add lost_found_t manage, rename fs_type attribute to filesystem_type and rename fs_make_fs to fs_type

refpolicy/policy/modules/kernel/devices.te

@@ -148,7 +148,7 @@ fs_associate_tmpfs(sound_device_t)
 #
 type sysfs_t;
 files_mountpoint(sysfs_t)
-fs_make_fs(sysfs_t)
+fs_type(sysfs_t)
 genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
 
 #

refpolicy/policy/modules/kernel/filesystem.if

@@ -8,12 +8,12 @@
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_make_fs',`
+interface(`fs_type',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 	')
 
-	typeattribute $1 fs_type;
+	typeattribute $1 filesystem_type;
 ')
 
 ########################################
@@ -31,7 +31,7 @@ interface(`fs_make_noxattr_fs',`
 		attribute noxattrfs;
 	')
 
-	fs_make_fs($1)
+	fs_type($1)
 
 	typeattribute $1 noxattrfs;
 ')
@@ -1498,11 +1498,11 @@ interface(`fs_manage_tmpfs_block_devices',`
 #
 interface(`fs_mount_all_fs',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem mount;
 	')
 
-	allow $1 fs_type:filesystem mount;
+	allow $1 filesystem_type:filesystem mount;
 ')
 
 ########################################
@@ -1516,11 +1516,11 @@ interface(`fs_mount_all_fs',`
 #
 interface(`fs_remount_all_fs',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem remount;
 	')
 
-	allow $1 fs_type:filesystem remount;
+	allow $1 filesystem_type:filesystem remount;
 ')
 
 ########################################
@@ -1533,11 +1533,11 @@ interface(`fs_remount_all_fs',`
 #
 interface(`fs_unmount_all_fs',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem unmount;
 	')
 
-	allow $1 fs_type:filesystem unmount;
+	allow $1 filesystem_type:filesystem unmount;
 ')
 
 ########################################
@@ -1552,11 +1552,11 @@ interface(`fs_unmount_all_fs',`
 #
 interface(`fs_getattr_all_fs',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem getattr;
 	')
 
-	allow $1 fs_type:filesystem getattr;
+	allow $1 filesystem_type:filesystem getattr;
 ')
 
 ########################################
@@ -1570,11 +1570,11 @@ interface(`fs_getattr_all_fs',`
 #
 interface(`fs_dontaudit_getattr_all_fs',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem getattr;
 	')
 
-	dontaudit $1 fs_type:filesystem getattr;
+	dontaudit $1 filesystem_type:filesystem getattr;
 ')
 
 ########################################
@@ -1587,11 +1587,11 @@ interface(`fs_dontaudit_getattr_all_fs',`
 #
 interface(`fs_get_all_fs_quotas',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem quotaget;
 	')
 
-	allow $1 fs_type:filesystem quotaget;
+	allow $1 filesystem_type:filesystem quotaget;
 ')
 
 ########################################
@@ -1604,11 +1604,11 @@ interface(`fs_get_all_fs_quotas',`
 #
 interface(`fs_set_all_quotas',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class filesystem quotamod;
 	')
 
-	allow $1 fs_type:filesystem quotamod;
+	allow $1 filesystem_type:filesystem quotamod;
 ')
 
 ########################################
@@ -1617,7 +1617,7 @@ interface(`fs_set_all_quotas',`
 #
 interface(`fs_getattr_all_files',`
 	gen_require(`
-		attribute fs_type;
+		attribute filesystem_type;
 		class dir { search getattr };
 		class file getattr;
 		class lnk_file getattr;
@@ -1625,10 +1625,10 @@ interface(`fs_getattr_all_files',`
 		class sock_file getattr;
 	')
 
-	allow $1 fs_type:dir { search getattr };
+	allow $1 filesystem_type:dir { search getattr };
-	allow $1 fs_type:file getattr;
+	allow $1 filesystem_type:file getattr;
-	allow $1 fs_type:lnk_file getattr;
+	allow $1 filesystem_type:lnk_file getattr;
-	allow $1 fs_type:fifo_file getattr;
+	allow $1 filesystem_type:fifo_file getattr;
-	allow $1 fs_type:sock_file getattr;
+	allow $1 filesystem_type:sock_file getattr;
 ')
 

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,7 +1,7 @@
 
 policy_module(filesystem,1.0)
 
-attribute fs_type;
+attribute filesystem_type;
 attribute noxattrfs;
 
 ########################################
@@ -9,7 +9,7 @@ attribute noxattrfs;
 # fs_t is the default type for persistent
 # filesystems with extended attributes
 #
-type fs_t, fs_type;
+type fs_t, filesystem_type;
 sid fs context_template(system_u:object_r:fs_t,s0)
 
 # Use xattrs for the following filesystem types.
@@ -31,37 +31,37 @@ fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
 #
 # Non-persistent/pseudo filesystems
 #
-type bdev_t, fs_type;
+type bdev_t, filesystem_type;
 genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
 
-type binfmt_misc_fs_t, fs_type;
+type binfmt_misc_fs_t, filesystem_type;
 genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
-type eventpollfs_t, fs_type;
+type eventpollfs_t, filesystem_type;
 genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 
-type futexfs_t, fs_type;
+type futexfs_t, filesystem_type;
 genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 
-type nfsd_fs_t, fs_type;
+type nfsd_fs_t, filesystem_type;
 genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
 
-type ramfs_t, fs_type;
+type ramfs_t, filesystem_type;
 allow ramfs_t self:filesystem associate;
 genfscon ramfs / context_template(system_u:object_r:ramfs_t,s0)
 
