diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 742d6370..d365295a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1968,6 +1968,25 @@ interface(`files_read_usr_files',`
allow $1 usr_t:{ file lnk_file } r_file_perms;
')
+########################################
+##
+## Execute generic programs in /usr in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_exec_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir r_dir_perms;
+ allow $1 usr_t:lnk_file r_file_perms;
+ can_exec($1,usr_t)
+
+')
+
########################################
##
## Relabel a file to the type used in /usr.
@@ -2041,18 +2060,15 @@ interface(`files_create_usr',`
## The type of the process performing this action.
##
#
-interface(`files_exec_usr_files',`
+interface(`files_exec_usr_src_files',`
gen_require(`
type usr_t, src_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
')
allow $1 usr_t:dir search;
allow $1 src_t:dir r_dir_perms;
allow $1 src_t:lnk_file r_file_perms;
can_exec($1,src_t)
-
')
########################################
@@ -2060,12 +2076,11 @@ interface(`files_exec_usr_files',`
# files_dontaudit_search_src(domain)
#
interface(`files_dontaudit_search_src',`
- gen_require(`
- type src_t;
- class dir search;
- ')
+ gen_require(`
+ type src_t;
+ ')
- allow $1 src_t:dir search;
+ allow $1 src_t:dir search;
')
########################################
@@ -2075,9 +2090,6 @@ interface(`files_dontaudit_search_src',`
interface(`files_read_usr_src_files',`
gen_require(`
type usr_t, src_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
')
allow $1 usr_t:dir search;
@@ -2086,31 +2098,54 @@ interface(`files_read_usr_src_files',`
')
########################################
-#
-# files_search_var(domain)
+##
+## Search the contents of /var.
+##
+##
+## Domain allowed access.
+##
#
interface(`files_search_var',`
gen_require(`
type var_t;
- class dir search;
')
allow $1 var_t:dir search;
')
########################################
-#
-# files_dontaudit_search_var(domain)
+##
+## Do not audit attempts to search
+## the contents of /var.
+##
+##
+## Domain to not audit.
+##
#
interface(`files_dontaudit_search_var',`
gen_require(`
type var_t;
- class dir search;
')
dontaudit $1 var_t:dir search;
')
+########################################
+##
+## List the contents of /var.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir r_dir_perms;
+')
+
########################################
##
## Create, read, write, and delete directories
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 55a87ef3..bcfde858 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -210,7 +210,6 @@ template(`base_user_template',`
domain_dontaudit_getsession_all_domains($1_t)
files_exec_etc_files($1_t)
- files_read_usr_src_files($1_t)
files_search_locks($1_t)
# old broswer_domain():
files_dontaudit_list_non_security($1_t)
@@ -868,7 +867,7 @@ template(`admin_user_template',`
# for lsof
domain_getattr_all_sockets($1_t)
- files_exec_usr_files($1_t)
+ files_exec_usr_src_files($1_t)
init_use_initctl($1_t)