diff --git a/policy-f25-base.patch b/policy-f25-base.patch
index cfee1da..b5ecae0 100644
--- a/policy-f25-base.patch
+++ b/policy-f25-base.patch
@@ -11237,7 +11237,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..12c026e 100644
+index f962f76..1ac470a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13188,7 +13188,34 @@ index f962f76..12c026e 100644
')
########################################
-@@ -4012,6 +4908,7 @@ interface(`files_read_kernel_modules',`
+@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',`
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++
++########################################
++##
++## Load kernel module files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_load_kernel_modules',`
++ gen_require(`
++ type modules_object_t;
++ ')
++
++ files_read_kernel_modules($1)
++ allow $1 modules_object_t:system module_load;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -13196,7 +13223,7 @@ index f962f76..12c026e 100644
')
########################################
-@@ -4217,174 +5114,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13326,111 +13353,75 @@ index f962f76..12c026e 100644
##
#
-interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain to not audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ##
--## Read the tmp directory (/tmp).
++##
+## Create files in /etc with the type used for
+## the manageable system config files.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## The type of the process performing this action.
+##
- ##
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
++##
+## Manage manageable system db files in /var/lib.
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Remove entries from the tmp directory.
++##
+## File name transition for system db files in /var/lib.
- ##
- ##
++##
++##
+##
+## Domain allowed access.
+##
@@ -13452,322 +13443,173 @@ index f962f76..12c026e 100644
+## temporary directory (/tmp).
+##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
++##
++##
++#
+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++ gen_require(`
++ type tmp_t;
++ ')
++
+ allow $1 tmp_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
++##
++##
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
++')
++
++########################################
++##
+## Get the attributes of the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4392,53 +5333,56 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- manage_dirs_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Manage temporary files and directories in /tmp.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
++##
++##
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_tmp_symlinks',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4446,35 +5390,37 @@ interface(`files_read_generic_tmp_symlinks',`
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_search_tmp',`
gen_require(`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Do not audit attempts to search the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ dontaudit $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List all tmp directories.
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4482,59 +5428,55 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
')
-- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Do not audit listing of the tmp directory (/tmp).
+@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
+@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
--########################################
+#######################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
++##
+## Allow read and write to the tmp directory (/tmp).
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain not to audit.
+##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-- gen_require(`
-- attribute tmpfile;
-- ')
++##
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- dontaudit $1 tmpfile:file getattr;
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
++')
++
########################################
##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4542,110 +5484,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ ## Remove entries from the tmp directory.
+@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- allow $1 tmpfile:file getattr;
+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## file types.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
--## Read all tmp files.
+## Allow shared library text relocations in tmp files.
- ##
++##
+##
+##
+## Allow shared library text relocations in tmp files.
@@ -13776,437 +13618,153 @@ index f962f76..12c026e 100644
+## This is added to support java policy.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`files_read_all_tmp_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:file execmod;
- ')
-
- ########################################
- ##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Manage temporary files and directories in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4653,22 +5583,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
##
##
- ##
-@@ -4676,17 +5601,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
--## Search the content of /usr.
+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4694,18 +5619,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
++ ')
++
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
++')
++
++########################################
++##
+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
-@@ -4713,35 +5637,35 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
++ ')
++
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## Set the attributes of all tmp directories.
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
+@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
--## Add and remove entries from /usr directories.
+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4749,36 +5673,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ##
- ##
- #
--interface(`files_rw_usr_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
++ ')
++
+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
++')
++
++########################################
++##
+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
++##
++##
++#
+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
++ ')
++
+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
++')
++
++########################################
++##
+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4786,17 +5709,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## List all tmp directories.
- ##
- ##
- ##
-@@ -4804,73 +5727,59 @@ interface(`files_delete_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Relabel to and from all temporary
-+## directory types.
++')
++
++########################################
++##
+ ## List all tmp directories.
##
##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Read generic files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
+@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Execute generic programs in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4878,55 +5787,58 @@ interface(`files_read_usr_files',`
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## dontaudit write of /usr files
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
#
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- dontaudit $1 usr_t:file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /usr directory.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
+@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
#
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
- ')
-
- ########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
- ##
- ##
- ##
-@@ -4934,67 +5846,70 @@ interface(`files_manage_usr_files',`
- ##
- ##
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
- ')
+@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',`
########################################
##
--## Relabel a file from the type used in /usr.