-type romfs_t, fs_type;
+type romfs_t, filesystem_type;
 allow romfs_t self:filesystem associate;
 genfscon romfs / context_template(system_u:object_r:romfs_t,s0)
 genfscon cramfs / context_template(system_u:object_r:romfs_t,s0)
 
-type rpc_pipefs_t, fs_type;
+type rpc_pipefs_t, filesystem_type;
 genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
 
 #
 # tmpfs_t is the type for tmpfs filesystems
 #
-type tmpfs_t, fs_type;
+type tmpfs_t, filesystem_type;
 files_file_type(tmpfs_t)
 
 # Use a transition SID based on the allocating task SID and the
@@ -79,7 +79,7 @@ allow tmpfs_t noxattrfs:filesystem associate;
 #
 # Filesystems without extended attribute support
 #
-type autofs_t, fs_type, noxattrfs;
+type autofs_t, filesystem_type, noxattrfs;
 allow autofs_t self:filesystem associate;
 genfscon autofs / context_template(system_u:object_r:autofs_t,s0)
 genfscon automount / context_template(system_u:object_r:autofs_t,s0)
@@ -88,7 +88,7 @@ genfscon automount / context_template(system_u:object_r:autofs_t,s0)
 # cifs_t is the type for filesystems and their
 # files shared from Windows servers
 #
-type cifs_t alias sambafs_t, fs_type, noxattrfs;
+type cifs_t alias sambafs_t, filesystem_type, noxattrfs;
 allow cifs_t self:filesystem associate;
 genfscon cifs / context_template(system_u:object_r:cifs_t,s0)
 genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
@@ -97,7 +97,7 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
 # dosfs_t is the type for fat and vfat
 # filesystems and their files.
 #
-type dosfs_t, fs_type, noxattrfs;
+type dosfs_t, filesystem_type, noxattrfs;
 allow dosfs_t self:filesystem associate;
 genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
 genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
@@ -108,7 +108,7 @@ genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
 # iso9660_t is the type for CD filesystems
 # and their files.
 #
-type iso9660_t, fs_type, noxattrfs;
+type iso9660_t, filesystem_type, noxattrfs;
 allow iso9660_t self:filesystem associate;
 genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0)
 genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
@@ -116,14 +116,14 @@ genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
 #
 # removable_t is the default type of all removable media
 #
-type removable_t, fs_type, noxattrfs;
+type removable_t, filesystem_type, noxattrfs;
 allow removable_t noxattrfs:filesystem associate;
 
 #
 # nfs_t is the default type for NFS file systems
 # and their files.
 #
-type nfs_t, fs_type, noxattrfs;
+type nfs_t, filesystem_type, noxattrfs;
 files_mountpoint(nfs_t)
 allow nfs_t self:filesystem associate;
 genfscon nfs / context_template(system_u:object_r:nfs_t,s0)

refpolicy/policy/modules/kernel/kernel.te

@@ -55,7 +55,7 @@ sid tcp_socket		context_template(system_u:object_r:unlabeled_t,s0)
 
 type proc_t;
 files_mountpoint(proc_t)
-fs_make_fs(proc_t)
+fs_type(proc_t)
 genfscon proc / context_template(system_u:object_r:proc_t,s0)
 genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
 

refpolicy/policy/modules/kernel/selinux.te

@@ -12,6 +12,6 @@ policy_module(selinux,1.0)
 # applied to selinuxfs inodes.
 #
 type security_t;
-fs_make_fs(security_t)
+fs_type(security_t)
 sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)

refpolicy/policy/modules/kernel/terminal.te

@@ -22,7 +22,7 @@ dev_node(console_device_t)
 #
 type devpts_t;
 files_mountpoint(devpts_t)
-fs_make_fs(devpts_t)
+fs_type(devpts_t)
 fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
 
 #

refpolicy/policy/modules/system/files.if

@@ -747,9 +747,9 @@ interface(`files_manage_isid_type_chr_node',`
 ')
 
 ########################################
-## <desc>
+## <summary>
-##	Get listing home home directories.
+##	Get listing of home directories.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -763,6 +763,32 @@ interface(`files_list_home',`
 	allow $1 home_root_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete objects in
+##	lost+found directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_lost_found',`
+	gen_require(`
+		type lost_found_t;
+		class dir create_dir_perms;
+		class file create_file_perms;
+		class sock_file create_file_perms;
+		class fifo_file create_file_perms;
+		class lnk_file create_lnk_perms;
+	')
+
+	allow $1 lost_found_t:dir create_dir_perms;
+	allow $1 lost_found_t:file create_file_perms;
+	allow $1 lost_found_t:sock_file create_file_perms;
+	allow $1 lost_found_t:fifo_file create_file_perms;
+	allow $1 lost_found_t:lnk_file create_lnk_perms;
+')
+
 ########################################
 #
 # files_search_mnt(domain)

refpolicy/policy/modules/system/fstools.te

@@ -75,6 +75,7 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_generic_etc_files(fsadm_t)
 files_list_mnt(fsadm_t)
+files_manage_lost_found(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 # Access to /initrd devices
@@ -122,11 +123,6 @@ allow fsadm_t default_t:notdevfile_class_set r_file_perms;
 # mkreiserfs needs this
 allow fsadm_t proc_t:filesystem getattr;
 
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
 allow fsadm_t file_t:dir { search read getattr rmdir create };
 
 # Recreate /mnt/cdrom.