_manage_windows_network_directories_depend',` type cifs_t; class dir create_file_perms; @@ -330,16 +330,16 @@ define(`filesystem_manage_windows_network_directories_depend',` ######################################## # -# filesystem_manage_windows_network_files(domain) +# fs_manage_windows_network_files(domain) # -define(`filesystem_manage_windows_network_files',` +define(`fs_manage_windows_network_files',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:file create_file_perms; ') -define(`filesystem_manage_windows_network_files_depend',` +define(`fs_manage_windows_network_files_depend',` type cifs_t; class dir rw_dir_perms; 
@@ -348,16 +348,16 @@ define(`filesystem_manage_windows_network_files_depend',` ######################################## # -# filesystem_manage_windows_network_symbolic_links(domain) +# fs_manage_windows_network_symbolic_links(domain) # -define(`filesystem_manage_windows_network_symbolic_links',` +define(`fs_manage_windows_network_symbolic_links',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:lnk_file create_lnk_perms; ') -define(`filesystem_manage_windows_network_symbolic_links_depend',` +define(`fs_manage_windows_network_symbolic_links_depend',` type cifs_t; class dir rw_dir_perms; @@ -366,16 +366,16 @@ define(`filesystem_manage_windows_network_symbolic_links_depend',` ######################################## # -# filesystem_manage_windows_network_named_pipes(domain) +# fs_manage_windows_network_named_pipes(domain) # -define(`filesystem_manage_windows_network_named_pipes',` +define(`fs_manage_windows_network_named_pipes',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:fifo_file create_file_perms; ') -define(`filesystem_manage_windows_network_named_pipes_depend',` +define(`fs_manage_windows_network_named_pipes_depend',` type cifs_t; class dir rw_dir_perms; @@ -384,16 +384,16 @@ define(`filesystem_manage_windows_network_named_pipes_depend',` ######################################## # -# filesystem_manage_windows_network_named_sockets(domain) +# fs_manage_windows_network_named_sockets(domain) # -define(`filesystem_manage_windows_network_named_sockets',` +define(`fs_manage_windows_network_named_sockets',` requires_block_template(`$0'_depend) allow $1 cifs_t:dir rw_file_perms; allow $1 cifs_t:sock_file create_file_perms; ') -define(`filesystem_manage_windows_network_named_sockets_depend',` +define(`fs_manage_windows_network_named_sockets_depend',` type cifs_t; class dir rw_dir_perms; 
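Review bot: The renamed `fs_manage_windows_network_named_sockets` applies `rw_file_perms` to the `dir` class (`allow $1 cifs_t:dir rw_file_perms;`) while its `_depend` block declares `class dir rw_dir_perms;` and every sibling in this group (`fs_manage_windows_network_files`, `_symbolic_links`, `_named_pipes`) uses `rw_dir_perms` for the directory. A file permission set on a directory object is the wrong vocabulary for the class and will not match what the depend block promises, so creating a socket file under a cifs directory is unlikely to be authorized as intended. The fix is the one-line change `allow $1 cifs_t:dir rw_dir_perms;`, bringing the body in line with its declaration and its siblings.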
@@ -402,15 +402,15 @@ define(`filesystem_manage_windows_network_named_sockets_depend',` ######################################## # -# filesystem_mount_dos_filesystem(domain) +# fs_mount_dos_fs(domain) # -define(`filesystem_mount_dos_filesystem',` +define(`fs_mount_dos_fs',` requires_block_template(`$0'_depend) allow $1 dosfs_t:filesystem mount; ') -define(`filesystem_mount_dos_filesystem_depend',` +define(`fs_mount_dos_fs_depend',` type dosfs_t; class filesystem mount; @@ -418,15 +418,15 @@ define(`filesystem_mount_dos_filesystem_depend',` ######################################## # -# filesystem_remount_dos_filesystem(domain) +# fs_remount_dos_fs(domain) # -define(`filesystem_remount_dos_filesystem',` +define(`fs_remount_dos_fs',` requires_block_template(`$0'_depend) allow $1 dosfs_t:filesystem remount; ') -define(`filesystem_remount_dos_filesystem_depend',` +define(`fs_remount_dos_fs_depend',` type dosfs_t; class filesystem remount; @@ -434,15 +434,15 @@ define(`filesystem_remount_dos_filesystem_depend',` ######################################## # -# filesystem_unmount_dos_filesystem(domain) +# fs_unmount_dos_fs(domain) # -define(`filesystem_unmount_dos_filesystem',` +define(`fs_unmount_dos_fs',` requires_block_template(`$0'_depend) allow $1 dosfs_t:filesystem mount; ') -define(`filesystem_unmount_dos_filesystem_depend',` +define(`fs_unmount_dos_fs_depend',` type dosfs_t; class filesystem unmount; @@ -450,15 +450,15 @@ define(`filesystem_unmount_dos_filesystem_depend',` ######################################## # -# filesystem_get_dos_filesystem_attributes(domain) +# fs_get_dos_fs_attributes(domain) # -define(`filesystem_get_dos_filesystem_attributes',` +define(`fs_get_dos_fs_attributes',` requires_block_template(`$0'_depend) allow $1 dosfs_t:filesystem getattr; ') -define(`filesystem_get_dos_filesystem_attributes_depend',` +define(`fs_get_dos_fs_attributes_depend',` type dosfs_t; class filesystem getattr; 
@@ -466,15 +466,15 @@ define(`filesystem_get_dos_filesystem_attributes_depend',` ######################################## # -# filesystem_relabelfrom_dos_filesystem(domain) +# fs_relabelfrom_dos_fs(domain) # -define(`filesystem_relabelfrom_dos_filesystem',` +define(`fs_relabelfrom_dos_fs',` requires_block_template(`$0'_depend) allow $1 dosfs_t:filesystem relabelfrom; ') -define(`filesystem_relabelfrom_dos_filesystem_depend',` +define(`fs_relabelfrom_dos_fs_depend',` type dosfs_t; class filesystem relabelfrom; @@ -482,15 +482,15 @@ define(`filesystem_relabelfrom_dos_filesystem_depend',` ######################################## # -# filesystem_mount_cd_filesystem(domain) +# fs_mount_cd_fs(domain) # -define(`filesystem_mount_cd_filesystem',` +define(`fs_mount_cd_fs',` requires_block_template(`$0'_depend) allow $1 iso9660_t:filesystem mount; ') -define(`filesystem_mount_cd_filesystem_depend',` +define(`fs_mount_cd_fs_depend',` type iso9660_t; class filesystem mount; @@ -498,15 +498,15 @@ define(`filesystem_mount_cd_filesystem_depend',` ######################################## # -# filesystem_remount_cd_filesystem(domain) +# fs_remount_cd_fs(domain) # -define(`filesystem_remount_cd_filesystem',` +define(`fs_remount_cd_fs',` requires_block_template(`$0'_depend) allow $1 iso9660_t:filesystem remount; ') -define(`filesystem_remount_cd_filesystem_depend',` +define(`fs_remount_cd_fs_depend',` type iso9660_t; class filesystem remount; @@ -514,15 +514,15 @@ define(`filesystem_remount_cd_filesystem_depend',` ######################################## # -# filesystem_unmount_cd_filesystem(domain) +# fs_unmount_cd_fs(domain) # -define(`filesystem_unmount_cd_filesystem',` +define(`fs_unmount_cd_fs',` requires_block_template(`$0'_depend) allow $1 iso9660_t:filesystem mount; ') -define(`filesystem_unmount_cd_filesystem_depend',` +define(`fs_unmount_cd_fs_depend',` type iso9660_t; class filesystem unmount; 
@@ -530,15 +530,15 @@ define(`filesystem_unmount_cd_filesystem_depend',` ######################################## # -# filesystem_get_cd_filesystem_attributes(domain) +# fs_get_cd_fs_attributes(domain) # -define(`filesystem_get_cd_filesystem_attributes',` +define(`fs_get_cd_fs_attributes',` requires_block_template(`$0'_depend) allow $1 iso9660_t:filesystem getattr; ') -define(`filesystem_get_cd_filesystem_attributes_depend',` +define(`fs_get_cd_fs_attributes_depend',` type iso9660_t; class filesystem getattr; @@ -546,15 +546,15 @@ define(`filesystem_get_cd_filesystem_attributes_depend',` ######################################## # -# filesystem_mount_nfs_filesystem(domain) +# fs_mount_nfs_fs(domain) # -define(`filesystem_mount_nfs_filesystem',` +define(`fs_mount_nfs_fs',` requires_block_template(`$0'_depend) allow $1 nfs_t:filesystem mount; ') -define(`filesystem_mount_nfs_filesystem_depend',` +define(`fs_mount_nfs_fs_depend',` type nfs_t; class filesystem mount; @@ -562,15 +562,15 @@ define(`filesystem_mount_nfs_filesystem_depend',` ######################################## # -# filesystem_remount_nfs_filesystem(domain) +# fs_remount_nfs_fs(domain) # -define(`filesystem_remount_nfs_filesystem',` +define(`fs_remount_nfs_fs',` requires_block_template(`$0'_depend) allow $1 nfs_t:filesystem remount; ') -define(`filesystem_remount_nfs_filesystem_depend',` +define(`fs_remount_nfs_fs_depend',` type nfs_t; class filesystem remount; @@ -578,15 +578,15 @@ define(`filesystem_remount_nfs_filesystem_depend',` ######################################## # -# filesystem_unmount_nfs_filesystem(domain) +# fs_unmount_nfs_fs(domain) # -define(`filesystem_unmount_nfs_filesystem',` +define(`fs_unmount_nfs_fs',` requires_block_template(`$0'_depend) allow $1 nfs_t:filesystem mount; ') -define(`filesystem_unmount_nfs_filesystem_depend',` +define(`fs_unmount_nfs_fs_depend',` type nfs_t; class filesystem unmount; 
@@ -594,15 +594,15 @@ define(`filesystem_unmount_nfs_filesystem_depend',` ######################################## # -# filesystem_get_nfs_filesystem_attributes(domain) +# fs_get_nfs_fs_attributes(domain) # -define(`filesystem_get_nfs_filesystem_attributes',` +define(`fs_get_nfs_fs_attributes',` requires_block_template(`$0'_depend) allow $1 nfs_t:filesystem getattr; ') -define(`filesystem_get_nfs_filesystem_attributes_depend',` +define(`fs_get_nfs_fs_attributes_depend',` type nfs_t; class filesystem getattr; @@ -610,16 +610,16 @@ define(`filesystem_get_nfs_filesystem_attributes_depend',` ######################################## # -# filesystem_execute_nfs_files(domain) +# fs_execute_nfs_files(domain) # -define(`filesystem_execute_nfs_files',` +define(`fs_execute_nfs_files',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir r_dir_perms; allow $1 nfs_t:file { getattr read execute execute_no_trans }; ') -define(`filesystem_execute_nfs_files_depend',` +define(`fs_execute_nfs_files_depend',` type nfs_t; class dir r_dir_perms; @@ -628,15 +628,15 @@ define(`filesystem_execute_nfs_files_depend',` ######################################## # -# filesystem_manage_nfs_directories(domain) +# fs_manage_nfs_directories(domain) # -define(`filesystem_manage_nfs_directories',` +define(`fs_manage_nfs_directories',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir create_dir_perms; ') -define(`filesystem_manage_nfs_directories_depend',` +define(`fs_manage_nfs_directories_depend',` type nfs_t; class dir create_dir_perms; 
@@ -644,16 +644,16 @@ define(`filesystem_manage_nfs_directories_depend',` ######################################## # -# filesystem_manage_nfs_files(domain) +# fs_manage_nfs_files(domain) # -define(`filesystem_manage_nfs_files',` +define(`fs_manage_nfs_files',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:file create_file_perms; ') -define(`filesystem_manage_nfs_files_depend',` +define(`fs_manage_nfs_files_depend',` type nfs_t; class dir rw_dir_perms; @@ -662,16 +662,16 @@ define(`filesystem_manage_nfs_files_depend',` ######################################## # -# filesystem_manage_nfs_symbolic_links(domain) +# fs_manage_nfs_symbolic_links(domain) # -define(`filesystem_manage_nfs_symbolic_links',` +define(`fs_manage_nfs_symbolic_links',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:lnk_file create_lnk_perms; ') -define(`filesystem_manage_nfs_symbolic_links_depend',` +define(`fs_manage_nfs_symbolic_links_depend',` type nfs_t; class dir r_dir_perms; @@ -680,16 +680,16 @@ define(`filesystem_manage_nfs_symbolic_links_depend',` ######################################## # -# filesystem_manage_nfs_named_pipes(domain) +# fs_manage_nfs_named_pipes(domain) # -define(`filesystem_manage_nfs_named_pipes',` +define(`fs_manage_nfs_named_pipes',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:fifo_file create_file_perms; ') -define(`filesystem_manage_nfs_named_pipes_depend',` +define(`fs_manage_nfs_named_pipes_depend',` type nfs_t; class dir { getattr search read write add_name remove_name }; 
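Review bot: `fs_manage_nfs_symbolic_links_depend` declares `class dir r_dir_perms;` while the interface body allows `nfs_t:dir rw_dir_perms`, so the requires block under-declares what the rule uses; it should be `class dir rw_dir_perms;` to match `fs_manage_nfs_files_depend` in the same hunk. `fs_manage_nfs_named_pipes_depend` spells its directory permissions out as `{ getattr search read write add_name remove_name }` where the neighbouring depend blocks use the `rw_dir_perms` macro; using the macro there too would keep the declaration from drifting from the allow rule. Both are unchanged context lines, so this can be a follow-up to the rename.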
@@ -698,16 +698,16 @@ define(`filesystem_manage_nfs_named_pipes_depend',` ######################################## # -# filesystem_manage_nfs_named_sockets(domain) +# fs_manage_nfs_named_sockets(domain) # -define(`filesystem_manage_nfs_named_sockets',` +define(`fs_manage_nfs_named_sockets',` requires_block_template(`$0'_depend) allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:sock_file create_file_perms; ') -define(`filesystem_manage_nfs_named_sockets_depend',` +define(`fs_manage_nfs_named_sockets_depend',` type nfs_t; class dir rw_dir_perms; @@ -716,15 +716,15 @@ define(`filesystem_manage_nfs_named_sockets_depend',` ######################################## # -# filesystem_mount_nfsd_filesystem(domain) +# fs_mount_nfsd_fs(domain) # -define(`filesystem_mount_nfsd_filesystem',` +define(`fs_mount_nfsd_fs',` requires_block_template(`$0'_depend) allow $1 nfsd_fs_t:filesystem mount; ') -define(`filesystem_mount_nfsd_filesystem_depend',` +define(`fs_mount_nfsd_fs_depend',` type nfsd_fs_t; class filesystem mount; @@ -732,15 +732,15 @@ define(`filesystem_mount_nfsd_filesystem_depend',` ######################################## # -# filesystem_remount_nfsd_filesystem(domain) +# fs_remount_nfsd_fs(domain) # -define(`filesystem_remount_nfsd_filesystem',` +define(`fs_remount_nfsd_fs',` requires_block_template(`$0'_depend) allow $1 nfsd_fs_t:filesystem remount; ') -define(`filesystem_remount_nfsd_filesystem_depend',` +define(`fs_remount_nfsd_fs_depend',` type nfsd_fs_t; class filesystem remount; @@ -748,15 +748,15 @@ define(`filesystem_remount_nfsd_filesystem_depend',` ######################################## # -# filesystem_unmount_nfsd_filesystem(domain) +# fs_unmount_nfsd_fs(domain) # -define(`filesystem_unmount_nfsd_filesystem',` +define(`fs_unmount_nfsd_fs',` requires_block_template(`$0'_depend) allow $1 nfsd_fs_t:filesystem mount; ') -define(`filesystem_unmount_nfsd_filesystem_depend',` +define(`fs_unmount_nfsd_fs_depend',` type nfsd_fs_t; class filesystem unmount; 
@@ -764,15 +764,15 @@ define(`filesystem_unmount_nfsd_filesystem_depend',` ######################################## # -# filesystem_get_nfsd_filesystem_attributes(domain) +# fs_get_nfsd_fs_attributes(domain) # -define(`filesystem_get_nfsd_filesystem_attributes',` +define(`fs_get_nfsd_fs_attributes',` requires_block_template(`$0'_depend) allow $1 nfsd_fs_t:filesystem getattr; ') -define(`filesystem_get_nfsd_filesystem_attributes_depend',` +define(`fs_get_nfsd_fs_attributes_depend',` type nfsd_fs_t; class filesystem getattr; @@ -780,15 +780,15 @@ define(`filesystem_get_nfsd_filesystem_attributes_depend',` ######################################## # -# filesystem_mount_ram_filesystem(domain) +# fs_mount_ram_fs(domain) # -define(`filesystem_mount_ram_filesystem',` +define(`fs_mount_ram_fs',` requires_block_template(`$0'_depend) allow $1 ramfs_t:filesystem mount; ') -define(`filesystem_mount_ram_filesystem_depend',` +define(`fs_mount_ram_fs_depend',` type ramfs_t; class filesystem mount; @@ -796,15 +796,15 @@ define(`filesystem_mount_ram_filesystem_depend',` ######################################## # -# filesystem_remount_ram_filesystem(domain) +# fs_remount_ram_fs(domain) # -define(`filesystem_remount_ram_filesystem',` +define(`fs_remount_ram_fs',` requires_block_template(`$0'_depend) allow $1 ramfs_t:filesystem remount; ') -define(`filesystem_remount_ram_filesystem_depend',` +define(`fs_remount_ram_fs_depend',` type ramfs_t; class filesystem remount; @@ -812,15 +812,15 @@ define(`filesystem_remount_ram_filesystem_depend',` ######################################## # -# filesystem_unmount_ram_filesystem(domain) +# fs_unmount_ram_fs(domain) # -define(`filesystem_unmount_ram_filesystem',` +define(`fs_unmount_ram_fs',` requires_block_template(`$0'_depend) allow $1 ramfs_t:filesystem mount; ') -define(`filesystem_unmount_ram_filesystem_depend',` +define(`fs_unmount_ram_fs_depend',` type ramfs_t; class filesystem unmount; 
@@ -828,15 +828,15 @@ define(`filesystem_unmount_ram_filesystem_depend',` ######################################## # -# filesystem_get_ram_filesystem_attributes(domain) +# fs_get_ram_fs_attributes(domain) # -define(`filesystem_get_ram_filesystem_attributes',` +define(`fs_get_ram_fs_attributes',` requires_block_template(`$0'_depend) allow $1 ramfs_t:filesystem getattr; ') -define(`filesystem_get_ram_filesystem_attributes_depend',` +define(`fs_get_ram_fs_attributes_depend',` type ramfs_t; class filesystem getattr; @@ -844,15 +844,15 @@ define(`filesystem_get_ram_filesystem_attributes_depend',` ######################################## # -# filesystem_mount_rom_filesystem(domain) +# fs_mount_rom_fs(domain) # -define(`filesystem_mount_rom_filesystem',` +define(`fs_mount_rom_fs',` requires_block_template(`$0'_depend) allow $1 romfs_t:filesystem mount; ') -define(`filesystem_mount_rom_filesystem_depend',` +define(`fs_mount_rom_fs_depend',` type romfs_t; class filesystem mount; @@ -860,15 +860,15 @@ define(`filesystem_mount_rom_filesystem_depend',` ######################################## # -# filesystem_remount_rom_filesystem(domain) +# fs_remount_rom_fs(domain) # -define(`filesystem_remount_rom_filesystem',` +define(`fs_remount_rom_fs',` requires_block_template(`$0'_depend) allow $1 romfs_t:filesystem remount; ') -define(`filesystem_remount_rom_filesystem_depend',` +define(`fs_remount_rom_fs_depend',` type romfs_t; class filesystem remount; @@ -876,15 +876,15 @@ define(`filesystem_remount_rom_filesystem_depend',` ######################################## # -# filesystem_unmount_rom_filesystem(domain) +# fs_unmount_rom_fs(domain) # -define(`filesystem_unmount_rom_filesystem',` +define(`fs_unmount_rom_fs',` requires_block_template(`$0'_depend) allow $1 romfs_t:filesystem mount; ') -define(`filesystem_unmount_rom_filesystem_depend',` +define(`fs_unmount_rom_fs_depend',` type romfs_t; class filesystem unmount; 
@@ -892,15 +892,15 @@ define(`filesystem_unmount_rom_filesystem_depend',` ######################################## # -# filesystem_get_rom_filesystem_attributes(domain) +# fs_get_rom_fs_attributes(domain) # -define(`filesystem_get_rom_filesystem_attributes',` +define(`fs_get_rom_fs_attributes',` requires_block_template(`$0'_depend) allow $1 romfs_t:filesystem getattr; ') -define(`filesystem_get_rom_filesystem_attributes_depend',` +define(`fs_get_rom_fs_attributes_depend',` type romfs_t; class filesystem getattr; @@ -908,15 +908,15 @@ define(`filesystem_get_rom_filesystem_attributes_depend',` ######################################## # -# filesystem_mount_rpc_pipefs_filesystem(domain) +# fs_mount_rpc_pipefs_fs(domain) # -define(`filesystem_mount_rpc_pipefs_filesystem',` +define(`fs_mount_rpc_pipefs_fs',` requires_block_template(`$0'_depend) allow $1 rpc_pipefs_t:filesystem mount; ') -define(`filesystem_mount_rpc_pipefs_filesystem_depend',` +define(`fs_mount_rpc_pipefs_fs_depend',` type rpc_pipefs_t; class filesystem mount; @@ -924,15 +924,15 @@ define(`filesystem_mount_rpc_pipefs_filesystem_depend',` ######################################## # -# filesystem_remount_rpc_pipefs_filesystem(domain) +# fs_remount_rpc_pipefs_fs(domain) # -define(`filesystem_remount_rpc_pipefs_filesystem',` +define(`fs_remount_rpc_pipefs_fs',` requires_block_template(`$0'_depend) allow $1 rpc_pipefs_t:filesystem remount; ') -define(`filesystem_remount_rpc_pipefs_filesystem_depend',` +define(`fs_remount_rpc_pipefs_fs_depend',` type rpc_pipefs_t; class filesystem remount; 
@@ -940,15 +940,15 @@ define(`filesystem_remount_rpc_pipefs_filesystem_depend',` ######################################## # -# filesystem_unmount_rpc_pipefs_filesystem(domain) +# fs_unmount_rpc_pipefs_fs(domain) # -define(`filesystem_unmount_rpc_pipefs_filesystem',` +define(`fs_unmount_rpc_pipefs_fs',` requires_block_template(`$0'_depend) allow $1 rpc_pipefs_t:filesystem mount; ') -define(`filesystem_unmount_rpc_pipefs_filesystem_depend',` +define(`fs_unmount_rpc_pipefs_fs_depend',` type rpc_pipefs_t; class filesystem unmount; @@ -956,15 +956,15 @@ define(`filesystem_unmount_rpc_pipefs_filesystem_depend',` ######################################## # -# filesystem_get_rpc_pipefs_filesystem_attributes(domain) +# fs_get_rpc_pipefs_fs_attributes(domain) # -define(`filesystem_get_rpc_pipefs_filesystem_attributes',` +define(`fs_get_rpc_pipefs_fs_attributes',` requires_block_template(`$0'_depend) allow $1 rpc_pipefs_t:filesystem getattr; ') -define(`filesystem_get_rpc_pipefs_filesystem_attributes_depend',` +define(`fs_get_rpc_pipefs_fs_attributes_depend',` type rpc_pipefs_t; class filesystem getattr; @@ -972,15 +972,15 @@ define(`filesystem_get_rpc_pipefs_filesystem_attributes_depend',` ######################################## # -# filesystem_mount_tmpfs_filesystem(domain) +# fs_mount_tmpfs_fs(domain) # -define(`filesystem_mount_tmpfs_filesystem',` +define(`fs_mount_tmpfs_fs',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:filesystem mount; ') -define(`filesystem_mount_tmpfs_filesystem_depend',` +define(`fs_mount_tmpfs_fs_depend',` type tmpfs_t; class filesystem mount; 
@@ -988,15 +988,15 @@ define(`filesystem_mount_tmpfs_filesystem_depend',` ######################################## # -# filesystem_remount_tmpfs_filesystem(domain) +# fs_remount_tmpfs_fs(domain) # -define(`filesystem_remount_tmpfs_filesystem',` +define(`fs_remount_tmpfs_fs',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:filesystem remount; ') -define(`filesystem_remount_tmpfs_filesystem_depend',` +define(`fs_remount_tmpfs_fs_depend',` type tmpfs_t; class filesystem remount; @@ -1004,15 +1004,15 @@ define(`filesystem_remount_tmpfs_filesystem_depend',` ######################################## # -# filesystem_unmount_tmpfs_filesystem(domain) +# fs_unmount_tmpfs_fs(domain) # -define(`filesystem_unmount_tmpfs_filesystem',` +define(`fs_unmount_tmpfs_fs',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:filesystem mount; ') -define(`filesystem_unmount_tmpfs_filesystem_depend',` +define(`fs_unmount_tmpfs_fs_depend',` type tmpfs_t; class filesystem unmount; @@ -1020,22 +1020,22 @@ define(`filesystem_unmount_tmpfs_filesystem_depend',` ######################################## # -# filesystem_get_tmpfs_filesystem_attributes(domain) +# fs_get_tmpfs_fs_attributes(domain) # -define(`filesystem_get_tmpfs_filesystem_attributes',` +define(`fs_get_tmpfs_fs_attributes',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:filesystem getattr; ') -define(`filesystem_get_tmpfs_filesystem_attributes_depend',` +define(`fs_get_tmpfs_fs_attributes_depend',` type tmpfs_t; class filesystem getattr; ') ######################################## -## +## ## ## Allow the type to associate to tmpfs filesystems. ## @@ -1045,13 +1045,13 @@ define(`filesystem_get_tmpfs_filesystem_attributes_depend',` ## ## # -define(`filesystem_tmpfs_associate',` +define(`fs_tmpfs_associate',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:filesystem associate; ') -define(`filesystem_tmpfs_associate_depend',` +define(`fs_tmpfs_associate_depend',` type tmpfs_t; class filesystem associate; 
@@ -1059,9 +1059,9 @@ define(`filesystem_tmpfs_associate_depend',` ######################################## # -# filesystem_create_private_tmpfs_data(domain,derivedtype,[class]) +# fs_create_private_tmpfs_data(domain,derivedtype,[class]) # -define(`filesystem_create_private_tmpfs_data',` +define(`fs_create_private_tmpfs_data',` requires_block_template(`$0'_depend) allow $2 tmpfs_t:filesystem associate; @@ -1074,7 +1074,7 @@ define(`filesystem_create_private_tmpfs_data',` ') ') -define(`filesystem_create_private_tmpfs_data_depend',` +define(`fs_create_private_tmpfs_data_depend',` type tmpfs_t; class filesystem associate; @@ -1082,7 +1082,7 @@ define(`filesystem_create_private_tmpfs_data_depend',` ') ######################################## -## +## ## ## Read and write character nodes on tmpfs filesystems. ## @@ -1092,14 +1092,14 @@ define(`filesystem_create_private_tmpfs_data_depend',` ## ## # -define(`filesystem_use_tmpfs_character_devices',` +define(`fs_use_tmpfs_character_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:chr_file rw_file_perms; ') -define(`filesystem_use_tmpfs_character_devices_depend',` +define(`fs_use_tmpfs_character_devices_depend',` type tmpfs_t; class dir r_dir_perms; @@ -1107,7 +1107,7 @@ define(`filesystem_use_tmpfs_character_devices_depend',` ') ######################################## -## +## ## ## Relabel character nodes on tmpfs filesystems. ## @@ -1117,14 +1117,14 @@ define(`filesystem_use_tmpfs_character_devices_depend',` ## ## # -define(`filesystem_relabel_tmpfs_character_devices',` +define(`fs_relabel_tmpfs_character_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; ') -define(`filesystem_relabel_tmpfs_character_devices_depend',` +define(`fs_relabel_tmpfs_character_devices_depend',` type tmpfs_t; class dir r_dir_perms; 
@@ -1132,7 +1132,7 @@ define(`filesystem_relabel_tmpfs_character_devices_depend',` ') ######################################## -## +## ## ## Read and write block nodes on tmpfs filesystems. ## @@ -1142,14 +1142,14 @@ define(`filesystem_relabel_tmpfs_character_devices_depend',` ## ## # -define(`filesystem_use_tmpfs_block_devices',` +define(`fs_use_tmpfs_block_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:blk_file rw_file_perms; ') -define(`filesystem_use_tmpfs_block_devices_depend',` +define(`fs_use_tmpfs_block_devices_depend',` type tmpfs_t; class dir r_dir_perms; @@ -1157,7 +1157,7 @@ define(`filesystem_use_tmpfs_block_devices_depend',` ') ######################################## -## +## ## ## Relabel block nodes on tmpfs filesystems. ## @@ -1167,14 +1167,14 @@ define(`filesystem_use_tmpfs_block_devices_depend',` ## ## # -define(`filesystem_relabel_tmpfs_block_devices',` +define(`fs_relabel_tmpfs_block_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; ') -define(`filesystem_use_tmpfs_block_devices_depend',` +define(`fs_use_tmpfs_block_devices_depend',` type tmpfs_t; class dir r_dir_perms; @@ -1182,7 +1182,7 @@ define(`filesystem_use_tmpfs_block_devices_depend',` ') ######################################## -## +## ## ## Read and write, create and delete character ## nodes on tmpfs filesystems. @@ -1193,14 +1193,14 @@ define(`filesystem_use_tmpfs_block_devices_depend',` ## ## # -define(`filesystem_manage_tmpfs_character_devices',` +define(`fs_manage_tmpfs_character_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:chr_file create_file_perms; ') -define(`filesystem_manage_tmpfs_character_devices_depend',` +define(`fs_manage_tmpfs_character_devices_depend',` type tmpfs_t; class dir rw_dir_perms; 
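Review bot: The depend macro that follows `fs_relabel_tmpfs_block_devices` is named `fs_use_tmpfs_block_devices_depend` (renamed from the equally wrong `filesystem_use_tmpfs_block_devices_depend`), so `requires_block_template(`$0'_depend)` inside fs_relabel_tmpfs_block_devices expands to an undefined `fs_relabel_tmpfs_block_devices_depend`, and this second define presumably overrides the depend block of fs_use_tmpfs_block_devices defined earlier in the same hunk. It should read `define(`fs_relabel_tmpfs_block_devices_depend',`. The remainder of that depend body lies outside the hunk.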
@@ -1208,7 +1208,7 @@ define(`filesystem_manage_tmpfs_character_devices_depend',` ') ######################################## -## +## ## ## Read and write, create and delete block nodes ## on tmpfs filesystems. @@ -1219,14 +1219,14 @@ define(`filesystem_manage_tmpfs_character_devices_depend',` ## ## # -define(`filesystem_manage_tmpfs_block_devices',` +define(`fs_manage_tmpfs_block_devices',` requires_block_template(`$0'_depend) allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:blk_file create_file_perms; ') -define(`filesystem_manage_tmpfs_block_devices_depend',` +define(`fs_manage_tmpfs_block_devices_depend',` type tmpfs_t; class dir rw_dir_perms; @@ -1235,15 +1235,15 @@ define(`filesystem_manage_tmpfs_block_devices_depend',` ######################################## # -# filesystem_mount_all_filesystems(type) +# fs_mount_all_fs(type) # -define(`filesystem_mount_all_filesystems',` +define(`fs_mount_all_fs',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem mount; ') -define(`filesystem_mount_all_filesystems_depend',` +define(`fs_mount_all_fs_depend',` attribute fs_type; class filesystem mount; @@ -1251,15 +1251,15 @@ define(`filesystem_mount_all_filesystems_depend',` ######################################## # -# filesystem_remount_all_filesystems(type) +# fs_remount_all_fs(type) # -define(`filesystem_remount_all_filesystems',` +define(`fs_remount_all_fs',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem remount; ') -define(`filesystem_remount_all_filesystems_depend',` +define(`fs_remount_all_fs_depend',` attribute fs_type; class filesystem remount; 
@@ -1267,15 +1267,15 @@ define(`filesystem_remount_all_filesystems_depend',` ######################################## # -# filesystem_unmount_all_filesystems(type) +# fs_unmount_all_fs(type) # -define(`filesystem_unmount_all_filesystems',` +define(`fs_unmount_all_fs',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem unmount; ') -define(`filesystem_mount_all_filesystems_depend',` +define(`fs_mount_all_fs_depend',` attribute fs_type; class filesystem unmount; @@ -1283,15 +1283,15 @@ define(`filesystem_mount_all_filesystems_depend',` ######################################## # -# filesystem_get_all_filesystems_attributes(type) +# fs_get_all_fs_attributes(type) # -define(`filesystem_get_all_filesystems_attributes',` +define(`fs_get_all_fs_attributes',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem getattr; ') -define(`filesystem_get_all_filesystems_attributes_depend',` +define(`fs_get_all_fs_attributes_depend',` attribute fs_type; class filesystem getattr; @@ -1299,15 +1299,15 @@ define(`filesystem_get_all_filesystems_attributes_depend',` ######################################## # -# filesystem_get_all_filesystems_quotas(type) +# fs_get_all_fs_quotas(type) # -define(`filesystem_get_all_filesystems_quotas',` +define(`fs_get_all_fs_quotas',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem quotaget; ') -define(`filesystem_get_all_filesystems_quotas_depend',` +define(`fs_get_all_fs_quotas_depend',` attribute fs_type; class filesystem quotaget; 
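Review bot: `fs_unmount_all_fs` is followed by `define(`fs_mount_all_fs_depend',`` carrying `class filesystem unmount;` — the rename preserved the wrong name from `filesystem_mount_all_filesystems_depend`. As written, fs_unmount_all_fs's requires expansion refers to an undefined `fs_unmount_all_fs_depend`, and this define presumably replaces the `fs_mount_all_fs_depend` from the previous hunk, so fs_mount_all_fs's requires block would declare unmount instead of mount. Change it to `define(`fs_unmount_all_fs_depend',`.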
@@ -1315,15 +1315,15 @@ define(`filesystem_get_all_filesystems_quotas_depend',` ######################################## # -# filesystem_set_all_filesystems_quotas(type) +# fs_set_all_fs_quotas(type) # -define(`filesystem_set_all_filesystems_quotas',` +define(`fs_set_all_fs_quotas',` requires_block_template(`$0'_depend) allow $1 fs_type:filesystem quotamod; ') -define(`filesystem_set_all_filesystems_quotas_depend',` +define(`fs_set_all_fs_quotas_depend',` attribute fs_type; class filesystem quotamod; @@ -1331,9 +1331,9 @@ define(`filesystem_set_all_filesystems_quotas_depend',` ######################################## # -# filesystem_get_all_file_attributes(type) +# fs_get_all_file_attributes(type) # -define(`filesystem_get_all_file_attributes',` +define(`fs_get_all_file_attributes',` requires_block_template(`$0'_depend) allow $1 fs_type:dir { search getattr }; @@ -1343,7 +1343,7 @@ define(`filesystem_get_all_file_attributes',` allow $1 fs_type:sock_file getattr; ') -define(`filesystem_get_all_file_attributes_depend',` +define(`fs_get_all_file_attributes_depend',` attribute fs_type; class dir { search getattr }; diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 1f1dd8d8..53be1d3b 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -129,7 +129,7 @@ define(`kernel_ignore_use_file_descriptors_depend',` ') ######################################## -## +## ## ## Allows the kernel to mount filesystems on ## the caller. @@ -144,13 +144,13 @@ define(`kernel_ignore_use_file_descriptors_depend',` ## ## # -define(`kernel_make_root_filesystem_mountpoint',` +define(`kernel_make_root_fs_mountpoint',` requires_block_template(`$0'_depend) allow kernel_t $1:dir mounton; ') -define(`kernel_make_root_filesystem_mountpoint_depend',` +define(`kernel_make_root_fs_mountpoint_depend',` type kernel_t; class dir mounton; 
@@ -1481,7 +1481,7 @@ define(`kernel_modify_kernel_sysctl_depend',` ') ######################################## -## +## ## ## Allow caller to read filesystem information. ## @@ -1494,7 +1494,7 @@ define(`kernel_modify_kernel_sysctl_depend',` ## ## # -define(`kernel_read_filesystem_sysctl',` +define(`kernel_read_fs_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; @@ -1503,7 +1503,7 @@ define(`kernel_read_filesystem_sysctl',` allow $1 sysctl_fs_t:file { getattr read }; ') -define(`kernel_read_filesystem_sysctl_depend',` +define(`kernel_read_fs_sysctl_depend',` type proc_t, sysctl_t, sysctl_fs_t; class dir { search getattr read }; @@ -1512,8 +1512,8 @@ define(`kernel_read_filesystem_sysctl_depend',` ######################################## # -# kernel_modify_filesystem_sysctl(domain) -## +# kernel_modify_fs_sysctl(domain) +## ## ## Allow caller to modify filesystem information. ## @@ -1526,7 +1526,7 @@ define(`kernel_read_filesystem_sysctl_depend',` ## ## # -define(`kernel_modify_filesystem_sysctl',` +define(`kernel_modify_fs_sysctl',` requires_block_template(`$0'_depend) allow $1 proc_t:dir search; @@ -1535,7 +1535,7 @@ define(`kernel_modify_filesystem_sysctl',` allow $1 sysctl_fs_t:file { getattr read write }; ') -define(`kernel_modify_filesystem_sysctl_depend',` +define(`kernel_modify_fs_sysctl_depend',` type proc_t, sysctl_t, sysctl_fs_t; class dir { search getattr read }; @@ -1663,7 +1663,7 @@ define(`kernel_read_all_sysctl',` kernel_read_hotplug_sysctl($1) kernel_read_modprobe_sysctl($1) kernel_read_kernel_sysctl($1) - kernel_read_filesystem_sysctl($1) + kernel_read_fs_sysctl($1) kernel_read_irq_sysctl($1) kernel_read_rpc_sysctl($1) ') @@ -1690,7 +1690,7 @@ define(`kernel_modify_all_sysctl',` kernel_modify_hotplug_sysctl($1) kernel_modify_modprobe_sysctl($1) kernel_modify_kernel_sysctl($1) - kernel_modify_filesystem_sysctl($1) + kernel_modify_fs_sysctl($1) kernel_modify_irq_sysctl($1) kernel_modify_rpc_sysctl($1) ') 
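Review bot: `kernel_modify_fs_sysctl` keeps an old-style `# kernel_modify_fs_sysctl(domain)` header line (plus a bare `#`) directly above its `##` documentation block, whereas `kernel_read_fs_sysctl` in the previous hunk has only the `##` block; after the rename the line merely duplicates what the doc block conveys. Dropping the `#` and `# kernel_modify_fs_sysctl(domain)` lines would make the two sysctl interfaces read the same way.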
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 37195a75..68bfa1ff 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -55,7 +55,7 @@ sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0) # applied to selinuxfs inodes. # type security_t; -filesystem_make_filesystem(security_t) +fs_make_fs(security_t) sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) @@ -64,7 +64,7 @@ genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) # type sysfs_t; files_make_mountpoint(sysfs_t) -filesystem_make_filesystem(sysfs_t) +fs_make_fs(sysfs_t) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) # @@ -72,7 +72,7 @@ genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) # type usbfs_t alias usbdevfs_t; files_make_mountpoint(usbfs_t) -filesystem_make_filesystem(usbfs_t) +fs_make_fs(usbfs_t) genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) @@ -82,7 +82,7 @@ genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) type proc_t; files_make_mountpoint(proc_t) -filesystem_make_filesystem(proc_t) +fs_make_fs(proc_t) genfscon proc / context_template(system_u:object_r:proc_t,s0) genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0) @@ -209,7 +209,7 @@ domain_signal_all_domains(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -filesystem_mount_all_filesystems(kernel_t) +fs_mount_all_fs(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. corecommands_execute_general_programs(kernel_t) diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 44d6b21e..a91c1071 100644 
--- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -67,7 +67,7 @@ define(`terminal_make_physical_terminal',` ') ifdef(`distro_redhat',` - filesystem_tmpfs_associate($2) + fs_tmpfs_associate($2) ') ') diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 7f6654b5..c2d69a30 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -22,7 +22,7 @@ devices_make_device_node(console_device_t) # type devpts_t; files_make_mountpoint(devpts_t) -filesystem_make_filesystem(devpts_t) +fs_make_fs(devpts_t) fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0); # diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 157d94db..43060de6 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -70,7 +70,7 @@ define(`cron_per_userdomain_template',` devices_get_pseudorandom_data($1_crond_t) - filesystem_get_all_filesystems_attributes($1_crond_t) + fs_get_all_fs_attributes($1_crond_t) domain_execute_all_entrypoint_programs($1_crond_t) @@ -153,7 +153,7 @@ define(`cron_per_userdomain_template',` allow $1_crontab_t crond_log_t:file { getattr read append }; - filesystem_get_persistent_filesystem_attributes($1_crontab_t) + fs_get_persistent_fs_attributes($1_crontab_t) domain_use_widely_inheritable_file_descriptors($1_crontab_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 8f4b8212..515880ff 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -89,7 +89,7 @@ kernel_compute_selinux_reachable_user_contexts(crond_t) devices_get_pseudorandom_data(crond_t) -filesystem_get_all_filesystems_attributes(crond_t) +fs_get_all_fs_attributes(crond_t) terminal_ignore_use_console(crond_t) 
@@ -252,8 +252,8 @@ devices_get_all_block_device_attributes(system_crond_t) devices_get_all_character_device_attributes(system_crond_t) devices_get_pseudorandom_data(system_crond_t) -filesystem_get_all_filesystems_attributes(system_crond_t) -filesystem_get_all_file_attributes(system_crond_t) +fs_get_all_fs_attributes(system_crond_t) +fs_get_all_file_attributes(system_crond_t) init_use_file_descriptors(system_crond_t) init_script_use_file_descriptors(system_crond_t) diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 643b1749..1e7cb0bd 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -62,7 +62,7 @@ corenetwork_sendrecv_tcp_on_all_ports(system_mail_t) devices_get_pseudorandom_data(system_mail_t) -filesystem_get_persistent_filesystem_attributes(system_mail_t) +fs_get_persistent_fs_attributes(system_mail_t) init_script_use_pseudoterminal(system_mail_t) diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index daceb541..71979afc 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -53,7 +53,7 @@ kernel_compute_selinux_reachable_user_contexts(remote_login_t) # for SSP/ProPolice devices_get_pseudorandom_data(remote_login_t) -filesystem_get_persistent_filesystem_attributes(remote_login_t) +fs_get_persistent_fs_attributes(remote_login_t) init_script_modify_runtime_data(remote_login_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 81746d78..d5f9ac48 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te 
@@ -56,7 +56,7 @@ corenetwork_bind_tcp_on_smtp_port(sendmail_t) devices_get_pseudorandom_data(sendmail_t) -filesystem_get_all_filesystems_attributes(sendmail_t) +fs_get_all_fs_attributes(sendmail_t) terminal_ignore_use_console(sendmail_t) @@ -88,7 +88,7 @@ mta_manage_mail_spool(sendmail_t) sysnetwork_read_network_config(sendmail_t) -tunable_policy(`targeted_policy', ` +ifdef(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(sendmail_t) terminal_ignore_use_general_pseudoterminal(sendmail_t) files_ignore_read_rootfs_file(sendmail_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 90fc4a7d..7ee3f61f 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -25,7 +25,7 @@ define(`authlogin_per_userdomain_template',` # is_selinux_enabled kernel_read_system_state($1_chkpwd_t) - filesystem_ignore_get_persistent_filesystem_attributes($1_chkpwd_t) + fs_ignore_get_persistent_fs_attributes($1_chkpwd_t) domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) @@ -154,9 +154,7 @@ define(`authlogin_login_program_transition_depend',` define(`authlogin_check_password_transition',` requires_block_template(`$0'_depend) - allow $1 chkpwd_exec_t:file { getattr read execute }; - allow $1 system_chkpwd_t:process transition; - type_transition $1 chkpwd_exec_t:process system_chkpwd_t; + domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t) allow $1 system_chkpwd_t:fd use; allow system_chkpwd_t $1:fd use; diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 5b643a16..3b9df980 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
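Review bot: The switch from `tunable_policy(`targeted_policy', `` to `ifdef(`targeted_policy', `` in the @@ -88 hunk changes when the enclosed rules are decided — a tunable_policy block is selected by a runtime boolean, an ifdef block is fixed at build time — and the commit title ("start renaming filesystem interfaces") does not cover it. The same conversion appears in locallogin.te, twice in logging.te (the auditd_t and syslogd_t blocks) and, for `direct_sysadm_daemon`, in authlogin.te. If targeted_policy is indeed a build-time m4 option (the global_tunables change in this commit is not visible here) the conversion is correct but deserves a mention in the commit message; if it is still exported as a boolean, the runtime toggle is silently lost. A one-line comment above each block, e.g. `# targeted_policy is a build-time option, not a boolean`, would make the intent explicit at each site.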
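Review bot: The new line `domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)` in the authlogin.if hunk calls a macro that the domain.if hunk in this same commit renames to `domain_trans`, so unless a `domain_auto_trans` definition survives elsewhere this call will not expand and the transition into system_chkpwd_t disappears from the expanded policy. The three removed lines also included a `type_transition`, and only the first allow rule of the renamed macro's body is visible in the domain.if hunk, so whichever name is used should be checked to emit the type_transition as well as the process transition permission. The unchanged context line `domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)` in the locallogin.te hunk has the same dependency on the old name.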
@@ -170,8 +170,8 @@ selinux_read_file_contexts(pam_console_t) userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t) -tunable_policy(`direct_sysadm_daemon', ` - dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms; +ifdef(`direct_sysadm_daemon', ` + userdomain_dontaudit_use_admin_terminals(pam_console_t) ') ifdef(`targeted_policy', ` @@ -236,7 +236,7 @@ allow system_chkpwd_t shadow_t:file { getattr read }; # is_selinux_enabled kernel_read_system_state(system_chkpwd_t) -filesystem_ignore_get_persistent_filesystem_attributes(system_chkpwd_t) +fs_ignore_get_persistent_fs_attributes(system_chkpwd_t) terminal_use_general_physical_terminal(system_chkpwd_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 5ba29d9a..646f74ea 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -34,7 +34,7 @@ kernel_read_hardware_state(hwclock_t) devices_modify_realtime_clock(hwclock_t) -filesystem_get_persistent_filesystem_attributes(hwclock_t) +fs_get_persistent_fs_attributes(hwclock_t) terminal_ignore_use_console(hwclock_t) terminal_use_general_physical_terminal(hwclock_t) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index fe8bcb6e..21130a5b 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -475,7 +475,7 @@ define(`domain_read_all_entrypoint_programs_depend',` # # domain_trans(source_domain,entrypoint_file,target_domain) # -define(`domain_auto_trans',` +define(`domain_trans',` requires_block_template(`$0'_depend) allow $1 $2:file { getattr read execute }; diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 116f0c47..e6f8bc19 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if 
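Review bot: The replacement of `dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;` with `userdomain_dontaudit_use_admin_terminals(pam_console_t)` is a rewrite rather than a rename, and neither the interface's definition nor its `_depend` block is visible in the userdomain.if hunks of this commit, so it should be confirmed that the interface exists and that it dontaudits the same object class and permission set the removed rule did. If it covers only a subset, or adds pseudo-terminal types, the audit noise this rule was silencing changes for pam_console_t. A short comment at the call site naming the underlying rule, e.g. `# admin_tty_type:chr_file rw_file_perms`, would let the next reader verify the equivalence without opening userdomain.if.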
@@ -8,8 +8,8 @@ define(`files_make_file',` requires_block_template(`$0'_depend) - filesystem_associate($1) - filesystem_noxattr_associate($1) + fs_associate($1) + fs_noxattr_associate($1) typeattribute $1 file_type; ') @@ -93,7 +93,7 @@ define(`files_make_tmpfs_file',` requires_block_template(`$0'_depend) files_make_file($1) - filesystem_tmpfs_associate($1) + fs_tmpfs_associate($1) typeattribute $1 tmpfsfile; ') @@ -258,15 +258,15 @@ define(`files_ignore_search_all_directories_depend',` ####################################### # -# files_relabelto_all_file_type_filesystems(domain) +# files_relabelto_all_file_type_fs(domain) # -define(`files_relabelto_all_file_type_filesystems',` +define(`files_relabelto_all_file_type_fs',` requires_block_template(`$0'_depend) allow $1 file_type:filesystem relabelto; ') -define(`files_relabelto_all_file_type_filesystems_depend',` +define(`files_relabelto_all_file_type_fs_depend',` attribute file_type; filesystem relabelto; @@ -274,15 +274,15 @@ define(`files_relabelto_all_file_type_filesystems_depend',` ####################################### # -# files_mount_all_file_type_filesystems(domain) +# files_mount_all_file_type_fs(domain) # -define(`files_mount_all_file_type_filesystems',` +define(`files_mount_all_file_type_fs',` requires_block_template(`$0'_depend) allow $1 file_type:filesystem mount; ') -define(`files_mount_all_file_type_filesystems_depend',` +define(`files_mount_all_file_type_fs_depend',` attribute file_type; filesystem mount; 
@@ -290,15 +290,15 @@ define(`files_mount_all_file_type_filesystems_depend',` ####################################### # -# files_unmount_all_file_type_filesystems(domain) +# files_unmount_all_file_type_fs(domain) # -define(`files_unmount_all_file_type_filesystems',` +define(`files_unmount_all_file_type_fs',` requires_block_template(`$0'_depend) allow $1 file_type:filesystem mount; ') -define(`files_unmount_all_file_type_filesystems_depend',` +define(`files_unmount_all_file_type_fs_depend',` attribute file_type; filesystem mount; @@ -457,15 +457,15 @@ define(`files_remove_root_dir_entry_depend',` ######################################## # -# files_unmount_root_filesystem(domain) +# files_unmount_root_fs(domain) # -define(`files_unmount_root_filesystem',` +define(`files_unmount_root_fs',` requires_block_template(`$0'_depend) allow $1 root_t:filesystem unmount; ') -define(`files_unmount_root_filesystem_depend',` +define(`files_unmount_root_fs_depend',` type root_t; class filesystem unmount; diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index b22386d9..dd2bc408 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -12,15 +12,15 @@ attribute tmpfsfile; # match any specification in the file_contexts configuration # other than the generic /.* specification. type default_t, file_type, mountpoint; -filesystem_associate(default_t) -filesystem_noxattr_associate(default_t) +fs_associate(default_t) +fs_noxattr_associate(default_t) # # etc_t is the type of the system etc directories. # type etc_t, file_type; -filesystem_associate(etc_t) -filesystem_noxattr_associate(etc_t) +fs_associate(etc_t) +fs_noxattr_associate(etc_t) # # etc_runtime_t is the type of various 
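Review bot: `files_unmount_all_file_type_fs` still grants `mount`, not `unmount`: its body reads `allow $1 file_type:filesystem mount;` and its `_depend` block requires `filesystem mount;`, identical to `files_mount_all_file_type_fs` in the previous hunk, so the rename carries the defect forward. The body should be `allow $1 file_type:filesystem unmount;` and the depend block `class filesystem unmount;`. The `_depend` blocks for the relabelto, mount and unmount interfaces also omit the `class` keyword that `files_unmount_root_fs_depend` in the next hunk uses (`class filesystem unmount;`); whichever form the requires template accepts, the four should agree.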
@@ -28,8 +28,8 @@ filesystem_noxattr_associate(etc_t) # generated during initialization. # type etc_runtime_t, file_type; -filesystem_associate(etc_runtime_t) -filesystem_noxattr_associate(etc_runtime_t) +fs_associate(etc_runtime_t) +fs_noxattr_associate(etc_runtime_t) # # file_t is the default type of a file that has not yet been @@ -37,9 +37,9 @@ filesystem_noxattr_associate(etc_runtime_t) # that supports EAs). # type file_t, file_type, mountpoint; -filesystem_associate(file_t) -filesystem_noxattr_associate(file_t) -kernel_make_root_filesystem_mountpoint(file_t) +fs_associate(file_t) +fs_noxattr_associate(file_t) +kernel_make_root_fs_mountpoint(file_t) sid file context_template(system_u:object_r:file_t,s0) # 
@@ -47,98 +47,98 @@ sid file context_template(system_u:object_r:file_t,s0) # are created # type home_root_t, file_type, mountpoint; -filesystem_associate(home_root_t) -filesystem_noxattr_associate(home_root_t) +fs_associate(home_root_t) +fs_noxattr_associate(home_root_t) # # lost_found_t is the type for the lost+found directories. # type lost_found_t, file_type; -filesystem_associate(lost_found_t) -filesystem_noxattr_associate(lost_found_t) +fs_associate(lost_found_t) +fs_noxattr_associate(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t, file_type, mountpoint; -filesystem_associate(mnt_t) -filesystem_noxattr_associate(mnt_t) +fs_associate(mnt_t) +fs_noxattr_associate(mnt_t) type no_access_t, file_type; -filesystem_associate(no_access_t) -filesystem_noxattr_associate(no_access_t) +fs_associate(no_access_t) +fs_noxattr_associate(no_access_t) type poly_t, file_type; -filesystem_associate(poly_t) -filesystem_noxattr_associate(poly_t) +fs_associate(poly_t) +fs_noxattr_associate(poly_t) type readable_t, file_type; -filesystem_associate(readable_t) -filesystem_noxattr_associate(readable_t) +fs_associate(readable_t) +fs_noxattr_associate(readable_t) # # root_t is the type for rootfs and the root directory. # type root_t, file_type, mountpoint; -filesystem_associate(root_t) -filesystem_noxattr_associate(root_t) +fs_associate(root_t) +fs_noxattr_associate(root_t) kernel_read_directory_from(root_t) -kernel_make_root_filesystem_mountpoint(root_t) +kernel_make_root_fs_mountpoint(root_t) genfscon rootfs / context_template(system_u:object_r:root_t,s0) # # src_t is the type of files in the system src directories. 
# type src_t, file_type; -filesystem_associate(src_t) -filesystem_noxattr_associate(src_t) +fs_associate(src_t) +fs_noxattr_associate(src_t) # # tmp_t is the type of the temporary directories # type tmp_t, file_type, tmpfile, mountpoint; -filesystem_associate(tmp_t) -filesystem_noxattr_associate(tmp_t) +fs_associate(tmp_t) +fs_noxattr_associate(tmp_t) # # usr_t is the type for /usr. # type usr_t, file_type, mountpoint; -filesystem_associate(usr_t) -filesystem_noxattr_associate(usr_t) +fs_associate(usr_t) +fs_noxattr_associate(usr_t) # # var_t is the type of /var # type var_t, file_type, mountpoint; -filesystem_associate(var_t) -filesystem_noxattr_associate(var_t) +fs_associate(var_t) +fs_noxattr_associate(var_t) # # var_lib_t is the type of /var/lib # type var_lib_t, file_type; -filesystem_associate(var_lib_t) -filesystem_noxattr_associate(var_lib_t) +fs_associate(var_lib_t) +fs_noxattr_associate(var_lib_t) # # var_lock_t is tye type of /var/lock # type var_lock_t, file_type, lockfile; -filesystem_associate(var_lock_t) -filesystem_noxattr_associate(var_lock_t) +fs_associate(var_lock_t) +fs_noxattr_associate(var_lock_t) # # var_run_t is the type of /var/run, usually # used for pid and other runtime files. # type var_run_t, file_type, pidfile; -filesystem_associate(var_run_t) -filesystem_noxattr_associate(var_run_t) +fs_associate(var_run_t) +fs_noxattr_associate(var_run_t) # # var_spool_t is the type of /var/spool # type var_spool_t, file_type; -filesystem_associate(var_spool_t) -filesystem_noxattr_associate(var_spool_t) +fs_associate(var_spool_t) +fs_noxattr_associate(var_spool_t) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 6c9c9de5..9835db48 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te 
@@ -45,7 +45,7 @@ allow getty_t getty_log_t:file { getattr append setattr }; kernel_read_hardware_state(getty_t) # for error condition handling -filesystem_get_persistent_filesystem_attributes(getty_t) +fs_get_persistent_fs_attributes(getty_t) # Chown, chmod, read and write ttys. terminal_use_all_private_physical_terminals(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 178c4b62..e788ec5f 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -31,7 +31,7 @@ kernel_ignore_use_file_descriptors(hostname_t) files_read_general_system_config(hostname_t) files_ignore_search_system_state_data_directory(hostname_t) -filesystem_get_persistent_filesystem_attributes(hostname_t) +fs_get_persistent_fs_attributes(hostname_t) terminal_ignore_use_console(hostname_t) terminal_use_all_private_physical_terminals(hostname_t) @@ -55,7 +55,7 @@ miscfiles_read_localization(hostname_t) userdomain_use_all_users_file_descriptors(hostname_t) ifdef(`distro_redhat', ` - filesystem_use_tmpfs_character_devices(hostname_t) + fs_use_tmpfs_character_devices(hostname_t) ') ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 020d664e..9e659fd4 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -61,7 +61,7 @@ corenetwork_bind_tcp_on_all_nodes(hotplug_t) # for SSP devices_get_pseudorandom_data(hotplug_t) -filesystem_get_all_filesystems_attributes(hotplug_t) +fs_get_all_fs_attributes(hotplug_t) storage_set_fixed_disk_attributes(hotplug_t) storage_set_removable_device_attributes(hotplug_t) 
@@ -112,7 +112,7 @@ ifdef(`distro_redhat', ` optional_policy(`netutils.te', ` # for arping used for static IP addresses on PCMCIA ethernet netutils_transition(hotplug_t) - filesystem_use_tmpfs_character_devices(hotplug_t) + fs_use_tmpfs_character_devices(hotplug_t) ') files_get_system_lock_file_attributes(hotplug_t) ') diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 65bb7c96..3837c97b 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -42,8 +42,8 @@ type initrc_exec_t; domain_make_entrypoint_file(initrc_t,initrc_exec_t) type initrc_devpts_t; -filesystem_associate(initrc_devpts_t) -filesystem_noxattr_associate(initrc_devpts_t) +fs_associate(initrc_devpts_t) +fs_noxattr_associate(initrc_devpts_t) terminal_make_pseudoterminal(initrc_devpts_t) type initrc_var_run_t; @@ -79,7 +79,7 @@ allow init_t init_var_run_t:file { create getattr read append write setattr unli files_create_daemon_runtime_data(init_t,init_var_run_t) allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink }; -filesystem_tmpfs_associate(initctl_t) +fs_tmpfs_associate(initctl_t) devices_create_dev_entry(init_t,initctl_t,fifo_file) # Modify utmp. @@ -140,8 +140,8 @@ selinux_read_config(init_t) miscfiles_read_localization(init_t) ifdef(`distro_redhat',` - filesystem_use_tmpfs_character_devices(init_t) - filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file) + fs_use_tmpfs_character_devices(init_t) + fs_create_private_tmpfs_data(init_t,initctl_t,fifo_file) ') optional_policy(`authlogin.te',` 
@@ -228,12 +228,12 @@ devices_remove_lvm_control_channel(initrc_t) # Wants to remove udev.tbl: devices_remove_dev_symbolic_links(initrc_t) -filesystem_register_binary_executable_type(initrc_t) +fs_register_binary_executable_type(initrc_t) # cjp: not sure why these are here; should use mount policy -filesystem_mount_all_filesystems(initrc_t) -filesystem_unmount_all_filesystems(initrc_t) -filesystem_remount_all_filesystems(initrc_t) -filesystem_get_all_filesystems_attributes(initrc_t) +fs_mount_all_fs(initrc_t) +fs_unmount_all_fs(initrc_t) +fs_remount_all_fs(initrc_t) +fs_get_all_fs_attributes(initrc_t) storage_get_fixed_disk_attributes(initrc_t) storage_set_fixed_disk_attributes(initrc_t) @@ -308,7 +308,7 @@ userdomain_read_all_users_data(initrc_t) userdomain_use_admin_terminals(initrc_t) ifdef(`distro_debian', ` - filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir) + fs_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir) ') ifdef(`distro_redhat',` @@ -336,7 +336,7 @@ ifdef(`distro_redhat',` storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) - filesystem_use_tmpfs_character_devices(initrc_t) + fs_use_tmpfs_character_devices(initrc_t) files_create_boot_flag(initrc_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 9949f0f0..17fbd3f6 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -44,7 +44,7 @@ kernel_read_kernel_sysctl(iptables_t) kernel_read_modprobe_sysctl(iptables_t) kernel_use_file_descriptors(iptables_t) -filesystem_get_persistent_filesystem_attributes(iptables_t) +fs_get_persistent_fs_attributes(iptables_t) terminal_ignore_use_console(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index bb73e2c2..004d929b 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te 
@@ -60,7 +60,7 @@ allow ldconfig_t { shlib_t texrel_shlib_t }:file { getattr read execute }; kernel_read_system_state(ldconfig_t) -filesystem_get_persistent_filesystem_attributes(ldconfig_t) +fs_get_persistent_fs_attributes(ldconfig_t) domain_use_widely_inheritable_file_descriptors(ldconfig_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index b5b127fe..7b24ef81 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -153,7 +153,7 @@ ifdef(`crack.te', ` allow local_login_t mouse_device_t:chr_file { getattr setattr }; -tunable_policy(`targeted_policy',` +ifdef(`targeted_policy',` unconfined_domain(local_login_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) ') diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index beb0e0da..78160b17 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -61,7 +61,7 @@ files_create_daemon_runtime_data(auditd_t,auditd_var_run_t) kernel_read_kernel_sysctl(auditd_t) kernel_read_hardware_state(auditd_t) -filesystem_get_all_filesystems_attributes(auditd_t) +fs_get_all_fs_attributes(auditd_t) terminal_ignore_use_console(auditd_t) @@ -79,7 +79,7 @@ libraries_use_shared_libraries(auditd_t) miscfiles_read_localization(auditd_t) -tunable_policy(`targeted_policy', ` +ifdef(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(auditd_t) terminal_ignore_use_general_pseudoterminal(auditd_t) files_ignore_read_rootfs_file(auditd_t) @@ -132,7 +132,7 @@ bootloader_read_kernel_symbol_table(klogd_t) devices_raw_read_memory(klogd_t) -filesystem_get_all_filesystems_attributes(klogd_t) +fs_get_all_fs_attributes(klogd_t) files_create_daemon_runtime_data(klogd_t,klogd_var_run_t) files_read_runtime_system_config(klogd_t) 
@@ -208,7 +208,7 @@ corenetwork_sendrecv_udp_on_all_ports(syslogd_t) corenetwork_bind_udp_on_all_nodes(syslogd_t) corenetwork_bind_udp_on_syslogd_port(syslogd_t) -filesystem_get_all_filesystems_attributes(syslogd_t) +fs_get_all_fs_attributes(syslogd_t) init_use_file_descriptors(syslogd_t) init_script_use_pseudoterminal(syslogd_t) @@ -243,7 +243,7 @@ ifdef(`klogd.te', `', ` kernel_change_ring_buffer_level(syslogd_t) ') -tunable_policy(`targeted_policy', ` +ifdef(`targeted_policy', ` terminal_ignore_use_general_physical_terminal(syslogd_t) terminal_ignore_use_general_pseudoterminal(syslogd_t) files_ignore_read_rootfs_file(syslogd_t) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index a58388f1..e070a820 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -99,7 +99,7 @@ devices_ignore_get_generic_block_device_attributes(lvm_t) devices_ignore_get_generic_pipe_attributes(lvm_t) terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t) -filesystem_get_persistent_filesystem_attributes(lvm_t) +fs_get_persistent_fs_attributes(lvm_t) # LVM creates block devices in /dev/mapper or /dev/ # depending on its version diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 1c63c5bc..7d16483e 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -66,7 +66,7 @@ devices_write_mtrr(insmod_t) devices_get_pseudorandom_data(insmod_t) devices_direct_agp_access(insmod_t) -filesystem_get_persistent_filesystem_attributes(insmod_t) +fs_get_persistent_fs_attributes(insmod_t) corecommands_execute_general_programs(insmod_t) corecommands_execute_system_programs(insmod_t) 
@@ -131,7 +131,7 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t) kernel_read_system_state(depmod_t) -filesystem_get_persistent_filesystem_attributes(depmod_t) +fs_get_persistent_fs_attributes(depmod_t) terminal_use_console(depmod_t) @@ -194,7 +194,7 @@ kernel_read_system_state(update_modules_t) devices_get_pseudorandom_data(update_modules_t) -filesystem_get_persistent_filesystem_attributes(update_modules_t) +fs_get_persistent_fs_attributes(update_modules_t) terminal_use_console(update_modules_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 13d3ab25..80813666 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -31,11 +31,11 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) -filesystem_get_persistent_filesystem_attributes(mount_t) -filesystem_mount_all_filesystems(mount_t) -filesystem_unmount_all_filesystems(mount_t) -filesystem_remount_all_filesystems(mount_t) -filesystem_relabelfrom_persistent_filesystem(mount_t) +fs_get_persistent_fs_attributes(mount_t) +fs_mount_all_fs(mount_t) +fs_unmount_all_fs(mount_t) +fs_remount_all_fs(mount_t) +fs_relabelfrom_persistent_fs(mount_t) terminal_use_console(mount_t) 
@@ -50,11 +50,11 @@ files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) files_read_general_system_config(mount_t) files_manage_runtime_system_config(mount_t) files_mount_on_all_mountpoints(mount_t) -files_unmount_root_filesystem(mount_t) +files_unmount_root_fs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_filesystems(mount_t) -files_mount_all_file_type_filesystems(mount_t) -files_mount_all_file_type_filesystems(mount_t) +files_relabelto_all_file_type_fs(mount_t) +files_mount_all_file_type_fs(mount_t) +files_mount_all_file_type_fs(mount_t) init_use_file_descriptors(mount_t) init_script_use_pseudoterminal(mount_t) @@ -69,13 +69,13 @@ miscfiles_read_localization(mount_t) userdomain_use_all_users_file_descriptors(mount_t) ifdef(`distro_redhat',` - filesystem_use_tmpfs_character_devices(mount_t) + fs_use_tmpfs_character_devices(mount_t) allow mount_t tmpfs_t:dir mounton; optional_policy(`authlogin.te',` authlogin_pam_console_read_runtime_data(mount_t) # mount config by default sets fscontext=removable_t - filesystem_relabelfrom_dos_filesystem(mount_t) + fs_relabelfrom_dos_fs(mount_t) ') ') diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 17a0c370..20d4bd67 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te @@ -111,7 +111,7 @@ allow checkpolicy_t policy_src_t:file { getattr read ioctl }; allow checkpolicy_t policy_src_t:lnk_file { getattr read }; allow checkpolicy_t selinux_config_t:dir search; -filesystem_get_persistent_filesystem_attributes(checkpolicy_t) +fs_get_persistent_fs_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) 
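Review bot: `files_mount_all_file_type_fs(mount_t)` is called twice in this hunk, carried over from the duplicated `files_mount_all_file_type_filesystems(mount_t)` on the old side. Given that mount_t already receives `fs_unmount_all_fs` in the preceding hunk and files.if defines a `files_unmount_all_file_type_fs` interface, the second call is probably meant to be `files_unmount_all_file_type_fs(mount_t)`; if it is not, the duplicate should simply be dropped. The existing comment above these lines already flags them as overly broad, so a rename pass is a good moment to resolve which interface was intended.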
@@ -153,7 +153,7 @@ kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) kernel_set_selinux_boolean(load_policy_t) -filesystem_get_persistent_filesystem_attributes(load_policy_t) +fs_get_persistent_fs_attributes(load_policy_t) terminal_use_console(load_policy_t) terminal_list_pseudoterminals(load_policy_t) @@ -205,7 +205,7 @@ kernel_compute_selinux_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) -filesystem_get_persistent_filesystem_attributes(newrole_t) +fs_get_persistent_fs_attributes(newrole_t) terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t) @@ -287,7 +287,7 @@ kernel_compute_selinux_create_context(restorecon_t) kernel_compute_selinux_relabel_context(restorecon_t) kernel_compute_selinux_reachable_user_contexts(restorecon_t) -filesystem_get_persistent_filesystem_attributes(restorecon_t) +fs_get_persistent_fs_attributes(restorecon_t) terminal_use_general_physical_terminal(restorecon_t) @@ -319,10 +319,10 @@ files_read_all_directories(restorecon_t) authlogin_relabel_to_shadow_passwords(restorecon_t) ifdef(`distro_redhat', ` -filesystem_use_tmpfs_character_devices(restorecon_t) -filesystem_use_tmpfs_block_devices(restorecon_t) -filesystem_relabel_tmpfs_block_devices(restorecon_t) -filesystem_relabel_tmpfs_character_devices(restorecon_t) +fs_use_tmpfs_character_devices(restorecon_t) +fs_use_tmpfs_block_devices(restorecon_t) +fs_relabel_tmpfs_block_devices(restorecon_t) +fs_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` @@ -360,7 +360,7 @@ ifdef(`targeted_policy',`',` # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; - filesystem_get_persistent_filesystem_attributes(run_init_t) + fs_get_persistent_fs_attributes(run_init_t) devices_ignore_list_device_nodes(run_init_t) 
@@ -420,7 +420,7 @@ kernel_compute_selinux_create_context(setfiles_t) kernel_compute_selinux_relabel_context(setfiles_t) kernel_compute_selinux_reachable_user_contexts(setfiles_t) -filesystem_get_persistent_filesystem_attributes(setfiles_t) +fs_get_persistent_fs_attributes(setfiles_t) terminal_use_all_private_physical_terminals(setfiles_t) terminal_use_all_private_pseudoterminals(setfiles_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 17a0c370..20d4bd67 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -111,7 +111,7 @@ allow checkpolicy_t policy_src_t:file { getattr read ioctl }; allow checkpolicy_t policy_src_t:lnk_file { getattr read }; allow checkpolicy_t selinux_config_t:dir search; -filesystem_get_persistent_filesystem_attributes(checkpolicy_t) +fs_get_persistent_fs_attributes(checkpolicy_t) terminal_use_console(checkpolicy_t) @@ -153,7 +153,7 @@ kernel_get_selinuxfs_mount_point(load_policy_t) kernel_load_selinux_policy(load_policy_t) kernel_set_selinux_boolean(load_policy_t) -filesystem_get_persistent_filesystem_attributes(load_policy_t) +fs_get_persistent_fs_attributes(load_policy_t) terminal_use_console(load_policy_t) terminal_list_pseudoterminals(load_policy_t) @@ -205,7 +205,7 @@ kernel_compute_selinux_reachable_user_contexts(newrole_t) devices_get_pseudorandom_data(newrole_t) -filesystem_get_persistent_filesystem_attributes(newrole_t) +fs_get_persistent_fs_attributes(newrole_t) terminal_use_all_private_physical_terminals(newrole_t) terminal_use_all_private_pseudoterminals(newrole_t) 
@@ -287,7 +287,7 @@ kernel_compute_selinux_create_context(restorecon_t) kernel_compute_selinux_relabel_context(restorecon_t) kernel_compute_selinux_reachable_user_contexts(restorecon_t) -filesystem_get_persistent_filesystem_attributes(restorecon_t) +fs_get_persistent_fs_attributes(restorecon_t) terminal_use_general_physical_terminal(restorecon_t) @@ -319,10 +319,10 @@ files_read_all_directories(restorecon_t) authlogin_relabel_to_shadow_passwords(restorecon_t) ifdef(`distro_redhat', ` -filesystem_use_tmpfs_character_devices(restorecon_t) -filesystem_use_tmpfs_block_devices(restorecon_t) -filesystem_relabel_tmpfs_block_devices(restorecon_t) -filesystem_relabel_tmpfs_character_devices(restorecon_t) +fs_use_tmpfs_character_devices(restorecon_t) +fs_use_tmpfs_block_devices(restorecon_t) +fs_relabel_tmpfs_block_devices(restorecon_t) +fs_relabel_tmpfs_character_devices(restorecon_t) ') ifdef(`TODO',` @@ -360,7 +360,7 @@ ifdef(`targeted_policy',`',` # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; - filesystem_get_persistent_filesystem_attributes(run_init_t) + fs_get_persistent_fs_attributes(run_init_t) devices_ignore_list_device_nodes(run_init_t) @@ -420,7 +420,7 @@ kernel_compute_selinux_create_context(setfiles_t) kernel_compute_selinux_relabel_context(setfiles_t) kernel_compute_selinux_reachable_user_contexts(setfiles_t) -filesystem_get_persistent_filesystem_attributes(setfiles_t) +fs_get_persistent_fs_attributes(setfiles_t) terminal_use_all_private_physical_terminals(setfiles_t) terminal_use_all_private_pseudoterminals(setfiles_t) diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index f7ad7bd8..af58a12a 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te 
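Review bot: The selinuxutil.te file section repeats the selinux.te section verbatim, including the `index 17a0c370..20d4bd67` line and every hunk, so the patch presents the same blob pair under two paths. A diff does not normally do that; this looks like a copy taken while the module is being renamed, and if selinuxutil.te is the intended new name the selinux.te section should be dropped (or expressed as a rename) so the two files cannot diverge. If both modules are meant to coexist, the duplicated declarations of checkpolicy_t, load_policy_t, newrole_t, restorecon_t, run_init_t and setfiles_t would presumably collide when the modules are built together.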
@@ -107,7 +107,7 @@ corenetwork_bind_udp_on_dhcpc_port(dhcpc_t) # for SSP devices_get_pseudorandom_data(dhcpc_t) -filesystem_get_all_filesystems_attributes(dhcpc_t) +fs_get_all_fs_attributes(dhcpc_t) terminal_ignore_use_console(dhcpc_t) terminal_ignore_use_all_private_physical_terminals(dhcpc_t) @@ -268,7 +268,7 @@ kernel_read_network_state(ifconfig_t) kernel_ignore_search_sysctl_dir(ifconfig_t) kernel_ignore_search_network_sysctl_dir(ifconfig_t) -filesystem_get_persistent_filesystem_attributes(ifconfig_t) +fs_get_persistent_fs_attributes(ifconfig_t) terminal_ignore_use_all_private_physical_terminals(ifconfig_t) terminal_ignore_use_all_private_pseudoterminals(ifconfig_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 40e2b347..6ce9680e 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -79,7 +79,7 @@ kernel_compute_selinux_reachable_user_contexts(udev_t) devices_manage_device_nodes(udev_t) -filesystem_get_all_filesystems_attributes(udev_t) +fs_get_all_fs_attributes(udev_t) corecommands_execute_general_programs(udev_t) corecommands_execute_system_programs(udev_t) @@ -114,8 +114,8 @@ selinux_restorecon_transition(udev_t) sysnetwork_ifconfig_transition(udev_t) ifdef(`distro_redhat',` - filesystem_manage_tmpfs_block_devices(udev_t) - filesystem_manage_tmpfs_character_devices(udev_t) + fs_manage_tmpfs_block_devices(udev_t) + fs_manage_tmpfs_character_devices(udev_t) # for arping used for static IP addresses on PCMCIA ethernet netutils_transition(udev_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 549520a4..5434eb7f 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -88,7 +88,7 @@ define(`base_user_domain',`
 allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
 allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow $1_t $1_tty_device_t:chr_file { setattr getattr read write append ioctl lock };
@@ -136,8 +136,8 @@ define(`base_user_domain',`
 devices_get_direct_rendering_interface_attributes($1_t)
 devices_ignore_use_direct_rendering_interface($1_t)
- filesystem_get_all_filesystems_quotas($1_t)
- filesystem_get_all_filesystems_attributes($1_t)
+ fs_get_all_fs_quotas($1_t)
+ fs_get_all_fs_attributes($1_t)
 # for eject
 storage_get_fixed_disk_attributes($1_t)
@@ -180,21 +180,21 @@ define(`base_user_domain',`
 }
 if (use_nfs_home_dirs) {
- filesystem_manage_nfs_directories($1_t)
- filesystem_manage_nfs_files($1_t)
- filesystem_manage_nfs_symbolic_links($1_t)
- filesystem_manage_nfs_named_sockets($1_t)
- filesystem_manage_nfs_named_pipes($1_t)
- filesystem_execute_nfs_files($1_t)
+ fs_manage_nfs_directories($1_t)
+ fs_manage_nfs_files($1_t)
+ fs_manage_nfs_symbolic_links($1_t)
+ fs_manage_nfs_named_sockets($1_t)
+ fs_manage_nfs_named_pipes($1_t)
+ fs_execute_nfs_files($1_t)
 }
 if (use_samba_home_dirs) {
- filesystem_manage_windows_network_directories($1_t)
- filesystem_manage_windows_network_files($1_t)
- filesystem_manage_windows_network_symbolic_links($1_t)
- filesystem_manage_windows_network_named_sockets($1_t)
- filesystem_manage_windows_network_named_pipes($1_t)
- filesystem_execute_windows_network_files($1_t)
+ fs_manage_windows_network_directories($1_t)
+ fs_manage_windows_network_files($1_t)
+ fs_manage_windows_network_symbolic_links($1_t)
+ fs_manage_windows_network_named_sockets($1_t)
+ fs_manage_windows_network_named_pipes($1_t)
+ fs_execute_windows_network_files($1_t)
 }
 if (user_direct_mouse) {
@@ -686,8 +686,8 @@ define(`admin_domain_template',`
 devices_get_all_block_device_attributes($1_t)
 devices_get_all_character_device_attributes($1_t)
- filesystem_get_all_filesystems_attributes($1_t)
- filesystem_set_all_filesystems_quotas($1_t)
+ fs_get_all_fs_attributes($1_t)
+ fs_set_all_fs_quotas($1_t)
 storage_raw_read_removable_device($1_t)
 storage_raw_write_removable_device($1_t)
@@ -875,6 +875,29 @@ define(`userdomain_use_admin_terminals_depend',`
 class chr_file { getattr read write ioctl };
 ')
+########################################
+##
+##
+## Do not audit attempts to use admin ttys and ptys.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`userdomain_dontaudit_use_admin_terminals',`
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 admin_terminal:chr_file { read write };
+')
+
+define(`userdomain_dontaudit_use_admin_terminals_depend',`
+ attribute admin_terminal;
+
+ class chr_file { read write };
+')
+
 ########################################
 ##
 ##
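Review bot: The new `userdomain_dontaudit_use_admin_terminals` silences only `admin_terminal:chr_file { read write }`, while the sibling `userdomain_use_admin_terminals_depend` shown in the context lines declares `{ getattr read write ioctl }`; a caller that probes an admin tty with getattr or ioctl will still produce AVC denials, so either widen the dontaudit set to match or state in the summary that only read/write are covered. Because a dontaudit removes these denials from the audit log, the interface summary should say that it hides rather than grants access, e.g. `## Do not audit attempts to use admin ttys and ptys (read/write denials are silenced, not allowed; see userdomain_use_admin_terminals).` The `_depend` block correctly mirrors the permissions used in the rule, so if the set is widened both definitions need the same change.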