-##
@@ -14905,95 +14977,96 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
+interface(`files_read_kernel_symbol_table',`
gen_require(`
- type var_t, var_lib_t;
+ type boot_t, system_map_t;
')
-- list_dirs_pattern($1, var_t, var_lib_t)
+- search_dirs_pattern($1, var_t, var_lib_t)
+ allow $1 boot_t:dir list_dir_perms;
+ read_files_pattern($1, boot_t, system_map_t)
')
--###########################################
-+########################################
+ ########################################
##
--## Read-write /var/lib directories
+-## Do not audit attempts to search the
+-## contents of /var/lib.
+## Delete a system.map in the /boot directory.
##
##
##
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
+-##
#
--interface(`files_rw_var_lib_dirs',`
+-interface(`files_dontaudit_search_var_lib',`
+interface(`files_delete_kernel_symbol_table',`
gen_require(`
- type var_lib_t;
+ type boot_t, system_map_t;
')
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
+- dontaudit $1 var_lib_t:dir search_dir_perms;
+ allow $1 boot_t:dir list_dir_perms;
+ delete_files_pattern($1, boot_t, system_map_t)
')
########################################
##
--## Create objects in the /var/lib directory
+-## List the contents of the /var/lib directory.
+## Search the contents of /var.
##
##
##
+@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',`
+ ##
+ ##
+ #
+-interface(`files_list_var_lib',`
++interface(`files_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 var_t:dir search_dir_perms;
+ ')
+
+-###########################################
++########################################
+ ##
+-## Read-write /var/lib directories
++## Do not audit attempts to write to /var.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+- type var_lib_t;
++ type var_t;
+ ')
+
+- rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /var/lib directory
++## Allow attempts to write to /var.dirs
+ ##
+ ##
+ ##
## Domain allowed access.
##
##
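Review bot: The summary added for files_write_var_dirs reads `## Allow attempts to write to /var.dirs` (the `++##` line a few lines above the "Domain allowed access" block); the stray dot makes it read like a path and breaks the style of every other summary in the file. Suggest `## Allow attempts to write to /var directories.` The `interface(` line it documents falls in the next hunk, where the same summary line appears only as an outer-removed line, so the fix belongs here.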
@@ -15014,69 +15087,20 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
+interface(`files_write_var_dirs',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
')
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ allow $1 var_t:dir write;
')
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
########################################
##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
+-## Read generic files in /var/lib.
+## Do not audit attempts to search
+## the contents of /var.
##
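Review bot: files_write_var_dirs grants only `allow $1 var_t:dir write;`, and on the dir class `write` by itself does not let a domain add or remove entries — the kernel also checks `add_name`/`remove_name`, which refpolicy bundles as `add_entry_dir_perms`, `del_entry_dir_perms` or `rw_dir_perms`. If the interface is meant to let callers create or delete things directly under /var, the rule should use one of those macros; if the single permission is deliberate (mirroring files_dontaudit_write_var_dirs in the previous hunk), a one-line comment saying so would save the next reader the same question. The interface's doc block starts in the previous hunk.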
@@ -15087,45 +15111,47 @@ index f962f76..e06a46c 100644
##
##
#
--interface(`files_manage_urandom_seed',`
+-interface(`files_read_var_lib_files',`
+interface(`files_dontaudit_search_var',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
+- allow $1 var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
+-## Read generic symbolic links in /var/lib
+## List the contents of /var.
##
##
##
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',`
##
##
#
--interface(`files_manage_mounttab',`
+-interface(`files_read_var_lib_symlinks',`
+interface(`files_list_var',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
+- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ allow $1 var_t:dir list_dir_perms;
')
+-# cjp: the next two interfaces really need to be fixed
+-# in some way. They really neeed their own types.
+-
########################################
##
--## Set the attributes of the generic lock directories.
+-## Create, read, write, and delete the
+-## pseudorandom number generator seed.
+## Do not audit listing of the var directory (/var).
##
##
@@ -15135,31 +15161,78 @@ index f962f76..e06a46c 100644
##
##
#
--interface(`files_setattr_lock_dirs',`
+-interface(`files_manage_urandom_seed',`
+interface(`files_dontaudit_list_var',`
gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Allow domain to manage mount tables
+-## necessary for rpcd, nfsd, etc.
++## Create, read, write, and delete directories
++## in the /var directory.
+ ##
+ ##
+ ##
+@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',`
+ ##
+ ##
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## Read files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_read_var_files',`
+ gen_require(`
- type var_t, var_lock_t;
+ type var_t;
')
- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
++ read_files_pattern($1, var_t, var_t)
')
########################################
##
-## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
++## Append files in the /var directory.
##
##
##
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',`
##
##
#
-interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
++interface(`files_append_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15167,14 +15240,14 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
++ append_files_pattern($1, var_t, var_t)
')
########################################
##
-## Do not audit attempts to search the
-## locks directory (/var/lock).
-+## Read files in the /var directory.
++## Read and write files in the /var directory.
##
##
##
@@ -15184,7 +15257,7 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
++interface(`files_rw_var_files',`
gen_require(`
- type var_lock_t;
+ type var_t;
@@ -15192,22 +15265,24 @@ index f962f76..e06a46c 100644
- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
++ rw_files_pattern($1, var_t, var_t)
')
########################################
##
-## List generic lock directories.
-+## Append files in the /var directory.
++## Do not audit attempts to read and write
++## files in the /var directory.
##
##
##
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`files_list_locks',`
-+interface(`files_append_var_files',`
++interface(`files_dontaudit_rw_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15215,23 +15290,23 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
++ dontaudit $1 var_t:file rw_inherited_file_perms;
')
########################################
##
-## Add and remove entries in the /var/lock
-## directories.
-+## Read and write files in the /var directory.
++## Create, read, write, and delete files in the /var directory.
##
##
##
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
+@@ -5726,81 +6694,88 @@ interface(`files_list_locks',`
##
##
#
-interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
++interface(`files_manage_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15239,25 +15314,24 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
++ manage_files_pattern($1, var_t, var_t)
')
########################################
##
-## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
++## Read symbolic links in the /var directory.
##
##
-##
-## Domain allowed access
+##
-+## Domain to not audit.
++## Domain allowed access.
##
##
#
-interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_var_symlinks',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15266,13 +15340,14 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
++ read_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
-## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
##
##
##
@@ -15282,7 +15357,7 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
++interface(`files_manage_var_symlinks',`
gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
@@ -15292,63 +15367,12 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
+ manage_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
--## Create, read, write, and delete generic
--## lock files.
+-## Get the attributes of generic lock files.
+## Create objects in the /var directory
##
##
@@ -15372,7 +15396,7 @@ index f962f76..e06a46c 100644
+##
+##
#
--interface(`files_manage_generic_locks',`
+-interface(`files_getattr_generic_locks',`
+interface(`files_var_filetrans',`
gen_require(`
- type var_t, var_lock_t;
@@ -15381,68 +15405,65 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
+
########################################
##
--## Delete all lock files.
+-## Delete generic lock files.
+## Relabel dirs in the /var directory.
##
##
##
- ## Domain allowed access.
+@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',`
##
##
--##
#
--interface(`files_delete_all_locks',`
+-interface(`files_delete_generic_locks',`
+interface(`files_relabel_var_dirs',`
gen_require(`
-- attribute lockfile;
- type var_t, var_lock_t;
+ type var_t;
')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
+- delete_files_pattern($1, var_lock_t, var_lock_t)
+ allow $1 var_t:dir relabel_dir_perms;
')
########################################
##
--## Read all lock files.
+-## Create, read, write, and delete generic
+-## lock files.
+## Get the attributes of the /var/lib directory.
##
##
##
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
+@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',`
##
##
#
--interface(`files_read_all_locks',`
+-interface(`files_manage_generic_locks',`
+interface(`files_getattr_var_lib_dirs',`
gen_require(`
-- attribute lockfile;
- type var_t, var_lock_t;
+ type var_t, var_lib_t;
')
+- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
+ getattr_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
--## manage all lock files.
+-## Delete all lock files.
+## Search the /var/lib directory.
##
+##
@@ -15463,9 +15484,10 @@ index f962f76..e06a46c 100644
## Domain allowed access.
##
##
+-##
+##
#
--interface(`files_manage_all_locks',`
+-interface(`files_delete_all_locks',`
+interface(`files_search_var_lib',`
gen_require(`
- attribute lockfile;
@@ -15473,26 +15495,81 @@ index f962f76..e06a46c 100644
+ type var_t, var_lib_t;
')
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, lockfile, lockfile)
++ search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Read all lock files.
++## Do not audit attempts to search the
++## contents of /var/lib.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
++##
+ #
+-interface(`files_read_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## manage all lock files.
++## List the contents of the /var/lib directory.
+ ##
+ ##
+ ##
+@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',`
+ ##
+ ##
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_list_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
++ list_dirs_pattern($1, var_t, var_lib_t)
')
- ########################################
+-########################################
++###########################################
##
-## Create an object in the locks directory, with a private
-## type using a type transition.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
++## Read-write /var/lib directories
##
##
##
--## Domain allowed access.
--##
--##
+ ## Domain allowed access.
+ ##
+ ##
-##
-##
-## The type of the object to be created.
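Review bot: The separator emitted for the "Read-write /var/lib directories" block is 43 characters wide (`++###########################################`) while every other banner in this hunk is the 40-character `########################################`, so the resulting files.if carries one odd-width rule line. Since the line is regenerated by this patch anyway, emit the standard `########################################`. The block's doc comment continues into the next hunk.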
@@ -15506,13 +15583,11 @@ index f962f76..e06a46c 100644
-##
-##
-## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
-+##
+-##
+-##
#
-interface(`files_lock_filetrans',`
-+interface(`files_dontaudit_search_var_lib',`
++interface(`files_rw_var_lib_dirs',`
gen_require(`
- type var_t, var_lock_t;
+ type var_lib_t;
@@ -15521,14 +15596,14 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
########################################
##
-## Do not audit attempts to get the attributes
-## of the /var/run directory.
-+## List the contents of the /var/lib directory.
++## Create directories in /var/lib
##
##
##
@@ -15538,75 +15613,25 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_list_var_lib',`
++interface(`files_create_var_lib_dirs',`
gen_require(`
- type var_run_t;
-+ type var_t, var_lib_t;
++ type var_lib_t;
')
- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
- dontaudit $1 var_run_t:dir getattr;
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Set the attributes of the /var/run directory.
-+## Read-write /var/lib directories
- ##
- ##
- ##
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_lib_t:dir { create rw_dir_perms };
')
+
########################################
##
--## Do not audit attempts to search
--## the /var/run directory.
+-## Set the attributes of the /var/run directory.
+## Create objects in the /var/lib directory
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
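Review bot: files_create_var_lib_dirs grants `allow $1 var_lib_t:dir { create rw_dir_perms };` but, unlike files_var_lib_filetrans in the next hunk, which pairs its var_lib_t rule with `allow $1 var_t:dir search_dir_perms;`, it gives no search on var_t, so a caller that has not separately obtained search on /var cannot reach /var/lib at all. If that is intentional, say so in the summary; otherwise add the search rule alongside the create rule. Its summary `## Create directories in /var/lib` also lacks the trailing period the neighbouring summaries use.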
@@ -15623,37 +15648,30 @@ index f962f76..e06a46c 100644
+##
+##
+## The name of the object being created.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
++##
++##
++#
+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
++')
++
++########################################
++##
+## Read generic files in /var/lib.
- ##
- ##
- ##
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_var_lib_files',`
- gen_require(`
++ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
@@ -16774,11 +16792,9 @@ index f962f76..e06a46c 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
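Review bot: files_delete_all_pid_dirs calls `files_search_pids($1)` and then also `allow $1 var_t:dir search_dir_perms;`; if files_search_pids already grants search on var_t (its pre-change body shown in a later hunk did so through `search_dirs_pattern($1, var_t, var_run_t)`), the explicit allow is redundant and the two should be reconciled — either drop the direct rule or add a comment explaining why both are needed. The interface's closing `')` lies beyond this hunk.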
@@ -16931,34 +16947,39 @@ index f962f76..e06a46c 100644
+##
+## List the contents of generic spool
+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_setattr_pid_dirs',`
+interface(`files_list_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
+ list_dirs_pattern($1, var_t, var_spool_t)
')
########################################
##
--## Read generic process ID files.
+-## Search the contents of runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
##
##
##
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',`
##
##
#
--interface(`files_read_generic_pids',`
+-interface(`files_search_pids',`
+interface(`files_manage_generic_spool_dirs',`
gen_require(`
- type var_t, var_run_t;
@@ -16966,67 +16987,74 @@ index f962f76..e06a46c 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
+- search_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
--## Write named generic process ID pipes
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Read generic spool files.
##
##
##
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_write_generic_pid_pipes',`
+-interface(`files_dontaudit_search_pids',`
+interface(`files_read_generic_spool',`
gen_require(`
- type var_run_t;
+ type var_t, var_spool_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
--## Create an object in the process ID directory, with a private type.
+-## List the contents of the runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_list_pids',`
+interface(`files_manage_generic_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
+## Create objects in the spool directory
+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
+##
+## Type to which the created node will be transitioned.
@@ -17043,33 +17071,43 @@ index f962f76..e06a46c 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`files_read_generic_pids',`
+interface(`files_spool_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Allow access to manage all polyinstantiated
+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_polyinstantiate_all',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ attribute polydir, polymember, polyparent;
+ type poly_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ # Need to give access to /selinux/member
+ selinux_compute_member($1)
+
@@ -17106,10 +17144,11 @@ index f962f76..e06a46c 100644
+ corecmd_exec_bin($1)
+ seutil_domtrans_setfiles($1)
+ ')
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Unconfined access to files.
+##
+##
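Review bot: The optional block closing at the top of this hunk gives every caller of files_polyinstantiate_all `corecmd_exec_bin($1)` and `seutil_domtrans_setfiles($1)` — a transition into the setfiles domain, whose purpose is relabeling files — yet the interface summary in the previous hunk only promises access to manage polyinstantiated directories. Callers granted this interface should know they also inherit a relabel-capable domain transition; suggest a comment above the two calls, e.g. `# polyinstantiation relabels new member dirs with setfiles, so callers get a domtrans into it`, or a sentence to that effect in the summary. The optional block itself opens outside this hunk.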
@@ -17158,7 +17197,7 @@ index f962f76..e06a46c 100644
##
##
##