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
+## Do not audit attempts to read or write
+## all leaked tmpfiles files.
##
@@ -14216,109 +13774,53 @@ index f962f76..12c026e 100644
+## Domain to not audit.
##
##
- #
--interface(`files_relabelfrom_usr_files',`
+-##
++#
+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- relabelfrom_files_pattern($1, usr_t, usr_t)
++ ')
++
+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links in /usr.
++')
++
++########################################
++##
+## Do allow attempts to read or write
+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
++##
++##
++#
+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- read_lnk_files_pattern($1, usr_t, usr_t)
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /usr directory
++')
++
++########################################
++##
+## Create an object in the tmp directories, with a private
+## type using a type transition.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
##
--## The type of the object to be created
-+## The type of the object to be created.
- ##
- ##
--##
-+##
- ##
--## The object class.
-+## The object class of the object being created.
- ##
- ##
- ##
-@@ -5003,35 +5918,50 @@ interface(`files_read_usr_symlinks',`
+ ## The type of the object to be created.
##
- ##
- #
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type src_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
+ files_list_isid_type_dirs($1)
@@ -14332,1623 +13834,302 @@ index f962f76..12c026e 100644
')
########################################
+@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
##
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
##
##
- ##
-@@ -5039,20 +5969,17 @@ interface(`files_dontaudit_search_src',`
- ##
- ##
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
- ')
+@@ -5241,6 +6572,24 @@ interface(`files_list_var',`
########################################
##
--## Read files in /usr/src.
-+## Search the content of /usr.
++## Do not audit listing of the var directory (/var).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
##
- ##
- ##
-@@ -5060,20 +5987,18 @@ interface(`files_getattr_usr_src_files',`
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
+@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
')
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',`
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
++
++########################################
++##
++## Relabel dirs in the /var directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_var_dirs',`
++ gen_require(`
++ type var_t;
++ ')
++ allow $1 var_t:dir relabel_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Get the attributes of the /var/lib directory.
+@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',`
+
########################################
##
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
++## Create directories in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
++
++########################################
++##
+ ## Create objects in the /var/lib directory
##
##
- ##
-@@ -5081,38 +6006,35 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
+@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
++########################################
++##
++## manage generic symbolic links
++## in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_var_lib_symlinks',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
+@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',`
+ manage_files_pattern($1, var_lib_t, var_lib_t)
')
++
++########################################
++##
++## Relabel to dirs in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabelto_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir relabelto;
++')
++
++
++########################################
++##
++## Relabel dirs in the /var/lib directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir relabel_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Allow domain to manage mount tables
+@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',`
+
########################################
##
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',`
##
##
#
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+ type var_t, var_lock_t;
')
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
')
########################################
- ##
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5120,37 +6042,36 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+@@ -5672,6 +7114,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
')
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
')
+@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- type var_t, var_lock_t;
++ type var_lock_t;
')
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
')
########################################
- ##
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5158,35 +6079,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
##
##
+-##
#
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
+ interface(`files_relabel_all_lock_dirs',`
gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
+@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
+-## Get the attributes of generic lock files.
++## Relabel to and from all lock file types.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
gen_require(`
-- type var_t;
-+ type usr_t;
++ attribute lockfile;
+ type var_t, var_lock_t;
')
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5194,36 +6115,55 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
- ##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5231,36 +6171,37 @@ interface(`files_dontaudit_search_var',`
- ##
- ##
- #
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ##
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
- ##
- ##
- ##
-@@ -5268,17 +6209,17 @@ interface(`files_manage_var_dirs',`
- ##
- ##
- #
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
- ##
- ##
- ##
-@@ -5286,17 +6227,17 @@ interface(`files_read_var_files',`
- ##
- ##
- #
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ##
- ##
- ##
-@@ -5304,73 +6245,86 @@ interface(`files_append_var_files',`
- ##
- ##
- #
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
- ##
- ##
- ##
-@@ -5378,50 +6332,41 @@ interface(`files_read_var_symlinks',`
- ##
- ##
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5429,69 +6374,56 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5499,17 +6431,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5517,70 +6450,54 @@ interface(`files_list_var_lib',`
- ##
- ##
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var/lib directory
-+## Search the contents of /var.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5588,41 +6505,36 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
- ##
- ##
- ##
-@@ -5630,36 +6542,36 @@ interface(`files_manage_urandom_seed',`
- ##
- ##
- #
--interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5667,38 +6579,35 @@ interface(`files_setattr_lock_dirs',`
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Read files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5706,19 +6615,17 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5726,60 +6633,54 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6688,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,63 +6707,68 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Create objects in the /var directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
-+
- ########################################
- ##
--## Delete all lock files.
