Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branch 'master' of http://oss.tresys.com/git/refpolicy

Conflicts:
	policy/modules/admin/amanda.if
	policy/modules/system/init.te
	policy/modules/system/miscfiles.if
	policy/modules/system/miscfiles.te
	policy/modules/system/userdomain.if

policy/modules/admin/amanda.fc

@@ -1,4 +1,3 @@
-
 /etc/amanda(/.*)?			gen_context(system_u:object_r:amanda_config_t,s0)
 /etc/amanda/.*/tapelist(/.*)?		gen_context(system_u:object_r:amanda_data_t,s0)
 /etc/amandates				gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@
 
 /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
 
-/tmp/amanda(/.*)?			gen_context(system_u:object_r:amanda_tmp_t,s0)
-
 /usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
 /usr/lib(64)?/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
 /usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
 /usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
 
 /var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)

policy/modules/admin/amanda.if

@@ -2,8 +2,8 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run Amanda Recover.
+##	Execute a domain transition to run
+##	Amanda recover.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -16,16 +16,15 @@ interface(`amanda_domtrans_recover',`
 		type amanda_recover_t, amanda_recover_exec_t;
 	')
 
-	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
 	corecmd_search_bin($1)
+	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute a domain transition to
-##	run Amanda Recover and allow the
-##	specified role the Amanda Recover
-##	domain.
+##	Execute a domain transition to run
+##	Amanda recover, and allow the specified
+##	role the Amanda recover domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -50,7 +49,7 @@ interface(`amanda_run_recover',`
 
 ########################################
 ## <summary>
-##	Search Amanda lib directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -63,15 +62,13 @@ interface(`amanda_search_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 	files_search_usr($1)
-	libs_search_lib($1)
+	allow $1 amanda_usr_lib_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	dumpdates files.
+##	Do not audit attempts to read /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,12 +81,12 @@ interface(`amanda_dontaudit_read_dumpdates',`
 		type amanda_dumpdates_t;
 	')
 
-	dontaudit $1 amanda_dumpdates_t:file read_file_perms;
+	dontaudit $1 amanda_dumpdates_t:file { getattr read };
 ')
 
 ########################################
 ## <summary>
-##	Read and write dumpdates files.
+##	Read and write /etc/dumpdates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -102,13 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
 		type amanda_dumpdates_t;
 	')
 
-	allow $1 amanda_dumpdates_t:file rw_file_perms;
 	files_search_etc($1)
+	allow $1 amanda_dumpdates_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Search Amanda lib directories.
+##	Search Amanda library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -121,14 +118,13 @@ interface(`amanda_manage_lib',`
 		type amanda_usr_lib_t;
 	')
 
-	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 	files_search_usr($1)
-	libs_search_lib($1)
+	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write Amanda logs.
+##	Read and append amanda logs.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -141,13 +137,13 @@ interface(`amanda_append_log_files',`
 		type amanda_log_t;
 	')
 
-	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 	logging_search_logs($1)
+	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
 ')
 
 #######################################
 ## <summary>
-##	Search Amanda lib directories.
+##	Search Amanda var library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -160,6 +156,6 @@ interface(`amanda_search_var_lib',`
 		type amanda_var_lib_t;
 	')
 
-	allow $1 amanda_var_lib_t:dir search_dir_perms;
 	files_search_var_lib($1)
+	allow $1 amanda_var_lib_t:dir search_dir_perms;
 ')

policy/modules/admin/amanda.te

@@ -1,4 +1,4 @@
-policy_module(amanda, 1.12.0)
+policy_module(amanda, 1.12.1)
 
 #######################################
 #
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
 type amanda_log_t;
 logging_log_file(amanda_log_t)
 
-# type for amanda configurations files
 type amanda_config_t;
 files_type(amanda_config_t)
 
-# type for files in /usr/lib/amanda
 type amanda_usr_lib_t;
 files_type(amanda_usr_lib_t)
 
-# type for all files in /var/lib/amanda
 type amanda_var_lib_t;
 files_type(amanda_var_lib_t)
 
