+ ##
+@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8208,7 +8184,7 @@ index 76f285e..0aef35e 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8217,33 +8193,149 @@ index 76f285e..0aef35e 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',`
+@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ##
+ ##
+ ##
+@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ##
+ ##
+ ##
+@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',`
+
+ ########################################
+ ##
+-## Allow read/write the vhost net device
++## Get the attributes of vfio devices.
+ ##
+ ##
+ ##
+@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, vhost_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write VMWare devices.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_rw_vmware',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vmware_device_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+ ')
########################################
##
--## Allow caller to get a list of usb hardware.
-+## Allow caller to get a list of usb hardware.
+-## Read, write, and mmap VMWare devices.
++## Set the attributes of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',`
+ ##
+ ##
+ #
+-interface(`dev_rwx_vmware',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+- type device_t, vmware_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- dev_rw_vmware($1)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
+########################################
+##
-+## Set the attributes of usbfs filesystem.
++## Read the vfio devices.
+##
+##
+##
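Review bot: The `dev_rw_userio_dev` header that this hunk moves still opens with a 38-character rule (`++######################################`) while every other interface separator visible here, including the vfio ones added right below it, is 40 characters; since the block is being rewritten anyway, pad it to `########################################` so the doc generator and separator-matching scripts see one consistent form. The vfio interfaces themselves look consistent: the `dontaudit` variants require only `vfio_device_t`, and the allow variants go through the `*_chr_files_pattern` helpers with `device_t` as the directory type. The `dev_read_vfio_dev` doc block at the end of the hunk continues outside it.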
@@ -8251,19 +8343,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
++## Write the vfio devices.
+##
+##
+##
@@ -8271,19 +8361,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_read_usbfs',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Allow caller to modify usb hardware configuration files.
++## Read and write the VFIO devices.
+##
+##
+##
@@ -8291,19 +8379,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_rw_usbfs',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
-+######################################
++########################################
+##
-+## Read and write userio device.
++## Allow read/write the vhost net device
+##
+##
+##
@@ -8311,17 +8397,17 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_rw_userio_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
-+ type device_t, userio_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
+########################################
+##
-+## Get the attributes of video4linux devices.
++## Allow read/write inheretid the vhost net device
+##
+##
+##
@@ -8329,36 +8415,35 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_getattr_video_dev',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of video4linux device nodes.
++## Read and write VMWare devices.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_rw_vmware',`
+ gen_require(`
-+ type v4l_device_t;
++ type device_t, vmware_device_t;
+ ')
+
-+ dontaudit $1 v4l_device_t:chr_file getattr;
++ rw_chr_files_pattern($1, device_t, vmware_device_t)
+')
+
+########################################
+##
-+## Set the attributes of video4linux device nodes.
++## Read, write, and mmap VMWare devices.
+##
+##
+##
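Review bot: `dev_rw_inherited_vhost` lists `device_t` in its `gen_require` but its body only references `vhost_device_t` (`allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;`), so the require should be trimmed to `type vhost_device_t;`, matching the `dev_dontaudit_*` interfaces in this file. The summary also misspells "inherited"; change it to `## Read and write inherited vhost net device file descriptors.`, which additionally records the real distinction from `dev_rw_vhost` (presumably no `search` on `/dev`, since the `rw_chr_files_pattern` helper is not used). The `dev_rwx_vmware` doc block at the end of the hunk continues outside it.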
@@ -8366,296 +8451,16 @@ index 76f285e..0aef35e 100644
+##
+##
+#
-+interface(`dev_setattr_video_dev',`
++interface(`dev_rwx_vmware',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vmware_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dontaudit $1 v4l_device_t:chr_file setattr;
++ dev_rw_vmware($1)
+ allow $1 vmware_device_t:chr_file execute;
')
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Read the video4linux devices.
- ##
- ##
- ##
-@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## Write the video4linux devices.
- ##
- ##
- ##
-@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of video4linux devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Set the attributes of vfio device nodes.
- ##
- ##
- ##
-@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
-@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ dontaudit $1 vfio_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Read the vfio devices.
- ##
- ##
- ##
-@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Write the vfio devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write the VFIO devices.
- ##
- ##
- ##
-@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Allow read/write the vhost net device
- ##
- ##
- ##
-@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',`
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Allow read/write inheretid the vhost net device
- ##
- ##
- ##
-@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
- gen_require(`
- type device_t, vhost_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',`
########################################
##
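Review bot: `dev_rwx_vmware` requires `device_t` (`++ type device_t, vmware_device_t;`) but its body is `dev_rw_vmware($1)` followed by `allow $1 vmware_device_t:chr_file execute;`, and `dev_rw_vmware` carries its own require, so `device_t` is unused here and should be dropped. `execute` on a character device is the permission checked for executable mappings of the node, which is stronger than the plain "mmap" in the summary; state it as `## Read, write, and map VMWare devices executable.` so callers understand they are opting into W+X on a device. The remainder of the hunk is the old placement of the vfio/vhost interfaces being relocated, with no new rules.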
@@ -8680,7 +8485,7 @@ index 76f285e..0aef35e 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8725,7 +8530,7 @@ index 76f285e..0aef35e 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10232,7 +10037,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7b76b77 100644
+index cf04cb5..466882e 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10365,8 +10170,11 @@ index cf04cb5..7b76b77 100644
')
########################################
-@@ -147,12 +217,18 @@ optional_policy(`
+@@ -145,14 +215,21 @@ optional_policy(`
+ # be used on an attribute.
+
# Use/sendto/connectto sockets created by any domain.
++allow unconfined_domain_type self:cap_userns all_cap_userns_perms;
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+allow unconfined_domain_type domain:system all_system_perms;
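Review bot: The new `allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` is inserted directly under `# Use/sendto/connectto sockets created by any domain.`, so that comment now describes the wrong rule; give the grant its own comment, e.g. `# Unconfined domains may use every capability inside user namespaces.`, and keep the socket comment attached to the `domain:{ socket_class_set socket key_socket } *` line. Because `cap_userns` is what governs capability use inside user namespaces, a comment recording that the full set is deliberate for unconfined domains is worth having rather than leaving it looking like a stray line. The enclosing block of this inner hunk starts outside the view.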
@@ -10385,7 +10193,7 @@ index cf04cb5..7b76b77 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +243,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -17953,7 +17761,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..761fbab 100644
+index 8416beb..c17a25a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18452,7 +18260,7 @@ index 8416beb..761fbab 100644
##
##
##
-@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',`
+@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -18609,14 +18417,16 @@ index 8416beb..761fbab 100644
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ type fusefs_t;
+ ')
+
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+## Unmount a FUSE filesystem.
+##
+##
@@ -18654,226 +18464,277 @@ index 8416beb..761fbab 100644
+########################################
+##
+## Search directories
-+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
+ ## on a FUSEFS filesystem.
+ ##
+ ##
+@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_manage_fusefs_files',`
+interface(`fs_search_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_dontaudit_list_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ dontaudit $1 fusefs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_manage_fusefs_dirs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_dontaudit_manage_fusefs_dirs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
+ dontaudit $1 fusefs_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
+## Read, a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_read_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ read_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
+## Execute files on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_exec_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ exec_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_fusefs_entry_type',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ domain_entry_file($1, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## The type of the object to be associated.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_fusefs_entrypoint',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ allow $1 fusefs_t:file entrypoint;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_manage_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ manage_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 fusefs_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Manage symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
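Review bot: `fs_fusefs_entrypoint` grants `allow $1 fusefs_t:file entrypoint;`, meaning any file on any FUSE mount can be the entry point of a transition into `$1`, and FUSE content is produced by whichever process runs the filesystem daemon; the summary should carry that caveat, e.g. `## Use only for domains that must be entered from user-controlled FUSE mounts.` Its description is currently identical to that of `fs_fusefs_entry_type` ("Make general progams in FUSEFS an entrypoint ...", with "programs" misspelt in both) even though that interface calls `domain_entry_file($1, fusefs_t)` while this one only grants `entrypoint`, so the two summaries should say which is which; `fs_read_fusefs_files` also has a stray comma in `## Read, a FUSEFS filesystem.`. The rebased hunk additionally shows the patch now deleting upstream's `fs_getattr_hugetlbfs`, `fs_list_hugetlbfs`, `fs_manage_hugetlbfs_dirs`, `fs_rw_hugetlbfs_files`, `fs_associate_hugetlbfs`, `fs_search_inotifyfs`, `fs_list_inotifyfs` and `fs_dontaudit_list_inotifyfs`; unless they are re-added further down the inner hunk, which continues past this view, any module calling them will fail to build. `fs_manage_fusefs_symlinks` at the end of the hunk continues outside it.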
@@ -18908,15 +18769,19 @@ index 8416beb..761fbab 100644
+##
+##
+##