From 9e04f5c5be02b741ab2b65d34c6689401094ea04 Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Tue, 31 Jan 2006 19:21:01 +0000 Subject: [PATCH] renaming from 20060131 interface review, round 3 --- refpolicy/policy/modules/admin/acct.te | 2 +- refpolicy/policy/modules/admin/amanda.te | 6 +- refpolicy/policy/modules/admin/consoletype.te | 2 +- refpolicy/policy/modules/admin/dmesg.te | 2 +- refpolicy/policy/modules/admin/kudzu.te | 4 +- refpolicy/policy/modules/admin/logrotate.te | 2 +- refpolicy/policy/modules/admin/prelink.te | 2 +- refpolicy/policy/modules/admin/quota.te | 4 +- refpolicy/policy/modules/admin/readahead.te | 2 +- refpolicy/policy/modules/admin/su.if | 4 +- refpolicy/policy/modules/admin/updfstab.te | 2 +- refpolicy/policy/modules/apps/userhelper.if | 2 +- refpolicy/policy/modules/kernel/bootloader.te | 10 +- refpolicy/policy/modules/kernel/files.if | 150 +++++------------- refpolicy/policy/modules/services/apache.te | 2 +- refpolicy/policy/modules/services/apm.te | 2 +- refpolicy/policy/modules/services/arpwatch.te | 2 +- .../policy/modules/services/automount.te | 10 +- refpolicy/policy/modules/services/avahi.te | 2 +- refpolicy/policy/modules/services/bind.te | 2 +- .../policy/modules/services/bluetooth.te | 2 +- refpolicy/policy/modules/services/canna.te | 4 +- .../policy/modules/services/cpucontrol.te | 4 +- refpolicy/policy/modules/services/cron.te | 6 +- refpolicy/policy/modules/services/cups.te | 8 +- refpolicy/policy/modules/services/cyrus.te | 2 +- refpolicy/policy/modules/services/dbus.te | 2 +- refpolicy/policy/modules/services/dhcp.te | 2 +- refpolicy/policy/modules/services/dictd.te | 2 +- refpolicy/policy/modules/services/distcc.te | 2 +- refpolicy/policy/modules/services/dovecot.te | 2 +- .../policy/modules/services/fetchmail.te | 2 +- refpolicy/policy/modules/services/finger.te | 2 +- refpolicy/policy/modules/services/ftp.te | 4 +- refpolicy/policy/modules/services/gpm.te | 2 +- refpolicy/policy/modules/services/hal.te | 2 +- refpolicy/policy/modules/services/howl.te | 2 +- 
.../policy/modules/services/i18n_input.te | 2 +- refpolicy/policy/modules/services/inetd.te | 2 +- refpolicy/policy/modules/services/inn.te | 2 +- .../policy/modules/services/irqbalance.te | 2 +- refpolicy/policy/modules/services/kerberos.te | 4 +- refpolicy/policy/modules/services/ldap.te | 2 +- refpolicy/policy/modules/services/lpd.te | 2 +- refpolicy/policy/modules/services/mta.if | 2 +- refpolicy/policy/modules/services/mta.te | 2 +- refpolicy/policy/modules/services/mysql.te | 4 +- .../policy/modules/services/networkmanager.te | 2 +- refpolicy/policy/modules/services/nis.te | 6 +- refpolicy/policy/modules/services/nscd.te | 2 +- refpolicy/policy/modules/services/ntp.te | 2 +- refpolicy/policy/modules/services/openct.te | 2 +- refpolicy/policy/modules/services/pegasus.te | 2 +- refpolicy/policy/modules/services/portmap.te | 2 +- refpolicy/policy/modules/services/postfix.if | 4 +- .../policy/modules/services/postgresql.te | 2 +- refpolicy/policy/modules/services/ppp.te | 4 +- refpolicy/policy/modules/services/privoxy.te | 2 +- refpolicy/policy/modules/services/procmail.te | 4 +- refpolicy/policy/modules/services/radius.te | 2 +- refpolicy/policy/modules/services/radvd.te | 2 +- refpolicy/policy/modules/services/rdisc.te | 2 +- .../policy/modules/services/remotelogin.te | 2 +- refpolicy/policy/modules/services/roundup.te | 2 +- refpolicy/policy/modules/services/rpc.if | 4 +- refpolicy/policy/modules/services/rpc.te | 2 +- refpolicy/policy/modules/services/samba.te | 6 +- refpolicy/policy/modules/services/sasl.te | 4 +- refpolicy/policy/modules/services/sendmail.te | 2 +- refpolicy/policy/modules/services/slrnpull.te | 2 +- refpolicy/policy/modules/services/smartmon.te | 2 +- refpolicy/policy/modules/services/snmp.te | 2 +- .../policy/modules/services/spamassassin.te | 2 +- refpolicy/policy/modules/services/squid.te | 4 +- refpolicy/policy/modules/services/ssh.te | 2 +- refpolicy/policy/modules/services/stunnel.te | 2 +- refpolicy/policy/modules/services/tftp.te | 
4 +- refpolicy/policy/modules/services/timidity.te | 2 +- refpolicy/policy/modules/services/xfs.te | 2 +- refpolicy/policy/modules/services/zebra.te | 2 +- refpolicy/policy/modules/system/authlogin.te | 2 +- refpolicy/policy/modules/system/clock.te | 4 +- refpolicy/policy/modules/system/fstools.te | 6 +- refpolicy/policy/modules/system/hostname.te | 2 +- refpolicy/policy/modules/system/hotplug.te | 2 +- refpolicy/policy/modules/system/init.te | 17 +- refpolicy/policy/modules/system/ipsec.te | 4 +- refpolicy/policy/modules/system/iptables.te | 2 +- refpolicy/policy/modules/system/locallogin.te | 4 +- refpolicy/policy/modules/system/logging.te | 4 +- refpolicy/policy/modules/system/lvm.te | 8 +- refpolicy/policy/modules/system/modutils.te | 2 +- refpolicy/policy/modules/system/mount.te | 4 +- refpolicy/policy/modules/system/pcmcia.te | 2 +- refpolicy/policy/modules/system/raid.te | 2 +- .../policy/modules/system/selinuxutil.te | 6 +- refpolicy/policy/modules/system/sysnetwork.te | 4 +- refpolicy/policy/modules/system/udev.te | 2 +- refpolicy/policy/modules/system/userdomain.if | 6 +- 99 files changed, 195 insertions(+), 264 deletions(-) diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index 37e92562..4b65382f 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -74,7 +74,7 @@ userdom_dontaudit_use_unpriv_user_fd(acct_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(acct_t) term_dontaudit_use_generic_pty(acct_t) - files_dontaudit_read_root_file(acct_t) + files_dontaudit_read_root_files(acct_t) ') optional_policy(`cron',` diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te index 367ec246..b83131ca 100644 --- a/refpolicy/policy/modules/admin/amanda.te +++ b/refpolicy/policy/modules/admin/amanda.te 
@@ -152,11 +152,11 @@ storage_raw_read_fixed_disk(amanda_t) files_read_etc_files(amanda_t) files_read_etc_runtime_files(amanda_t) -files_list_all_dirs(amanda_t) +files_list_all(amanda_t) files_read_all_files(amanda_t) files_read_all_symlinks(amanda_t) -files_read_all_blk_nodes(amanda_t) -files_read_all_chr_nodes(amanda_t) +files_read_all_blk_files(amanda_t) +files_read_all_chr_files(amanda_t) files_getattr_all_pipes(amanda_t) files_getattr_all_sockets(amanda_t) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index bfe03fb2..bc7dd8b8 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -53,7 +53,7 @@ init_write_script_pipe(consoletype_t) domain_use_wide_inherit_fd(consoletype_t) -files_dontaudit_read_root_file(consoletype_t) +files_dontaudit_read_root_files(consoletype_t) files_list_usr(consoletype_t) libs_use_ld_so(consoletype_t) diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 6aa6d269..334c5ab3 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -48,7 +48,7 @@ ifdef(`strict_policy',` files_list_etc(dmesg_t) # for when /usr is not mounted: - files_dontaudit_search_isid_type_dir(dmesg_t) + files_dontaudit_search_isid_type_dirs(dmesg_t) init_use_fd(dmesg_t) init_use_script_pty(dmesg_t) diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index 09d472eb..c69ecf44 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te @@ -98,7 +98,7 @@ files_read_usr_files(kudzu_t) # for /etc/sysconfig/hwconf - probably need a new type files_rw_etc_runtime_files(kudzu_t) # for file systems that are not yet mounted -files_dontaudit_search_isid_type_dir(kudzu_t) +files_dontaudit_search_isid_type_dirs(kudzu_t) init_use_fd(kudzu_t) init_use_script_pty(kudzu_t) 
@@ -125,7 +125,7 @@ userdom_dontaudit_use_unpriv_user_fd(kudzu_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(kudzu_t) term_dontaudit_use_generic_pty(kudzu_t) - files_dontaudit_read_root_file(kudzu_t) + files_dontaudit_read_root_files(kudzu_t) # cjp: this was originally in the else block # of ifdef userhelper.te, but it seems to diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 7ea0fd57..e7fd141e 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -98,7 +98,7 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) # Write to /var/spool/slrnpull - should be moved into its own type. -files_manage_generic_spools(logrotate_t) +files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) # cjp: why is this needed? diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te index 934fa44f..7c2a0627 100644 --- a/refpolicy/policy/modules/admin/prelink.te +++ b/refpolicy/policy/modules/admin/prelink.te @@ -58,7 +58,7 @@ domain_mmap_all_entry_files(prelink_t) files_list_all(prelink_t) files_getattr_all_files(prelink_t) -files_write_non_security_dir(prelink_t) +files_write_non_security_dirs(prelink_t) files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te index 2d76768b..672c1eed 100644 --- a/refpolicy/policy/modules/admin/quota.te +++ b/refpolicy/policy/modules/admin/quota.te @@ -43,7 +43,7 @@ term_dontaudit_use_console(quota_t) domain_use_wide_inherit_fd(quota_t) -files_list_all_dirs(quota_t) +files_list_all(quota_t) files_read_all_files(quota_t) files_read_all_symlinks(quota_t) files_getattr_all_pipes(quota_t) 
@@ -64,7 +64,7 @@ userdom_dontaudit_use_unpriv_user_fd(quota_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(quota_t) term_dontaudit_use_generic_pty(quota_t) - files_dontaudit_read_root_file(quota_t) + files_dontaudit_read_root_files(quota_t) ') optional_policy(`selinuxutil',` diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te index dba19427..45ce82f2 100644 --- a/refpolicy/policy/modules/admin/readahead.te +++ b/refpolicy/policy/modules/admin/readahead.te @@ -69,7 +69,7 @@ userdom_dontaudit_use_unpriv_user_fd(readahead_t) userdom_dontaudit_search_sysadm_home_dir(readahead_t) ifdef(`targeted_policy',` - files_dontaudit_read_root_file(readahead_t) + files_dontaudit_read_root_files(readahead_t) term_dontaudit_use_unallocated_tty(readahead_t) term_dontaudit_use_generic_pty(readahead_t) ') diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index f77cf952..d2dca6f6 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -43,7 +43,7 @@ template(`su_restricted_domain_template', ` files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dir($1_su_t) + files_dontaudit_getattr_tmp_dirs($1_su_t) auth_domtrans_chk_passwd($1_su_t) auth_dontaudit_read_shadow($1_su_t) @@ -162,7 +162,7 @@ template(`su_per_userdomain_template',` files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dir($1_su_t) + files_dontaudit_getattr_tmp_dirs($1_su_t) init_dontaudit_use_fd($1_su_t) # Write to utmp. diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index 83b4daf4..e429bfcb 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te 
@@ -88,7 +88,7 @@ userdom_dontaudit_use_unpriv_user_fd(updfstab_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(updfstab_t) term_dontaudit_use_generic_pty(updfstab_t) - files_dontaudit_read_root_file(updfstab_t) + files_dontaudit_read_root_files(updfstab_t) ') optional_policy(`authlogin',` diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if index 67abfd2a..28d8dd73 100644 --- a/refpolicy/policy/modules/apps/userhelper.if +++ b/refpolicy/policy/modules/apps/userhelper.if @@ -104,7 +104,7 @@ template(`userhelper_per_userdomain_template',` files_read_etc_files($1_userhelper_t) # Read /var. files_read_var_files($1_userhelper_t) - files_read_var_symlink($1_userhelper_t) + files_read_var_symlinks($1_userhelper_t) # for some PAM modules and for cwd files_search_home($1_userhelper_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index c52c8aa8..06ffc86d 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -184,11 +184,11 @@ ifdef(`distro_redhat',` files_mountpoint(bootloader_tmp_t) # new file system defaults to file_t, granting file_t access is still bad. - files_manage_isid_type_dir(bootloader_t) - files_manage_isid_type_file(bootloader_t) - files_manage_isid_type_symlink(bootloader_t) - files_manage_isid_type_blk_node(bootloader_t) - files_manage_isid_type_chr_node(bootloader_t) + files_manage_isid_type_dirs(bootloader_t) + files_manage_isid_type_files(bootloader_t) + files_manage_isid_type_symlinks(bootloader_t) + files_manage_isid_type_blk_files(bootloader_t) + files_manage_isid_type_chr_files(bootloader_t) # for mke2fs mount_domtrans(bootloader_t) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 7dbb20b9..e17e312d 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if 
@@ -274,38 +274,6 @@ interface(`files_dontaudit_getattr_all_dirs',` dontaudit $1 file_type:dir getattr; ') -######################################## -## -## Search all directories. -## -## -## Domain allowed access. -## -# -interface(`files_search_all',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir { getattr search }; -') - -######################################## -## -## List the contents of all directories. -## -## -## Domain allowed access. -## -# -interface(`files_list_all',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir r_dir_perms; -') - ######################################## ## ## List all non-security directories. @@ -357,25 +325,6 @@ interface(`files_getattr_all_files',` allow $1 file_type:lnk_file getattr; ') -######################################## -## -## Get the attributes of all sockets -## with the type of a file. -## -## -## Domain allowed access. -## -# -# cjp: added for initrc_t/distro_redhat. I -# do not think it has any effect. -interface(`files_getattr_all_file_type_sockets',` - gen_require(` - attribute file_type; - ') - - allow $1 file_type:socket_class_set getattr; -') - ######################################## ## ## Do not audit attempts to get the attributes @@ -576,7 +525,7 @@ interface(`files_dontaudit_getattr_non_security_symlinks',` ## Domain to not audit. ## # -interface(`files_dontaudit_getattr_non_security_blk_dev',` +interface(`files_dontaudit_getattr_non_security_blk_files',` gen_require(` attribute file_type, security_file_type; ') @@ -593,7 +542,7 @@ interface(`files_dontaudit_getattr_non_security_blk_dev',` ## Domain to not audit. ## # -interface(`files_dontaudit_getattr_non_security_chr_dev',` +interface(`files_dontaudit_getattr_non_security_chr_files',` gen_require(` attribute file_type, security_file_type; ') 
@@ -728,7 +677,7 @@ interface(`files_dontaudit_getattr_non_security_sockets',` ## Domain allowed access. ## # -interface(`files_read_all_blk_nodes',` +interface(`files_read_all_blk_files',` gen_require(` attribute file_type; ') @@ -745,7 +694,7 @@ interface(`files_read_all_blk_nodes',` ## Domain allowed access. ## # -interface(`files_read_all_chr_nodes',` +interface(`files_read_all_chr_files',` gen_require(` attribute file_type; ') @@ -815,9 +764,9 @@ interface(`files_manage_all_files',` ######################################## # -# files_search_all_dirs(domain) +# files_search_all(domain) # -interface(`files_search_all_dirs',` +interface(`files_search_all',` gen_require(` attribute file_type; ') @@ -827,9 +776,9 @@ interface(`files_search_all_dirs',` ######################################## # -# files_list_all_dirs(domain) +# files_list_all(domain) # -interface(`files_list_all_dirs',` +interface(`files_list_all',` gen_require(` attribute file_type; ') @@ -943,9 +892,9 @@ interface(`files_filetrans_root',` ######################################## # -# files_dontaudit_read_root_file(domain) +# files_dontaudit_read_root_files(domain) # -interface(`files_dontaudit_read_root_file',` +interface(`files_dontaudit_read_root_files',` gen_require(` type root_t; ') @@ -955,9 +904,9 @@ interface(`files_dontaudit_read_root_file',` ######################################## # -# files_dontaudit_rw_root_file(domain) +# files_dontaudit_rw_root_files(domain) # -interface(`files_dontaudit_rw_root_file',` +interface(`files_dontaudit_rw_root_files',` gen_require(` type root_t; ') @@ -967,9 +916,9 @@ interface(`files_dontaudit_rw_root_file',` ######################################## # -# files_dontaudit_rw_root_chr_dev(domain) +# files_dontaudit_rw_root_chr_files(domain) # -interface(`files_dontaudit_rw_root_chr_dev',` +interface(`files_dontaudit_rw_root_chr_files',` gen_require(` type root_t; ') 
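Review bot: In files.if the interfaces now named `files_search_all` and `files_list_all` (hunks at -815 and -827) are documented only by a bare `# files_search_all(domain)` / `# files_list_all(domain)` comment, whereas the same-named definitions deleted at -274 carried a summary and a parameter description. Carry that documentation over to the surviving definitions: the summaries "Search all directories." and "List the contents of all directories.", plus the "Domain allowed access." parameter text. Both bodies continue past the end of their hunks, so it is not visible whether their allow rules match the deleted `allow $1 file_type:dir { getattr search };` and `allow $1 file_type:dir r_dir_perms;`. That is worth confirming, because every existing caller of these two names now gets the surviving body, and any difference would widen or narrow access across all of `file_type` without appearing in the caller's diff.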
@@ -1009,7 +958,7 @@ interface(`files_unmount_rootfs',` ## Domain allowed access. ## # -interface(`files_getattr_default_dir',` +interface(`files_getattr_default_dirs',` gen_require(` type default_t; ') @@ -1026,7 +975,7 @@ interface(`files_getattr_default_dir',` ## Domain to not audit. ## # -interface(`files_dontaudit_getattr_default_dir',` +interface(`files_dontaudit_getattr_default_dirs',` gen_require(` type default_t; ') @@ -1217,7 +1166,7 @@ interface(`files_search_etc',` ## Domain allowed access. ## # -interface(`files_setattr_etc_dir',` +interface(`files_setattr_etc_dirs',` gen_require(` type etc_t; ') @@ -1445,7 +1394,7 @@ interface(`files_filetrans_etc',` ## The type of the process performing this action. ## # -interface(`files_getattr_isid_type_dir',` +interface(`files_getattr_isid_type_dirs',` gen_require(` type file_t; ') @@ -1462,7 +1411,7 @@ interface(`files_getattr_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_dontaudit_search_isid_type_dir',` +interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` type file_t; ') @@ -1479,7 +1428,7 @@ interface(`files_dontaudit_search_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_list_isid_type_dir',` +interface(`files_list_isid_type_dirs',` gen_require(` type file_t; ') @@ -1496,7 +1445,7 @@ interface(`files_list_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_rw_isid_type_dir',` +interface(`files_rw_isid_type_dirs',` gen_require(` type file_t; ') @@ -1513,7 +1462,7 @@ interface(`files_rw_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_manage_isid_type_dir',` +interface(`files_manage_isid_type_dirs',` gen_require(` type file_t; ') 
@@ -1530,7 +1479,7 @@ interface(`files_manage_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_mounton_isid_type_dir',` +interface(`files_mounton_isid_type_dirs',` gen_require(` type file_t; ') @@ -1547,7 +1496,7 @@ interface(`files_mounton_isid_type_dir',` ## The type of the process performing this action. ## # -interface(`files_read_isid_type_file',` +interface(`files_read_isid_type_files',` gen_require(` type file_t; ') @@ -1565,7 +1514,7 @@ interface(`files_read_isid_type_file',` ## The type of the process performing this action. ## # -interface(`files_manage_isid_type_file',` +interface(`files_manage_isid_type_files',` gen_require(` type file_t; ') @@ -1583,7 +1532,7 @@ interface(`files_manage_isid_type_file',` ## The type of the process performing this action. ## # -interface(`files_manage_isid_type_symlink',` +interface(`files_manage_isid_type_symlinks',` gen_require(` type file_t; ') @@ -1601,7 +1550,7 @@ interface(`files_manage_isid_type_symlink',` ## The type of the process performing this action. ## # -interface(`files_rw_isid_type_blk_node',` +interface(`files_rw_isid_type_blk_files',` gen_require(` type file_t; ') @@ -1619,7 +1568,7 @@ interface(`files_rw_isid_type_blk_node',` ## The type of the process performing this action. ## # -interface(`files_manage_isid_type_blk_node',` +interface(`files_manage_isid_type_blk_files',` gen_require(` type file_t; ') @@ -1637,7 +1586,7 @@ interface(`files_manage_isid_type_blk_node',` ## The type of the process performing this action. ## # -interface(`files_manage_isid_type_chr_node',` +interface(`files_manage_isid_type_chr_files',` gen_require(` type file_t; ') @@ -1994,7 +1943,7 @@ interface(`files_associate_tmp',` ## Domain allowed access. ## # -interface(`files_getattr_tmp_dir',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') 
@@ -2011,7 +1960,7 @@ interface(`files_getattr_tmp_dir',` ## The type of the process performing this action. ## # -interface(`files_dontaudit_getattr_tmp_dir',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') @@ -2374,7 +2323,7 @@ interface(`files_search_var',` ## Domain to not audit. ## # -interface(`files_dontaudit_write_var',` +interface(`files_dontaudit_write_var_dirs',` gen_require(` type var_t; ') @@ -2474,7 +2423,7 @@ interface(`files_manage_var_files',` ## Domain allowed access. ## # -interface(`files_read_var_symlink',` +interface(`files_read_var_symlinks',` gen_require(` type var_t; ') @@ -2529,23 +2478,6 @@ interface(`files_filetrans_var',` ') ') -######################################## -## -## Search directories in /var/lib. -## -## -## The type of the process performing this action. -## -# -interface(`files_search_var_lib_dir',` - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search; - allow $1 var_lib_t:dir search; -') - ######################################## ## ## Get the attributes of the /var/lib directory. @@ -2554,7 +2486,7 @@ interface(`files_search_var_lib_dir',` ## The type of the process performing this action. ## # -interface(`files_getattr_var_lib_dir',` +interface(`files_getattr_var_lib_dirs',` gen_require(` type var_t, var_lib_t; ') @@ -2733,7 +2665,7 @@ interface(`files_dontaudit_search_locks',` ## Domain allowed access. ## # -interface(`files_rw_locks_dir',` +interface(`files_rw_lock_dirs',` gen_require(` type var_t, var_lock_t; ') @@ -2830,7 +2762,7 @@ interface(`files_filetrans_lock',` ## Domain to not audit. ## # -interface(`files_dontaudit_getattr_pid_dir',` +interface(`files_dontaudit_getattr_pid_dirs',` gen_require(` type var_run_t; ') 
@@ -3068,9 +3000,9 @@ interface(`files_manage_generic_spool_dirs',` ######################################## # -# files_read_generic_spools(domain) +# files_read_generic_spool(domain) # -interface(`files_read_generic_spools',` +interface(`files_read_generic_spool',` gen_require(` type var_t, var_spool_t; ') @@ -3082,9 +3014,9 @@ interface(`files_read_generic_spools',` ######################################## # -# files_manage_generic_spools(domain) +# files_manage_generic_spool(domain) # -interface(`files_manage_generic_spools',` +interface(`files_manage_generic_spool',` gen_require(` type var_t, var_spool_t; ') @@ -3175,7 +3107,7 @@ interface(`files_unconfined',` ## Domain to allow ## # -interface(`files_write_non_security_dir',` +interface(`files_write_non_security_dirs',` gen_require(` attribute file_type, security_file_type; ') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index e97e8df5..a00b7d22 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -289,7 +289,7 @@ mta_send_mail(httpd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(httpd_t) term_dontaudit_use_generic_pty(httpd_t) - files_dontaudit_read_root_file(httpd_t) + files_dontaudit_read_root_files(httpd_t) tunable_policy(`httpd_enable_homedirs',` userdom_search_generic_user_home_dir(httpd_t) diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 969d0e6f..fd51e934 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -182,7 +182,7 @@ ifdef(`distro_suse',` ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(apmd_t) term_dontaudit_use_generic_pty(apmd_t) - files_dontaudit_read_root_file(apmd_t) + files_dontaudit_read_root_files(apmd_t) unconfined_domain_template(apmd_t) ') 
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index 3a8cc404..b74964fe 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te @@ -96,7 +96,7 @@ mta_send_mail(arpwatch_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(arpwatch_t) term_dontaudit_use_generic_pty(arpwatch_t) - files_dontaudit_read_root_file(arpwatch_t) + files_dontaudit_read_root_files(arpwatch_t) ') optional_policy(`nis',` diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index 861ccef1..863741ef 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -90,15 +90,15 @@ dev_read_urand(automount_t) domain_use_wide_inherit_fd(automount_t) -files_dontaudit_write_var(automount_t) -files_search_var_lib_dir(automount_t) +files_dontaudit_write_var_dirs(automount_t) +files_search_var_lib(automount_t) files_search_mnt(automount_t) files_getattr_home_dir(automount_t) files_read_etc_files(automount_t) files_read_etc_runtime_files(automount_t) # for if the mount point is not labelled -files_getattr_isid_type_dir(automount_t) -files_getattr_default_dir(automount_t) +files_getattr_isid_type_dirs(automount_t) +files_getattr_default_dirs(automount_t) # because config files can be shell scripts files_exec_etc_files(automount_t) @@ -132,7 +132,7 @@ userdom_dontaudit_use_unpriv_user_fd(automount_t) userdom_dontaudit_search_sysadm_home_dir(automount_t) ifdef(`targeted_policy', ` - files_dontaudit_read_root_file(automount_t) + files_dontaudit_read_root_files(automount_t) term_dontaudit_use_unallocated_tty(automount_t) term_dontaudit_use_generic_pty(automount_t) ') diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index 687be8f2..bd5fa55d 100644 --- a/refpolicy/policy/modules/services/avahi.te 
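Review bot: `files_search_var_lib(automount_t)` in the automount.te hunk at -90 is a different interface from the `files_search_var_lib_dir` it replaces, not a renamed one, and its definition is not shown in this diff, so the permission set automount_t ends up with cannot be checked here. The interface removed from files.if at -2529 granted exactly `allow $1 var_t:dir search;` and `allow $1 var_lib_t:dir search;`. Please confirm that `files_search_var_lib` grants the same two rules, so that automount_t neither loses traversal of `var_t` nor picks up more than directory search. If the two are equivalent, a line in the commit description saying the substitution is permission-neutral would make that auditable later.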
+++ b/refpolicy/policy/modules/services/avahi.te @@ -84,7 +84,7 @@ userdom_dontaudit_search_sysadm_home_dir(avahi_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(avahi_t) term_dontaudit_use_generic_pty(avahi_t) - files_dontaudit_read_root_file(avahi_t) + files_dontaudit_read_root_files(avahi_t) ') optional_policy(`dbus',` diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index 269857fc..796a196d 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -148,7 +148,7 @@ userdom_dontaudit_search_sysadm_home_dir(named_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(named_t) term_dontaudit_use_generic_pty(named_t) - files_dontaudit_read_root_file(named_t) + files_dontaudit_read_root_files(named_t) ') tunable_policy(`named_write_master_zones',` diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 6bb985f7..160d4ec0 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -139,7 +139,7 @@ userdom_dontaudit_search_sysadm_home_dir(bluetooth_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(bluetooth_t) term_dontaudit_use_generic_pty(bluetooth_t) - files_dontaudit_read_root_file(bluetooth_t) + files_dontaudit_read_root_files(bluetooth_t) ') optional_policy(`dbus',` diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index 29908142..5a1233a8 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te @@ -70,7 +70,7 @@ files_read_etc_files(canna_t) files_read_etc_runtime_files(canna_t) files_read_usr_files(canna_t) files_search_tmp(canna_t) -files_dontaudit_read_root_file(canna_t) +files_dontaudit_read_root_files(canna_t) init_use_fd(canna_t) init_use_script_pty(canna_t) 
@@ -90,7 +90,7 @@ userdom_dontaudit_search_sysadm_home_dir(canna_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(canna_t) term_dontaudit_use_generic_pty(canna_t) - files_dontaudit_read_root_file(canna_t) + files_dontaudit_read_root_files(canna_t) ') optional_policy(`nis',` diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te index cc2819df..9bbcbf2c 100644 --- a/refpolicy/policy/modules/services/cpucontrol.te +++ b/refpolicy/policy/modules/services/cpucontrol.te @@ -58,7 +58,7 @@ userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(cpucontrol_t) term_dontaudit_use_generic_pty(cpucontrol_t) - files_dontaudit_read_root_file(cpucontrol_t) + files_dontaudit_read_root_files(cpucontrol_t) ') optional_policy(`nscd',` @@ -112,7 +112,7 @@ userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(cpuspeed_t) term_dontaudit_use_generic_pty(cpuspeed_t) - files_dontaudit_read_root_file(cpuspeed_t) + files_dontaudit_read_root_files(cpuspeed_t) ') optional_policy(`nscd',` diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index ea29b8f6..5377ac21 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -112,7 +112,7 @@ corecmd_list_sbin(crond_t) domain_use_wide_inherit_fd(crond_t) files_read_etc_files(crond_t) -files_read_generic_spools(crond_t) +files_read_generic_spool(crond_t) files_list_usr(crond_t) # Read from /var/spool/cron. files_search_var_lib(crond_t) 
@@ -314,7 +314,7 @@ ifdef(`targeted_policy',` files_exec_etc_files(system_crond_t) files_read_etc_files(system_crond_t) files_read_etc_runtime_files(system_crond_t) - files_list_all_dirs(system_crond_t) + files_list_all(system_crond_t) files_getattr_all_dirs(system_crond_t) files_getattr_all_files(system_crond_t) files_getattr_all_symlinks(system_crond_t) @@ -326,7 +326,7 @@ ifdef(`targeted_policy',` files_dontaudit_search_pids(system_crond_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. - files_manage_generic_spools(system_crond_t) + files_manage_generic_spool(system_crond_t) init_use_fd(system_crond_t) init_use_script_fd(system_crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 27058998..29ccff26 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -198,7 +198,7 @@ lpd_manage_spool(cupsd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty(cupsd_t) term_dontaudit_use_generic_pty(cupsd_t) - files_dontaudit_read_root_file(cupsd_t) + files_dontaudit_read_root_files(cupsd_t) ') optional_policy(`cron',` @@ -350,7 +350,7 @@ userdom_dontaudit_search_all_users_home(ptal_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(ptal_t) term_dontaudit_use_generic_pty(ptal_t) - files_dontaudit_read_root_file(ptal_t) + files_dontaudit_read_root_files(ptal_t) ') optional_policy(`selinuxutil',` @@ -449,7 +449,7 @@ lpd_read_config(cupsd_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(hplip_t) term_dontaudit_use_generic_pty(hplip_t) - files_dontaudit_read_root_file(hplip_t) + files_dontaudit_read_root_files(hplip_t) ') optional_policy(`mount',` 
@@ -576,7 +576,7 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(cupsd_config_t)
 term_dontaudit_use_generic_pty(cupsd_config_t)
- files_dontaudit_read_root_file(cupsd_config_t)
+ files_dontaudit_read_root_files(cupsd_config_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 87648db3..1a545a3e 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -115,7 +115,7 @@ mta_manage_spool(cyrus_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(cyrus_t)
 term_dontaudit_use_generic_pty(cyrus_t)
- files_dontaudit_read_root_file(cyrus_t)
+ files_dontaudit_read_root_files(cyrus_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 07ab4fd3..1e6b77a1 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -113,7 +113,7 @@ userdom_dontaudit_search_sysadm_home_dir(system_dbusd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(system_dbusd_t)
 term_dontaudit_use_generic_pty(system_dbusd_t)
- files_dontaudit_read_root_file(system_dbusd_t)
+ files_dontaudit_read_root_files(system_dbusd_t)
 ')
 tunable_policy(`read_default_t',`
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 161750b0..d13181c7 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -112,7 +112,7 @@ ifdef(`distro_gentoo',`
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(dhcpd_t)
 term_dontaudit_use_generic_pty(dhcpd_t)
- files_dontaudit_read_root_file(dhcpd_t)
+ files_dontaudit_read_root_files(dhcpd_t)
 ')
 optional_policy(`bind',`
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index d35f0e12..56fb9eaf 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -84,7 +84,7 @@ userdom_dontaudit_use_unpriv_user_fd(dictd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(dictd_t)
 term_dontaudit_use_generic_pty(dictd_t)
- files_dontaudit_read_root_file(dictd_t)
+ files_dontaudit_read_root_files(dictd_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 6adf88db..eb337624 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -92,7 +92,7 @@ userdom_dontaudit_search_sysadm_home_dir(distccd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(distccd_t)
 term_dontaudit_use_generic_pty(distccd_t)
- files_dontaudit_read_root_file(distccd_t)
+ files_dontaudit_read_root_files(distccd_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index c02c30df..be406dcf 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -121,7 +121,7 @@ mta_manage_spool(dovecot_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(dovecot_t)
 term_dontaudit_use_generic_pty(dovecot_t)
- files_dontaudit_read_root_file(dovecot_t)
+ files_dontaudit_read_root_files(dovecot_t)
 ')
 optional_policy(`kerberos',`
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 1c624e04..31d197bb 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -93,7 +93,7 @@ userdom_dontaudit_search_sysadm_home_dir(fetchmail_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(fetchmail_t)
 term_dontaudit_use_generic_pty(fetchmail_t)
- files_dontaudit_read_root_file(fetchmail_t)
+ files_dontaudit_read_root_files(fetchmail_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index c564a85b..86ef3536 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -107,7 +107,7 @@ userdom_dontaudit_search_user_home_dirs(fingerd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(fingerd_t)
 term_dontaudit_use_generic_pty(fingerd_t)
- files_dontaudit_read_root_file(fingerd_t)
+ files_dontaudit_read_root_files(fingerd_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 840969ed..15392318 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -97,7 +97,7 @@ domain_use_wide_inherit_fd(ftpd_t)
 files_search_etc(ftpd_t)
 files_read_etc_files(ftpd_t)
 files_read_etc_runtime_files(ftpd_t)
-files_search_var_lib_dir(ftpd_t)
+files_search_var_lib(ftpd_t)
 fs_search_auto_mountpoints(ftpd_t)
 fs_getattr_all_fs(ftpd_t)
@@ -130,7 +130,7 @@ userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fd(ftpd_t)
 ifdef(`targeted_policy',`
- files_dontaudit_read_root_file(ftpd_t)
+ files_dontaudit_read_root_files(ftpd_t)
 term_dontaudit_use_generic_pty(ftpd_t)
 term_dontaudit_use_unallocated_tty(ftpd_t)
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 7113bf9b..1904619a 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -81,7 +81,7 @@ userdom_dontaudit_search_sysadm_home_dir(gpm_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(gpm_t)
 term_dontaudit_use_generic_pty(gpm_t)
- files_dontaudit_read_root_file(gpm_t)
+ files_dontaudit_read_root_files(gpm_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 382fca35..ac05ab66 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -140,7 +140,7 @@ userdom_dontaudit_search_sysadm_home_dir(hald_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(hald_t)
 term_dontaudit_use_generic_pty(hald_t)
- files_dontaudit_read_root_file(hald_t)
+ files_dontaudit_read_root_files(hald_t)
 files_dontaudit_getattr_home_dir(hald_t)
 ')
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index b798d935..c5e0db2f 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -79,7 +79,7 @@ userdom_dontaudit_search_sysadm_home_dir(howl_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(howl_t)
 term_dontaudit_use_generic_pty(howl_t)
- files_dontaudit_read_root_file(howl_t)
+ files_dontaudit_read_root_files(howl_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index dcf18e26..7e058a02 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -89,7 +89,7 @@ userdom_read_unpriv_user_home_files(i18n_input_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(i18n_input_t)
 term_dontaudit_use_generic_pty(i18n_input_t)
- files_dontaudit_read_root_file(i18n_input_t)
+ files_dontaudit_read_root_files(i18n_input_t)
 ')
 tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 4ad06e2f..201ae7f1 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -124,7 +124,7 @@ userdom_dontaudit_search_sysadm_home_dir(inetd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(inetd_t)
 term_dontaudit_use_generic_pty(inetd_t)
- files_dontaudit_read_root_file(inetd_t)
+ files_dontaudit_read_root_files(inetd_t)
 ')
 optional_policy(`amanda',`
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 202eedd8..0a97db40 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -119,7 +119,7 @@ mta_send_mail(innd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(innd_t)
 term_dontaudit_use_generic_pty(innd_t)
- files_dontaudit_read_root_file(innd_t)
+ files_dontaudit_read_root_files(innd_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index 0368165d..1ce41808 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -54,7 +54,7 @@ userdom_dontaudit_search_sysadm_home_dir(irqbalance_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(irqbalance_t)
 term_dontaudit_use_generic_pty(irqbalance_t)
- files_dontaudit_read_root_file(irqbalance_t)
+ files_dontaudit_read_root_files(irqbalance_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index f21527c4..fc4392db 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -134,7 +134,7 @@ userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(kadmind_t)
 term_dontaudit_use_generic_pty(kadmind_t)
- files_dontaudit_read_root_file(kadmind_t)
+ files_dontaudit_read_root_files(kadmind_t)
 ')
 optional_policy(`nis',`
@@ -234,7 +234,7 @@ userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(krb5kdc_t)
 term_dontaudit_use_generic_pty(krb5kdc_t)
- files_dontaudit_read_root_file(krb5kdc_t)
+ files_dontaudit_read_root_files(krb5kdc_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 6998bb5b..b5b609f1 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -135,7 +135,7 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(slapd_t)
 term_dontaudit_use_generic_pty(slapd_t)
- files_dontaudit_read_root_file(slapd_t)
+ files_dontaudit_read_root_files(slapd_t)
 ')
 optional_policy(`kerberos',`
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index bda1eeb1..3c04e2ac 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -220,7 +220,7 @@ userdom_dontaudit_search_sysadm_home_dir(lpd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(lpd_t)
 term_dontaudit_use_generic_pty(lpd_t)
- files_dontaudit_read_root_file(lpd_t)
+ files_dontaudit_read_root_files(lpd_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 6d773821..99d095c1 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -287,7 +287,7 @@ template(`mta_admin_template',`
 files_filetrans_etc($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
 # postfix needs this for newaliases
- files_getattr_tmp_dir($1_mail_t)
+ files_getattr_tmp_dirs($1_mail_t)
 postfix_exec_master($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index c2ad9a15..a82b54f4 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -142,7 +142,7 @@ optional_policy(`postfix',`
 domain_use_wide_inherit_fd(system_mail_t)
 # postfix needs this for newaliases
- files_getattr_tmp_dir(system_mail_t)
+ files_getattr_tmp_dirs(system_mail_t)
 postfix_exec_master(system_mail_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 4f09d20d..80e8abf3 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -88,7 +88,7 @@ term_dontaudit_use_console(mysqld_t)
 domain_use_wide_inherit_fd(mysqld_t)
-files_getattr_var_lib_dir(mysqld_t)
+files_getattr_var_lib_dirs(mysqld_t)
 files_read_etc_runtime_files(mysqld_t)
 files_read_etc_files(mysqld_t)
 files_read_usr_files(mysqld_t)
@@ -118,7 +118,7 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(mysqld_t)
 term_dontaudit_use_generic_pty(mysqld_t)
- files_dontaudit_read_root_file(mysqld_t)
+ files_dontaudit_read_root_files(mysqld_t)
 ')
 optional_policy(`daemontools',`
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index d95c42bf..cb5058e4 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -111,7 +111,7 @@ userdom_dontaudit_use_unpriv_user_tty(NetworkManager_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(NetworkManager_t)
 term_dontaudit_use_generic_pty(NetworkManager_t)
- files_dontaudit_read_root_file(NetworkManager_t)
+ files_dontaudit_read_root_files(NetworkManager_t)
 ')
 optional_policy(`bind',`
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index d1097813..2f63b1f8 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -120,7 +120,7 @@ portmap_udp_sendto(ypbind_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(ypbind_t)
 term_dontaudit_use_generic_pty(ypbind_t)
- files_dontaudit_read_root_file(ypbind_t)
+ files_dontaudit_read_root_files(ypbind_t)
 ')
 optional_policy(`mount',`
@@ -221,7 +221,7 @@ portmap_udp_sendto(yppasswdd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(yppasswdd_t)
 term_dontaudit_use_generic_pty(yppasswdd_t)
- files_dontaudit_read_root_file(yppasswdd_t)
+ files_dontaudit_read_root_files(yppasswdd_t)
 ')
 optional_policy(`hostname',`
@@ -316,7 +316,7 @@ portmap_udp_sendto(ypserv_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(ypserv_t)
 term_dontaudit_use_generic_pty(ypserv_t)
- files_dontaudit_read_root_file(ypserv_t)
+ files_dontaudit_read_root_files(ypserv_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 088dc7d0..f7602187 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -119,7 +119,7 @@ ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(nscd_t)
 term_dontaudit_use_generic_pty(nscd_t)
- files_dontaudit_read_root_file(nscd_t)
+ files_dontaudit_read_root_files(nscd_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 018d6afb..11d28207 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -119,7 +119,7 @@ userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(ntpd_t)
 term_dontaudit_use_generic_pty(ntpd_t)
- files_dontaudit_read_root_file(ntpd_t)
+ files_dontaudit_read_root_files(ntpd_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index 8887143b..48b7cb72 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -59,7 +59,7 @@ userdom_dontaudit_search_sysadm_home_dir(openct_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(openct_t)
 term_dontaudit_use_generic_pty(openct_t)
- files_dontaudit_read_root_file(openct_t)
+ files_dontaudit_read_root_files(openct_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index f21e8f83..c731210a 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -114,7 +114,7 @@ userdom_dontaudit_search_sysadm_home_dir(pegasus_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(pegasus_t)
 term_dontaudit_use_generic_pty(pegasus_t)
- files_dontaudit_read_root_file(pegasus_t)
+ files_dontaudit_read_root_files(pegasus_t)
 ')
 optional_policy(`logging',`
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index bc5969bd..f754662a 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -100,7 +100,7 @@ userdom_dontaudit_search_sysadm_home_dir(portmap_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(portmap_t)
 term_dontaudit_use_generic_pty(portmap_t)
- files_dontaudit_read_root_file(portmap_t)
+ files_dontaudit_read_root_files(portmap_t)
 ')
 optional_policy(`inetd',`
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 003c7e0b..e9f661d9 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -68,7 +68,7 @@ template(`postfix_domain_template',`
 files_read_etc_runtime_files(postfix_$1_t)
 files_read_usr_symlinks(postfix_$1_t)
 files_search_spool(postfix_$1_t)
- files_getattr_tmp_dir(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
 init_use_fd(postfix_$1_t)
 init_sigchld(postfix_$1_t)
@@ -86,7 +86,7 @@ template(`postfix_domain_template',`
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(postfix_$1_t)
 term_dontaudit_use_generic_pty(postfix_$1_t)
- files_dontaudit_read_root_file(postfix_$1_t)
+ files_dontaudit_read_root_files(postfix_$1_t)
 ')
 optional_policy(`nscd',`
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index e6cf8d9a..ecfb1f9a 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -143,7 +143,7 @@ userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
 mta_getattr_spool(postgresql_t)
 ifdef(`targeted_policy', `
- files_dontaudit_read_root_file(postgresql_t)
+ files_dontaudit_read_root_files(postgresql_t)
 term_dontaudit_use_generic_pty(postgresql_t)
 term_dontaudit_use_unallocated_tty(postgresql_t)
 ')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 0cef95f6..e7fd70a0 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -179,7 +179,7 @@ userdom_search_unpriv_user_home_dirs(pppd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(pppd_t)
 term_dontaudit_use_generic_pty(pppd_t)
- files_dontaudit_read_root_file(pppd_t)
+ files_dontaudit_read_root_files(pppd_t)
 optional_policy(`postfix',`
 gen_require(`
@@ -299,7 +299,7 @@ userdom_dontaudit_search_sysadm_home_dir(pptp_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(pptp_t)
 term_dontaudit_use_generic_pty(pptp_t)
- files_dontaudit_read_root_file(pptp_t)
+ files_dontaudit_read_root_files(pptp_t)
 ')
 optional_policy(`hostname',`
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index f95456cd..3d594d8b 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -83,7 +83,7 @@ userdom_use_sysadm_terms(privoxy_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(privoxy_t)
 term_dontaudit_use_generic_pty(privoxy_t)
- files_dontaudit_read_root_file(privoxy_t)
+ files_dontaudit_read_root_files(privoxy_t)
 ')
 optional_policy(`mount',`
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index 2471486c..8ea75fcc 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -76,7 +76,7 @@ ifdef(`hide_broken_symptoms',`
 ifdef(`targeted_policy', `
 corenet_udp_bind_generic_port(procmail_t)
- files_getattr_tmp_dir(procmail_t)
+ files_getattr_tmp_dirs(procmail_t)
 ')
 optional_policy(`logging',`
@@ -102,7 +102,7 @@ optional_policy(`spamassassin',`
 corenet_udp_bind_generic_port(procmail_t)
 corenet_tcp_connect_spamd_port(procmail_t)
- files_getattr_tmp_dir(procmail_t)
+ files_getattr_tmp_dirs(procmail_t)
 spamassassin_exec(procmail_t)
 spamassassin_exec_client(procmail_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 5cbd243e..54399532 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -106,7 +106,7 @@ userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(radiusd_t)
 term_dontaudit_use_generic_pty(radiusd_t)
- files_dontaudit_read_root_file(radiusd_t)
+ files_dontaudit_read_root_files(radiusd_t)
 ')
 optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 23c05026..0251303f 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -81,7 +81,7 @@ userdom_dontaudit_search_sysadm_home_dir(radvd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(radvd_t)
 term_dontaudit_use_generic_pty(radvd_t)
- files_dontaudit_read_root_file(radvd_t)
+ files_dontaudit_read_root_files(radvd_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index d7e522c9..864a5ce0 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -59,7 +59,7 @@ userdom_dontaudit_use_unpriv_user_fd(rdisc_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(rdisc_t)
 term_dontaudit_use_generic_pty(rdisc_t)
- files_dontaudit_read_root_file(rdisc_t)
+ files_dontaudit_read_root_files(rdisc_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 81168943..e917daf9 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -97,7 +97,7 @@ files_read_world_readable_pipes(remote_login_t)
 files_read_world_readable_sockets(remote_login_t)
 files_list_mnt(remote_login_t)
 # for when /var/mail is a sym-link
-files_read_var_symlink(remote_login_t)
+files_read_var_symlinks(remote_login_t)
 init_rw_utmp(remote_login_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index 4019879c..cc0a0bfd 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -89,7 +89,7 @@ userdom_dontaudit_use_unpriv_user_fd(roundup_t)
 userdom_dontaudit_search_sysadm_home_dir(roundup_t)
 ifdef(`targeted_policy',`
- files_dontaudit_read_root_file(roundup_t)
+ files_dontaudit_read_root_files(roundup_t)
 term_dontaudit_use_unallocated_tty(roundup_t)
 term_dontaudit_use_generic_pty(roundup_t)
 ')
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index a06f4d99..f3267c67 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -77,7 +77,7 @@ template(`rpc_domain_template', `
 files_read_etc_files($1_t)
 files_read_etc_runtime_files($1_t)
 files_search_var($1_t)
- files_search_var_lib_dir($1_t)
+ files_search_var_lib($1_t)
 init_use_fd($1_t)
 init_use_script_pty($1_t)
@@ -96,7 +96,7 @@ template(`rpc_domain_template', `
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty($1_t)
 term_dontaudit_use_generic_pty($1_t)
- files_dontaudit_read_root_file($1_t)
+ files_dontaudit_read_root_files($1_t)
 ')
 optional_policy(`mount',`
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 87430332..7501a149 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -100,7 +100,7 @@ term_use_controlling_term(nfsd_t)
 # does not really need this, but it is easier to just allow it
 files_search_pids(nfsd_t)
 # for exportfs and rpc.mountd
-files_getattr_tmp_dir(nfsd_t)
+files_getattr_tmp_dirs(nfsd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index b0fdc609..0ffedb0d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -289,7 +289,7 @@ userdom_dontaudit_use_unpriv_user_fd(smbd_t)
 userdom_use_unpriv_users_fd(smbd_t)
 ifdef(`targeted_policy', `
- files_dontaudit_read_root_file(smbd_t)
+ files_dontaudit_read_root_files(smbd_t)
 term_dontaudit_use_generic_pty(smbd_t)
 term_dontaudit_use_unallocated_tty(smbd_t)
 ')
@@ -420,7 +420,7 @@ userdom_dontaudit_use_unpriv_user_fd(nmbd_t)
 userdom_use_unpriv_users_fd(nmbd_t)
 ifdef(`targeted_policy', `
- files_dontaudit_read_root_file(nmbd_t)
+ files_dontaudit_read_root_files(nmbd_t)
 term_dontaudit_use_generic_pty(nmbd_t)
 term_dontaudit_use_unallocated_tty(nmbd_t)
 ')
@@ -714,7 +714,7 @@ userdom_priveleged_home_dir_manager(winbind_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(winbind_t)
 term_dontaudit_use_generic_pty(winbind_t)
- files_dontaudit_read_root_file(winbind_t)
+ files_dontaudit_read_root_files(winbind_t)
 ')
 optional_policy(`kerberos',`
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 065726eb..38e85d69 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -60,7 +60,7 @@ files_read_etc_files(saslauthd_t)
 files_dontaudit_read_etc_runtime_files(saslauthd_t)
 files_search_var_lib(saslauthd_t)
 files_dontaudit_getattr_home_dir(saslauthd_t)
-files_dontaudit_getattr_tmp_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
 init_use_fd(saslauthd_t)
 init_use_script_pty(saslauthd_t)
@@ -84,7 +84,7 @@ userdom_dontaudit_search_sysadm_home_dir(saslauthd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(saslauthd_t)
 term_dontaudit_use_generic_pty(saslauthd_t)
- files_dontaudit_read_root_file(saslauthd_t)
+ files_dontaudit_read_root_files(saslauthd_t)
 ')
 # cjp: typeattribute dont work in conditionals yet
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index fd16c09e..fca880d7 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -105,7 +105,7 @@ ifdef(`targeted_policy',`
 unconfined_domain_template(sendmail_t)
 term_dontaudit_use_unallocated_tty(sendmail_t)
 term_dontaudit_use_generic_pty(sendmail_t)
- files_dontaudit_read_root_file(sendmail_t)
+ files_dontaudit_read_root_files(sendmail_t)
 ',`
 allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
 allow sendmail_t sendmail_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index c3462c80..8ccc4755 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -69,7 +69,7 @@ userdom_dontaudit_use_unpriv_user_fd(slrnpull_t)
 userdom_dontaudit_search_sysadm_home_dir(slrnpull_t)
 ifdef(`targeted_policy',`
- files_dontaudit_read_root_file(slrnpull_t)
+ files_dontaudit_read_root_files(slrnpull_t)
 term_dontaudit_use_unallocated_tty(slrnpull_t)
 term_dontaudit_use_generic_pty(slrnpull_t)
 ')
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 79802276..7681839c 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -91,7 +91,7 @@ userdom_dontaudit_search_sysadm_home_dir(fsdaemon_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(fsdaemon_t)
 term_dontaudit_use_generic_pty(fsdaemon_t)
- files_dontaudit_read_root_file(fsdaemon_t)
+ files_dontaudit_read_root_files(fsdaemon_t)
 ')
 optional_policy(`mta',`
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 9d2a4995..03e06129 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -126,7 +126,7 @@ ifdef(`distro_redhat', `
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(snmpd_t)
 term_dontaudit_use_generic_pty(snmpd_t)
- files_dontaudit_read_root_file(snmpd_t)
+ files_dontaudit_read_root_files(snmpd_t)
 ')
 optional_policy(`amanda',`
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 099addac..066909cf 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -119,7 +119,7 @@ userdom_dontaudit_search_sysadm_home_dir(spamd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(spamd_t)
 term_dontaudit_use_generic_pty(spamd_t)
- files_dontaudit_read_root_file(spamd_t)
+ files_dontaudit_read_root_files(spamd_t)
 userdom_manage_generic_user_home_dirs(spamd_t)
 userdom_manage_generic_user_home_files(spamd_t)
 ')
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 74dd8fc0..d3dc3814 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -113,7 +113,7 @@ files_read_etc_files(squid_t)
 files_read_etc_runtime_files(squid_t)
 files_read_usr_files(squid_t)
 files_search_spool(squid_t)
-files_dontaudit_getattr_tmp_dir(squid_t)
+files_dontaudit_getattr_tmp_dirs(squid_t)
 files_getattr_home_dir(squid_t)
 init_use_fd(squid_t)
@@ -138,7 +138,7 @@ userdom_dontaudit_search_sysadm_home_dir(squid_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(squid_t)
 term_dontaudit_use_generic_pty(squid_t)
- files_dontaudit_read_root_file(squid_t)
+ files_dontaudit_read_root_files(squid_t)
 ')
 tunable_policy(`squid_connect_any',`
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 2f4f84d0..51eb4d34 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -255,7 +255,7 @@ ifdef(`targeted_policy',`',`
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(ssh_keygen_t)
 term_dontaudit_use_generic_pty(ssh_keygen_t)
- files_dontaudit_read_root_file(ssh_keygen_t)
+ files_dontaudit_read_root_files(ssh_keygen_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index c0f99206..b2e32f12 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -100,7 +100,7 @@ ifdef(`distro_gentoo', `
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(stunnel_t)
 term_dontaudit_use_generic_pty(stunnel_t)
- files_dontaudit_read_root_file(stunnel_t)
+ files_dontaudit_read_root_files(stunnel_t)
 ')
 optional_policy(`daemontools',`
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 44fb4153..b51075b1 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -65,7 +65,7 @@ domain_use_wide_inherit_fd(tftpd_t)
 files_read_etc_files(tftpd_t);
 files_read_var_files(tftpd_t)
-files_read_var_symlink(tftpd_t)
+files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
 init_use_fd(tftpd_t)
@@ -87,7 +87,7 @@ userdom_dontaudit_search_sysadm_home_dir(tftpd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(tftpd_t)
 term_dontaudit_use_generic_pty(tftpd_t)
- files_dontaudit_read_root_file(tftpd_t)
+ files_dontaudit_read_root_files(tftpd_t)
 ')
 optional_policy(`mount',`
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index b66b5dbf..da3e5a67 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -88,7 +88,7 @@ userdom_search_sysadm_home_dir(timidity_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(timidity_t)
 term_dontaudit_use_generic_pty(timidity_t)
- files_dontaudit_read_root_file(timidity_t)
+ files_dontaudit_read_root_files(timidity_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index fb806d93..a805e4c5 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -76,7 +76,7 @@ ifdef(`distro_debian',`
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(xfs_t)
 term_dontaudit_use_generic_pty(xfs_t)
- files_dontaudit_read_root_file(xfs_t)
+ files_dontaudit_read_root_files(xfs_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 85c5834b..2f6fc24e 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -109,7 +109,7 @@ userdom_dontaudit_search_sysadm_home_dir(zebra_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(zebra_t)
 term_dontaudit_use_generic_pty(zebra_t)
- files_dontaudit_read_root_file(zebra_t)
+ files_dontaudit_read_root_files(zebra_t)
 unconfined_sigchld(zebra_t)
 ')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index f9c4fc0e..6cc38e10 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -218,7 +218,7 @@ ifdef(`direct_sysadm_daemon', `
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(pam_console_t)
 term_dontaudit_use_generic_pty(pam_console_t)
- files_dontaudit_read_root_file(pam_console_t)
+ files_dontaudit_read_root_files(pam_console_t)
 ')
 optional_policy(`gpm',`
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index fac03e2e..92d9fe5b 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -52,7 +52,7 @@ init_use_script_pty(hwclock_t)
 files_read_etc_files(hwclock_t)
 # for when /usr is not mounted:
-files_dontaudit_search_isid_type_dir(hwclock_t)
+files_dontaudit_search_isid_type_dirs(hwclock_t)
 libs_use_ld_so(hwclock_t)
 libs_use_shared_libs(hwclock_t)
@@ -64,7 +64,7 @@ miscfiles_read_localization(hwclock_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(hwclock_t)
 term_dontaudit_use_generic_pty(hwclock_t)
- files_dontaudit_read_root_file(hwclock_t)
+ files_dontaudit_read_root_files(hwclock_t)
 ')
 optional_policy(`apm',`
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 354fbd35..25f84f1c 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -112,12 +112,12 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dir(fsadm_t)
+files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 # Access to /initrd devices
-files_rw_isid_type_dir(fsadm_t)
-files_rw_isid_type_blk_node(fsadm_t)
+files_rw_isid_type_dirs(fsadm_t)
+files_rw_isid_type_blk_files(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 51b0172a..317c055c 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -44,7 +44,7 @@ domain_use_wide_inherit_fd(hostname_t)
 files_read_etc_files(hostname_t)
 files_dontaudit_search_var(hostname_t)
 # for when /usr is not mounted:
-files_dontaudit_search_isid_type_dir(hostname_t)
+files_dontaudit_search_isid_type_dirs(hostname_t)
 libs_use_ld_so(hostname_t)
 libs_use_shared_libs(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 04e5d894..5ede4647 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -93,7 +93,7 @@ files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
 files_exec_etc_files(hotplug_t)
 # for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dir(hotplug_t)
+files_dontaudit_search_isid_type_dirs(hotplug_t)
 init_use_fd(hotplug_t)
 init_use_script_pty(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 230a10b5..402748f4 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -140,13 +140,13 @@ domain_sigchld_all_domains(init_t)
 files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dir(init_t)
+files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 # file descriptors inherited from the rootfs:
-files_dontaudit_rw_root_file(init_t)
-files_dontaudit_rw_root_chr_dev(init_t)
+files_dontaudit_rw_root_files(init_t)
+files_dontaudit_rw_root_chr_files(init_t)
 libs_use_ld_so(init_t)
 libs_use_shared_libs(init_t)
@@ -337,11 +337,11 @@ files_manage_generic_locks(initrc_t)
 files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
-files_manage_generic_spools(initrc_t)
+files_manage_generic_spool(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dir(initrc_t)
-files_mounton_isid_type_dir(initrc_t)
+files_list_isid_type_dirs(initrc_t)
+files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@@ -390,7 +390,7 @@ ifdef(`distro_debian',`
 fs_setattr_tmpfs_dir(initrc_t)
 storage_create_fixed_disk_tmpfs(initrc_t)
- files_setattr_etc_dir(initrc_t)
+ files_setattr_etc_dirs(initrc_t)
 ')
 ifdef(`distro_gentoo',`
@@ -410,7 +410,7 @@ ifdef(`distro_redhat',`
 # Red Hat systems seem to have a stray
 # fd open from the initrd
 kernel_dontaudit_use_fd(initrc_t)
- files_dontaudit_read_root_file(initrc_t)
+ files_dontaudit_read_root_files(initrc_t)
 selinux_set_enforce_mode(initrc_t)
@@ -434,7 +434,6 @@ ifdef(`distro_redhat',`
 storage_getattr_removable_device(initrc_t)
 files_create_boot_flag(initrc_t)
- files_getattr_all_file_type_sockets(initrc_t)
 # wants to read /.fonts directory
 files_read_default_files(initrc_t)
 files_mountpoint(initrc_tmp_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 36f4a197..5ba6060a 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -127,7 +127,7 @@ userdom_dontaudit_search_sysadm_home_dir(ipsec_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(ipsec_t)
 term_dontaudit_use_generic_pty(ipsec_t)
- files_dontaudit_read_root_file(ipsec_t)
+ files_dontaudit_read_root_files(ipsec_t)
 ')
 optional_policy(`nis',`
@@ -236,7 +236,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
 files_read_etc_files(ipsec_mgmt_t)
 files_exec_etc_files(ipsec_mgmt_t)
 files_read_etc_runtime_files(ipsec_mgmt_t)
-files_dontaudit_getattr_default_dir(ipsec_mgmt_t)
+files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
 init_use_script_pty(ipsec_mgmt_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 9f8860fe..5de2de24 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -78,7 +78,7 @@ userdom_use_all_user_fd(iptables_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(iptables_t)
 term_dontaudit_use_generic_pty(iptables_t)
- files_dontaudit_read_root_file(iptables_t)
+ files_dontaudit_read_root_files(iptables_t)
 ')
 optional_policy(`firstboot',`
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index ab4111ac..2f42111a 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -140,7 +140,7 @@ files_read_world_readable_symlinks(local_login_t)
 files_read_world_readable_pipes(local_login_t)
 files_read_world_readable_sockets(local_login_t)
 # for when /var/mail is a symlink
-files_read_var_symlink(local_login_t)
+files_read_var_symlinks(local_login_t)
 init_rw_utmp(local_login_t)
 init_dontaudit_use_fd(local_login_t)
@@ -243,7 +243,7 @@ fs_use_tmpfs_chr_dev(sulogin_t)
 files_read_etc_files(sulogin_t)
 # because file systems are not mounted:
-files_dontaudit_search_isid_type_dir(sulogin_t)
+files_dontaudit_search_isid_type_dirs(sulogin_t)
 init_get_script_process_group(sulogin_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 27b922e7..2c601ed8 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -335,7 +335,7 @@ domain_use_wide_inherit_fd(syslogd_t)
 files_read_etc_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dir(syslogd_t)
+files_dontaudit_search_isid_type_dirs(syslogd_t)
 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
@@ -359,7 +359,7 @@ ifdef(`targeted_policy',`
 allow syslogd_t var_run_t:fifo_file { ioctl read write };
 term_dontaudit_use_unallocated_tty(syslogd_t)
 term_dontaudit_use_generic_pty(syslogd_t)
- files_dontaudit_read_root_file(syslogd_t)
+ files_dontaudit_read_root_files(syslogd_t)
 ')
 optional_policy(`inn',`
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 47dcf519..f2b8a4bc 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -103,7 +103,7 @@ userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(clvmd_t)
 term_dontaudit_use_generic_pty(clvmd_t)
- files_dontaudit_read_root_file(clvmd_t)
+ files_dontaudit_read_root_files(clvmd_t)
 ')
 optional_policy(`mount',`
@@ -220,7 +220,7 @@ domain_use_wide_inherit_fd(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
 # for when /usr is not mounted:
-files_dontaudit_search_isid_type_dir(lvm_t)
+files_dontaudit_search_isid_type_dirs(lvm_t)
 init_use_fd(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
@@ -240,14 +240,14 @@ seutil_sigchld_newrole(lvm_t)
 ifdef(`distro_redhat',`
 # this is from the initrd:
- files_rw_isid_type_dir(lvm_t)
+ files_rw_isid_type_dirs(lvm_t)
 ')
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(lvm_t)
 term_dontaudit_use_generic_pty(lvm_t)
- files_dontaudit_read_root_file(lvm_t)
+ files_dontaudit_read_root_files(lvm_t)
 ')
 optional_policy(`bootloader',`
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index fd42f00b..8ac532ca 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -98,7 +98,7 @@ files_exec_etc_files(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
 # for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dir(insmod_t)
+files_dontaudit_search_isid_type_dirs(insmod_t)
 init_use_initctl(insmod_t)
 init_use_fd(insmod_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 8552c97f..335f5611 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -56,7 +56,7 @@ corecmd_exec_bin(mount_t)
 domain_use_wide_inherit_fd(mount_t)
-files_search_all_dirs(mount_t)
+files_search_all(mount_t)
 files_read_etc_files(mount_t)
 files_manage_etc_runtime_files(mount_t)
 files_mounton_all_mountpoints(mount_t)
@@ -67,7 +67,7 @@ files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
 # cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_file(mount_t)
+files_read_isid_type_files(mount_t)
 init_use_fd(mount_t)
 init_use_script_pty(mount_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 41c28050..64c6099e 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -125,7 +125,7 @@ ifdef(`targeted_policy',`
 term_use_generic_pty(cardmgr_t)
 term_dontaudit_use_unallocated_tty(cardmgr_t)
 term_dontaudit_use_generic_pty(cardmgr_t)
- files_dontaudit_read_root_file(cardmgr_t)
+ files_dontaudit_read_root_files(cardmgr_t)
 ')
 optional_policy(`selinuxutil',`
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index f700da62..3a2135ee 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -72,7 +72,7 @@ mta_send_mail(mdadm_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(mdadm_t)
 term_dontaudit_use_generic_pty(mdadm_t)
- files_dontaudit_read_root_file(mdadm_t)
+ files_dontaudit_read_root_files(mdadm_t)
 ')
 optional_policy(`selinux',`
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 5854cbc5..951ff534 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -264,7 +264,7 @@ init_rw_utmp(newrole_t)
 files_read_etc_files(newrole_t)
 files_read_var_files(newrole_t)
-files_read_var_symlink(newrole_t)
+files_read_var_symlinks(newrole_t)
 libs_use_ld_so(newrole_t)
 libs_use_shared_libs(newrole_t)
@@ -364,7 +364,7 @@ kernel_relabel_unlabeled(restorecon_t)
 dev_relabel_all_dev_nodes(restorecon_t)
 files_relabel_all_files(restorecon_t)
-files_list_all_dirs(restorecon_t)
+files_list_all(restorecon_t)
 # this is to satisfy the assertion:
 auth_relabelto_shadow(restorecon_t)
@@ -517,7 +517,7 @@ userdom_read_all_user_files(setfiles_t)
 # relabeling rules
 kernel_relabel_unlabeled(setfiles_t)
 dev_relabel_all_dev_nodes(setfiles_t)
-files_list_all_dirs(setfiles_t)
+files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 auth_relabelto_shadow(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 6dde0b32..3ae35f7d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -154,7 +154,7 @@ ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(dhcpc_t)
 term_dontaudit_use_generic_pty(dhcpc_t)
- files_dontaudit_read_root_file(dhcpc_t)
+ files_dontaudit_read_root_files(dhcpc_t)
 ')
 optional_policy(`consoletype',`
@@ -294,7 +294,7 @@ term_dontaudit_use_all_user_ptys(ifconfig_t)
 domain_use_wide_inherit_fd(ifconfig_t)
-files_dontaudit_read_root_file(ifconfig_t)
+files_dontaudit_read_root_files(ifconfig_t)
 init_use_fd(ifconfig_t)
 init_use_script_pty(ifconfig_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 9cd4157b..1a48e577 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -111,7 +111,7 @@ domain_dontaudit_list_all_domains_proc(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dir(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 469fdac9..c34e6666 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -229,8 +229,8 @@ template(`base_user_template',`
 files_dontaudit_getattr_non_security_symlinks($1_t)
 files_dontaudit_getattr_non_security_pipes($1_t)
 files_dontaudit_getattr_non_security_sockets($1_t)
- files_dontaudit_getattr_non_security_blk_dev($1_t)
- files_dontaudit_getattr_non_security_chr_dev($1_t)
+ files_dontaudit_getattr_non_security_blk_files($1_t)
+ files_dontaudit_getattr_non_security_chr_files($1_t)
 # Caused by su - init scripts
 init_dontaudit_use_script_pty($1_t)
@@ -411,7 +411,7 @@ template(`base_user_template',`
 ')
 optional_policy(`rpm',`
- files_getattr_var_lib_dir($1_t)
+ files_getattr_var_lib_dirs($1_t)
 files_search_var_lib($1_t)
 ')