-# type for all files in /var/lib/amanda/gnutar-lists/
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
 
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
 
-# type for /etc/amandates
 type amanda_amandates_t;
 files_type(amanda_amandates_t)
 
-# type for /etc/dumpdates
 type amanda_dumpdates_t;
 files_type(amanda_dumpdates_t)
 
-# type for amanda data
 type amanda_data_t;
 files_type(amanda_data_t)
 
-# type for amrecover
 type amanda_recover_t;
 type amanda_recover_exec_t;
 application_domain(amanda_recover_t, amanda_recover_exec_t)
 role system_r types amanda_recover_t;
 
-# type for recover files ( restored data )
 type amanda_recover_dir_t;
 files_type(amanda_recover_dir_t)
 
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
 allow amanda_t self:tcp_socket create_stream_socket_perms;
 allow amanda_t self:udp_socket create_socket_perms;
 
-# access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file rw_file_perms;
 
-# configuration files -> read only
 allow amanda_t amanda_config_t:file read_file_perms;
 
-# access to amandas data structure
 manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
 manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
 
-# access to amanda_dumpdates_t
 allow amanda_t amanda_dumpdates_t:file rw_file_perms;
 
 can_exec(amanda_t, amanda_exec_t)
 can_exec(amanda_t, amanda_inetd_exec_t)
 
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
 allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
 allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,15 @@ storage_raw_read_fixed_disk(amanda_t)
 storage_read_tape(amanda_t)
 storage_write_tape(amanda_t)
 
-# Added for targeted policy
-term_use_unallocated_ttys(amanda_t)
-
 auth_use_nsswitch(amanda_t)
 auth_read_shadow(amanda_t)
 
-optional_policy(`
-	logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)
 
 ########################################
 #
 # Amanda recover local policy
+#
 
 allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
 allow amanda_recover_t self:process { sigkill sigstop signal };
@@ -175,7 +157,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
 manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
 
-# access to amanda_recover_dir_t
 manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
 manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)

policy/modules/admin/amtu.if

@@ -1,8 +1,8 @@
-## <summary>Abstract Machine Test Utility</summary>
+## <summary>Abstract Machine Test Utility.</summary>
 
 ########################################
 ## <summary>
-##	Execute amtu in the amtu domain.
+##	Execute a domain transition to run Amtu.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -21,8 +21,9 @@ interface(`amtu_domtrans',`
 
 ########################################
 ## <summary>
-##	Execute amtu in the amtu domain, and
-##	allow the specified role the amtu domain.
+##	Execute a domain transition to run
+##	Amtu, and allow the specified role
+##	the Amtu domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/admin/anaconda.fc

@@ -1,5 +1 @@
-#
-# Currently anaconda does not have any file context since it is
-# started during install.  This is a placeholder to satisfy
-# the policy Makefile dependencies.
-#
+# No file context specifications.

policy/modules/admin/anaconda.if

@@ -1 +1 @@
-## <summary>Policy for the Anaconda installer.</summary>
+## <summary>Anaconda installer.</summary>

policy/modules/admin/anaconda.te

@@ -20,7 +20,6 @@ allow anaconda_t self:process execmem;
 
 kernel_domtrans_to(anaconda_t, anaconda_exec_t)
 
-# Run other rc scripts in the anaconda_t domain.
 init_domtrans_script(anaconda_t)
 
 libs_domtrans_ldconfig(anaconda_t)

policy/modules/admin/certwatch.te

@@ -1,4 +1,4 @@
-policy_module(certwatch, 1.5.0)
+policy_module(certwatch, 1.5.1)
 
 ########################################
 #
@@ -31,7 +31,7 @@ auth_var_filetrans_cache(certwatch_t)
 
 logging_send_syslog_msg(certwatch_t)
 
-miscfiles_read_certs(certwatch_t)
+miscfiles_read_generic_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
 userdom_use_user_terminals(certwatch_t)

policy/modules/apps/evolution.te

@@ -1,4 +1,4 @@
-policy_module(evolution, 2.1.1)
+policy_module(evolution, 2.1.2)
 
