diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index 4a6af133..b853c527 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -7,8 +7,8 @@ policy_module(bind,1.0)
#
# for DNSSEC key files
-type dnssec_t; #, secure_file_type;
-files_type(dnssec_t)
+type dnssec_t;
+files_security_file(dnssec_t)
type named_t;
type named_exec_t;
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 27fac589..67014654 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -23,8 +23,8 @@ type krb5_conf_t;
files_type(krb5_conf_t)
# types for general configuration files in /etc
-type krb5_keytab_t; #, secure_file_type;
-files_type(krb5_keytab_t)
+type krb5_keytab_t;
+files_security_file(krb5_keytab_t)
# types for KDC configs and principal file(s)
type krb5kdc_conf_t;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index f59f4850..c0910e88 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -151,6 +151,26 @@ interface(`files_poly_member_tmp',`
type_member $1 tmp_t:dir $2;
')
+########################################
+##
+## Make the specified type a file that
+## should not be dontaudited from
+## browsing from user domains.
+##
+##
+## Type of the file to be used as a
+## member directory.
+##
+#
+interface(`files_security_file',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ files_type($1)
+ typeattribute $1 security_file_type;
+')
+
########################################
##
## Make the specified type a file
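Review bot: The parameter description in the new `files_security_file` header reads "Type of the file to be used as a member directory", which describes a polyinstantiation member rather than what this interface does; it looks carried over from the interface above it. I would word it as `Type of the file to be marked as a security file.` and tighten the summary to something like `Make the specified type a security file, so that denied accesses to it from user domains are still audited.` The interface body (`files_type($1)` plus the `typeattribute`) matches that description.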
@@ -245,6 +265,23 @@ interface(`files_list_all_dirs',`
allow $1 file_type:dir r_dir_perms;
')
+########################################
+##
+## Do not audit attempts to list all
+## non security directories.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_list_non_security',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
########################################
##
## Get the attributes of all files.
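Review bot: `files_dontaudit_list_non_security` silences `r_dir_perms`, which appears to be wider than the directory getattr/search/read that the rules removed from userdomain.if covered. In refpolicy's permission sets it should also include lock and ioctl, which is worth confirming against the macro definition. Since a dontaudit rule hides denials from the audit log, I would keep it to what listing needs: `dontaudit $1 { file_type -security_file_type }:dir { getattr search read };`.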
@@ -276,12 +313,28 @@ interface(`files_getattr_all_files',`
interface(`files_dontaudit_getattr_all_files',`
gen_require(`
attribute file_type;
- class file getattr;
')
dontaudit $1 file_type:file getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security files.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:file getattr;
+')
+
########################################
##
## Read all files.
@@ -342,6 +395,57 @@ interface(`files_dontaudit_getattr_all_symlinks',`
dontaudit $1 file_type:lnk_file getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security symbolic links.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security block devices.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_blk_dev',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security character devices.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_chr_dev',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+')
+
########################################
##
## Read all symbolic links.
@@ -398,6 +502,23 @@ interface(`files_dontaudit_getattr_all_pipes',`
dontaudit $1 file_type:fifo_file getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security named pipes.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+')
+
########################################
##
## Get the attributes of all named sockets.
@@ -435,6 +556,23 @@ interface(`files_dontaudit_getattr_all_sockets',`
dontaudit $1 file_type:sock_file getattr;
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of non security named sockets.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+')
+
########################################
##
## Relabel all files on the filesystem, except
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 281fac46..3545494a 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -22,6 +22,10 @@ attribute polyparent;
# And labeling for the member directories
attribute polymember;
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+
attribute tmpfile;
attribute tmpfsfile;
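Review bot: The comment on the new `security_file_type` attribute ends with "for uses", which presumably should be "for users", and it does not say how a type receives the attribute. Suggested wording: `# sensitive security files whose denied accesses`, `# should still be audited for user domains;`, `# assigned through files_security_file()`.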
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index cdc5495c..d23c918e 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -13,11 +13,11 @@ type auditctl_exec_t;
init_system_domain(auditctl_t,auditctl_exec_t)
role system_r types auditctl_t;
-type auditd_etc_t; #, secure_file_type;
-files_type(auditd_etc_t)
+type auditd_etc_t;
+files_security_file(auditd_etc_t)
-type auditd_log_t; # secure_file_type;
-files_type(auditd_log_t)
+type auditd_log_t;
+files_security_file(auditd_log_t)
type auditd_t;
type auditd_exec_t;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 0950c76e..8ccac59c 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -212,6 +212,14 @@ template(`base_user_template',`
files_exec_etc_files($1_t)
files_read_usr_src_files($1_t)
files_search_locks($1_t)
+ # old broswer_domain():
+ files_dontaudit_list_non_security($1_t)
+ files_dontaudit_getattr_non_security_files($1_t)
+ files_dontaudit_getattr_non_security_symlinks($1_t)
+ files_dontaudit_getattr_non_security_pipes($1_t)
+ files_dontaudit_getattr_non_security_sockets($1_t)
+ files_dontaudit_getattr_non_security_blk_dev($1_t)
+ files_dontaudit_getattr_non_security_chr_dev($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_pty($1_t)
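Review bot: The seven `files_dontaudit_*_non_security` calls added to `base_user_template` suppress audit records for every file type that does not carry `security_file_type`, and in the files visible in this diff only `dnssec_t`, `krb5_keytab_t`, `auditd_etc_t` and `auditd_log_t` are given that attribute. Denied list or getattr attempts by a user domain on any other sensitive type would therefore stay out of the audit log, which matters for detection. It is worth checking whether other types that carried the commented-out `secure_file_type` marker should be converted to `files_security_file()` as well. The comment also has a typo: `# old broswer_domain():` should read `# old browser_domain():`, as in the later hunk. The template body starts and ends outside the hunk.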
@@ -385,9 +393,7 @@ template(`base_user_template',`
allow $1_t fs_type:dir getattr;
- dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
- dontaudit $1 file_type - secure_file_type:dir search;
- dontaudit $1 file_type - secure_file_type:dir read;
+ # old browser_domain():
dontaudit $1 unlabeled_t:dir_file_class_set getattr;
dontaudit $1 unlabeled_t:dir search;
dontaudit $1 unlabeled_t:dir read;
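Review bot: The three `dontaudit $1 unlabeled_t:...` rules left under the new `# old browser_domain():` comment use `$1` as the source, while the `allow $1_t fs_type:dir getattr;` line above and the interface calls added earlier in this template use `$1_t`. If `$1` is the bare user prefix here, these rules do not name the user domain and presumably should read `dontaudit $1_t unlabeled_t:dir_file_class_set getattr;`, likewise for `search` and `read`. The template starts and ends outside the hunk, so this is inferred from the visible lines only.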