From 9930e8f125cb4cc849fdca19cf886313091e0833 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 15 Feb 2017 15:41:56 +0100
Subject: [PATCH] * Wed Feb 15 2017 Lukas Vrabec -
3.13.1-240 - Dontaudit xdm_t wake_alarm capability2 - Allow systemd_initctl_t
to create and connect unix_dgram sockets - Allow ifconfig_t to mount/unmount
nsfs_t filesystem - Add interfaces allowing mount/unmount nsfs_t filesystem -
Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
---
container-selinux.tgz | Bin 5821 -> 5822 bytes
policy-rawhide-base.patch | 5954 +++++++++++--------------------------
selinux-policy.spec | 9 +-
3 files changed, 1735 insertions(+), 4228 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 4430a42e6ba8fe55bf7a3c6e25b703d05d4ce73e..c34b7711933d016ac8f6bc7d797f57973a6c12a5 100644
GIT binary patch
delta 5759
zcmV-_7J%u!Exs)uABzY8-e;s(00Zq^ZI9eGlFrxZUmdDTIE5alU+xnfzbmAu}MMNkH*mjx;L(+f`Z;?IK;
zer7McAW8B^5_whbRb`OT7#pPny=JKJeG_LDDR)6gE`Dojy!L6fI?rFlqz1Ag_vk}EBClu^9A+-%Omyd-~N8u^q2Wq9zn
zadz?To6F6atdL&>71SG_nv2uDsV+BIz=B;Vkd-do_ulYcbMM--NnLwp>e^lbWu6cX
z{9oa510IASp>zxtk;0(39vwdLIcemyy)R$M{^q@p1w+4=@fN$_+gm*bLY!i*0+YVl
ziHZY$3agv>Xq|0gkTHKs>nuBRLj8@EsjxeVw_XI*539V437x=c>%4Io+IkiXra-k^
z82k{FNZRt2mG6D~Mn`i8?eqjbeDw=brW7*n;)GCHu%Ko=vasm-+E~p7)aPWhVSqRJ
zj^y}XNf7ne&ARrBGrEL|u@NT<3`8C)GvWgR
z^B=jmpHL1SH&6_cZ3fFVO#hD{3-C~T{hvT$f>g@4zXQK1ZZHC+E1;B4cRXX3$GAFp0T9*|aJY&?kF~zt
zJb<`ExDP--ZO
zy&IObC8D@!N_qJI3okE_|3UJn7gbrCnuw&mVz(sD_D+Ar>Zgd5an2SR?F6xzQY
z?JfL!3;(`fRzLgY-+%r}Rt~1c6mc|d-GIHYLEr!souCjiAnn7&w|$h94~y6!7cx{C
z_TA64B57D9Q%y+ycXbw5jQwp#aqLJaTCyPCTQQQCB*{@(2TsK>p4b~tB$-)s>n`Wu
z1qhbM2y1`BaWwl;r6zay;WZ73>dMHF0#!EvdDWZ
zW1WJXk`z|1FF&atfk){qBc!G$8XD+_)Z^Ha_Y=6;XQt=%xY?bSMfE&&3HN&VMs|7=
z?Ts~s!B#yp@rZMw%Tzf-daRAeLs2o~KE6ao;irFwzmo7SJd{44Adf!OVi_i5;@ib`
zgUDB3h1vLxWYrW_V;YuZVL8h%iS6w|jpawas3rD-dp9V{zk#CJL*l#s1WEF}C9AR)
z8Ym8VO8R3!EQ(^$m6m?P(ugFlycf;8E6DfaayCwshxhYADCG7BHNvNJ&_LB!abAZ>
z4BdY_ABneZftt+X4admCd7SOlfC>y4etXcD*)TMrupufDlBcj!yd3_vDhOrQP=%Q|
z14c|n&~)cajMoW>JF1Q>NBv)8$ZJRcF5X{}>|sgNLryEYG$7lrEr?kXnkNre$bm&*
zc~4PL1h)ATS*H0M6P4Np;d0nNB*F9Yh_`6Rxk2}8JN1=*L)goCCvC!B$E7ku`?U_dzy0!4TL=0zkG>*w9)W*I
zi+UM+xY}j-W47h;p{`6p;Vq}VEj$CiLk`LMa5_&^tICh;9oUyh>tI>mUyvrW7n|Fr07SPl6FZSB!T%B<=0|;A-
z_YpSfC2+%|@jeR@K4HC2AEp^(pfG>7I_U{z#q6F98-n7#FwTjw{K6vH%a2@k0N|a0
zxurJWot=Sx_W3h*)Q3$VmzAW4gYZK4CPy*>_Yi
z1LHQYvxu?@gWl9-WEpn|H}FTq<+fFv<%3XLIHZE*>v**jR>2^9*1(H3gYyDZPFT>&
z=OTyZa!oa+%LcYD9DCkYcW!@Nv`zKnbli#8mc)BQsTMc7b>muFF!{I%?H%USh72mz
z>AkifX=BQIb#X(|hFG;o{nrhW9jb})(IVknOO=M95Q^3~u#)y;84PUi#sc)1-n_Kb
zs_VfvDXsdvs-sQGDj(ZQ9j+ZFdyWl7zxB55&5w^zXKql`f8@T3RxE!`YKI$e#boiN
z*Jx}zpL$ro5u1dR<%XRgqhWme(ud^!AE(wsSCLbdVL$)*?&ju);rY+ockB7j&yn~>
z-B0tVPRK(6Oa$M!39yYVG<)EG!&5+g^0Nz7`Xt&c#j7H
zLakJz3<9P#N%J8y@+E(X_xGQE@rt~xn$V0wh$D`UGN!7tV5_#F(bz$Yd*$tdgp$i%
zl|+rWvM0PtssR{EPenZNzRc^wyAaljOCby$Y9ZEY4$#)aq~Jnx;{X*%w%CA-wCZDB
zYN?~KK&>bsX`cC9n?vK?IGxqMo0fA?WM4-Y}MXKzzx;n9D=HJMNmb2!9FMU}ZvfRsr*z?D#ESGC;wOKI`9STz=;t5eN~>)bxivELdWzqy
z=~|1g)~embl$L*Pj+n^!l#6~Y9onFR!aCj$y13|Nvdr+b7|e2f)btGe=plBpT9MIL
zHo)dS#0DLHn(>iVKdRV(8;&adDAk+Bd#HW8NEdu)r7@P#Cmj~0Sg^aLbbKVz6x}?$
z&>{@sWq4i}yN&MSk$Tnh#W2edOgQViSWN&LXF{4om$84H^~E5ghS9Kc4%o|{eb}H0
zG9wlHebLV{b^UMGahOp-;&JT)UU7qgZn>i*+1-Uf5p3fmuAaS*UUS%y6C3`z&ZoMrN;IyU%$s$|M{s32-f?H%Zo*cRY<{*<5
zUO*vt43!7f!fLA4D?l6VvAGdtO@`nM*I3=@tz&<|hNtmnBaVg|IU?&~k7hJoY7u&0
z@|>QrBXTHGh3+kG0eg{`Gn>p69i8WSPIJv@Jypx8trG1cww1-Xd7qkS)p?EGYaYyP
zsugSUBr)OXgL&P+6vj2-QlBoJq#;ANlarC36NF{80!*yIMtl~03v(s7v`2&~ADd3k>YWdD{I
zWLGE2GukGA18M%i3>TUANW4P;KLT${kO3aelNvX>kn2AM0p^KvX1d+w*beC2SKLSR
znAb@p3di3mXkxIwgmp;(!0O-R3uxLus|=ZUa4-_g~Pg+jo&7K
zh7avnoi}|uyB_0UMS3*w22kLxIIsu(TTvB5R*yS#BCcY!)WTEGXJ6Z5K;x^}8mj<3J1;=n*Bw^=5
zz=@kc-I+`GDle$Oj@=eAcl0`8PE~&*9f9W!GY8;V!_0=;bVKw9Qp$MiqR8`?vgv=7=X<8)Y$!8rro|id>rgBi5X`F+d
zY>w=}JQD{+lVzj`Aw=2G58Hpx2Lm-HZfA_}K=Mh0alw;wjTXi{mw7Zsj2m{|2p0Ba
z#TAr%mrbA3B+l;5wBmS1V4Au>(rJ*Xg0#v@Tn5YF(Ps|TC(x&(nBE)cnM)6aSw`t&
zT!jZcoj9b`=PfArQT}Lv7WZn&s98M~Bf|H!sYUI{K^$kS_>}Gq)E$3fSQpR?57efe
zL`*|vWHRS|{J()YuxrCiB<&^jhCU#56^qp*BD#lBa)=pW(*P&?yliQ4soQGbrN-JtWmWj_{*kF&?C<@#ixYQ6czk
zo97k#0$QE?D$XH;VmB$ILzE#tu$x%Xq6$n^8k}t&D*y%?3OOG{V-xk@aUG34@5Dij
zMkB~vPrI@o+@S?@#p5Dm0YDaf679=2_T-~3;=@B(#CMg`qgj7GS|U-rP~Jr_(m96h
zaBJ_KmUU<^cC{R;;g~|@Zr2ni4Smnm{fD>!k(TZ95q18Ln$XH;H#_!2!8P=vJ$?$a
z1lCadhC&kCw+k9#>uzNO+bwmWH|!}CB7j5xfob;vluSz3APxBvq2
z7D+1HfVQ?Y79anKO$TekTVl2cS!A2S{^-P^hUu7WjeCC(W?{lTMYDCs1B_bQhP0^C
zCku(3|A1s{G$Rzv9w(IDU1zxZg?J^mUm5GU!Q}%~^j5Wm<%hyUv!2dEuKCV}jlL$*
z+O!8~vy_$J{E`&ua$hc5bRL(8|Cw!;mYT#eZZA6Si6Z4TZQZ9$gSYct6JlBs#j
z^HQhx?~8wSe8G1-raNWZ5N&HJ&7t^}U*&1o6Y*m-jO-9tiTE(!H>=>)GB|t;ZL;1^
z(-ejwX|YKM(9x$scmO(6j+dsAcX3G`VWdQ(4Si{3D(VHZHgR>M&6xJ3ri>ZeAZKVU
zF`g~E+?=a~ZEV`4q8{S18sF=4GRqE}y?2@TI!b?E919#PThiI)A*Ys(9anleYdaa(
zAT;DU_jY-SyKMo`-a6z{-a>PeUNz_Dnrj|9c|@P<_CR;L2rrZTAe$-H4Yk^)p~5nN
zTnW&kAn5TlM$FEa>sx8rBWfzFIo!cRlFmBBZCsLui*d>Uq*~n-Z(%f{QpM!2C3L}TcQD5a9wNgxg7Bauyc7-FCSC?ZVR9>#x3Qdzd
zk@f5gCyS$8srbBOc>GGQk+XQ>2=t6YW@^rfC(IgimH|$&|27ByI!COG>$$v9Yb1bV
z{8}*EyU|#Zh2X8x9}AUX3j{f~2zyM33;K9mh~a*=5&3@Xg>A#XD!E{RuHh5SSnq$u
zkZ5eD4XMqM*$^qtK6zeE3+Cn+Y{)#K-zlM
z`rb0t;|5xCX?WH1*V%k|y_K!;Iika}U#;-~8O5-Q%PBLe_6+z4G_t?wJY$Pv->4>>
zJz36O8NHi(OsN_G
zgFkqv%O}TL3VCm_>f>hH{6a3M6_oy1$*n_hFA>#Oh1UcYumlN(d<_aqQi2P*z9E`$`k(9n{*Hf}oR(#!_#29g)mWg0+<>z*Y?eRdNu83{(^;YZ^^*=X{zc2B
zMgUa-mzho7nY1_uloFO3V=c5$OvLBB>8o7hD9}kI1HobH)ngtFG#y)&rv&FX(38!C$ESKs}Lmq58Q
zkzXe@4lIxFyCb_-nw{KV1{foprj8>Up165o;vjH9ygdT4#ccVw%rI5@h5yadB^r(*
zd70`V(slDkZ5QF-Q4+{H*#+ha=DbAKPyM53z8-#20bnj-895;F7ZwK+c5$iD13q3j
zfL<_jk#7C1O+7*ptRa{)l{I+0a=%^`aWqLE8G%Df7vRxl@Lr3M+htfN767i~(W#&V
xceo7KG`(Exj!tABzY8BYB}%00Zq^ZI9eGlFrxZUmdfqq5Lm6yI
zXrvo^|9>=X&d3=jS`
z&Mv-vbGbQ_74nOqf_mdqb8)&i)#U~YSg`uX`kah54Dcr3
zksSXk38EgmS=WAXMwd`A)1C)xdM1osXfboalqS&!>8El3#eV(1{=k+`;!fyiTJMtneE
z{v#Ln6UxEk28uzl&0x8P>HiUA!M?wcd>wNvWmP+wY!mRuNH>WwHepUGCAB^HHK_th
zKcY}OO*dM^ehxU*~Eqttn1|O|4tSR}9Nn*|v6y71@(v+fjUO!9%N)1J^
zcf+!_L=+cIDG&dD;pGMLKS=)cqAF`s6Opu6?3TpY-l>0B{S=Wh&e=kvogg-IiZThl
zy@h{o;orMu^|N38{pYV_|>)r8c4S7&j>*xz;($Bu-eB@5!c6(e~`k{p$F;8YCbiM{bel9@%f?s5)Z
zfM9uyuqJ;TN3$PQYI27kUNbV99qC9eQ6Wz(VB)9Dy*Vpjh?P0cfDsGnBHOGWi@e7&
z)+yL2Nnz#s@{{@zc$CgELTY-Vp@Du#J&rATKY^QlW_n(ao84(yRL@hFaIc4NWT!XL
z-dIx@Y}GRpk2n{)OqDaF$J&TI6csb><4a@|erkXCD+%wyL+SGg^5{b?mSHj`zFllL
zh3r1RhWr0
zV8mnuO?S@3c%6W_qw2_V)c-Yxyms{O;{6rL9+pHs&kh68Zg35u
zABIhIwQ(x&fguR@1(kAS6Tq-lPU+cj8+b=)0b)aAK=qp0!5r}`Z
zsF%Tqt6hdaW?L>F>dF)p-g4U8!ZYwY_QDtu;o&yX;ZBd1tt50X<#+Vy}J9)fq=KfUvcA
zA7PVT0yjJw@3SD`6W06mVVXe(3S)n(lb%pk%$(8Bj?F?4|O4
z#Ax_(X=AS+)YU;mY7H#D?B!P$(Z=dKCGM1E=tv8t$w$VMDoBIJ$Hgt^JL-SfSi=*^
zb;$+i?l>yEP(e7>F$moRr``rt7=u6GqdUeMc2D
zFmCfYizu5g=uKTlmT`x01AjzZZd=7!J_xmiLn>Ilj#oQj6%4Xx4ZK)0I4?lugaxg9
zE^=rt*HmM=Y+(DsvFB}d=f;0U+f+YJ$DMd>NxV0dYH_1mH?Fk>laHIw-eFE{$e>c4
z-fIhzHm0ms7dIqrh*gW!f88M2p_(WkEfT)9RB0Frp=gZ*D``KL!NB%zEI^Ox%}YzI
zx*lwk(yGs^I@*-1^0BSd;o4!c=h#s6TW{Om{P+lU<_1OmNA9a=#o~XYcDMmoOcq~y
zjmEa~sfYC&u}Mf-ZrBMj8pgLTeMs*AacVtu6**NI_Vb_bZ*G1Vp8vePUC)1hj>I?W
zews&hLN1!o@XC90b#rwyNn~x#y`M>#fPBCWE{LKHlNb@9p@_UFM9c-j$OS0Idpr;j
zYNZ-w5HPJtnh%+gFG+vAzyI`$SL9{Ygk}^%9C37%F;$%fTeS_1#tvHCD{mJhlw9_z
zBx=N!J>gwa4Zu)(D&m3nWnLHFg|Jp!3SsC_3$a#nfVLhc1s9qd2dF@@#Rg=gRUhk8
zOC5~`YDED_^UUWW|3Xue?cf^E<sopf+L+#r|y5K`Ajj@bA>98opg552p<0Fx#=;q;t
z7GVf4!}Ge>ZFC=x)T^E^hFOMS!dc(NY68$W6Ve>IjO~A{F9sPkjE0qSz+U$3!v;-|
z8L8Osi++}=>wmkB!;A_Nk82n3iW>}c%N-@j?k)_9U>hfK_3VB0!bAR;dG|3a`#bms
zU^_~xIP%i_ERQ^_Ec0ftZ`(L)f|1#SGJutwR6BsgCBVl>6n2@#rw?PbfVEqCFH4eu
zwwIvyawLCK>*(5(3XkA-JzY?hGKtf;VwIvIsuBf$N>cU-`e%6WP`k!8f}x*^pM?8f
zMl$Ohw5%%KhmL4fSS)~2M+1~8+1oL5>us3;r!_4|7TI$42e{f4+#<8_DB*o(ZJ*<`Nh=seGJnrlYusaj5Lm1rNatt`&X`_x3M&TH&m^I&dM
ztyq&Mi3v|1%Y)7j?3&oU`2k+%lj)J`?tIx
zyE;jp(KZ1bNb?6~xX8Rm;vE9`5qMjI4De{4)VSG&T>mKuFi(^-)9o(Dc0lL8;y$9s
zyiOufIQ~vS6NB|7tV;p_RtJ~Zh4K#|{NR6>p;a5DBH6Np1$t@qN_E379M-*T{5AnJ
zd}zn&yy@H7^%!5wo6ZxlCr@uz{O*>|X|ngA4U_&zhK~et9?f)D{9_pJ-UgvdpRy2n
zZtIj~Y?Bi*%Vibm2kqj>RF;nqc6*<#^qp$Cm^w{(+f=n;UUQnWcT7s=*@s!P%yxg>
z%iO`@fH`?^IAAV~H+i<(FkO0B5KmNmTt{(Jm1Q&~{lS%!V7I4OP6>azJihMa)oF@Q
zPEDPz06gflId5s&k~*hdm(#h%E_azT@f|TI3q42N$%4-jw>js!H1K38IEL#Y2|E`8
zPTU0Q&Rn`zc|iqs?6#1(qt^*@suF+c2t03?IRMWZW;Wced&YSf2uR&9Xxh#Ogv&4<
z-jmQ9yN`{WX$|yfweLUvB%C(FGTrsvXxpMVbnbzhBoTp7+zrj*q4aWErOrr&b_Z8-
zb_nB{hE-zNcT3_&M0O$te$enhBDccP`(appgkK)x@>r-?5LWR6Oq9q_zMy}P@Le6T
zn`T5I{0+4+r8P{Tp<}BLc)09R(E~{m3mkF`-2=?Uw1=N%9Qs)v8LFUWp(Kl-q=zP3
zyql3}W?4N?o*^4+73)F_s~M*cMKH~wstU&T7^pdMJ7a_gl200p3!a>7v@qtm%%d@4+_3XTu&^g9
zuAt<*Z2FugadvN}6~{9I)6@l$PJ>Jpq*Y$xGFS$WK69u(fj%9@^xi`v#38LdZ$Y__@<#)-xK~R?&FZNb5x%cYEox5=;y7c)r*v&x`1YQpf>F!
zVj3zVlR5X}{|(H6T^nX1X)mca^Z}`>Sga-y*#&h{@h#1hX@00V`1~+IKU17{k=QEv
z{6Y!?Zv`=172=&0S98L#EK;L6;F7=QE!uBtGCk|pX
z8bRiI+Lis_4lST79v2}C0J7kdXkWImCm(eYA0EmgzN?%b&GLWI5{cr4@-Bjr&M|C<
zTYK-ctV4UTtL0D)#}q1eyQVm4=zFg2Kg0!yv}~7;sPli+gjPPg*|8rAuAvw0@l%*3
zu!h<<6q4A!UCXg3#4EY|%2>}0E+3$xx2h#9KNKFC^>h|;&386z^fi&z
zraeHLrL6qsm%NZzUycktbkSEETE5k^9d6L%YRp#nz-qK=bMUTc3$nCcn@I+cOwD7S
zmpZ+FU$lSY3%=tq-6`9KXj@Zh4#lthDo?|nh##Y2WQV{?#D@XDSp~0_!Qo?Qll6X@
zrZ5aii%mL!jy?^-1JIdryfl@(i%aqdBPAMb=u0D0Q7@RaiK`oJ#bk-qm;~KT4p0SZC&UiKhwWSQ(6Q}YXaGgPX
z#0Y<^X6xFf1AYbHXs(W5V5GEZ_Y!Q**^L9*<2~$%$>W|#)_FkT2%g+oB4lKzu^e7koontD;&AJx*QXs@^Z~qXqx1S
ztY=?1Ssdj`#pfNv<5zl(oW&DIpl2L1Q*%x{Vb++l3~-A5w>j|FIbvm8&*hC;BLO7i
z*MiyJjmDBJ1aFQ0Sf~tJAjq*r*keLm(8uFK4EM8*$oFF}Y#aVn$ps5^4WDSndM|&5
zL}NQ`NNtYHhDdSt$@6MjFgM3wLq6`6Ye;7bys9tl&b^=N611W!dFID#Vtywctj?gu
zqA}V)+xkIDqQSdI9v7-t9-dgW3FEw7ys!xS`r(
z!t&rSF6gYN#%(I)W!&i~7J@Jsmb!o47$0*(p*)nw{4};+glo>`b`R%z!&PMFap2?5
zBHKK1lYCvWvzTf=rvWpvl)+=XM62(`p9QSR16odOHE{^i?MO6!Q^N3xQ&_GeQdjK7
zVLYI=a8BCPX;tYCA$_4Ir!ZQDA=t($=fi
z_m-(1H_(zx!>gXZ&gRSOt!$0Y5gnfWYK;fTD27#BPMJ})XTV3Gk^M#I8Cx9tMm6E=
z$#U+>=-u2SC&M|&Wxu(NKzLI+{FId1C5by<#66vTvB7gTM27nhG?$#nBKsDTPNR`|
zP51`8GSDEllr^ZK|Dd(V4Df&1)gg}9jMfns2Q_4+j?n-3$ZF0<9J>X7G|w$&O4R@u
z{J}$AJ~`G>$a`BQyNjKE4H(M{vptG~z0)!}hBaYndil!xt-Uv2jgv6N!HGS!*^bw7
zNiw#LxioQSKkCaglsg<%SZP-5cub$!ut6z}%-dv3zHx_$$o!=*FI<1q(W&XvtKG@&
zwzS{>dGo`&x8D!$|Gas>-v9YI(ly3MUjKT0U&PT
zp?E{+bxq6bB;MlQ^qS*bUwwD>`n5Bf+?a~LCxNIsQ1N#u7l8)twZ&Ts5cd7A5pF3w
zco!~*)=>S||6Kp~cieyEv@9#d-%wnv#sW3u2Ari~v-}}X>Xf{m&I
z{5q*|V0nDs9ofCo?BxD3z!>2)bsX97#LWv62Z00P?GcbIX3NKAhN;po{BNEv(Qp*W
z%Ty1MuA4tK{Gx_3(=d0CN$`$N`DJusD#gi%W$b@bSU{
z^n#g-bn9WM*M4Z)nLtij`z`}L}bqe=S62pn3v0FN$%_gaM9F2h2x0B|LbP6Zvf
t!xcFOz>3;4K?1M~L{*^uJRB)WzVz;VlYJI74XtUI{t5Vp2Ot2*003;cBR~KE
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 550765cf..6bdaf0c1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11246,7 +11246,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..e06a46c 100644
+index f962f76..d9660e9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13197,7 +13197,34 @@ index f962f76..e06a46c 100644
')
########################################
-@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
+@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',`
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++
++########################################
++##
++## Load kernel module files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_load_kernel_modules',`
++ gen_require(`
++ type modules_object_t;
++ ')
++
++ files_read_kernel_modules($1)
++ allow $1 modules_object_t:system module_load;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -4012,6 +4928,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
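Review bot: The description of `files_load_kernel_modules` ("Load kernel module files.") does not say that the interface grants `allow $1 modules_object_t:system module_load;` on top of the read access it takes from `files_read_kernel_modules($1)`. That permission lets the calling domain load kernel modules from files carrying this label, so the summary should name it, for example `## Read kernel module files and load them into the kernel (system module_load).`. A reviewer of a calling module then sees the privilege without having to open files.if. The grant is keyed to the `modules_object_t` label, so it is only as tight as the labelling of, and write access to, those files.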
@@ -13210,7 +13237,7 @@ index f962f76..e06a46c 100644
')
########################################
-@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,78 +5139,289 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13340,111 +13367,75 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain to not audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ##
--## Read the tmp directory (/tmp).
++##
+## Create files in /etc with the type used for
+## the manageable system config files.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## The type of the process performing this action.
+##
- ##
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
++##
+## Manage manageable system db files in /var/lib.
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Remove entries from the tmp directory.
++##
+## File name transition for system db files in /var/lib.
- ##
- ##
++##
++##
+##
+## Domain allowed access.
+##
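Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in `gen_require`, but their only rule is on `system_conf_t`, which neither of them requires. Both require blocks should read `type system_conf_t;`, in line with `files_etc_filetrans_system_conf` just below, which requires exactly the types it uses. The same mismatch is in the next hunk, where `files_dontaudit_access_check_tmp` requires `type etc_t;` and then writes `dontaudit $1 tmp_t:dir_file_class_set audit_access;`. As written, these interfaces presumably resolve only when the caller already has the type in scope, and they add a dependency on a type they never use. The commit carries these lines over unchanged.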
@@ -13466,322 +13457,173 @@ index f962f76..e06a46c 100644
+## temporary directory (/tmp).
+##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
++##
++##
++#
+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++ gen_require(`
++ type tmp_t;
++ ')
++
+ allow $1 tmp_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
++##
++##
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
++')
++
++########################################
++##
+## Get the attributes of the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- manage_dirs_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Manage temporary files and directories in /tmp.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
++##
++##
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_tmp_symlinks',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_search_tmp',`
gen_require(`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Do not audit attempts to search the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+@@ -4325,6 +5458,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
')
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ dontaudit $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List all tmp directories.
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Do not audit listing of the tmp directory (/tmp).
+@@ -4334,7 +5468,7 @@ interface(`files_list_tmp',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
+@@ -4346,6 +5480,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
--########################################
+#######################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
++##
+## Allow read and write to the tmp directory (/tmp).
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain not to audit.
+##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-- gen_require(`
-- attribute tmpfile;
-- ')
++##
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- dontaudit $1 tmpfile:file getattr;
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
++')
++
########################################
##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ ## Remove entries from the tmp directory.
+@@ -4361,6 +5514,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- allow $1 tmpfile:file getattr;
+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
+@@ -4402,6 +5556,32 @@ interface(`files_manage_generic_tmp_dirs',`
+
########################################
##
--## Relabel to and from all temporary
--## file types.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Read all tmp files.
+## Allow shared library text relocations in tmp files.
- ##
++##
+##
+##
+## Allow shared library text relocations in tmp files.
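Review bot: The parameter description of `files_rw_generic_tmp_dir` says "Domain not to audit." although the interface is an allow rule (`allow $1 tmp_t:dir rw_dir_perms;`), so the interface documentation misstates what a caller receives. It should read `## Domain allowed access.`, as the neighbouring allow interfaces do. `files_rw_tmp_file_leaks`, further down the page, has the same wording ("Domain to not audit.") above `allow $1 tmpfile:file rw_inherited_file_perms;` and needs the same correction. A wrong parameter description on an allow interface makes it easy to read a granted permission as a mere audit suppression when reviewing a calling module.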
@@ -13790,437 +13632,153 @@ index f962f76..e06a46c 100644
+## This is added to support java policy.
+##
+##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_execmod_tmp',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file execmod;
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
+ ##
+ ##
+@@ -4456,6 +5636,42 @@ interface(`files_rw_generic_tmp_sockets',`
+
+ ########################################
+ ##
++## Relabel a dir from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
++## Relabel a file from the type used in /tmp.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelfrom_tmp_files',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
+ ##
+ ##
+@@ -4474,6 +5690,60 @@ interface(`files_setattr_all_tmp_dirs',`
+
+ ########################################
+ ##
++## Allow caller to read inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file { append read_inherited_file_perms };
++')
++
++########################################
++##
++## Allow caller to append inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_append_inherited_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Allow caller to read and write inherited tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_tmp_file',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## List all tmp directories.
+ ##
+ ##
+@@ -4519,7 +5789,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ##
##
##
- ## Domain allowed access.
+-## Domain not to audit.
++## Domain to not audit.
##
##
#
--interface(`files_read_all_tmp_files',`
-+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:file execmod;
- ')
+@@ -4579,7 +5849,7 @@ interface(`files_relabel_all_tmp_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4611,15 +5881,53 @@ interface(`files_read_all_tmp_files',`
########################################
##
-## Create an object in the tmp directories, with a private
-## type using a type transition.
-+## Manage temporary files and directories in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Read and write generic named sockets in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Search the content of /usr.
-+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
-+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
-@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
-+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## Set the attributes of all tmp directories.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ##
--## Add and remove entries from /usr directories.
-+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ##
- ##
- #
--interface(`files_rw_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
-+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
-+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## List all tmp directories.
- ##
- ##
- ##
-@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Relabel to and from all temporary
-+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Read generic files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Execute generic programs in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## dontaudit write of /usr files
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- dontaudit $1 usr_t:file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /usr directory.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
- ')
-
- ########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
- ##
- ##
- ##
-@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
- ##
- ##
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Relabel a file from the type used in /usr.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
##
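Review bot: `files_read_inherited_tmp_files` is named and documented as read-only ("Allow caller to read inherited tmp files.") but its rule is `allow $1 tmpfile:file { append read_inherited_file_perms };`, so every caller also gets append on all files carrying the `tmpfile` attribute. `files_append_inherited_tmp_files`, directly below, already covers append, so the read interface could be reduced to `allow $1 tmpfile:file read_inherited_file_perms;` once its callers have been checked. If the append is intentional, the summary should say so, for example `## Allow caller to read and append to inherited tmp files.`. Separately, `files_rw_inherited_tmp_file` is the only one of the three interfaces named in the singular.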
@@ -14230,109 +13788,53 @@ index f962f76..e06a46c 100644
+## Domain to not audit.
##
##
- #
--interface(`files_relabelfrom_usr_files',`
+-##
++#
+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- relabelfrom_files_pattern($1, usr_t, usr_t)
++ ')
++
+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links in /usr.
++')
++
++########################################
++##
+## Do allow attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
++##
++##
++#
+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- read_lnk_files_pattern($1, usr_t, usr_t)
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /usr directory
++')
++
++########################################
++##
+## Create an object in the tmp directories, with a private
+## type using a type transition.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
##
--## The type of the object to be created
-+## The type of the object to be created.
+ ## The type of the object to be created.
##
- ##
--##
-+##
- ##
--## The object class.
-+## The object class of the object being created.
- ##
- ##
- ##
-@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
- ##
- ##
- #
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type src_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+@@ -4664,6 +5972,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
+ files_list_isid_type_dirs($1)
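Review bot: The documentation of `files_rw_tmp_file_leaks` appears copied from its dontaudit sibling. Its parameter text reads `Domain to not audit.` and its summary reads `Do allow attempts to read or write all leaked tmpfiles files.`, yet the rule is `allow $1 tmpfile:file rw_inherited_file_perms;`. I would change the parameter text to `## Domain allowed access.` and the summary to `## Read and write all inherited (leaked) temporary files.`. The grant covers the whole `tmpfile` attribute rather than a single type, so anyone auditing callers needs the header to say plainly that access is granted and not merely silenced.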
@@ -14346,1335 +13848,73 @@ index f962f76..e06a46c 100644
')
########################################
- ##
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
- ##
- ##
- ##
-@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
- ##
- ##
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
- ')
+@@ -5112,6 +6430,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
--## Read files in /usr/src.
-+## Search the content of /usr.
- ##
- ##
- ##
-@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
- ##
- ##
- ##
-@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
- ')
-
- ########################################
- ##
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
- ##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
- ##
- ##
- #
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ##
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
- ##
- ##
- ##
-@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
- ##
- ##
- #
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
- ##
- ##
- ##
-@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
- ##
- ##
- #
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ##
- ##
- ##
-@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
- ##
- ##
- #
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
- ##
- ##
- ##
-@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
- ##
- ##
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
+## Dontaudit getattr attempts on the system.map file
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaduit_getattr_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
++ gen_require(`
+ type system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
- ##
- ##
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var/lib directory
-+## Search the contents of /var.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
- ##
- ##
- ##
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
- ##
- ##
- #
--interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Read files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Create objects in the /var directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
-+
- ########################################
- ##
--## Delete all lock files.
-+## Relabel dirs in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_relabel_var_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ allow $1 var_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Read all lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
- ##
- ##
- #
--interface(`files_read_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
-+##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Set the attributes of the /var/run directory.
-+## Read-write /var/lib directories
- ##
- ##
- ##
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
-+
- ########################################
- ##
--## Do not audit attempts to search
--## the /var/run directory.
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## Read generic files in /var/lib.
- ##
- ##
- ##
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-+ type var_t, var_lib_t;
+ ')
+
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ dontaudit $1 system_map_t:file getattr;
+')
+
+########################################
+##
-+## Read generic symbolic links in /var/lib
+ ## Read system.map in the /boot directory.
+ ##
+ ##
+@@ -5241,6 +6577,24 @@ interface(`files_list_var',`
+
+ ########################################
+ ##
++## Do not audit listing of the var directory (/var).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
+ ##
+@@ -5328,7 +6682,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5419,6 +6773,24 @@ interface(`files_var_filetrans',`
+ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
++
++########################################
++##
++## Relabel dirs in the /var directory.
+##
+##
+##
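Review bot: The interface name `files_dontaduit_getattr_kernel_symbol_table` transposes two letters of `dontaudit`, so it falls outside the `files_dontaudit_*` prefix used by every sibling in this file. A search for dontaudit interfaces will miss it, which matters because its rule `dontaudit $1 system_map_t:file getattr;` suppresses denial records. Callers are not visible in this hunk, so renaming in place may break them. I would add a correctly spelled `files_dontaudit_getattr_kernel_symbol_table` with the same body and reduce the misspelled one to a wrapper, `files_dontaudit_getattr_kernel_symbol_table($1)`, under a comment such as `# Deprecated misspelling, kept for existing callers.`. The interface's header and rule sit in different parts of this hunk because the inner patch was re-aligned.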
@@ -15682,14 +13922,46 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_read_var_lib_symlinks',`
++interface(`files_relabel_var_dirs',`
+ gen_require(`
-+ type var_t, var_lib_t;
++ type var_t;
+ ')
-+
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir relabel_dir_perms;
+')
+
+ ########################################
+ ##
+ ## Get the attributes of the /var/lib directory.
+@@ -5527,6 +6899,25 @@ interface(`files_rw_var_lib_dirs',`
+
+ ########################################
+ ##
++## Create directories in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
++
++########################################
++##
+ ## Create objects in the /var/lib directory
+ ##
+ ##
+@@ -5596,6 +6987,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+########################################
+##
+## manage generic symbolic links
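Review bot: `files_create_var_lib_dirs` grants more than its summary "Create directories in /var/lib" says. The rule `allow $1 var_lib_t:dir { create rw_dir_perms };` hands the caller the full read/write directory set on every var_lib_t directory, which in the reference policy includes remove_name as well as add_name. If creating a subdirectory is all that is intended, `create_dirs_pattern($1, var_lib_t, var_lib_t)` keeps the grant to add-entry plus create. If callers do rely on the wider access, the summary should say so, e.g. `## Create directories in /var/lib and add or remove entries in var_lib_t directories.`, so that a policy author can see what they are handing out.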
@@ -15709,29 +13981,13 @@ index f962f76..e06a46c 100644
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+')
+
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
-+########################################
-+##
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
+@@ -5619,6 +7029,42 @@ interface(`files_manage_urandom_seed',`
+ manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+
+########################################
+##
@@ -15768,87 +14024,47 @@ index f962f76..e06a46c 100644
+ allow $1 var_lib_t:dir relabel_dir_perms;
+')
+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+ ## Allow domain to manage mount tables
+@@ -5641,7 +7087,7 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5649,12 +7095,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
+ files_search_locks($1)
+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5672,6 +7119,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+@@ -5698,7 +7146,26 @@ interface(`files_dontaudit_search_locks',`
+
+ ########################################
+ ##
+-## List generic lock directories.
+## Do not audit attempts to read/write inherited
+## locks (/var/lock).
+##
@@ -15869,100 +14085,65 @@ index f962f76..e06a46c 100644
+########################################
+##
+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5706,13 +7173,12 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_lock_t;
+ type var_lock_t;
-+ ')
-+
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5731,7 +7197,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5764,7 +7230,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+@@ -5779,7 +7244,7 @@ interface(`files_relabel_all_lock_dirs',`
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5787,13 +7252,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
+ gen_require(`
+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ relabel_files_pattern($1, lockfile, lockfile)
+')
+
@@ -15982,210 +14163,86 @@ index f962f76..e06a46c 100644
+ ')
+
+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5809,13 +7294,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
+ gen_require(`
-+ type var_t, var_lock_t;
+ type var_t, var_lock_t;
+- ')
+ ')
-+
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5834,9 +7318,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5878,8 +7360,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5901,8 +7382,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5939,8 +7419,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5979,7 +7458,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5999,10 +7478,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+######################################
+##
+## Add and remove entries from pid directories.
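Review bot: The rule `allow $1 var_t:lnk_file read_lnk_file_perms;` added to `files_search_pids` carries no comment, and its reach is much wider than this one interface. Elsewhere in this patch files_search_locks now calls files_search_pids, and in this hunk files_delete_generic_locks, files_manage_generic_locks, files_read_all_locks, files_manage_all_locks and files_lock_filetrans switch to files_search_locks, while files_setattr_pid_dirs calls files_search_pids directly. Every caller of those interfaces therefore gains read on generic var_t symlinks, which the interface summary does not mention. I would put a why-comment above the rule, along the lines of `# also read var_t symlinks on the path to /var/run; inherited by every lock and pid interface`, with the actual reason stated, since it cannot be seen from this hunk. The body of files_search_pids begins outside the inner hunk shown here.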
@@ -16223,28 +14280,13 @@ index f962f76..e06a46c 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -6025,6 +7542,43 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
+## Do not audit attempts to search
+## the all /var/run directory.
+##
@@ -16282,162 +14324,65 @@ index f962f76..e06a46c 100644
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7593,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7612,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7632,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Create an object in the process ID directory, with a private type.
-+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+##
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6140,7 +7694,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6169,7 +7722,7 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
+## rw generic pid files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6177,12 +7730,30 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
+interface(`files_rw_inherited_generic_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:file rw_inherited_file_perms;
+')
+
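Review bot: `files_pid_filetrans` is handled differently from its siblings in this hunk. files_list_pids, files_read_generic_pids and files_write_generic_pid_pipes replace `allow $1 var_run_t:lnk_file read_lnk_file_perms;` with `files_search_pids($1)`, but files_pid_filetrans only drops the rule and keeps `allow $1 var_t:dir search_dir_perms;`. A domain that reaches /var/run only through this interface would, as far as this hunk shows, lose symlink read on var_run_t; the resulting denials tend to be fixed later with broader local rules. If the removal is deliberate, a one-line comment such as `# callers must also use files_search_pids() to traverse the /var/run symlink` would record it; otherwise use `files_search_pids($1)` in place of the var_t search rule, as the neighbouring interfaces do. The interface's header and gen_require are outside the inner hunk.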
@@ -16457,72 +14402,13 @@ index f962f76..e06a46c 100644
+ ')
+
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to ioctl daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_ioctl_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,6 +7820,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+## Relable all pid directories
+##
+##
@@ -16633,23 +14519,20 @@ index f962f76..e06a46c 100644
+
+########################################
+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
+ ## Read all process ID files.
+ ##
+ ##
+@@ -6261,12 +7942,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
@@ -16744,59 +14627,33 @@ index f962f76..e06a46c 100644
+ ')
+
+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
-+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
+ ')
+
+ ########################################
+@@ -6286,8 +8060,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +8085,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Make the specified type a file
+## used for spool files.
+##
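Review bot: In `files_delete_all_pid_dirs` (and the same pair in files_delete_all_pids above it), the added `files_search_pids($1)` is followed by the retained `allow $1 var_t:dir search_dir_perms;`. Elsewhere on this page files_search_pids expands to `search_dirs_pattern($1, var_t, var_run_t)`, which already grants search on var_t directories, so the explicit rule is redundant. Dropping it leaves a single place that defines how a domain reaches /var/run, which makes later tightening of that path easier to audit. Both interfaces begin outside their inner hunks, so this is based only on the lines shown.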
@@ -16846,36 +14703,47 @@ index f962f76..e06a46c 100644
+########################################
+##
+## Create all spool sockets
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain alloed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6348,12 +8166,33 @@ interface(`files_manage_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute spoolfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
@@ -16898,282 +14766,28 @@ index f962f76..e06a46c 100644
+ ')
+
+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
')
########################################
- ##
--## Read generic process ID files.
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
-+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
- ')
+@@ -6580,3 +8419,605 @@ interface(`files_unconfined',`
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ typeattribute $1 files_unconfined_type;
')
-
- ########################################
- ##
--## Write named generic process ID pipes
-+## Read generic spool files.
- ##
- ##
- ##
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_read_generic_spool',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
-+
-+########################################
-+##
-+## Unconfined access to files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
+
+########################################
+##
+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##
++##
++##
+## Create a core file in /,
- ##
- ##
- ##
-@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+#
+interface(`files_manage_root_files',`
@@ -17214,14 +14828,12 @@ index f962f76..e06a46c 100644
+## type transition.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
- ##
- ##
--## The object class of the object being created.
++##
++##
++##
++##
+## The class of the object being created.
+##
+##
@@ -17252,11 +14864,10 @@ index f962f76..e06a46c 100644
+##
+##
+## The class of the object being created.
- ##
- ##
- ##
- ##
--## The name of the object being created.
++##
++##
++##
++##
+## The name of the object being created.
+##
+##
@@ -17277,433 +14888,315 @@ index f962f76..e06a46c 100644
+##
+##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
++##
++##
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
++')
++
++########################################
++##
+## Do not audit attempts to getattr
+## all tmpfs files.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_lock_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
++')
++
++########################################
++##
+## Allow delete all tmpfs files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
++##
++##
++#
+interface(`files_delete_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 tmpfsfile:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
++')
++
++########################################
++##
+## Allow read write all tmpfs files
- ##
- ##
- ##
-@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
-+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
-+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
-+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
-+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
-+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
-+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
-+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
-+## Do not audit attempts to search security files
- ##
- ##
- ##
-@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
-+interface(`files_dontaudit_search_security_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
-+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
-+ dontaudit $1 security_file_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
-+## Do not audit attempts to read security dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
-+interface(`files_dontaudit_list_security_dirs',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++##
++##
++#
++interface(`files_rw_tmpfs_files',`
++ gen_require(`
++ attribute tmpfsfile;
++ ')
++
++ allow $1 tmpfsfile:file { read write };
++')
++
++########################################
++##
++## Do not audit attempts to read security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_read_security_files',`
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
++
++ dontaudit $1 security_file_type:file read_file_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search security files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_security_files',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
++ dontaudit $1 security_file_type:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read security dirs
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_security_dirs',`
++ gen_require(`
++ attribute security_file_type;
++ ')
++
+ dontaudit $1 security_file_type:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## rw any files inherited from another process
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+##
+## Object type.
+##
+##
- #
--interface(`files_delete_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_delete_all_pid_dirs',`
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
+ type unlabeled_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
+ allow $1 {file_type -unlabeled_t} :file entrypoint;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Do not audit attempts to read or write
+## all leaked files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to create_file_ass all types
- ##
- ##
- ##
-@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on all files
- ##
- ##
- ##
-@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Do not audit attempts to write to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to delete to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_spool',`
++##
++##
++#
+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type etc_t;
+ type mnt_t;
+ type usr_t;
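Review bot: `files_dontaudit_getattr_tmpfs_files` is documented as "Do not audit attempts to getattr all tmpfs files", but the only rule it emits is `allow $1 tmpfsfile:file getattr;`. A domain that calls it to quiet AVC noise is therefore granted getattr on every type carrying the `tmpfsfile` attribute. The rule should read `dontaudit $1 tmpfsfile:file getattr;`, and existing callers should be checked in case any of them has come to depend on the grant. In the same hunk, the allow interfaces `files_delete_tmpfs_files`, `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs` describe their parameter as "Domain to not audit."; that text should be "Domain allowed access." so the documentation does not present a grant as audit suppression.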
@@ -17712,10 +15205,8 @@ index f962f76..e06a46c 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -17755,16 +15246,13 @@ index f962f76..e06a46c 100644
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Make the specified type a
+## base file.
- ##
--##
++##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -17772,12 +15260,10 @@ index f962f76..e06a46c 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type to be used as a base files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_base_file',`
@@ -17799,12 +15285,10 @@ index f962f76..e06a46c 100644
+##
+##
+##
- ##
--## Type to which the created node will be transitioned.
++##
+## Type to be used as a base read only files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_ro_base_file',`
@@ -17820,13 +15304,10 @@ index f962f76..e06a46c 100644
+## Read all ro base files.
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_read_all_base_ro_files',`
@@ -17844,106 +15325,56 @@ index f962f76..e06a46c 100644
+## Execute all base ro files.
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ##
- ##
- ##
-@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_status_etc',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ type etc_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..3221f80 100644
--- a/policy/modules/kernel/files.te
@@ -18191,7 +15622,7 @@ index d7c11a0..f521a50 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..b38387e 100644
+index 8416beb..f1ebb1b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18690,7 +16121,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -18796,7 +16227,6 @@ index 8416beb..b38387e 100644
-#
-interface(`fs_exec_fusefs_files',`
- gen_require(`
-- type fusefs_t;
+##
+##
+## Execute a file on a FUSE filesystem
@@ -18830,110 +16260,88 @@ index 8416beb..b38387e 100644
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
- ')
-
-- exec_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 ecryptfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mount a FUSE filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_manage_fusefs_files',`
-+interface(`fs_mount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- manage_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 fusefs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## Do not audit attempts to create,
--## read, write, and delete files
--## on a FUSEFS filesystem.
-+## Unmount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
++interface(`fs_mount_fusefs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount a FUSE filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_unmount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mounton a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mounton_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++')
++
++########################################
++##
+## Search directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_getattr_hugetlbfs',`
++#
+interface(`fs_search_fusefs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
++')
++
++########################################
++##
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
@@ -18955,28 +16363,24 @@ index 8416beb..b38387e 100644
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_hugetlbfs',`
++#
+interface(`fs_manage_fusefs_dirs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
++ ')
++
+ allow $1 fusefs_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
++')
++
++########################################
++##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -18998,157 +16402,129 @@ index 8416beb..b38387e 100644
+########################################
+##
+## Read, a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_read_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ read_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
-+## Execute files on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_exec_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ exec_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
-+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
-+interface(`fs_fusefs_entry_type',`
- gen_require(`
-- type hugetlbfs_t;
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_fusefs_files',`
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
-+ domain_entry_file($1, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++ ')
++
++ read_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute files on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ exec_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
-+interface(`fs_fusefs_entrypoint',`
- gen_require(`
-- type inotifyfs_t;
++##
++##
++#
++interface(`fs_fusefs_entry_type',`
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
++ domain_entry_file($1, fusefs_t)
++')
++
++########################################
++##
++## Make general progams in FUSEFS an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which fusefs_t is an entrypoint.
++##
++##
++#
++interface(`fs_fusefs_entrypoint',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_inotifyfs',`
++#
+interface(`fs_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
-+ type fusefs_t;
++ gen_require(`
+ type fusefs_t;
')
-- allow $1 inotifyfs_t:dir list_dir_perms;
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ manage_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
++')
++
++########################################
++##
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`fs_dontaudit_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ dontaudit $1 fusefs_t:file manage_file_perms;
- ')
-
- ########################################
- ##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
++')
++
++########################################
++##
+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
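Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry the same summary and parameter text although their rules differ: the first calls `domain_entry_file($1, fusefs_t)` and the second emits `allow $1 fusefs_t:file entrypoint;`. Each summary should name the rule it produces, since a policy author cannot tell the two apart from the documentation. Per those summaries, both make files labelled `fusefs_t` usable as the entry point of the calling domain, and FUSE content is typically supplied by whoever mounted the filesystem. A description line such as `## Only for domains that must be started from FUSE-backed content.` would make that trust decision visible at the call site. The summary typo `progams` should be `programs` in both.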
@@ -19164,12 +16540,10 @@ index 8416beb..b38387e 100644
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
@@ -19204,94 +16578,73 @@ index 8416beb..b38387e 100644
+##
+##
+##
- ##
--## The object class of the object being created.
++##
+## Domain allowed to transition.
- ##
- ##
--##
++##
++##
+##
- ##
--## The name of the object being created.
++##
+## The type of the new process.
- ##
- ##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++#
+interface(`fs_fusefs_domtrans',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, fusefs_t, $2)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Get the attributes of a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_mount_iso9660_fs',`
++#
+interface(`fs_getattr_fusefs',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 iso9660_t:filesystem mount;
++ ')
++
+ allow $1 fusefs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
++')
++
++########################################
++##
+## Get the attributes of an hugetlbfs
+## filesystem.
- ##
- ##
- ##
-@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_getattr_hugetlbfs',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type hugetlbfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
++ ')
++
+ allow $1 hugetlbfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## List hugetlbfs.
- ##
- ##
- ##
-@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_list_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
@@ -19576,18 +16929,21 @@ index 8416beb..b38387e 100644
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a FUSEFS filesystem.
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+##
+## The type of the object to be created.
@@ -19603,217 +16959,271 @@ index 8416beb..b38387e 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`fs_manage_fusefs_files',`
+interface(`fs_hugetlbfs_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
+## Mount an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_mount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ allow $1 iso9660_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Remount an iso9660 filesystem, which
+## is usually used on CDs. This allows
+## some mount options to be changed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_remount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 iso9660_t:filesystem remount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Unmount an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_unmount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
+ allow $1 iso9660_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_getattr_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 iso9660_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',`
+ ##
+ ##
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_getattr_iso9660_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_read_iso9660_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ allow $1 iso9660_t:dir list_dir_perms;
+ read_files_pattern($1, iso9660_t, iso9660_t)
+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
-+')
+ ')
+
+
-+
-+########################################
-+##
+ ########################################
+ ##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Mount kdbus filesystems.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## The type of the object to be associated.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_mount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ allow $1 kdbusfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Remount kdbus filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',`
+ ##
+ ##
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_remount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 kdbusfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Unmount kdbus filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_unmount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 kdbusfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Get attributes of kdbus filesystems.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_getattr_kdbus',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 kdbusfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Search kdbusfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`fs_search_kdbus_dirs',`
+ gen_require(`
@@ -19831,10 +17241,12 @@ index 8416beb..b38387e 100644
+## Relabel kdbusfs directories.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_relabel_kdbus_dirs',`
+ gen_require(`
@@ -19850,10 +17262,12 @@ index 8416beb..b38387e 100644
+## List kdbusfs directories.
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_list_kdbus_dirs',`
+ gen_require(`
@@ -19889,103 +17303,101 @@ index 8416beb..b38387e 100644
+## Delete kdbusfs directories.
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_delete_kdbus_dirs', `
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $2 hugetlbfs_t:filesystem associate;
+- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Manage kdbusfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',`
+ ##
+ ##
+ #
+-interface(`fs_mount_iso9660_fs',`
+interface(`fs_manage_kdbus_dirs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+- ')
+ type kdbusfs_t;
-+
+
+- allow $1 iso9660_t:filesystem mount;
+ ')
+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Remount an iso9660 filesystem, which
+-## is usually used on CDs. This allows
+-## some mount options to be changed.
+## Read kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_iso9660_fs',`
+interface(`fs_read_kdbus_files',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type cgroup_t;
+
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem remount;
+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unmount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Write kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_iso9660_fs',`
+interface(`fs_write_kdbus_files', `
-+ gen_require(`
-+ type kdbusfs_t;
-+ ')
-+
-+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
-+## Read and write kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
-+
')
- allow $1 iso9660_t:filesystem unmount;
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
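Review bot: In `fs_read_kdbus_files` the `gen_require` block declares `type cgroup_t;`, while every rule in the body refers to `kdbusfs_t`, so the interface requires a type it never uses and omits the one it does. The sibling interfaces in this hunk (`fs_delete_kdbus_dirs`, `fs_manage_kdbus_dirs`, `fs_write_kdbus_files`) all require `kdbusfs_t`; the line should read `type kdbusfs_t;`. These lines are carried over unchanged by this regeneration of the patch, so the mismatch predates the commit, but it is still present on the new side. The summary of `fs_dontaudit_rw_kdbus_files` in the next hunk has what looks like the same leftover: it says "cgroup files" where the rule covers `kdbusfs_t:file`.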
@@ -19994,33 +17406,54 @@ index 8416beb..b38387e 100644
##
-## Get the attributes of an iso9660
-## filesystem, which is usually used on CDs.
-+## Do not audit attempts to open,
-+## get attributes, read and write
-+## cgroup files.
++## Read and write kdbusfs files.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
-##
#
-interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_dontaudit_rw_kdbus_files',`
++interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
++
')
- allow $1 iso9660_t:filesystem getattr;
-+ dontaudit $1 kdbusfs_t:file rw_file_perms;
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
')
########################################
##
-## Read files on an iso9660 filesystem, which
-## is usually used on CDs.
++## Do not audit attempts to open,
++## get attributes, read and write
++## cgroup files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_rw_kdbus_files',`
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ dontaudit $1 kdbusfs_t:file rw_file_perms;
++')
++
++########################################
++##
+## Manage kdbusfs files.
##
##
@@ -20363,7 +17796,7 @@ index 8416beb..b38387e 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',`
##
##
#
@@ -20478,13 +17911,69 @@ index 8416beb..b38387e 100644
+##
+#
+interface(`fs_rw_nsfs_files',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ rw_files_pattern($1, nsfs_t, nsfs_t)
++')
++
++
++########################################
++##
++## Mount a nsfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_nsfs',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ allow $1 nsfs_t:filesystem mount;
++')
++
++
++########################################
++##
++## Remount a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_nsfs',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ allow $1 nsfs_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_nsfs',`
gen_require(`
- type nfsd_fs_t;
+ type nsfs_t;
')
- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ rw_files_pattern($1, nsfs_t, nsfs_t)
++ allow $1 nsfs_t:filesystem unmount;
')
########################################
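Review bot: The summaries of the new `fs_remount_nsfs` and `fs_unmount_nsfs` interfaces say "Remount a tmpfs filesystem." and "Unmount a tmpfs filesystem.", but both rules grant access on `nsfs_t:filesystem`. Interface summaries are what policy authors read when deciding what to grant a domain, so a wrong filesystem name on a mount-class permission is worth correcting before the interfaces get callers. They should read `## Remount a nsfs filesystem.` and `## Unmount a nsfs filesystem.`, matching the summary already used for `fs_mount_nsfs` in the same hunk.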
@@ -20494,7 +17983,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',`
##
##
#
@@ -20509,7 +17998,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',`
+@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',`
########################################
##
@@ -20534,7 +18023,7 @@ index 8416beb..b38387e 100644
## Mount a RAM filesystem.
##
##
-@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -20543,7 +18032,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -20552,7 +18041,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -20561,7 +18050,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',`
########################################
##
@@ -20586,7 +18075,7 @@ index 8416beb..b38387e 100644
## Remount a tmpfs filesystem.
##
##
-@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -20611,7 +18100,7 @@ index 8416beb..b38387e 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -20620,7 +18109,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -20641,7 +18130,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -20662,7 +18151,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -20702,7 +18191,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -20758,7 +18247,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
##
##
##
@@ -20935,7 +18424,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',`
##
##
#
@@ -20958,7 +18447,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
##
##
#
@@ -21025,7 +18514,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',`
##
##
#
@@ -21047,7 +18536,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',`
##
##
#
@@ -21069,7 +18558,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',`
##
##
#
@@ -21115,7 +18604,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
##
##
#
@@ -21137,7 +18626,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
##
##
#
@@ -21161,7 +18650,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',`
##
##
#
@@ -21200,7 +18689,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -21226,7 +18715,7 @@ index 8416beb..b38387e 100644
########################################
##
## Create, read, write, and delete directories
-@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -21235,7 +18724,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -21244,7 +18733,7 @@ index 8416beb..b38387e 100644
## Example attributes:
##
##
-@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -21271,7 +18760,7 @@ index 8416beb..b38387e 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -21297,7 +18786,7 @@ index 8416beb..b38387e 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -32127,7 +29616,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..b4908dd 100644
+index 8b40377..84a88ff 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -32486,7 +29975,7 @@ index 8b40377..b4908dd 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +420,104 @@ optional_policy(`
+@@ -300,64 +420,105 @@ optional_policy(`
# XDM Local policy
#
@@ -32495,6 +29984,7 @@ index 8b40377..b4908dd 100644
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+dontaudit xdm_t self:capability sys_admin;
++dontaudit xdm_t self:capability2 wake_alarm;
+tunable_policy(`deny_ptrace',`',`
+ allow xdm_t self:process ptrace;
+')
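Review bot: The added `dontaudit xdm_t self:capability2 wake_alarm;` carries no comment saying what in xdm_t asks for the capability, and the changelog entry gives no bug reference for it. A dontaudit rule suppresses the AVC record as well as leaving the access denied, so without that context a later reader cannot tell expected noise from behaviour that should stay visible in the audit log. I would add a line above it such as `# <what requests wake_alarm under xdm_t>; denial is harmless, see BZ(<number>)`, with the real trigger and bug filled in. When the denial needs to be seen again, `semodule -DB` rebuilds the policy with dontaudit rules disabled.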
@@ -32604,7 +30094,7 @@ index 8b40377..b4908dd 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +527,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -32637,7 +30127,7 @@ index 8b40377..b4908dd 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +560,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -32692,7 +30182,7 @@ index 8b40377..b4908dd 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +613,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +614,30 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -32723,7 +30213,7 @@ index 8b40377..b4908dd 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +646,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -32774,7 +30264,7 @@ index 8b40377..b4908dd 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +694,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -32944,7 +30434,7 @@ index 8b40377..b4908dd 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +863,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -32976,7 +30466,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -518,8 +897,36 @@ optional_policy(`
+@@ -518,8 +898,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -33014,7 +30504,7 @@ index 8b40377..b4908dd 100644
')
')
-@@ -530,6 +937,20 @@ optional_policy(`
+@@ -530,6 +938,20 @@ optional_policy(`
')
optional_policy(`
@@ -33035,7 +30525,7 @@ index 8b40377..b4908dd 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +968,78 @@ optional_policy(`
+@@ -547,28 +969,78 @@ optional_policy(`
')
optional_policy(`
@@ -33123,7 +30613,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -580,6 +1051,14 @@ optional_policy(`
+@@ -580,6 +1052,14 @@ optional_policy(`
')
optional_policy(`
@@ -33138,7 +30628,7 @@ index 8b40377..b4908dd 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1074,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -33147,7 +30637,7 @@ index 8b40377..b4908dd 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1084,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -33160,7 +30650,7 @@ index 8b40377..b4908dd 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1101,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -33176,7 +30666,7 @@ index 8b40377..b4908dd 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1117,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -33187,7 +30677,7 @@ index 8b40377..b4908dd 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1132,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -33229,7 +30719,7 @@ index 8b40377..b4908dd 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1183,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -33261,7 +30751,7 @@ index 8b40377..b4908dd 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1216,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -33276,7 +30766,7 @@ index 8b40377..b4908dd 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1236,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1237,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -33300,7 +30790,7 @@ index 8b40377..b4908dd 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1256,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -33309,7 +30799,7 @@ index 8b40377..b4908dd 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1299,54 @@ optional_policy(`
+@@ -785,17 +1300,54 @@ optional_policy(`
')
optional_policy(`
@@ -33366,7 +30856,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -803,6 +1354,10 @@ optional_policy(`
+@@ -803,6 +1355,10 @@ optional_policy(`
')
optional_policy(`
@@ -33377,7 +30867,7 @@ index 8b40377..b4908dd 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1374,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -33402,7 +30892,7 @@ index 8b40377..b4908dd 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1396,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1397,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -33437,7 +30927,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1462,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -33446,7 +30936,7 @@ index 8b40377..b4908dd 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1516,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -33478,7 +30968,7 @@ index 8b40377..b4908dd 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1562,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -40312,7 +37802,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..fffae71 100644
+index 73bb3c0..7b05663 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -40383,7 +37873,7 @@ index 73bb3c0..fffae71 100644
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-@@ -125,10 +135,12 @@ ifdef(`distro_redhat',`
+@@ -125,13 +135,16 @@ ifdef(`distro_redhat',`
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40396,7 +37886,11 @@ index 73bb3c0..fffae71 100644
/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -141,19 +153,23 @@ ifdef(`distro_redhat',`
++/usr/lib/libGLdispatch/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -141,19 +154,23 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
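Review bot: The new entry `/usr/lib/libGLdispatch/.*\.so(\.[^/]*)*` matches shared objects inside a directory named `libGLdispatch`, not the file `/usr/lib/libGLdispatch.so.0.0.0` that the changelog says is being labelled. If that file is the target, the pattern should follow its neighbours such as `/usr/lib/libatiadlxx\.so(\.[^/]*)*`, giving `/usr/lib/libGLdispatch\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Since `textrel_shlib_t` exists to permit text relocations, the expression is best kept as narrow as the one library that needs it rather than a `.*` over a directory.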
@@ -40425,7 +37919,7 @@ index 73bb3c0..fffae71 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -182,11 +198,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +199,13 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40439,7 +37933,7 @@ index 73bb3c0..fffae71 100644
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +260,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40455,7 +37949,7 @@ index 73bb3c0..fffae71 100644
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -269,20 +286,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40486,7 +37980,7 @@ index 73bb3c0..fffae71 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -43682,7 +41176,7 @@ index 7449974..b792900 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..3f02a36 100644
+index 7a363b8..6d92782 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -43828,7 +41322,7 @@ index 7a363b8..3f02a36 100644
kernel_setsched(insmod_t)
corecmd_exec_bin(insmod_t)
-@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
+@@ -142,40 +159,55 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -43836,7 +41330,10 @@ index 7a363b8..3f02a36 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,31 +169,44 @@ files_read_etc_runtime_files(insmod_t)
+
+ files_read_kernel_modules(insmod_t)
++files_load_kernel_modules(insmod_t)
+ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
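Review bot: The regenerated modutils.te section now adds `files_load_kernel_modules(insmod_t)`, a new grant that neither the commit subject nor the 3.13.1-240 changelog mentions. The interface body is not visible here, so what it allows beyond the existing `files_read_kernel_modules(insmod_t)` should be confirmed and recorded, for example with a changelog line such as `- Allow insmod_t to load kernel modules`. The inner policy hunk this line belongs to continues past the end of this hunk.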
@@ -43885,7 +41382,7 @@ index 7a363b8..3f02a36 100644
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +215,33 @@ optional_policy(`
+@@ -184,28 +216,33 @@ optional_policy(`
')
optional_policy(`
@@ -43926,7 +41423,7 @@ index 7a363b8..3f02a36 100644
')
optional_policy(`
-@@ -225,6 +261,7 @@ optional_policy(`
+@@ -225,6 +262,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -43934,7 +41431,7 @@ index 7a363b8..3f02a36 100644
')
optional_policy(`
-@@ -233,6 +270,10 @@ optional_policy(`
+@@ -233,6 +271,10 @@ optional_policy(`
')
optional_policy(`
@@ -43945,7 +41442,7 @@ index 7a363b8..3f02a36 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +332,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +333,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -47253,7 +44750,7 @@ index 2cea692..e3cb4f2 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..98c5f23 100644
+index a392fc4..b7497fc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -47496,7 +44993,7 @@ index a392fc4..98c5f23 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,32 +322,70 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -47564,10 +45061,12 @@ index a392fc4..98c5f23 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+fs_read_nsfs_files(ifconfig_t)
++fs_mount_nsfs(ifconfig_t)
++fs_unmount_nsfs(ifconfig_t)
selinux_dontaudit_getattr_fs(ifconfig_t)
-@@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
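Review bot: `fs_mount_nsfs(ifconfig_t)` and `fs_unmount_nsfs(ifconfig_t)` are added without a comment saying which operation needs them, and mount permissions are a notable widening for a network-configuration domain. The interface definitions are added elsewhere in the patch and are not visible in this hunk, so it is worth confirming that they grant only filesystem mount/unmount on nsfs_t. I would put a why-comment above the two lines, e.g. `# network namespace files are nsfs mounts; ifconfig_t sets them up and tears them down`, adjusted to the actual denial that motivated the change.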
@@ -47625,7 +45124,7 @@ index a392fc4..98c5f23 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -47638,7 +45137,7 @@ index a392fc4..98c5f23 100644
')
optional_policy(`
-@@ -350,7 +468,16 @@ optional_policy(`
+@@ -350,7 +470,16 @@ optional_policy(`
')
optional_policy(`
@@ -47656,7 +45155,7 @@ index a392fc4..98c5f23 100644
')
optional_policy(`
-@@ -371,3 +498,17 @@ optional_policy(`
+@@ -371,3 +500,17 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -49572,10 +47071,10 @@ index 0000000..86e3d01
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b06bf32
+index 0000000..c6280dc
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1016 @@
+@@ -0,0 +1,1017 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -50587,6 +48086,7 @@ index 0000000..b06bf32
+#
+# systemd_modules_load domain
+#
++allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(systemd_initctl_t)
+
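Review bot: The new rule `allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;` lands directly under a banner comment reading `# systemd_modules_load domain`, which names a different domain from the one that the rule and the following `kernel_dgram_send(systemd_initctl_t)` apply to. The banner should read `# systemd_initctl domain`, or the rule should move to the matching section, so the policy can be audited section by section. The changelog describes the grant as create and connect, while create_socket_perms is a permission set that is presumably broader than those two; if only create and connect are needed, listing them explicitly would be tighter. The start of this section is outside the hunk.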
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 19632f9b..5862875b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 239%{?dist}
+Release: 240%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,13 @@ exit 0
%endif
%changelog
+* Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240
+- Dontaudit xdm_t wake_alarm capability2
+- Allow systemd_initctl_t to create and connect unix_dgram sockets
+- Allow ifconfig_t to mount/unmount nsfs_t filesystem
+- Add interfaces allowing mount/unmount nsfs_t filesystem
+- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
+
* Mon Feb 13 2017 Lukas Vrabec - 3.13.1-239
- Allow syslog client to connect to kernel socket. BZ(1419946)