 ########################################
 #
@@ -541,7 +541,7 @@ fs_search_auto_mountpoints(evolution_server_t)
 
 miscfiles_read_localization(evolution_server_t)
 # Look in /etc/pki
-miscfiles_read_certs(evolution_server_t)
+miscfiles_read_generic_certs(evolution_server_t)
 
 # Talk to ldap (address book)
 sysnet_read_config(evolution_server_t)

policy/modules/services/abrt.te

@@ -147,7 +147,7 @@ sysnet_dns_name_resolve(abrt_t)
 logging_read_generic_logs(abrt_t)
 logging_send_syslog_msg(abrt_t)
 
-miscfiles_read_certs(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)

policy/modules/services/amavis.te

@@ -144,7 +144,7 @@ init_stream_connect_script(amavis_t)
 
 logging_send_syslog_msg(amavis_t)
 
-miscfiles_read_certs(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
 miscfiles_read_localization(amavis_t)
 
 sysnet_dns_name_resolve(amavis_t)

policy/modules/services/apache.te

@@ -484,7 +484,7 @@ logging_send_syslog_msg(httpd_t)
 miscfiles_read_localization(httpd_t)
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
-miscfiles_read_certs(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
 
 seutil_dontaudit_search_config(httpd_t)
 

policy/modules/services/automount.te

@@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
 miscfiles_read_localization(automount_t)
-miscfiles_read_certs(automount_t)
+miscfiles_read_generic_certs(automount_t)
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)

policy/modules/services/avahi.te

@@ -86,7 +86,7 @@ init_signull_script(avahi_t)
 logging_send_syslog_msg(avahi_t)
 
 miscfiles_read_localization(avahi_t)
-miscfiles_read_certs(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
 
 sysnet_domtrans_ifconfig(avahi_t)
 sysnet_manage_config(avahi_t)

policy/modules/services/bind.te

@@ -143,7 +143,7 @@ auth_use_nsswitch(named_t)
 logging_send_syslog_msg(named_t)
 
 miscfiles_read_localization(named_t)
-miscfiles_read_certs(named_t)
+miscfiles_read_generic_certs(named_t)
 
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)

policy/modules/services/certmaster.if

@@ -129,8 +129,8 @@ interface(`certmaster_admin',`
 	allow $2 system_r;
 
 	files_list_etc($1)
-	miscfiles_manage_cert_dirs($1)	
-	miscfiles_manage_cert_files($1)	
+	miscfiles_manage_generic_cert_dirs($1)	
+	miscfiles_manage_generic_cert_files($1)	
 
 	admin_pattern($1, certmaster_etc_rw_t)
 

policy/modules/services/certmaster.te

@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.1.0)
+policy_module(certmaster, 1.1.1)
 
 ########################################
 #
@@ -68,5 +68,5 @@ auth_use_nsswitch(certmaster_t)
 
 miscfiles_read_localization(certmaster_t)
 
-miscfiles_manage_cert_dirs(certmaster_t)
-miscfiles_manage_cert_files(certmaster_t)
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)

policy/modules/services/certmonger.te

@@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
 logging_send_syslog_msg(certmonger_t)
 
 miscfiles_read_localization(certmonger_t)
-miscfiles_manage_cert_files(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
 
 sysnet_dns_name_resolve(certmonger_t)
 

policy/modules/services/cyrus.te

@@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
 logging_send_syslog_msg(cyrus_t)
 
 miscfiles_read_localization(cyrus_t)
-miscfiles_read_certs(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
 
 sysnet_read_config(cyrus_t)
 

policy/modules/services/dbus.te

@@ -130,7 +130,7 @@ logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
 miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)

policy/modules/services/dovecot.te

@@ -143,7 +143,7 @@ auth_use_nsswitch(dovecot_t)
 
 logging_send_syslog_msg(dovecot_t)
 
