diff --git a/policy-f25-base.patch b/policy-f25-base.patch index cfee1da..b5ecae0 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -11237,7 +11237,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..12c026e 100644 +index f962f76..1ac470a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13188,7 +13188,34 @@ index f962f76..12c026e 100644 ') ######################################## -@@ -4012,6 +4908,7 @@ interface(`files_read_kernel_modules',` +@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',` + read_lnk_files_pattern($1, mnt_t, mnt_t) + ') + ++ ++######################################## ++## ++## Load kernel module files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_load_kernel_modules',` ++ gen_require(` ++ type modules_object_t; ++ ') ++ ++ files_read_kernel_modules($1) ++ allow $1 modules_object_t:system module_load; ++') ++ + ######################################## + ## + ## Create, read, write, and delete symbolic links in /mnt. +@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) @@ -13196,7 +13223,7 @@ index f962f76..12c026e 100644 ') ######################################## -@@ -4217,174 +5114,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -13326,111 +13353,75 @@ index f962f76..12c026e 100644 ## # -interface(`files_search_tmp',` -- gen_require(` -- type tmp_t; -- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') - -- allow $1 tmp_t:dir search_dir_perms; ++ + relabelto_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit attempts to search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. +## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit listing of the tmp directory (/tmp). ++## +## Manage manageable system db files in /var/lib. - ## - ## --## --## Domain not to audit. --## ++## ++## +## +## Domain allowed access. 
+## - ## - # --interface(`files_dontaudit_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Remove entries from the tmp directory. ++## +## File name transition for system db files in /var/lib. - ## - ## ++## ++## +## +## Domain allowed access. +## 
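Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their `gen_require` while the body only touches `system_conf_t`, so the type actually used is not required and an unused one is; both blocks should read `type system_conf_t;`. Those `gen_require` lines are carried as context in the outer diff, so the rebase does not introduce them, but the patch still ships them, and whether the module builds presumably depends on `system_conf_t` being in scope by another route. The same mismatch appears in hunk `@@ -13452`, where `files_dontaudit_access_check_tmp` requires `type etc_t;` yet its only rule is on `tmp_t`.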
@@ -13452,322 +13443,173 @@ index f962f76..12c026e 100644 +## temporary directory (/tmp). +## +## - ## --## Domain allowed access. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_delete_tmp_dir_entry',` ++## ++## ++# +interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ gen_require(` ++ type tmp_t; ++ ') ++ + allow $1 tmp_t:filesystem associate; - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system - ## --## ++## +## - ## --## Domain allowed access. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_read_generic_tmp_files',` ++## ++## ++# +interface(`files_associate_rootfs',` - gen_require(` -- type tmp_t; ++ gen_require(` + type root_t; - ') - -- read_files_pattern($1, tmp_t, tmp_t) ++ ') ++ + allow $1 root_t:filesystem associate; - ') - - ######################################## - ## --## Manage temporary directories in /tmp. ++') ++ ++######################################## ++## +## Get the attributes of the tmp directory (/tmp). - ## - ## - ## -@@ -4392,53 +5333,56 @@ interface(`files_read_generic_tmp_files',` - ## - ## - # --interface(`files_manage_generic_tmp_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- manage_dirs_pattern($1, tmp_t, tmp_t) ++ gen_require(` ++ type tmp_t; ++ ') ++ + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Manage temporary files and directories in /tmp. ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on tmp files - ## - ## - ## --## Domain allowed access. 
++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_files',` ++## ++## ++# +interface(`files_dontaudit_access_check_tmp',` - gen_require(` -- type tmp_t; ++ gen_require(` + type etc_t; - ') - -- manage_files_pattern($1, tmp_t, tmp_t) ++ ') ++ + dontaudit $1 tmp_t:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_read_generic_tmp_symlinks',` ++## ++## ++# +interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- read_lnk_files_pattern($1, tmp_t, tmp_t) ++ gen_require(` ++ type tmp_t; ++ ') ++ + dontaudit $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Search the tmp directory (/tmp). - ## - ## - ## -@@ -4446,35 +5390,37 @@ interface(`files_read_generic_tmp_symlinks',` - ## - ## - # --interface(`files_rw_generic_tmp_sockets',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_search_tmp',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir search_dir_perms; + allow $1 tmp_t:dir search_dir_perms; ') - ######################################## - ## --## Set the attributes of all tmp directories. -+## Do not audit attempts to search the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_dontaudit_search_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; -+ dontaudit $1 tmp_t:dir search_dir_perms; - ') - - ######################################## - ## --## List all tmp directories. -+## Read the tmp directory (/tmp). - ## - ## - ## -@@ -4482,59 +5428,55 @@ interface(`files_setattr_all_tmp_dirs',` - ## - ## - # --interface(`files_list_all_tmp',` -+interface(`files_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; +@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',` + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir list_dir_perms; + allow $1 tmp_t:dir list_dir_perms; ') - ######################################## - ## --## Relabel to and from all temporary --## directory types. -+## Do not audit listing of the tmp directory (/tmp). +@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',` ## ## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. ## ## --## # --interface(`files_relabel_all_tmp_dirs',` -+interface(`files_dontaudit_list_tmp',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) -+ dontaudit $1 tmp_t:dir list_dir_perms; +@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',` + dontaudit $1 tmp_t:dir list_dir_perms; ') --######################################## +####################################### - ## --## Do not audit attempts to get the attributes --## of all tmp files. ++## +## Allow read and write to the tmp directory (/tmp). - ## - ## --## --## Domain not to audit. --## ++## ++## +## +## Domain not to audit. 
+## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -- gen_require(` -- attribute tmpfile; -- ') ++## ++# +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') - -- dontaudit $1 tmpfile:file getattr; ++ + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; - ') - ++') ++ ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. -+## Remove entries from the tmp directory. - ## - ## - ## -@@ -4542,110 +5484,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## - # --interface(`files_getattr_all_tmp_files',` -+interface(`files_delete_tmp_dir_entry',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; + ## Remove entries from the tmp directory. +@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; ') -- allow $1 tmpfile:file getattr; + files_search_tmp($1) -+ allow $1 tmp_t:dir del_entry_dir_perms; - ') - - ######################################## - ## --## Relabel to and from all temporary --## file types. -+## Read files in the tmp directory (/tmp). - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_files',` -+interface(`files_read_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) -+ read_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir del_entry_dir_perms; ') - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. -+## Manage temporary directories in /tmp. - ## - ## - ## --## Domain not to audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_sockets',` -+interface(`files_manage_generic_tmp_dirs',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- dontaudit $1 tmpfile:sock_file getattr; -+ manage_dirs_pattern($1, tmp_t, tmp_t) - ') +@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Read all tmp files. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -13776,437 +13618,153 @@ index f962f76..12c026e 100644 +## This is added to support java policy. +##
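Review bot: `files_rw_generic_tmp_dir` is an `allow` interface (`allow $1 tmp_t:dir rw_dir_perms;`) but its parameter is documented as `Domain not to audit.`, the wording this hunk corrects elsewhere for the dontaudit interfaces; it should read `Domain allowed access.`. A policy writer choosing interfaces from the generated documentation would otherwise take it for a dontaudit rule, although it grants write and add_name on /tmp. Separately, `files_search_tmp` now calls `fs_search_tmpfs($1)` for every caller, which widens "search /tmp" beyond `tmp_t`; if that is intended, a one-line comment above the call stating why (presumably /tmp on tmpfs) would save the next reviewer the question.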

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`files_read_all_tmp_files',` ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - -- read_files_pattern($1, tmpfile, tmpfile) ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Create an object in the tmp directories, with a private --## type using a type transition. -+## Manage temporary files and directories in /tmp. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_tmp_filetrans',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - -- filetrans_pattern($1, tmp_t, $2, $3, $4) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Delete the contents of /tmp. -+## Read symbolic links in the tmp directory (/tmp). - ## - ## - ## -@@ -4653,22 +5583,17 @@ interface(`files_tmp_filetrans',` - ## - ## - # --interface(`files_purge_tmp',` -+interface(`files_read_generic_tmp_symlinks',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -- delete_dirs_pattern($1, tmpfile, tmpfile) -- delete_files_pattern($1, tmpfile, tmpfile) -- delete_lnk_files_pattern($1, tmpfile, tmpfile) -- delete_fifo_files_pattern($1, tmpfile, tmpfile) -- delete_sock_files_pattern($1, tmpfile, tmpfile) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Set the attributes of the /usr directory. -+## Read and write generic named sockets in the tmp directory (/tmp). ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. 
## ## - ## -@@ -4676,17 +5601,17 @@ interface(`files_purge_tmp',` - ## - ## - # --interface(`files_setattr_usr_dirs',` -+interface(`files_rw_generic_tmp_sockets',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir setattr; -+ rw_sock_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Search the content of /usr. +## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4694,18 +5619,17 @@ interface(`files_setattr_usr_dirs',` - ## - ## - # --interface(`files_search_usr',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- type usr_t; ++ gen_require(` + type tmp_t; - ') - -- allow $1 usr_t:dir search_dir_perms; ++ ') ++ + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List the contents of generic --## directories in /usr. ++') ++ ++######################################## ++## +## Relabel a file from the type used in /tmp. - ## - ## - ## -@@ -4713,35 +5637,35 @@ interface(`files_search_usr',` - ## - ## - # --interface(`files_list_usr',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_tmp_files',` - gen_require(` -- type usr_t; ++ gen_require(` + type tmp_t; - ') - -- allow $1 usr_t:dir list_dir_perms; ++ ') ++ + relabelfrom_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Do not audit write of /usr dirs -+## Set the attributes of all tmp directories. ++') ++ ++######################################## ++## + ## Set the attributes of all tmp directories. ## ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; - ') +@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## --## Add and remove entries from /usr directories. +## Allow caller to read inherited tmp files. - ## - ## - ## -@@ -4749,36 +5673,35 @@ interface(`files_dontaudit_write_usr_dirs',` - ## - ## - # --interface(`files_rw_usr_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_read_inherited_tmp_files',` - gen_require(` -- type usr_t; ++ gen_require(` + attribute tmpfile; - ') - -- allow $1 usr_t:dir rw_dir_perms; ++ ') ++ + allow $1 tmpfile:file { append read_inherited_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to add and remove --## entries from /usr directories. ++') ++ ++######################################## ++## +## Allow caller to append inherited tmp files. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_usr_dirs',` ++## ++## ++# +interface(`files_append_inherited_tmp_files',` - gen_require(` -- type usr_t; ++ gen_require(` + attribute tmpfile; - ') - -- dontaudit $1 usr_t:dir rw_dir_perms; ++ ') ++ + allow $1 tmpfile:file append_inherited_file_perms; - ') - - ######################################## - ## --## Delete generic directories in /usr in the caller domain. ++') ++ ++######################################## ++## +## Allow caller to read and write inherited tmp files. - ## - ## - ## -@@ -4786,17 +5709,17 @@ interface(`files_dontaudit_rw_usr_dirs',` - ## - ## - # --interface(`files_delete_usr_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_rw_inherited_tmp_file',` - gen_require(` -- type usr_t; ++ gen_require(` + attribute tmpfile; - ') - -- delete_dirs_pattern($1, usr_t, usr_t) ++ ') ++ + allow $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Delete generic files in /usr in the caller domain. -+## List all tmp directories. - ## - ## - ## -@@ -4804,73 +5727,59 @@ interface(`files_delete_usr_dirs',` - ## - ## - # --interface(`files_delete_usr_files',` -+interface(`files_list_all_tmp',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- delete_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of files in /usr. -+## Relabel to and from all temporary -+## directory types. ++') ++ ++######################################## ++## + ## List all tmp directories. ## ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_getattr_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- getattr_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Read generic files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. +@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',` ## --## --##

--## Allow the specified domain to read generic --## files in /usr. These files are various program --## files that do not have more specific SELinux types. --## Some examples of these files are: --##

--##
    --##
  • /usr/include/*
  • --##
  • /usr/share/doc/*
  • --##
  • /usr/share/info/*
  • --##
--##

--## Generally, it is safe for many domains to have --## this access. --##

--##
## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. ## ## --## - # --interface(`files_read_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- allow $1 usr_t:dir list_dir_perms; -- read_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; - ') - - ######################################## - ## --## Execute generic programs in /usr in the caller domain. -+## Allow attempts to get the attributes -+## of all tmp files. - ## - ## - ## -@@ -4878,55 +5787,58 @@ interface(`files_read_usr_files',` - ## - ## - # --interface(`files_exec_usr_files',` -+interface(`files_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- allow $1 usr_t:dir list_dir_perms; -- exec_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; - ') - - ######################################## - ## --## dontaudit write of /usr files -+## Relabel to and from all temporary -+## file types. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## # --interface(`files_dontaudit_write_usr_files',` -+interface(`files_relabel_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- dontaudit $1 usr_t:file write; -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /usr directory. -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. +@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. 
## ## # --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; - ') - - ######################################## - ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. - ## - ## - ## -@@ -4934,67 +5846,70 @@ interface(`files_manage_usr_files',` - ## - ## - # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- relabelto_files_pattern($1, usr_t, usr_t) -+ read_files_pattern($1, tmpfile, tmpfile) - ') +@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',` ######################################## ## --## Relabel a file from the type used in /usr. +-## Create an object in the tmp directories, with a private +-## type using a type transition. +## Do not audit attempts to read or write +## all leaked tmpfiles files. ## @@ -14216,109 +13774,53 @@ index f962f76..12c026e 100644 +## Domain to not audit. ##
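Review bot: `files_read_inherited_tmp_files` grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so a domain that asks only to read an inherited tmp file also receives append, which the summary "Allow caller to read inherited tmp files." does not say, and `files_append_inherited_tmp_files` directly below already covers that need. Dropping the extra permission keeps the interface to what its name promises, `allow $1 tmpfile:file read_inherited_file_perms;`; if some caller depends on the combined grant, the summary should state that append is included. These allow lines are context in the outer diff, so this comes from the earlier version of the patch rather than from this rebase. The name `files_rw_inherited_tmp_file` (singular) also breaks the `_files` naming of its siblings, and `files_execmod_tmp` spans the whole `tmpfile` attribute, so its summary would benefit from naming the java policy as the intended caller rather than leaving that in a trailing sentence.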
## - # --interface(`files_relabelfrom_usr_files',` +-## ++# +interface(`files_dontaudit_tmp_file_leaks',` - gen_require(` -- type usr_t; ++ gen_require(` + attribute tmpfile; - ') - -- relabelfrom_files_pattern($1, usr_t, usr_t) ++ ') ++ + dontaudit $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read symbolic links in /usr. ++') ++ ++######################################## ++## +## Do allow attempts to read or write +## all leaked tmpfiles files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_read_usr_symlinks',` ++## ++## ++# +interface(`files_rw_tmp_file_leaks',` - gen_require(` -- type usr_t; ++ gen_require(` + attribute tmpfile; - ') - -- read_lnk_files_pattern($1, usr_t, usr_t) ++ ') ++ + allow $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Create objects in the /usr directory ++') ++ ++######################################## ++## +## Create an object in the tmp directories, with a private +## type using a type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## ## --## The type of the object to be created -+## The type of the object to be created. - ## - ## --## -+## - ## --## The object class. -+## The object class of the object being created. - ## - ## - ## -@@ -5003,35 +5918,50 @@ interface(`files_read_usr_symlinks',` + ## The type of the object to be created. ## - ## - # --interface(`files_usr_filetrans',` -+interface(`files_tmp_filetrans',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- filetrans_pattern($1, usr_t, $2, $3, $4) -+ filetrans_pattern($1, tmp_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search /usr/src. -+## Delete the contents of /tmp. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_search_src',` -+interface(`files_purge_tmp',` - gen_require(` -- type src_t; -+ attribute tmpfile; - ') - -- dontaudit $1 src_t:dir search_dir_perms; -+ allow $1 tmpfile:dir list_dir_perms; -+ delete_dirs_pattern($1, tmpfile, tmpfile) -+ delete_files_pattern($1, tmpfile, tmpfile) -+ delete_lnk_files_pattern($1, tmpfile, tmpfile) -+ delete_fifo_files_pattern($1, tmpfile, tmpfile) -+ delete_sock_files_pattern($1, tmpfile, tmpfile) +@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',` + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) + delete_chr_files_pattern($1, tmpfile, tmpfile) + delete_blk_files_pattern($1, tmpfile, tmpfile) + files_list_isid_type_dirs($1) 
@@ -14332,1623 +13834,302 @@ index f962f76..12c026e 100644 ') ######################################## +@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',` + + ######################################## ## --## Get the attributes of files in /usr/src. -+## Set the attributes of the /usr directory. ++## Dontaudit getattr attempts on the system.map file ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaduit_getattr_kernel_symbol_table',` ++ gen_require(` ++ type system_map_t; ++ ') ++ ++ dontaudit $1 system_map_t:file getattr; ++') ++ ++######################################## ++## + ## Read system.map in the /boot directory. ## ## - ## -@@ -5039,20 +5969,17 @@ interface(`files_dontaudit_search_src',` - ## - ## - # --interface(`files_getattr_usr_src_files',` -+interface(`files_setattr_usr_dirs',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) -+ allow $1 usr_t:dir setattr; - ') +@@ -5241,6 +6572,24 @@ interface(`files_list_var',` ######################################## ## --## Read files in /usr/src. -+## Search the content of /usr. ++## Do not audit listing of the var directory (/var). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_var',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ dontaudit $1 var_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## in the /var directory. 
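Review bot: The new interface name `files_dontaduit_getattr_kernel_symbol_table` misspells "dontaudit", and once other modules call it the typo is frozen into the policy's interface API, so a later rename becomes an incompatible change; it should be declared as `interface(`files_dontaudit_getattr_kernel_symbol_table',`` before any caller lands, or, if callers already exist elsewhere in this patch (not visible here), the misspelled name kept as a deprecated alias. The description line could also end with a period like the neighbouring interfaces. This is a nested patch; the enclosing outer hunk continues past the end of the view.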
## - ## - ## -@@ -5060,20 +5987,18 @@ interface(`files_getattr_usr_src_files',` - ## - ## - # --interface(`files_read_usr_src_files',` -+interface(`files_search_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; +@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',` + type var_t; ') - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; +- dontaudit $1 var_t:file rw_file_perms; ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',` + filetrans_pattern($1, var_t, $2, $3, $4) ') ++ ++######################################## ++## ++## Relabel dirs in the /var directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_var_dirs',` ++ gen_require(` ++ type var_t; ++ ') ++ allow $1 var_t:dir relabel_dir_perms; ++') ++ + ######################################## + ## + ## Get the attributes of the /var/lib directory. +@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',` + ######################################## ## --## Execute programs in /usr/src in the caller domain. -+## List the contents of generic -+## directories in /usr. ++## Create directories in /var/lib ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_create_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ allow $1 var_lib_t:dir { create rw_dir_perms }; ++') ++ ++ ++######################################## ++## + ## Create objects in the /var/lib directory ## ## - ## -@@ -5081,38 +6006,35 @@ interface(`files_read_usr_src_files',` - ## - ## - # --interface(`files_exec_usr_src_files',` -+interface(`files_list_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') +@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + ++######################################## ++## ++## manage generic symbolic links ++## in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_var_lib_symlinks',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) -+ allow $1 usr_t:dir list_dir_perms; +@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',` + manage_files_pattern($1, var_lib_t, var_lib_t) ') ++ ++######################################## ++## ++## Relabel to dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabelto; ++') ++ ++ ++######################################## ++## ++## Relabel dirs in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_relabel_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir relabel_dir_perms; ++') ++ + ######################################## + ## + ## Allow domain to manage mount tables +@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',` + ######################################## ## --## Install a system.map into the /boot directory. -+## Do not audit write of /usr dirs +-## Set the attributes of the generic lock directories. ++## List generic lock directories. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',` ## ## # --interface(`files_create_kernel_symbol_table',` -+interface(`files_dontaudit_write_usr_dirs',` +-interface(`files_setattr_lock_dirs',` ++interface(`files_list_locks',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; + type var_t, var_lock_t; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; -+ dontaudit $1 usr_t:dir write; +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ') ######################################## - ## --## Read system.map in the /boot directory. -+## Add and remove entries from /usr directories. 
- ## - ## - ## -@@ -5120,37 +6042,36 @@ interface(`files_create_kernel_symbol_table',` - ## - ## - # --interface(`files_read_kernel_symbol_table',` -+interface(`files_rw_usr_dirs',` - gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +@@ -5672,6 +7114,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) -+ allow $1 usr_t:dir rw_dir_perms; ++ files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) ') +@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## Delete a system.map in the /boot directory. -+## Do not audit attempts to add and remove -+## entries from /usr directories. +-## List generic lock directories. ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',` ## ## # --interface(`files_delete_kernel_symbol_table',` -+interface(`files_dontaudit_rw_usr_dirs',` +-interface(`files_list_locks',` ++interface(`files_setattr_lock_dirs',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_lock_t; ++ type var_lock_t; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) -+ dontaudit $1 usr_t:dir rw_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_lock_t:dir setattr; ') ######################################## - ## --## Search the contents of /var. -+## Delete generic directories in /usr in the caller domain. - ## - ## - ## -@@ -5158,35 +6079,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) + ') + +@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',` + ## Domain allowed access. ## ## +-## # --interface(`files_search_var',` -+interface(`files_delete_usr_dirs',` + interface(`files_relabel_all_lock_dirs',` gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, usr_t, usr_t) - ') +@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## --## Do not audit attempts to write to /var. -+## Delete generic files in /usr in the caller domain. +-## Get the attributes of generic lock files. ++## Relabel to and from all lock file types. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
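Review bot: The rewritten `files_setattr_lock_dirs` grants only `allow $1 var_lock_t:dir setattr;` and drops the `var_t:dir search` that the old `setattr_dirs_pattern($1, var_t, var_lock_t)` implied, so a caller that reached /var/lock through this interface alone may now hit a search denial on var_t. If the intent is that callers pair it with `files_search_locks`, say so in the interface comment; otherwise add `files_search_locks($1)` the way the sibling `files_list_locks` and `files_rw_lock_dirs` rewrites in this patch do. This is a nested patch; the enclosing outer hunk continues past the end of the view.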
+@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # --interface(`files_dontaudit_write_var_dirs',` -+interface(`files_delete_usr_files',` +-interface(`files_getattr_generic_locks',` ++interface(`files_relabel_all_lock_files',` gen_require(` -- type var_t; -+ type usr_t; ++ attribute lockfile; + type var_t, var_lock_t; ') -- dontaudit $1 var_t:dir write; -+ delete_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Allow attempts to write to /var.dirs -+## Get the attributes of files in /usr. - ## - ## - ## -@@ -5194,36 +6115,55 @@ interface(`files_dontaudit_write_var_dirs',` - ## - ## - # --interface(`files_write_var_dirs',` -+interface(`files_getattr_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir write; -+ getattr_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to search --## the contents of /var. -+## Read generic files in /usr. - ## -+## -+##

-+## Allow the specified domain to read generic -+## files in /usr. These files are various program -+## files that do not have more specific SELinux types. -+## Some examples of these files are: -+##

-+##
    -+##
  • /usr/include/*
  • -+##
  • /usr/share/doc/*
  • -+##
  • /usr/share/info/*
  • -+##
-+##

-+## Generally, it is safe for many domains to have -+## this access. -+##

-+##
- ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_var',` -+interface(`files_read_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir search_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ read_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## List the contents of /var. -+## Execute generic programs in /usr in the caller domain. - ## - ## - ## -@@ -5231,36 +6171,37 @@ interface(`files_dontaudit_search_var',` - ## - ## - # --interface(`files_list_var',` -+interface(`files_exec_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir list_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ exec_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete directories --## in the /var directory. -+## dontaudit write of /usr files - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_var_dirs',` -+interface(`files_dontaudit_write_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir manage_dir_perms; -+ dontaudit $1 usr_t:file write; - ') - - ######################################## - ## --## Read files in the /var directory. -+## Create, read, write, and delete files in the /usr directory. - ## - ## - ## -@@ -5268,17 +6209,17 @@ interface(`files_manage_var_dirs',` - ## - ## - # --interface(`files_read_var_files',` -+interface(`files_manage_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- read_files_pattern($1, var_t, var_t) -+ manage_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Append files in the /var directory. -+## Relabel a file to the type used in /usr. 
- ## - ## - ## -@@ -5286,17 +6227,17 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_append_var_files',` -+interface(`files_relabelto_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- append_files_pattern($1, var_t, var_t) -+ relabelto_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Read and write files in the /var directory. -+## Relabel a file from the type used in /usr. - ## - ## - ## -@@ -5304,73 +6245,86 @@ interface(`files_append_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_relabelfrom_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ relabelfrom_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read symbolic links in /usr. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_read_usr_symlinks',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Create objects in the /usr directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_var_files',` -+interface(`files_usr_filetrans',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- manage_files_pattern($1, var_t, var_t) -+ filetrans_pattern($1, usr_t, $2, $3, $4) - ') - - ######################################## - ## --## Read symbolic links in the /var directory. -+## Do not audit attempts to search /usr/src. 
- ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_symlinks',` -+interface(`files_dontaudit_search_src',` - gen_require(` -- type var_t; -+ type src_t; - ') - -- read_lnk_files_pattern($1, var_t, var_t) -+ dontaudit $1 src_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete symbolic --## links in the /var directory. -+## Get the attributes of files in /usr/src. - ## - ## - ## -@@ -5378,50 +6332,41 @@ interface(`files_read_var_symlinks',` - ## - ## - # --interface(`files_manage_var_symlinks',` -+interface(`files_getattr_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- manage_lnk_files_pattern($1, var_t, var_t) -+ getattr_files_pattern($1, src_t, src_t) -+ -+ # /usr/src/linux symlink: -+ read_lnk_files_pattern($1, usr_t, src_t) - ') - - ######################################## - ## --## Create objects in the /var directory -+## Read files in /usr/src. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. 
- ## - ## - ## -@@ -5429,69 +6374,56 @@ interface(`files_var_filetrans',` - ## - ## - # --interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` - gen_require(` -- type var_t, var_lib_t; -+ type usr_t, src_t; - ') - -- getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) - ') - - ######################################## - ## --## Search the /var/lib directory. -+## Install a system.map into the /boot directory. - ## --## --##

--## Search the /var/lib directory. This is --## necessary to access files or directories under --## /var/lib that have a private type. For example, a --## domain accessing a private library file in the --## /var/lib directory: --##

--##

--## allow mydomain_t mylibfile_t:file read_file_perms; --## files_search_var_lib(mydomain_t) --##

--##
- ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to search the --## contents of /var/lib. -+## Dontaudit getattr attempts on the system.map file - ## - ## - ## - ## Domain to not audit. - ## - ## --## - # --interface(`files_dontaudit_search_var_lib',` -+interface(`files_dontaduit_getattr_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type system_map_t; - ') - -- dontaudit $1 var_lib_t:dir search_dir_perms; -+ dontaudit $1 system_map_t:file getattr; - ') - - ######################################## - ## --## List the contents of the /var/lib directory. -+## Read system.map in the /boot directory. - ## - ## - ## -@@ -5499,17 +6431,18 @@ interface(`files_dontaudit_search_var_lib',` - ## - ## - # --interface(`files_list_var_lib',` -+interface(`files_read_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) - ') - --########################################### -+######################################## - ## --## Read-write /var/lib directories -+## Delete a system.map in the /boot directory. 
- ## - ## - ## -@@ -5517,70 +6450,54 @@ interface(`files_list_var_lib',` - ## - ## - # --interface(`files_rw_var_lib_dirs',` -+interface(`files_delete_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type boot_t, system_map_t; - ') - -- rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) - ') - - ######################################## - ## --## Create objects in the /var/lib directory -+## Search the contents of /var. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_lib_filetrans',` -+interface(`files_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Read generic files in /var/lib. -+## Do not audit attempts to write to /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`files_read_var_lib_files',` -+interface(`files_dontaudit_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_lib_t:dir list_dir_perms; -- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic symbolic links in /var/lib -+## Allow attempts to write to /var.dirs - ## - ## - ## -@@ -5588,41 +6505,36 @@ interface(`files_read_var_lib_files',` - ## - ## - # --interface(`files_read_var_lib_symlinks',` -+interface(`files_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; - ') - --# cjp: the next two interfaces really need to be fixed --# in some way. They really neeed their own types. -- - ######################################## - ## --## Create, read, write, and delete the --## pseudorandom number generator seed. -+## Do not audit attempts to search -+## the contents of /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_urandom_seed',` -+interface(`files_dontaudit_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow domain to manage mount tables --## necessary for rpcd, nfsd, etc. -+## List the contents of /var. 
- ## - ## - ## -@@ -5630,36 +6542,36 @@ interface(`files_manage_urandom_seed',` - ## - ## - # --interface(`files_manage_mounttab',` -+interface(`files_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_dontaudit_list_var',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Search the locks directory (/var/lock). -+## Create, read, write, and delete directories -+## in the /var directory. - ## - ## - ## -@@ -5667,38 +6579,35 @@ interface(`files_setattr_lock_dirs',` - ## - ## - # --interface(`files_search_locks',` -+interface(`files_manage_var_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to search the --## locks directory (/var/lock). -+## Read files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_search_locks',` -+interface(`files_read_var_files',` - gen_require(` -- type var_lock_t; -+ type var_t; - ') - -- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_lock_t:dir search_dir_perms; -+ read_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## List generic lock directories. -+## Append files in the /var directory. - ## - ## - ## -@@ -5706,19 +6615,17 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_append_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Add and remove entries in the /var/lock --## directories. -+## Read and write files in the /var directory. - ## - ## - ## -@@ -5726,60 +6633,54 @@ interface(`files_list_locks',` - ## - ## - # --interface(`files_rw_lock_dirs',` -+interface(`files_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- rw_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create lock directories -+## Do not audit attempts to read and write -+## files in the /var directory. - ## - ## --## --## Domain allowed access -+## -+## Domain to not audit. 
- ## - ## - # --interface(`files_create_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- create_dirs_pattern($1, var_lock_t, var_lock_t) -+ dontaudit $1 var_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Relabel to and from all lock directory types. -+## Create, read, write, and delete files in the /var directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_lock_dirs',` -+interface(`files_manage_var_files',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- relabel_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Read symbolic links in the /var directory. - ## - ## - ## -@@ -5787,20 +6688,18 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_read_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. 
- ## - ## - ## -@@ -5808,63 +6707,68 @@ interface(`files_getattr_generic_locks',` - ## - ## - # --interface(`files_delete_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ manage_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## lock files. -+## Create objects in the /var directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_generic_locks',` -+interface(`files_var_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) -+ filetrans_pattern($1, var_t, $2, $3, $4) - ') - -+ - ######################################## - ## --## Delete all lock files. -+## Relabel dirs in the /var directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_locks',` -+interface(`files_relabel_var_dirs',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') -- -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) -+ allow $1 var_t:dir relabel_dir_perms; - ') - - ######################################## - ## --## Read all lock files. -+## Get the attributes of the /var/lib directory. 
- ## - ## - ## -@@ -5872,101 +6776,87 @@ interface(`files_delete_all_locks',` - ## - ## - # --interface(`files_read_all_locks',` -+interface(`files_getattr_var_lib_dirs',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ getattr_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## manage all lock files. -+## Search the /var/lib directory. - ## -+## -+##

-+## Search the /var/lib directory. This is -+## necessary to access files or directories under -+## /var/lib that have a private type. For example, a -+## domain accessing a private library file in the -+## /var/lib directory: -+##

-+##

-+## allow mydomain_t mylibfile_t:file read_file_perms; -+## files_search_var_lib(mydomain_t) -+##

-+##
- ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_manage_all_locks',` -+interface(`files_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Create an object in the locks directory, with a private --## type using a type transition. -+## Do not audit attempts to search the -+## contents of /var/lib. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. - ## - ## -+## - # --interface(`files_lock_filetrans',` -+interface(`files_dontaudit_search_var_lib',` - gen_require(` -- type var_t, var_lock_t; -+ type var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ dontaudit $1 var_lib_t:dir search_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of the /var/run directory. -+## List the contents of the /var/lib directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_list_var_lib',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; -+ list_dirs_pattern($1, var_t, var_lib_t) - ') - --######################################## -+########################################### - ## --## Set the attributes of the /var/run directory. -+## Read-write /var/lib directories - ## - ## - ## -@@ -5974,19 +6864,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` - ## - ## - # --interface(`files_setattr_pid_dirs',` -+interface(`files_rw_var_lib_dirs',` - gen_require(` -- type var_run_t; -+ type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Search the contents of runtime process --## ID directories (/var/run). -+## Create directories in /var/lib - ## - ## - ## -@@ -5994,39 +6882,52 @@ interface(`files_setattr_pid_dirs',` - ## - ## - # --interface(`files_search_pids',` -+interface(`files_create_var_lib_dirs',` - gen_require(` -- type var_t, var_run_t; -+ type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) -+ allow $1 var_lib_t:dir { create rw_dir_perms }; - ') - -+ - ######################################## - ## --## Do not audit attempts to search --## the /var/run directory. -+## Create objects in the /var/lib directory - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. 
- ## - ## - # --interface(`files_dontaudit_search_pids',` -+interface(`files_var_lib_filetrans',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). -+## Read generic files in /var/lib. - ## - ## - ## -@@ -6034,18 +6935,1302 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` -+interface(`files_read_var_lib_files',` - gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+') -+ -+######################################## -+## -+## Read generic symbolic links in /var/lib -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_var_lib_symlinks',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+') -+ -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ -+######################################## -+## -+## Create, read, write, and delete the -+## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_urandom_seed',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+ -+######################################## -+## -+## Relabel to dirs in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabelto_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ allow $1 var_lib_t:dir relabelto; -+') -+ -+ -+######################################## -+## -+## Relabel dirs in the /var/lib directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ allow $1 var_lib_t:dir relabel_dir_perms; -+') -+ -+######################################## -+## -+## Allow domain to manage mount tables -+## necessary for rpcd, nfsd, etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_mounttab',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## List generic lock directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Search the locks directory (/var/lock). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search the -+## locks directory (/var/lock). -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`files_dontaudit_search_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_lock_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_lock_dirs',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ allow $1 var_lock_t:dir setattr; -+') -+ -+######################################## -+## -+## Add and remove entries in the /var/lock -+## directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ rw_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create lock directories -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_create_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ create_dirs_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Relabel to and from all lock directory types. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_relabel_all_lock_dirs',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Relabel to and from all lock file types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_lock_files',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + relabel_files_pattern($1, lockfile, lockfile) +') + 
@@ -15968,210 +14149,86 @@ index f962f76..12c026e 100644 + ') + + files_search_locks($1) -+ allow $1 var_lock_t:dir list_dir_perms; -+ getattr_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_generic_locks',` + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) + ') +@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',` + ## + # + interface(`files_delete_generic_locks',` +- gen_require(` + gen_require(` -+ type var_t, var_lock_t; + type var_t, var_lock_t; +- ') + ') -+ + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) + files_search_locks($1) + delete_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ delete_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Read all lock files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_read_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 lockfile:dir list_dir_perms; -+ read_files_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## manage all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, lockfile, lockfile) -+ manage_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Create an object in the locks directory, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_lock_filetrans',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ filetrans_pattern($1, var_lock_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir getattr; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/run directory. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_setattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ + ') + + ######################################## +@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) + ') + +@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) -+ allow $1 var_run_t:dir setattr; -+') -+ -+######################################## -+## -+## Search the contents of runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_search_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ + allow $1 var_run_t:dir setattr; + ') + +@@ -5999,10 +7473,48 @@ interface(`files_search_pids',` + type var_t, var_run_t; + ') + + allow $1 var_t:lnk_file read_lnk_file_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_run_t) -+') -+ + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) + ') + +###################################### +## +## Add and remove entries from pid directories. 
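Review bot: The lock interfaces rewritten in this hunk (`files_delete_generic_locks`, `files_manage_generic_locks`, `files_read_all_locks`, `files_manage_all_locks`, `files_lock_filetrans`) take their traversal rules from `files_search_locks($1)` in place of the explicit `var_t:dir search_dir_perms` and `var_lock_t:lnk_file read_lnk_file_perms` allows, and that is a wider grant than the rules it replaces. This chunk shows the body of `files_search_locks` only on the removed side, where it calls `files_search_pids($1)`; if the new patch keeps that body, each caller additionally receives what `files_search_pids` grants further down this hunk (`var_t:lnk_file` read, `var_run_t:lnk_file` read and `search_dirs_pattern($1, var_t, var_run_t)`). That is plausibly intended for a layout where /var/lock is a symlink into /run, but it should be recorded, e.g. with `# /var/lock is a symlink into /run: searching var_run_t is needed to reach it` above the `files_search_pids($1)` call in `files_search_locks`. The later substitution of `files_search_pids($1)` for a single `var_run_t:lnk_file` rule in `files_list_pids`, `files_read_generic_pids` and `files_write_generic_pid_pipes` widens those interfaces by `var_t:dir` search in the same way.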
@@ -16201,256 +14258,23 @@ index f962f76..12c026e 100644 +## +# +interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_pids',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Allow search the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of the runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Write named generic process ID pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_write_generic_pid_pipes',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_run_t:fifo_file write; -+') -+ -+######################################## -+## -+## Create an object in the process ID directory, with a private type. -+## -+## -+##

-+## Create an object in the process ID directory (e.g., /var/run) -+## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

-+##

-+## Related interfaces: -+##

-+##
    -+##
  • files_pid_file()
  • -+##
-+##

-+## Example usage with a domain that can create and -+## write its PID file with a private PID file type in the -+## /var/run directory: -+##

-+##

-+## type mypidfile_t; -+## files_pid_file(mypidfile_t) -+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -+## files_pid_filetrans(mydomain_t, mypidfile_t, file) -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+## -+# -+interface(`files_pid_filetrans',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_run_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Create a generic lock directory within the run directories -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_pid_filetrans_lock_dir',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ files_pid_filetrans($1, var_lock_t, dir, $2) -+') -+ -+######################################## -+## -+## rw generic pid files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_inherited_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') ++ gen_require(` ++ type var_t, var_run_t; ++ ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; +') + -+######################################## -+## -+## Do not audit attempts to get the attributes of -+## daemon runtime data files. 
+ ######################################## + ## + ## Do not audit attempts to search +@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',` + + ######################################## + ## ++## Do not audit attempts to search ++## the all /var/run directory. +## +## +## @@ -16458,19 +14282,17 @@ index f962f76..12c026e 100644 +## +## +# -+interface(`files_dontaudit_getattr_all_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` + attribute pidfile; -+ type var_run_t; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file getattr; ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Do not audit attempts to write to daemon runtime data files. ++## Allow search the all /var/run directory. +## +## +## 
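Review bot: `files_create_var_run_dirs` reaches /var/run with a bare `allow $1 var_t:dir search_dir_perms;`, while every other pid interface touched by this commit expresses the same traversal as `files_search_pids($1)`; the explicit allow lacks the `var_run_t:lnk_file` read that `files_search_pids` grants, so a domain that relies on this interface alone may still be denied where /var/run is a symlink. Replacing that line with `files_search_pids($1)` keeps the new interface consistent with the rest of the commit. The `var_run_t:dir create_dir_perms` grant is fine for its purpose, but the interface would benefit from a one-line comment stating that it creates generic `var_run_t` directories rather than private-typed ones, to steer callers toward `files_pid_filetrans` for the latter.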
@@ -16478,37 +14300,101 @@ index f962f76..12c026e 100644 +## +## +# -+interface(`files_dontaudit_write_all_pids',` ++interface(`files_search_all_pids',` + gen_require(` + attribute pidfile; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file write; ++ allow $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6039,7 +7588,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; + ') + +@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',` + + ######################################## + ## +-## Read and write generic process ID files. 
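Review bot: The parameter description of `files_search_all_pids` reads `## Domain to not audit.`, copied from the dontaudit interface just above it, although this interface emits an `allow`; it should read `## Domain allowed access.`. The summaries of both new interfaces ("search the all /var/run directory") are ungrammatical and do not say that the grant covers every type carrying the `pidfile` attribute rather than /var/run alone; suggested wording is `## Do not audit attempts to search all process ID directories.` for the dontaudit variant and `## Search all process ID directories (all types with the pidfile attribute).` for the allow variant.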
++## rw generic pid files inherited from another process + ## + ## + ## +@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',` + ## + ## + # +-interface(`files_rw_generic_pids',` ++interface(`files_rw_inherited_generic_pid_files',` + gen_require(` +- type var_t, var_run_t; ++ type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to ioctl daemon runtime data files. ++## Read and write generic process ID files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_ioctl_all_pids',` ++interface(`files_rw_generic_pids',` + gen_require(` -+ attribute pidfile; -+ type var_run_t; ++ type var_t, var_run_t; + ') + -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file ioctl; -+') -+ -+######################################## -+## ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',` + + ######################################## + ## +## Relable all pid directories +## +## 
@@ -16619,23 +14505,20 @@ index f962f76..12c026e 100644 + +######################################## +## -+## Read all process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_read_all_pids',` -+ gen_require(` -+ attribute pidfile; + ## Read all process ID files. + ## + ## +@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',` + interface(`files_read_all_pids',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + type var_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) +') + 
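Review bot: `files_pid_filetrans` only deletes its `var_run_t:lnk_file read_lnk_file_perms` rule, whereas `files_list_pids`, `files_read_generic_pids` and `files_write_generic_pid_pipes` in the same hunk replace theirs with `files_search_pids($1)`; a domain that uses `files_pid_filetrans` without one of those interfaces loses the ability to follow a /var/run symlink that it had before. Unless that is deliberate, the remaining `allow $1 var_t:dir search_dir_perms;` in that interface should become `files_search_pids($1)` like its siblings. The summary of the new interface at the end of the hunk has a typo: `## Relable all pid directories` should read `## Relabel all pid directories`; that interface's body lies beyond the hunk.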
@@ -16730,59 +14613,33 @@ index f962f76..12c026e 100644 + ') + + allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+') -+ -+######################################## -+## -+## Delete all process ID directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; + ') + + ######################################## +@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) +@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',` + type var_t, var_run_t; + ') + + files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Make the specified type a file +## used for spool files. +## 
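Review bot: `files_read_all_pids` drops `var_run_t` from its `gen_require` together with the `var_run_t:lnk_file read_lnk_file_perms` rule, but unlike the sibling interfaces rewritten in this commit it does not substitute `files_search_pids($1)`; the symlink read is then covered by the remaining `read_lnk_files_pattern($1, pidfile, pidfile)` only if `var_run_t` carries the `pidfile` attribute, which this chunk cannot confirm. If it does, a comment such as `# var_run_t is a pidfile type, so the /var/run symlink is covered by read_lnk_files_pattern` would record why no explicit rule is needed; if it does not, add `files_search_pids($1)` as in the other interfaces.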
@@ -16805,361 +14662,118 @@ index f962f76..12c026e 100644 +## write its spool file in the system spool file +## directories (/var/spool): +##
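Review bot: In `files_delete_all_pids` and `files_delete_all_pid_dirs` the inserted `files_search_pids($1)` is immediately followed by the retained `allow $1 var_t:dir search_dir_perms;`, which `files_search_pids` already grants through its `search_dirs_pattern($1, var_t, var_run_t)` shown earlier in this diff; the explicit allow is now redundant in both interfaces and can be dropped, matching how the lock interfaces were rewritten. Both interface bodies extend past the hunk's trailing context.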

-+##

-+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

-+## -+## -+## -+## Type of the file to be used as a -+## spool file. -+## -+## -+## -+# -+interface(`files_spool_file',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ files_type($1) -+ typeattribute $1 spoolfile; -+') -+ -+######################################## -+## -+## Create all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Delete all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_spool_dirs',` -+ gen_require(` -+ attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. -+## -+## ++##

++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

++## ++## +## -+## Domain to not audit. ++## Type of the file to be used as a ++## spool file. +## +## ++## +# -+interface(`files_dontaudit_search_spool',` ++interface(`files_spool_file',` + gen_require(` -+ type var_spool_t; ++ attribute spoolfile; + ') + -+ dontaudit $1 var_spool_t:dir search_dir_perms; ++ files_type($1) ++ typeattribute $1 spoolfile; +') + +######################################## +## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Read generic process ID files. -+## Create, read, write, and delete generic -+## spool directories (/var/spool). ++## Create all spool sockets ## ## ## -@@ -6053,19 +8238,18 @@ interface(`files_list_pids',` +-## Domain alloed access. ++## Domain allowed access. ## ## # --interface(`files_read_generic_pids',` -+interface(`files_manage_generic_spool_dirs',` +-interface(`files_manage_all_pids',` ++interface(`files_create_all_spool_sockets',` gen_require(` -- type var_t, var_run_t; -+ type var_t, var_spool_t; +- attribute pidfile; ++ attribute spoolfile; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## --## Write named generic process ID pipes -+## Read generic spool files. +-## Mount filesystems on all polyinstantiation +-## member directories. 
++## Delete all spool sockets ## ## ## -@@ -6073,43 +8257,151 @@ interface(`files_read_generic_pids',` +@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',` ## ## # --interface(`files_write_generic_pid_pipes',` -+interface(`files_read_generic_spool',` +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_spool_sockets',` gen_require(` -- type var_run_t; -+ type var_t, var_spool_t; +- attribute polymember; ++ attribute spoolfile; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) +- allow $1 polymember:dir mounton; ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Allow access to manage all polyinstantiated -+## directories on the system. 
++## Relabel to and from all spool ++## directory types. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_polyinstantiate_all',` ++interface(`files_relabel_all_spool_dirs',` + gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; ++ attribute spoolfile; ++ type var_t; + ') + -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') ++ relabel_dirs_pattern($1, spoolfile, spoolfile) + ') + + ######################################## +@@ -6580,3 +8414,605 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## -+## Unconfined access to files. ++## Create a core files in / +## ++## ++##

++## Create a core file in /, ++##

++##
+## +## +## Domain allowed access. +## +## -+# -+interface(`files_unconfined',` -+ gen_require(` -+ attribute files_unconfined_type; -+ ') -+ -+ typeattribute $1 files_unconfined_type; -+') -+ -+######################################## -+## -+## Create a core files in / - ## - ## - ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

--## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) -+## Create a core file in /, - ##

- ##
- ## -@@ -6117,80 +8409,157 @@ interface(`files_write_generic_pid_pipes',` - ## Domain allowed access. - ##
- ## --## +## +# +interface(`files_manage_root_files',` @@ -17200,14 +14814,12 @@ index f962f76..12c026e 100644 +## type transition. +##
+## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## - ## - ## --## The object class of the object being created. ++## ++## ++## ++## +## The class of the object being created. +## +## @@ -17238,11 +14850,10 @@ index f962f76..12c026e 100644 +## +## +## The class of the object being created. - ## - ## - ## - ## --## The name of the object being created. ++## ++## ++## ++## +## The name of the object being created. +## +## 
@@ -17263,433 +14874,315 @@ index f962f76..12c026e 100644 +## +## +## Domain allowed access. - ## - ## --## - # --interface(`files_pid_filetrans',` ++## ++## ++# +interface(`files_manage_generic_pids_symlinks',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ ') ++ + manage_lnk_files_pattern($1,var_run_t,var_run_t) - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## Do not audit attempts to getattr +## all tmpfs files. - ## - ## --## --## Domain allowed access --## --## --## - ## --## The name of the object being created. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_pid_filetrans_lock_dir',` ++## ++## ++# +interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` -- type var_lock_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- files_pid_filetrans($1, var_lock_t, dir, $2) ++ ') ++ + allow $1 tmpfsfile:file getattr; - ') - - ######################################## - ## --## Read and write generic process ID files. ++') ++ ++######################################## ++## +## Allow delete all tmpfs files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++# +interface(`files_delete_tmpfs_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + allow $1 tmpfsfile:file delete_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. 
-+## Allow read write all tmpfs files - ## - ## - ## -@@ -6198,19 +8567,17 @@ interface(`files_rw_generic_pids',` - ## - ## - # --interface(`files_dontaudit_getattr_all_pids',` ++') ++ ++######################################## ++## ++## Allow read write all tmpfs files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_rw_tmpfs_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; ++ ') ++ + allow $1 tmpfsfile:file { read write }; - ') - - ######################################## - ## --## Do not audit attempts to write to daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to read security files - ## - ## - ## -@@ -6218,18 +8585,17 @@ interface(`files_dontaudit_getattr_all_pids',` - ## - ## - # --interface(`files_dontaudit_write_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_read_security_files',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute security_file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; ++ ') ++ + dontaudit $1 security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to ioctl daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to search security files - ## - ## - ## -@@ -6237,129 +8603,119 @@ interface(`files_dontaudit_write_all_pids',` - ## - ## - # --interface(`files_dontaudit_ioctl_all_pids',` ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# +interface(`files_dontaudit_search_security_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute security_file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; ++ ') ++ + dontaudit $1 security_file_type:dir search_dir_perms; - ') - - ######################################## - ## --## Read all process ID files. ++') ++ ++######################################## ++## +## Do not audit attempts to read security dirs - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`files_read_all_pids',` ++## ++## ++# +interface(`files_dontaudit_list_security_dirs',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute security_file_type; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 security_file_type:dir list_dir_perms; - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## rw any files inherited from another process - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Object type. 
+## +## - # --interface(`files_delete_all_pids',` ++# +interface(`files_rw_all_inherited_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ ') ++ + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_delete_all_pid_dirs',` ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; + type unlabeled_t; - ') -- -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ ') + allow $1 {file_type -unlabeled_t} :file entrypoint; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Do not audit attempts to rw inherited file perms +## of non security files. - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain to not audit. 
- ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute non_security_file_type; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Do not audit attempts to read or write +## all leaked files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++# +interface(`files_dontaudit_leaks',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute file_type; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## Allow domain to create_file_ass all types - ## - ## - ## -@@ -6367,18 +8723,19 @@ interface(`files_mounton_all_poly_members',` - ## - ## - # --interface(`files_search_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_as_is_all_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute file_type; + class kernel_service create_files_as; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + allow $1 file_type:kernel_service create_files_as; - ') - - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. 
++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on all files - ## - ## - ## -@@ -6386,132 +8743,227 @@ interface(`files_search_spool',` - ## - ## - # --interface(`files_dontaudit_search_spool',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_all_access_check',` - gen_require(` -- type var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; ++ ') ++ + dontaudit $1 file_type:dir_file_class_set audit_access; - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. ++') ++ ++######################################## ++## +## Do not audit attempts to write to all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_spool',` ++## ++## ++# +interface(`files_dontaudit_write_all_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + dontaudit $1 file_type:dir_file_class_set write; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Allow domain to delete to all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. 
- ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++# +interface(`files_delete_all_non_security_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Allow domain to delete to all dirs - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_read_generic_spool',` ++## ++## ++# +interface(`files_delete_all_non_security_dirs',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_spool',` ++## ++## ++# +interface(`files_filetrans_named_content',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type etc_t; + type mnt_t; + type usr_t; 
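Review bot: The parameter docs on four of the new `allow` interfaces read `Domain to not audit.` although they grant access rather than suppress audit: `files_delete_tmpfs_files`, `files_rw_tmpfs_files`, `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs`; each should say `## Domain allowed access.` as the neighbouring `files_rw_all_inherited_files` already does. The summaries of `files_entrypoint_all_files` (`Allow any file point to be the entrypoint`) and `files_create_as_is_all_files` (`create_file_ass all types`) also carry typos, and since both grant very broad rights (`{file_type -unlabeled_t}:file entrypoint`, `file_type:kernel_service create_files_as`) the summary is the only place a policy author sees that scope. I'd state it plainly, e.g. `## Allow any labeled file type (all file_type except unlabeled_t) to be an entrypoint of this domain.`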
@@ -17698,10 +15191,8 @@ index f962f76..12c026e 100644 + type var_run_t; + type var_lock_t; + type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -17741,16 +15232,13 @@ index f962f76..12c026e 100644 + files_var_filetrans($1, tmp_t, dir, "tmp") + files_var_filetrans($1, var_run_t, dir, "run") + files_var_filetrans($1, etc_runtime_t, file, ".updated") - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Make the specified type a +## base file. - ## --## ++## +## +##

+## Identify file type as base file type. Tools will use this attribute, @@ -17758,12 +15246,10 @@ index f962f76..12c026e 100644 +##

+##
+## - ## --## Domain allowed access. ++## +## Type to be used as a base files. - ## - ## --## ++## ++## +## +# +interface(`files_base_file',` @@ -17785,12 +15271,10 @@ index f962f76..12c026e 100644 +##

+## +## - ## --## Type to which the created node will be transitioned. ++## +## Type to be used as a base read only files. - ## - ## --## ++## ++## +## +# +interface(`files_ro_base_file',` @@ -17806,13 +15290,10 @@ index f962f76..12c026e 100644 +## Read all ro base files. +##
+## - ## --## Object class(es) (single or set including {}) for which this --## the transition will occur. ++## +## Domain allowed access. - ## - ## --## ++## ++## +## +# +interface(`files_read_all_base_ro_files',` @@ -17830,106 +15311,56 @@ index f962f76..12c026e 100644 +## Execute all base ro files. +##
+## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_exec_all_base_ro_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ + can_exec($1, base_ro_file_type) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Allow the specified domain to modify the systemd configuration of +## any file. - ## - ## - ## -@@ -6519,53 +8971,17 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_config_all_files',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute file_type; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom 
relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -- -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -- ') ++ ') ++ + allow $1 file_type:service all_service_perms; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Get the status of etc_t files - ## - ## - ## -@@ -6573,10 +8989,10 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_status_etc',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + type etc_t; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 etc_t:service status; - ') ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..3221f80 100644 --- a/policy/modules/kernel/files.te
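Review bot: The summary of `files_config_all_files` (`modify the systemd configuration of any file`) understates the rule beneath it, `allow $1 file_type:service all_service_perms;`, which grants the full service permission set on every file_type-labelled unit, presumably including start/stop and enable/disable rather than configuration alone. I'd reword it to `## Allow the specified domain every service-class permission (all_service_perms) on units labelled with any file type.` so a policy author does not mistake it for a config-only grant. `files_exec_all_base_ro_files` and `files_status_etc` look consistent with their summaries.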