-+## Relabel dirs in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_relabel_var_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ allow $1 var_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Read all lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
-@@ -5872,101 +6776,87 @@ interface(`files_delete_all_locks',`
- ##
- ##
- #
--interface(`files_read_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
-+##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Set the attributes of the /var/run directory.
-+## Read-write /var/lib directories
- ##
- ##
- ##
-@@ -5974,19 +6864,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5994,39 +6882,52 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
-+
- ########################################
- ##
--## Do not audit attempts to search
--## the /var/run directory.
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## Read generic files in /var/lib.
- ##
- ##
- ##
-@@ -6034,18 +6935,1302 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read generic symbolic links in /var/lib
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_var_lib_symlinks',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
-+########################################
-+##
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Relabel to dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabelto;
-+')
-+
-+
-+########################################
-+##
-+## Relabel dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ relabel_files_pattern($1, lockfile, lockfile)
+')
+
@@ -15968,210 +14149,86 @@ index f962f76..12c026e 100644
+ ')
+
+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
+ gen_require(`
-+ type var_t, var_lock_t;
+ type var_t, var_lock_t;
+- ')
+ ')
-+
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
+ files_search_locks($1)
+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
+ ')
+
+ ########################################
+@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5999,10 +7473,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+######################################
+##
+## Add and remove entries from pid directories.
@@ -16201,256 +14258,23 @@ index f962f76..12c026e 100644
+##
+#
+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow search the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Create an object in the process ID directory, with a private type.
-+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+##
-+## rw generic pid files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
++ gen_require(`
++ type var_t, var_run_t;
++ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
+')
+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## the all /var/run directory.
+##
+##
+##
@@ -16458,19 +14282,17 @@ index f962f76..12c026e 100644
+##
+##
+#
-+interface(`files_dontaudit_getattr_all_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
-+ type var_run_t;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to write to daemon runtime data files.
++## Allow search the all /var/run directory.
+##
+##
+##
@@ -16478,37 +14300,101 @@ index f962f76..12c026e 100644
+##
+##
+#
-+interface(`files_dontaudit_write_all_pids',`
++interface(`files_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
++ allow $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7588,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
++## rw generic pid files inherited from another process
+ ##
+ ##
+ ##
+@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_rw_inherited_generic_pid_files',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to ioctl daemon runtime data files.
++## Read and write generic process ID files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaudit_ioctl_all_pids',`
++interface(`files_rw_generic_pids',`
+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
++ type var_t, var_run_t;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+## Relable all pid directories
+##
+##
@@ -16619,23 +14505,20 @@ index f962f76..12c026e 100644
+
+########################################
+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
+ ## Read all process ID files.
+ ##
+ ##
+@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
@@ -16730,59 +14613,33 @@ index f962f76..12c026e 100644
+ ')
+
+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
-+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
+ ')
+
+ ########################################
+@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Make the specified type a file
+## used for spool files.
+##
@@ -16805,361 +14662,118 @@ index f962f76..12c026e 100644
+## write its spool file in the system spool file
+## directories (/var/spool):
+##
-+##
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
-+##
-+##
-+##
-+## Type of the file to be used as a
-+## spool file.
-+##
-+##
-+##
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ files_type($1)
-+ typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+##
-+## Create all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel to and from all spool
-+## directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
++##
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##
++##
++##
+##
-+## Domain to not audit.
++## Type of the file to be used as a
++## spool file.
+##
+##
++##
+#
-+interface(`files_dontaudit_search_spool',`
++interface(`files_spool_file',`
+ gen_require(`
-+ type var_spool_t;
++ attribute spoolfile;
+ ')
+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
++ files_type($1)
++ typeattribute $1 spoolfile;
+')
+
+########################################
+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
++## Create all spool sockets
##
##
##
-@@ -6053,19 +8238,18 @@ interface(`files_list_pids',`
+-## Domain alloed access.