-miscfiles_read_certs(dovecot_t)
+miscfiles_read_generic_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)

policy/modules/services/exim.te

@@ -123,7 +123,7 @@ auth_use_nsswitch(exim_t)
 logging_send_syslog_msg(exim_t)
 
 miscfiles_read_localization(exim_t)
-miscfiles_read_certs(exim_t)
+miscfiles_read_generic_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
 

policy/modules/services/fetchmail.te

@@ -80,7 +80,7 @@ domain_use_interactive_fds(fetchmail_t)
 logging_send_syslog_msg(fetchmail_t)
 
 miscfiles_read_localization(fetchmail_t)
-miscfiles_read_certs(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
 
 sysnet_read_config(fetchmail_t)
 

policy/modules/services/ldap.te

@@ -123,7 +123,7 @@ auth_use_nsswitch(slapd_t)
 
 logging_send_syslog_msg(slapd_t)
 
-miscfiles_read_certs(slapd_t)
+miscfiles_read_generic_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)

policy/modules/services/networkmanager.te

@@ -132,7 +132,7 @@ auth_use_nsswitch(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
 miscfiles_read_localization(NetworkManager_t)
-miscfiles_read_certs(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
 
 modutils_domtrans_insmod(NetworkManager_t)
 

policy/modules/services/openvpn.te

@@ -113,7 +113,7 @@ auth_use_pam(openvpn_t)
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
-miscfiles_read_certs(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)

policy/modules/services/postfix.if

@@ -91,7 +91,7 @@ template(`postfix_domain_template',`
 	logging_send_syslog_msg(postfix_$1_t)
 
 	miscfiles_read_localization(postfix_$1_t)
-	miscfiles_read_certs(postfix_$1_t)
+	miscfiles_read_generic_certs(postfix_$1_t)
 
 	userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
 

policy/modules/services/radius.te

@@ -111,7 +111,7 @@ libs_exec_lib_files(radiusd_t)
 logging_send_syslog_msg(radiusd_t)
 
 miscfiles_read_localization(radiusd_t)
-miscfiles_read_certs(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 userdom_dontaudit_search_user_home_dirs(radiusd_t)

policy/modules/services/rpc.te

@@ -94,7 +94,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
 
 selinux_dontaudit_read_fs(rpcd_t)
 
-miscfiles_read_certs(rpcd_t)
+miscfiles_read_generic_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
@@ -222,7 +222,7 @@ files_dontaudit_write_var_dirs(gssd_t)
 auth_use_nsswitch(gssd_t)
 auth_manage_cache(gssd_t)
 
-miscfiles_read_certs(gssd_t)
+miscfiles_read_generic_certs(gssd_t)
 
 mount_signal(gssd_t)
 

policy/modules/services/sasl.te

@@ -83,7 +83,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
 logging_send_syslog_msg(saslauthd_t)
 
 miscfiles_read_localization(saslauthd_t)
-miscfiles_read_certs(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
 
 seutil_dontaudit_read_config(saslauthd_t)
 

policy/modules/services/sendmail.te

@@ -104,7 +104,7 @@ libs_read_lib_files(sendmail_t)
 logging_send_syslog_msg(sendmail_t)
 logging_dontaudit_write_generic_logs(sendmail_t)
 
-miscfiles_read_certs(sendmail_t)
+miscfiles_read_generic_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)

policy/modules/services/squid.te

@@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)
 
 logging_send_syslog_msg(squid_t)
 
-miscfiles_read_certs(squid_t)
+miscfiles_read_generic_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)

policy/modules/services/ssh.if

@@ -401,7 +401,7 @@ template(`ssh_role_template',`
 	logging_send_syslog_msg($1_ssh_agent_t)
 
 	miscfiles_read_localization($1_ssh_agent_t)
-	miscfiles_read_certs($1_ssh_agent_t)
+	miscfiles_read_generic_certs($1_ssh_agent_t)
 
 	seutil_dontaudit_read_config($1_ssh_agent_t)
 

policy/modules/services/virt.te

@@ -341,7 +341,7 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
 
 miscfiles_read_localization(virtd_t)
-miscfiles_read_certs(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
 miscfiles_read_hwdata(virtd_t)
 
 modutils_read_module_deps(virtd_t)

policy/modules/services/w3c.te

@@ -26,7 +26,7 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
 corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
 corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
 