++## Domain allowed access.
##
##
#
--interface(`files_read_generic_pids',`
-+interface(`files_manage_generic_spool_dirs',`
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_spool_sockets',`
gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
+- attribute pidfile;
++ attribute spoolfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
--## Write named generic process ID pipes
-+## Read generic spool files.
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all spool sockets
##
##
##
-@@ -6073,43 +8257,151 @@ interface(`files_read_generic_pids',`
+@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',`
##
##
#
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_read_generic_spool',`
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_spool_sockets',`
gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
+- attribute polymember;
++ attribute spoolfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+- allow $1 polymember:dir mounton;
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
++## Relabel to and from all spool
++## directory types.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_polyinstantiate_all',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
++ attribute spoolfile;
++ type var_t;
+ ')
+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+@@ -6580,3 +8414,605 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+##
-+## Unconfined access to files.
++## Create a core files in /
+##
++##
++##
++## Create a core file in /,
++##
++##
+##
+##
+## Domain allowed access.
+##
+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
-+
-+########################################
-+##
-+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+## Create a core file in /,
- ##
- ##
- ##
-@@ -6117,80 +8409,157 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
+##
+#
+interface(`files_manage_root_files',`
@@ -17200,14 +14814,12 @@ index f962f76..12c026e 100644
+## type transition.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
- ##
- ##
--## The object class of the object being created.
++##
++##
++##
++##
+## The class of the object being created.
+##
+##
@@ -17238,11 +14850,10 @@ index f962f76..12c026e 100644
+##
+##
+## The class of the object being created.
- ##
- ##
- ##
- ##
--## The name of the object being created.
++##
++##
++##
++##
+## The name of the object being created.
+##
+##
@@ -17263,433 +14874,315 @@ index f962f76..12c026e 100644
+##
+##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
++##
++##
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
++')
++
++########################################
++##
+## Do not audit attempts to getattr
+## all tmpfs files.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_lock_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
++')
++
++########################################
++##
+## Allow delete all tmpfs files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
++##
++##
++#
+interface(`files_delete_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 tmpfsfile:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
-+## Allow read write all tmpfs files
- ##
- ##
- ##
-@@ -6198,19 +8567,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
++')
++
++########################################
++##
++## Allow read write all tmpfs files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
++ ')
++
+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6218,18 +8585,17 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
++ ')
++
+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to search security files
- ##
- ##
- ##
-@@ -6237,129 +8603,119 @@ interface(`files_dontaudit_write_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_search_security_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
++ ')
++
+ dontaudit $1 security_file_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
++')
++
++########################################
++##
+## Do not audit attempts to read security dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_list_security_dirs',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 security_file_type:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## rw any files inherited from another process
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+##
+## Object type.
+##
+##
- #
--interface(`files_delete_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_delete_all_pid_dirs',`
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
+ type unlabeled_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
+ allow $1 {file_type -unlabeled_t} :file entrypoint;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Do not audit attempts to read or write
+## all leaked files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to create_file_ass all types
- ##
- ##
- ##
-@@ -6367,18 +8723,19 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on all files
- ##
- ##
- ##
-@@ -6386,132 +8743,227 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Do not audit attempts to write to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to delete to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_spool',`
++##
++##
++#
+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type etc_t;
+ type mnt_t;
+ type usr_t;
@@ -17698,10 +15191,8 @@ index f962f76..12c026e 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -17741,16 +15232,13 @@ index f962f76..12c026e 100644
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Make the specified type a
+## base file.
- ##
--##
++##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -17758,12 +15246,10 @@ index f962f76..12c026e 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type to be used as a base files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_base_file',`
@@ -17785,12 +15271,10 @@ index f962f76..12c026e 100644
+##
+##
+##
- ##
--## Type to which the created node will be transitioned.
++##
+## Type to be used as a base read only files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_ro_base_file',`
@@ -17806,13 +15290,10 @@ index f962f76..12c026e 100644
+## Read all ro base files.
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_read_all_base_ro_files',`
@@ -17830,106 +15311,56 @@ index f962f76..12c026e 100644
+## Execute all base ro files.
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ##
- ##
- ##
-@@ -6519,53 +8971,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6573,10 +8989,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_status_etc',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ type etc_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..3221f80 100644
--- a/policy/modules/kernel/files.te