-miscfiles_read_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
 
 sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
 

policy/modules/system/authlogin.if

@@ -401,7 +401,7 @@ interface(`auth_domtrans_chk_passwd',`
 
 	logging_send_audit_msgs($1)
 
-	miscfiles_read_certs($1)
+	miscfiles_read_generic_certs($1)
 
 	optional_policy(`
 		kerberos_read_keytab($1)
@@ -1574,7 +1574,7 @@ interface(`auth_use_nsswitch',`
 	# read /etc/nsswitch.conf
 	files_read_etc_files($1)
 
-	miscfiles_read_certs($1)
+	miscfiles_read_generic_certs($1)
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)

policy/modules/system/authlogin.te

@@ -281,7 +281,7 @@ init_use_script_ptys(pam_console_t)
 logging_send_syslog_msg(pam_console_t)
 
 miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
+miscfiles_read_generic_certs(pam_console_t)
 
 seutil_read_file_contexts(pam_console_t)
 

policy/modules/system/init.te

@@ -1,4 +1,4 @@
-policy_module(init, 1.15.2)
+policy_module(init, 1.15.3)
 
 gen_require(`
 	class passwd rootok;

policy/modules/system/miscfiles.if

@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read system SSL certificates.
+##	Read all SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -55,7 +55,7 @@ interface(`miscfiles_cert_type',`
 ## </param>
 ## <rolecap/>
 #
-interface(`miscfiles_read_certs',`
+interface(`miscfiles_read_all_certs',`
 	gen_require(`
 		attribute cert_type;
 	')
@@ -67,7 +67,7 @@ interface(`miscfiles_read_certs',`
 
 ########################################
 ## <summary>
-##	manange system SSL certificates.
+##	Read generic SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -76,7 +76,27 @@ interface(`miscfiles_read_certs',`
 ## </param>
 ## <rolecap/>
 #
-interface(`miscfiles_manage_cert_dirs',`
+interface(`miscfiles_read_generic_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	allow $1 cert_t:dir list_dir_perms;
+	read_files_pattern($1, cert_t, cert_t)
+	read_lnk_files_pattern($1, cert_t, cert_t)
+')
+
+########################################
+## <summary>
+##	Manage generic SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_cert_dirs',`
 	gen_require(`
 		type cert_t;
 	')
@@ -86,7 +106,7 @@ interface(`miscfiles_manage_cert_dirs',`
 
 ########################################
 ## <summary>
-##	manange system SSL certificates.
+##	Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -95,7 +115,7 @@ interface(`miscfiles_manage_cert_dirs',`
 ## </param>
 ## <rolecap/>
 #
-interface(`miscfiles_manage_cert_files',`
+interface(`miscfiles_manage_generic_cert_files',`
 	gen_require(`
 		type cert_t;
 	')
@@ -104,6 +124,51 @@ interface(`miscfiles_manage_cert_files',`
 	read_lnk_files_pattern($1, cert_t, cert_t)
 ')
 
+########################################
+## <summary>
+##	Read SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_certs',`
+	miscfiles_read_generic_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
+')
+
+########################################
+## <summary>
+##	Manage SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_dirs',`
+	miscfiles_manage_generic_cert_dirs($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
+')
+
+########################################
+## <summary>
+##	Manage SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_files',`
+	miscfiles_manage_generic_cert_files($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
+')
+
 ########################################
 ## <summary>
 ##	Read fonts.

policy/modules/system/miscfiles.te

@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.8.0)
+policy_module(miscfiles, 1.8.1)
 
 ########################################
 #

policy/modules/system/userdomain.if

@@ -126,7 +126,10 @@ template(`userdom_base_user_template',`
 
 	libs_exec_ld_so($1_usertype)
 
-	miscfiles_read_certs($1_usertype)
+	miscfiles_read_localization($1_t)
+	miscfiles_read_generic_certs($1_t)
+
+	miscfiles_read_all_certs($1_usertype)
 	miscfiles_read_localization($1_usertype)
 	miscfiles_read_man_pages($1_usertype)
 	miscfiles_read_public_files($1_usertype)