diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 33dc3cc..21f9083 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9762,7 +9762,7 @@ index c2c6e05..7996499 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..87da44f 100644
+index 64ff4d7..51cce06 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10018,7 +10018,50 @@ index 64ff4d7..87da44f 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+
+ ########################################
+ ##
++## Get the attributes of all chr files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_chr_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_chr_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
++## Get the attributes of all blk files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_all_blk_files',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ getattr_blk_files_pattern($1, file_type, file_type)
++')
++
++########################################
++##
+ ## Do not audit attempts to get the attributes
+ ## of all files.
+ ##
+@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
@@ -10082,7 +10125,7 @@ index 64ff4d7..87da44f 100644
## Read all files.
##
##
-@@ -683,12 +906,125 @@ interface(`files_read_non_security_files',`
+@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -10093,122 +10136,303 @@ index 64ff4d7..87da44f 100644
########################################
##
+-## Read all directories on the filesystem, except
+-## the listed exceptions.
+## Read/Write all inherited non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_dirs_except',`
++interface(`files_rw_inherited_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- allow $1 { file_type $2 }:dir list_dir_perms;
++ allow $1 non_security_file_type:file { read write };
+ ')
+
+ ########################################
+ ##
+-## Read all files on the filesystem, except
+-## the listed exceptions.
++## Manage all non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_files_except',`
++interface(`files_manage_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- read_files_pattern($1, { file_type $2 }, { file_type $2 })
++ manage_files_pattern($1, non_security_file_type, non_security_file_type)
++ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+
+ ########################################
+ ##
+-## Read all symbolic links on the filesystem, except
+-## the listed exceptions.
++## Relabel all non-security files.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The types to be excluded. Each type or attribute
+-## must be negated by the caller.
+-##
+-##
++##
+ #
+-interface(`files_read_all_symlinks_except',`
++interface(`files_relabel_non_security_files',`
+ gen_require(`
+- attribute file_type;
++ attribute non_security_file_type;
+ ')
+
+- read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
++ allow $1 { non_security_file_type }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all symbolic links.
++## Search all base file dirs.
+ ##
+ ##
+ ##
+@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+ ##
+ ##
+ #
+-interface(`files_getattr_all_symlinks',`
++interface(`files_search_base_file_types',`
+ gen_require(`
+- attribute file_type;
++ attribute base_file_type;
+ ')
+
+- getattr_lnk_files_pattern($1, file_type, file_type)
++ allow $1 base_file_type:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all symbolic links.
++## Relabel all base file types.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_symlinks',`
++interface(`files_relabel_base_file_types',`
+ gen_require(`
+- attribute file_type;
++ attribute base_file_type;
+ ')
+
+- dontaudit $1 file_type:lnk_file getattr;
++ allow $1 base_file_type:dir list_dir_perms;
++ relabel_dirs_pattern($1, base_file_type , base_file_type )
++ relabel_files_pattern($1, base_file_type , base_file_type )
++ relabel_lnk_files_pattern($1, base_file_type , base_file_type )
++ relabel_fifo_files_pattern($1, base_file_type , base_file_type )
++ relabel_sock_files_pattern($1, base_file_type , base_file_type )
++ relabel_blk_files_pattern($1, base_file_type , base_file_type )
++ relabel_chr_files_pattern($1, base_file_type , base_file_type )
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read all symbolic links.
++## Read all directories on the filesystem, except
++## the listed exceptions.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_read_all_symlinks',`
++interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+- dontaudit $1 file_type:lnk_file read;
++ allow $1 { file_type $2 }:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of non security symbolic links.
++## Read all files on the filesystem, except
++## the listed exceptions.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
+#
-+interface(`files_rw_inherited_non_security_files',`
++interface(`files_read_all_files_except',`
+ gen_require(`
-+ attribute non_security_file_type;
++ attribute file_type;
+ ')
+
-+ allow $1 non_security_file_type:file { read write };
++ read_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+##
-+## Manage all non-security files.
++## Read all symbolic links on the filesystem, except
++## the listed exceptions.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
+#
-+interface(`files_manage_non_security_files',`
++interface(`files_read_all_symlinks_except',`
+ gen_require(`
-+ attribute non_security_file_type;
++ attribute file_type;
+ ')
+
-+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++ read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
+')
+
+########################################
+##
-+## Relabel all non-security files.
++## Get the attributes of all symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`files_relabel_non_security_files',`
++interface(`files_getattr_all_symlinks',`
+ gen_require(`
-+ attribute non_security_file_type;
++ attribute file_type;
+ ')
+
-+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
-+ allow $1 { non_security_file_type }:dir list_dir_perms;
-+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
-+
-+ # satisfy the assertions:
-+ seutil_relabelto_bin_policy($1)
++ getattr_lnk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+##
-+## Search all base file dirs.
++## Do not audit attempts to get the attributes
++## of all symbolic links.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_search_base_file_types',`
++interface(`files_dontaudit_getattr_all_symlinks',`
+ gen_require(`
-+ attribute base_file_type;
++ attribute file_type;
+ ')
+
-+ allow $1 base_file_type:dir search_dir_perms;
++ dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+##
-+## Relabel all base file types.
++## Do not audit attempts to read all symbolic links.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_relabel_base_file_types',`
++interface(`files_dontaudit_read_all_symlinks',`
+ gen_require(`
-+ attribute base_file_type;
++ attribute file_type;
+ ')
+
-+ allow $1 base_file_type:dir list_dir_perms;
-+ relabel_dirs_pattern($1, base_file_type , base_file_type )
-+ relabel_files_pattern($1, base_file_type , base_file_type )
-+ relabel_lnk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_fifo_files_pattern($1, base_file_type , base_file_type )
-+ relabel_sock_files_pattern($1, base_file_type , base_file_type )
-+ relabel_blk_files_pattern($1, base_file_type , base_file_type )
-+ relabel_chr_files_pattern($1, base_file_type , base_file_type )
++ dontaudit $1 file_type:lnk_file read;
+')
+
+########################################
+##
- ## Read all directories on the filesystem, except
- ## the listed exceptions.
++## Do not audit attempts to get the attributes
++## of non security symbolic links.
##
-@@ -953,6 +1289,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+ ##
+ ##
+@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
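Review bot: In `files_relabel_non_security_files` the line `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` is immediately followed, three lines later, by the same call in braced form, so the first one is redundant and should be dropped; the braces around a single attribute on the remaining `relabel_*_pattern` lines are also unnecessary, and `files_relabel_base_file_types` in the same hunk already uses the unbraced form (with stray spaces before its closing parentheses that could be trimmed at the same time). The trailing `seutil_relabelto_bin_policy($1)` matches what upstream `files_relabel_all_files` does, so that part is consistent. These interfaces are being moved rather than written by this commit, but they are still what lands in files.if.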
@@ -10234,29 +10458,24 @@ index 64ff4d7..87da44f 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,8 +1346,8 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
--## Do not audit attempts to get the attributes
--## of non security named sockets.
+## Do not audit attempts to read
+## of all named sockets.
- ##
- ##
- ##
-@@ -1000,12 +1355,50 @@ interface(`files_dontaudit_getattr_all_sockets',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_non_security_sockets',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_all_sockets',`
- gen_require(`
-- attribute non_security_file_type;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 non_security_file_type:sock_file getattr;
++ ')
++
+ dontaudit $1 file_type:sock_file read;
+')
+
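Review bot: The summary of `files_dontaudit_read_all_sockets` reads "Do not audit attempts to read / of all named sockets.", which is ungrammatical as the generated documentation; suggest collapsing it to `## Do not audit attempts to read all named sockets.` to match the phrasing of `files_dontaudit_read_all_symlinks` earlier in this patch. The gen_require and dontaudit body are otherwise in line with the sibling dontaudit interfaces.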
@@ -10281,25 +10500,10 @@ index 64ff4d7..87da44f 100644
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of non security named sockets.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_non_security_sockets',`
-+ gen_require(`
-+ attribute non_security_file_type;
-+ ')
-+
-+ dontaudit $1 non_security_file_type:sock_file getattr;
- ')
-
- ########################################
-@@ -1073,10 +1466,8 @@ interface(`files_relabel_all_files',`
+ ## Do not audit attempts to get the attributes
+ ## of non security named sockets.
+ ##
+@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10312,7 +10516,7 @@ index 64ff4d7..87da44f 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1573,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
########################################
##
@@ -10337,7 +10541,7 @@ index 64ff4d7..87da44f 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1816,6 @@ interface(`files_relabel_non_auth_files',`
+@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
# device nodes with file types.
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -10347,7 +10551,7 @@ index 64ff4d7..87da44f 100644
')
#############################################
-@@ -1583,6 +1953,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1583,6 +1989,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
##
@@ -10372,7 +10576,7 @@ index 64ff4d7..87da44f 100644
## Set the attributes of all mount points.
##
##
-@@ -1601,6 +1989,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2025,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -10397,7 +10601,7 @@ index 64ff4d7..87da44f 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1673,6 +2079,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1673,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -10422,7 +10626,7 @@ index 64ff4d7..87da44f 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1691,6 +2115,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1691,6 +2151,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
@@ -10465,13 +10669,54 @@ index 64ff4d7..87da44f 100644
## List the contents of the root directory.
##
##
-@@ -1707,6 +2167,23 @@ interface(`files_list_root',`
+@@ -1707,7 +2203,6 @@ interface(`files_list_root',`
allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
+-
+ ########################################
+ ##
+ ## Do not audit attempts to write to / dirs.
+@@ -1718,18 +2213,17 @@ interface(`files_list_root',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_root_dirs',`
++interface(`files_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+- dontaudit $1 root_t:dir write;
++ allow $1 root_t:dir write;
+ ')
+
+-###################
+########################################
-+##
+ ##
+-## Do not audit attempts to write
+-## files in the root directory.
+## Do not audit attempts to write to / dirs.
+ ##
+ ##
+ ##
+@@ -1737,7 +2231,26 @@ interface(`files_dontaudit_write_root_dirs',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_root_dir',`
++interface(`files_dontaudit_write_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ dontaudit $1 root_t:dir write;
++')
++
++###################
++##
++## Do not audit attempts to write
++## files in the root directory.
+##
+##
+##
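Review bot: `files_write_root_dirs` inherits the upstream summary "Do not audit attempts to write to / dirs." although its body is `allow $1 root_t:dir write;`, so the interface documentation now describes a dontaudit for an interface that grants write access; the inner patch should modify that context line to something like `## Write to / dirs.` (the "Domain allowed access." parameter text is already right). The same hunk also reintroduces the short `###################` banner before `files_dontaudit_rw_root_dir`; the 40-column banner used by every other interface would be consistent. The body of `files_dontaudit_rw_root_dir` continues outside this hunk.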
@@ -10479,17 +10724,11 @@ index 64ff4d7..87da44f 100644
+##
+##
+#
-+interface(`files_write_root_dirs',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ allow $1 root_t:dir write;
-+')
-
- ########################################
- ##
-@@ -1747,6 +2224,26 @@ interface(`files_dontaudit_rw_root_dir',`
++interface(`files_dontaudit_rw_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+@@ -1747,6 +2260,26 @@ interface(`files_dontaudit_rw_root_dir',`
########################################
##
@@ -10516,7 +10755,7 @@ index 64ff4d7..87da44f 100644
## Create an object in the root directory, with a private
## type using a type transition.
##
-@@ -1874,25 +2371,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1874,25 +2407,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -10548,7 +10787,7 @@ index 64ff4d7..87da44f 100644
##
##
##
-@@ -1905,7 +2402,7 @@ interface(`files_relabel_rootfs',`
+@@ -1905,7 +2438,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -10557,7 +10796,7 @@ index 64ff4d7..87da44f 100644
')
########################################
-@@ -1928,6 +2425,42 @@ interface(`files_unmount_rootfs',`
+@@ -1928,6 +2461,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -10600,7 +10839,7 @@ index 64ff4d7..87da44f 100644
## Get attributes of the /boot directory.
##
##
-@@ -2163,6 +2696,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2163,6 +2732,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -10625,7 +10864,7 @@ index 64ff4d7..87da44f 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2627,6 +3178,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2627,6 +3214,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10650,7 +10889,7 @@ index 64ff4d7..87da44f 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2698,6 +3267,7 @@ interface(`files_read_etc_files',`
+@@ -2698,6 +3303,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10658,7 +10897,7 @@ index 64ff4d7..87da44f 100644
')
########################################
-@@ -2706,7 +3276,7 @@ interface(`files_read_etc_files',`
+@@ -2706,7 +3312,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -10667,7 +10906,7 @@ index 64ff4d7..87da44f 100644
##
##
#
-@@ -2762,6 +3332,25 @@ interface(`files_manage_etc_files',`
+@@ -2762,6 +3368,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -10693,7 +10932,7 @@ index 64ff4d7..87da44f 100644
## Delete system configuration files in /etc.
##
##
-@@ -2780,6 +3369,24 @@ interface(`files_delete_etc_files',`
+@@ -2780,6 +3405,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -10718,7 +10957,7 @@ index 64ff4d7..87da44f 100644
## Execute generic files in /etc.
##
##
-@@ -2945,26 +3552,8 @@ interface(`files_delete_boot_flag',`
+@@ -2945,24 +3588,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -10740,14 +10979,10 @@ index 64ff4d7..87da44f 100644
-
-########################################
-##
--## Read files in /etc that are dynamically
--## created on boot, such as mtab.
-+## Read files in /etc that are dynamically
-+## created on boot, such as mtab.
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
##
- ##
- ##
-@@ -3003,9 +3592,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3003,9 +3628,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -10758,7 +10993,7 @@ index 64ff4d7..87da44f 100644
##
##
##
-@@ -3013,18 +3600,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3013,18 +3636,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -10780,7 +11015,7 @@ index 64ff4d7..87da44f 100644
##
##
##
-@@ -3042,6 +3628,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3042,6 +3664,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -10807,7 +11042,7 @@ index 64ff4d7..87da44f 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3059,6 +3665,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3059,6 +3701,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10815,7 +11050,7 @@ index 64ff4d7..87da44f 100644
')
########################################
-@@ -3080,6 +3687,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3080,6 +3723,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10823,7 +11058,7 @@ index 64ff4d7..87da44f 100644
')
########################################
-@@ -3132,6 +3740,44 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3776,44 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
@@ -10868,13 +11103,193 @@ index 64ff4d7..87da44f 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3205,6 +3851,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,11 +3887,10 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
+-
+ ########################################
+ ##
+-## Create, read, write, and delete directories
+-## on new filesystems that have not yet been labeled.
++## Execute files on new filesystems
++## that have not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3217,18 +3898,18 @@ interface(`files_delete_isid_type_dirs',`
+ ##
+ ##
+ #
+-interface(`files_manage_isid_type_dirs',`
++interface(`files_exec_isid_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+- allow $1 file_t:dir manage_dir_perms;
++ can_exec($1, file_t)
+ ')
+
+ ########################################
+ ##
+-## Mount a filesystem on a directory on new filesystems
+-## that has not yet been labeled.
++## Moundon directories on new filesystems
++## that have not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3236,17 +3917,17 @@ interface(`files_manage_isid_type_dirs',`
+ ##
+ ##
+ #
+-interface(`files_mounton_isid_type_dirs',`
++interface(`files_mounton_isid',`
+ gen_require(`
+ type file_t;
+ ')
+
+- allow $1 file_t:dir { search_dir_perms mounton };
++ allow $1 file_t:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Read files on new filesystems
++## Relabelfrom all file opbjects on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3255,18 +3936,18 @@ interface(`files_mounton_isid_type_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_isid_type_files',`
++interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type file_t;
+ ')
+
+- allow $1 file_t:file read_file_perms;
++ dontaudit $1 file_t:dir_file_class_set relabelfrom;
+ ')
+
+ ########################################
+ ##
+-## Delete files on new filesystems
+-## that have not yet been labeled.
++## Create, read, write, and delete directories
++## on new filesystems that have not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3274,18 +3955,18 @@ interface(`files_read_isid_type_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_files',`
++interface(`files_manage_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_files_pattern($1, file_t, file_t)
++ allow $1 file_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete symbolic links on new filesystems
+-## that have not yet been labeled.
++## Mount a filesystem on a directory on new filesystems
++## that has not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3293,18 +3974,18 @@ interface(`files_delete_isid_type_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_symlinks',`
++interface(`files_mounton_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_lnk_files_pattern($1, file_t, file_t)
++ allow $1 file_t:dir { search_dir_perms mounton };
+ ')
+
+ ########################################
+ ##
+-## Delete named pipes on new filesystems
+-## that have not yet been labeled.
++## Mount a filesystem on a new chr_file
++## that has not yet been labeled.
+ ##
+ ##
+ ##
+@@ -3312,17 +3993,17 @@ interface(`files_delete_isid_type_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_fifo_files',`
++interface(`files_mounton_isid_type_chr_file',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- delete_fifo_files_pattern($1, file_t, file_t)
++ allow $1 unlabeled_t:chr_file mounton;
+ ')
+
+ ########################################
+ ##
+-## Delete named sockets on new filesystems
++## Read files on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3331,17 +4012,17 @@ interface(`files_delete_isid_type_fifo_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_sock_files',`
++interface(`files_read_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_sock_files_pattern($1, file_t, file_t)
++ allow $1 file_t:file read_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete block files on new filesystems
++## Delete files on new filesystems
+ ## that have not yet been labeled.
+ ##
+ ##
+@@ -3350,12 +4031,88 @@ interface(`files_delete_isid_type_sock_files',`
+ ##
+ ##
+ #
+-interface(`files_delete_isid_type_blk_files',`
++interface(`files_delete_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+- delete_blk_files_pattern($1, file_t, file_t)
++ delete_files_pattern($1, file_t, file_t)
++')
++
+########################################
+##
-+## Execute files on new filesystems
++## Delete symbolic links on new filesystems
+## that have not yet been labeled.
+##
+##
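Review bot: `files_relabelfrom_isid_type` is named and summarised as granting relabelfrom, but its body is `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, which only silences the denial; either the summary should become `## Do not audit attempts to relabelfrom all file objects on new filesystems` or the body should be an `allow`, and if the dontaudit is intended the name ideally carries `dontaudit` too (renaming does change the caller-facing interface). The summaries in the same hunk also carry the typos "Moundon" and "opbjects". `files_mounton_isid_type_chr_file` requires `unlabeled_t` while every sibling isid interface in this hunk requires `file_t`; presumably that is deliberate for device nodes, but a one-line comment saying so would stop it reading as a copy error.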
@@ -10883,17 +11298,17 @@ index 64ff4d7..87da44f 100644
+##
+##
+#
-+interface(`files_exec_isid_files',`
++interface(`files_delete_isid_type_symlinks',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ can_exec($1, file_t)
++ delete_lnk_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Moundon directories on new filesystems
++## Delete named pipes on new filesystems
+## that have not yet been labeled.
+##
+##
@@ -10902,17 +11317,17 @@ index 64ff4d7..87da44f 100644
+##
+##
+#
-+interface(`files_mounton_isid',`
++interface(`files_delete_isid_type_fifo_files',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ allow $1 file_t:dir mounton;
++ delete_fifo_files_pattern($1, file_t, file_t)
+')
+
+########################################
+##
-+## Relabelfrom all file opbjects on new filesystems
++## Delete named sockets on new filesystems
+## that have not yet been labeled.
+##
+##
@@ -10921,22 +11336,18 @@ index 64ff4d7..87da44f 100644
+##
+##
+#
-+interface(`files_relabelfrom_isid_type',`
++interface(`files_delete_isid_type_sock_files',`
+ gen_require(`
+ type file_t;
+ ')
+
-+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
++ delete_sock_files_pattern($1, file_t, file_t)
+')
-
- ########################################
- ##
-@@ -3246,6 +3948,25 @@ interface(`files_mounton_isid_type_dirs',`
-
- ########################################
- ##
-+## Mount a filesystem on a new chr_file
-+## that has not yet been labeled.
++
++########################################
++##
++## Delete block files on new filesystems
++## that have not yet been labeled.
+##
+##
+##
@@ -10944,20 +11355,16 @@ index 64ff4d7..87da44f 100644
+##
+##
+#
-+interface(`files_mounton_isid_type_chr_file',`
++interface(`files_delete_isid_type_blk_files',`
+ gen_require(`
-+ type unlabeled_t;
++ type file_t;
+ ')
+
-+ allow $1 unlabeled_t:chr_file mounton;
-+')
-+
-+########################################
-+##
- ## Read files on new filesystems
- ## that have not yet been labeled.
- ##
-@@ -3455,6 +4176,25 @@ interface(`files_rw_isid_type_blk_files',`
++ delete_blk_files_pattern($1, file_t, file_t)
+ ')
+
+ ########################################
+@@ -3455,6 +4212,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -10983,7 +11390,7 @@ index 64ff4d7..87da44f 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3534,6 +4274,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3534,6 +4310,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -11011,7 +11418,7 @@ index 64ff4d7..87da44f 100644
## Search home directories root (/home).
##
##
-@@ -3796,20 +4557,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4593,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -11055,98 +11462,64 @@ index 64ff4d7..87da44f 100644
')
########################################
-@@ -4199,174 +4978,215 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +5014,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
--########################################
+#######################################
- ##
--## Allow the specified type to associate
--## to a filesystem with the type of the
--## temporary directory (/tmp).
++##
+## Read manageable system configuration files in /etc
- ##
--##
--##
--## Type of the file to associate.
--##
++##
+##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_associate_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:filesystem associate;
++
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Get the attributes of the tmp directory (/tmp).
++##
+## Manage manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir getattr;
++
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Do not audit attempts to get the
--## attributes of the tmp directory (/tmp).
++##
+## File name transition for system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_getattr_tmp_dirs',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- dontaudit $1 tmp_t:dir getattr;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
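Review bot: The banner lines introducing `files_read_system_conf_files`, `files_manage_system_conf_files` and `files_filetrans_system_conf_named_files` are each a different length and all shorter than the 40-character `########################################` used by the rest of files.if; making them uniform keeps the file's style consistent and avoids the banners standing out in the generated interface docs. The `filetrans_pattern` list in `files_filetrans_system_conf_named_files` continues past the end of this hunk.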
@@ -11164,129 +11537,87 @@ index 64ff4d7..87da44f 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
- ')
-
--########################################
++')
++
+######################################
- ##
--## Search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain to not audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ##
--## Read the tmp directory (/tmp).
++##
+## Create files in /etc with the type used for
+## the manageable system config files.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## The type of the process performing this action.
+##
- ##
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
++##
+## Manage manageable system db files in /var/lib.
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Remove entries from the tmp directory.
++##
+## File name transition for system db files in /var/lib.
- ##
- ##
++##
++##
+##
+## Domain allowed access.
+##
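Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` declare `type usr_t;` in their `gen_require` blocks while the rule each expands references `system_conf_t`, so a caller that does not already require `system_conf_t` elsewhere will fail to build and `usr_t` is required for nothing; both blocks should read `type system_conf_t;`. The two interfaces also carry the identical summary "Relabel manageable system configuration files in /etc.", so the generated documentation cannot distinguish relabelto from relabelfrom; the second should say something like `## Relabel manageable system configuration files in /etc from the system_conf type.`. These interface bodies appear here as context lines, so the mismatch looks pre-existing in the patch rather than introduced by this commit, but the commit rewrites their doc blocks and is the natural place to fix it.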
@@ -11301,106 +11632,67 @@ index 64ff4d7..87da44f 100644
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
+')
+
-+########################################
-+##
-+## Allow the specified type to associate
-+## to a filesystem with the type of the
-+## temporary directory (/tmp).
-+##
-+##
- ##
--## Domain allowed access.
-+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
-+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
-+ allow $1 tmp_t:filesystem associate;
- ')
+ ########################################
+ ##
+ ## Allow the specified type to associate
+@@ -4221,6 +5202,26 @@ interface(`files_associate_tmp',`
########################################
##
--## Read files in the tmp directory (/tmp).
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
++##
++##
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
-+## Get the attributes of the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Get the attributes of the tmp directory (/tmp).
##
##
- ##
-@@ -4374,53 +5194,56 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
-+interface(`files_getattr_tmp_dirs',`
- gen_require(`
+@@ -4234,17 +5235,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
-- manage_dirs_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir getattr;
+ allow $1 tmp_t:dir getattr;
')
########################################
##
--## Manage temporary files and directories in /tmp.
+## Do not audit attempts to check the
+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
++##
++##
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
-+## Do not audit attempts to get the
-+## attributes of the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Do not audit attempts to get the
+ ## attributes of the tmp directory (/tmp).
##
##
##
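Review bot: `files_dontaudit_access_check_tmp` requires `type etc_t;` but its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require block names the wrong type; it should be `type tmp_t;`, otherwise callers that do not already require `tmp_t` will not build and `etc_t` is pulled into their require block for nothing. Separately, the inner hunk for `files_getattr_tmp_dirs` adds `read_lnk_files_pattern($1, tmp_t, tmp_t)` to an interface whose summary is only "Get the attributes of the tmp directory (/tmp)", which silently widens every existing caller to reading symlink targets in /tmp; if that is intended the summary should say so, e.g. `## Get the attributes of the tmp directory (/tmp) and read its symbolic links.`, and if not, the symlink read belongs in a separate interface.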
@@ -11409,218 +11701,70 @@ index 64ff4d7..87da44f 100644
##
##
#
--interface(`files_read_generic_tmp_symlinks',`
-+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
+@@ -4271,6 +5292,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ dontaudit $1 tmp_t:dir getattr;
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
-+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4428,35 +5251,36 @@ interface(`files_read_generic_tmp_symlinks',`
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
-+interface(`files_search_tmp',`
- gen_require(`
+@@ -4307,6 +5329,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Do not audit attempts to search the tmp directory (/tmp).
+@@ -4316,7 +5339,7 @@ interface(`files_list_tmp',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
#
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ dontaudit $1 tmp_t:dir search_dir_perms;
+@@ -4328,6 +5351,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## List all tmp directories.
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4464,59 +5288,55 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Do not audit listing of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
- ')
-
--########################################
+#######################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
++##
+## Allow read and write to the tmp directory (/tmp).
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain not to audit.
+##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-- gen_require(`
-- attribute tmpfile;
-- ')
++##
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- dontaudit $1 tmpfile:file getattr;
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
++')
++
########################################
##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4524,110 +5344,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ ## Remove entries from the tmp directory.
+@@ -4343,6 +5385,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- allow $1 tmpfile:file getattr;
+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## file types.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4384,25 +5427,33 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
--## Read all tmp files.
+-## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
##
+##
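Review bot: `files_rw_generic_tmp_dir` is an `allow` interface, yet its parameter description reads "Domain not to audit."; it should be `## Domain allowed access.` so the generated interface documentation does not present it as a dontaudit interface. The inner hunks for `files_search_tmp` and `files_list_tmp` each add `read_lnk_files_pattern($1, tmp_t, tmp_t)`, which grants symlink reads in /tmp to every existing caller of a search or list interface while the summaries still describe only searching or listing; at minimum the summaries should mention the symlink read, and a least-privilege reading would keep it in a dedicated interface. The `files_search_tmp($1)` call added to `files_delete_tmp_dir_entry` inherits that symlink read as well, which the "Remove entries from the tmp directory." summary does not suggest.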
@@ -11637,1227 +11781,1022 @@ index 64ff4d7..87da44f 100644
##
##
#
--interface(`files_read_all_tmp_files',`
+-interface(`files_manage_generic_tmp_files',`
+interface(`files_execmod_tmp',`
gen_require(`
- attribute tmpfile;
+- type tmp_t;
++ attribute tmpfile;
')
-- read_files_pattern($1, tmpfile, tmpfile)
+- manage_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmpfile:file execmod;
')
########################################
##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
+-## Read symbolic links in the tmp directory (/tmp).
+## Manage temporary files and directories in /tmp.
##
##
##
- ## Domain allowed access.
+@@ -4410,7 +5461,25 @@ interface(`files_manage_generic_tmp_files',`
##
##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
#
--interface(`files_tmp_filetrans',`
+-interface(`files_read_generic_tmp_symlinks',`
+interface(`files_manage_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
++')
++
++########################################
++##
+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4635,22 +5443,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_generic_tmp_symlinks',`
gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Read and write generic named sockets in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4658,17 +5461,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
+ type tmp_t;
')
-
-- allow $1 usr_t:dir setattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4438,6 +5507,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
--## Search the content of /usr.
+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4676,18 +5479,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
++ ')
++
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
++')
++
++########################################
++##
+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
-@@ -4695,35 +5497,35 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
++ ')
++
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## Set the attributes of all tmp directories.
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
+@@ -4456,6 +5561,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
--## Add and remove entries from /usr directories.
+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4731,36 +5533,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ##
- ##
- #
--interface(`files_rw_usr_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
++ ')
++
+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
++')
++
++########################################
++##
+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
++##
++##
++#
+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
++ ')
++
+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
++')
++
++########################################
++##
+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4768,17 +5569,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
++ ')
++
+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## List all tmp directories.
++')
++
++########################################
++##
+ ## List all tmp directories.
+ ##
+ ##
+@@ -4501,7 +5660,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
-@@ -4786,73 +5587,59 @@ interface(`files_delete_usr_dirs',`
+-## Domain not to audit.
++## Domain to not audit.
##
##
#
--interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Relabel to and from all temporary
-+## directory types.
+@@ -4561,7 +5720,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
- ## Domain allowed access.
+-## Domain not to audit.
++## Domain to not audit.
##
##
-+##
#
--interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
+@@ -4593,6 +5752,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
--## Read generic files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
- ##
- ##
--## Domain allowed access.
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
++##
++##
++#
++interface(`files_dontaudit_tmp_file_leaks',`
++ gen_require(`
+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
++ ')
++
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_rw_tmp_file_leaks',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Create an object in the tmp directories, with a private
+ ## type using a type transition.
+ ##
+@@ -4646,6 +5843,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
')
########################################
+@@ -5094,6 +6301,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
##
--## Execute generic programs in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
++## Dontaudit getattr attempts on the system.map file
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++ gen_require(`
++ type system_map_t;
++ ')
++
++ dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++##
+ ## Read system.map in the /boot directory.
##
##
- ##
-@@ -4860,55 +5647,58 @@ interface(`files_read_usr_files',`
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+@@ -5223,6 +6448,24 @@ interface(`files_list_var',`
+
+ ########################################
+ ##
++## Do not audit listing of the var directory (/var).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_list_var',`
++ gen_require(`
++ type var_t;
++ ')
++
++ dontaudit $1 var_t:dir list_dir_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
+ ##
+@@ -5310,7 +6553,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
')
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5507,6 +6750,23 @@ interface(`files_rw_var_lib_dirs',`
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
++#######################################
++##
++## Create directories in /var/lib
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_lib_dirs',`
++ gen_require(`
++ type var_lib_t;
++ ')
++ allow $1 var_lib_t:dir { create rw_dir_perms };
++')
++
########################################
##
--## dontaudit write of /usr files
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
--## Domain to not audit.
+ ## Create objects in the /var/lib directory
+@@ -5578,6 +6838,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
++########################################
++##
++## manage generic symbolic links
++## in the /var/lib directory.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
++##
++##
++#
++interface(`files_manage_var_lib_symlinks',`
++ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
-- dontaudit $1 usr_t:file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
+@@ -5623,7 +6902,7 @@ interface(`files_manage_mounttab',`
########################################
##
--## Create, read, write, and delete files in the /usr directory.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -5631,12 +6910,13 @@ interface(`files_manage_mounttab',`
##
##
#
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+ type var_t, var_lock_t;
')
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
')
########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
- ##
- ##
- ##
-@@ -4916,67 +5706,70 @@ interface(`files_manage_usr_files',`
- ##
- ##
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+@@ -5654,6 +6934,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
')
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
')
+@@ -5680,7 +6961,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
--## Relabel a file from the type used in /usr.
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -5688,13 +6988,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
--interface(`files_relabelfrom_usr_files',`
-+interface(`files_dontaudit_tmp_file_leaks',`
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+- type var_t, var_lock_t;
++ type var_lock_t;
')
-- relabelfrom_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
')
########################################
- ##
--## Read symbolic links in /usr.
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
-+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
+@@ -5713,7 +7012,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
')
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
')
- ########################################
- ##
--## Create objects in the /usr directory
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
- ##
- ##
- ##
+@@ -5746,7 +7045,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
--##
-+##
- ##
--## The type of the object to be created
-+## The type of the object to be created.
- ##
- ##
--##
-+##
- ##
--## The object class.
-+## The object class of the object being created.
- ##
- ##
- ##
-@@ -4985,35 +5778,50 @@ interface(`files_read_usr_symlinks',`
- ##
- ##
+-##
#
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
+ interface(`files_relabel_all_lock_dirs',`
gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
+@@ -5761,7 +7059,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
+-## Get the attributes of generic lock files.
++## Relabel to and from all lock file types.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5769,13 +7067,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
gen_require(`
-- type src_t;
-+ attribute tmpfile;
++ attribute lockfile;
+ type var_t, var_lock_t;
')
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-
- ########################################
- ##
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
- ##
- ##
- ##
-@@ -5021,20 +5829,17 @@ interface(`files_dontaudit_search_src',`
- ##
+@@ -5791,13 +7109,12 @@ interface(`files_getattr_generic_locks',`
##
#
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
')
########################################
- ##
--## Read files in /usr/src.
-+## Search the content of /usr.
- ##
- ##
- ##
-@@ -5042,20 +5847,18 @@ interface(`files_getattr_usr_src_files',`
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
+@@ -5816,9 +7133,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
')
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
')
- ########################################
- ##
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
- ##
- ##
- ##
-@@ -5063,38 +5866,35 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
+@@ -5860,8 +7175,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
')
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5883,8 +7197,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
')
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
- ')
-
- ########################################
- ##
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5102,37 +5902,36 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5921,8 +7234,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
')
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
- ########################################
- ##
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
+@@ -5961,7 +7273,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
')
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:dir setattr;
')
- ########################################
- ##
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5140,35 +5939,35 @@ interface(`files_delete_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
- gen_require(`
-- type var_t;
-+ type usr_t;
+@@ -5981,33 +7293,90 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
')
-- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
++ allow $1 var_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
')
- ########################################
+-########################################
++######################################
##
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Add and remove entries from pid directories.
##
##
- ##
+-##
-## Domain to not audit.
-+## Domain allowed access.
- ##
+-##
++##
++## Domain allowed access.
++##
##
#
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
+-interface(`files_dontaudit_search_pids',`
+- gen_require(`
+- type var_run_t;
+- ')
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rw_dir_perms;
')
- ########################################
+-########################################
++#######################################
##
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5176,36 +5975,55 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
+-## List the contents of the runtime process
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+ ##
+@@ -6021,7 +7390,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6040,7 +7409,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6060,7 +7429,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6122,7 +7491,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
')
+@@ -6151,6 +7519,24 @@ interface(`files_pid_filetrans_lock_dir',`
+
########################################
##
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
++## rw generic pid files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+ ## Read and write generic process ID files.
##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
+@@ -6164,7 +7550,7 @@ interface(`files_rw_generic_pids',`
+ type var_t, var_run_t;
')
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
')
+@@ -6231,55 +7617,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
+-## Read all process ID files.
++## Relable all pid directories
##
##
##
-@@ -5213,36 +6031,37 @@ interface(`files_dontaudit_search_var',`
+ ## Domain allowed access.
##
##
+-##
#
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
gen_require(`
-- type var_t;
-+ type usr_t;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- allow $1 var_t:dir list_dir_perms;
--')
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
-+')
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
########################################
##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
+-## Delete all process IDs.
++## Delete all pid sockets
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
+-##
#
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
+-interface(`files_delete_all_pids',`
++interface(`files_delete_all_pid_sockets',`
gen_require(`
-- type var_t;
-+ type usr_t;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file delete_sock_file_perms;
')
########################################
##
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
+-## Delete all process ID directories.
++## Create all pid sockets
##
##
##
-@@ -5250,17 +6069,17 @@ interface(`files_manage_var_dirs',`
+@@ -6287,42 +7661,35 @@ interface(`files_delete_all_pids',`
##
##
#
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
+-interface(`files_delete_all_pid_dirs',`
++interface(`files_create_all_pid_sockets',`
gen_require(`
-- type var_t;
-+ type usr_t;
+ attribute pidfile;
+- type var_t, var_run_t;
')
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:sock_file create_sock_file_perms;
')
########################################
##
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
+-## Create, read, write and delete all
+-## var_run (pid) content
++## Create all pid named pipes
##
##
##
-@@ -5268,17 +6087,17 @@ interface(`files_read_var_files',`
+-## Domain alloed access.
++## Domain allowed access.
##
##
#
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_pid_pipes',`
gen_require(`
-- type var_t;
-+ type usr_t;
+ attribute pidfile;
')
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
')
########################################
##
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid named pipes
##
##
##
-@@ -5286,73 +6105,86 @@ interface(`files_append_var_files',`
+@@ -6330,18 +7697,18 @@ interface(`files_manage_all_pids',`
##
##
#
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_pipes',`
gen_require(`
-- type var_t;
-+ type usr_t;
+- attribute polymember;
++ attribute pidfile;
')
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
')
########################################
##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
+-## Search the contents of generic spool
+-## directories (/var/spool).
++## manage all pidfile directories
++## in the /var/run directory.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -6349,37 +7716,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
+-interface(`files_search_spool',`
++interface(`files_manage_all_pid_dirs',`
gen_require(`
-- type var_t;
-+ type usr_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
+- search_dirs_pattern($1, var_t, var_spool_t)
++ manage_dirs_pattern($1,pidfile,pidfile)
')
++
########################################
##
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
+-## Do not audit attempts to search generic
+-## spool directories.
++## Read all process ID files.
##
##
##
- ## Domain allowed access.
+-## Domain to not audit.
++## Domain allowed access.
##
##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
++##
#
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
gen_require(`
-- type var_t;
-+ type usr_t;
+- type var_spool_t;
++ attribute pidfile;
++ type var_t;
')
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
+- dontaudit $1 var_spool_t:dir search_dir_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
')
########################################
##
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Relable all pid files
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -6387,18 +7757,17 @@ interface(`files_dontaudit_search_spool',`
##
##
#
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
+-interface(`files_list_spool',`
++interface(`files_relabel_all_pid_files',`
gen_require(`
-- type var_t;
-+ type src_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
+- list_dirs_pattern($1, var_t, var_spool_t)
++ relabel_files_pattern($1, pidfile, pidfile)
')
########################################
##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
++## Execute generic programs in /var/run in the caller domain.
##
##
##
-@@ -5360,50 +6192,41 @@ interface(`files_read_var_symlinks',`
+@@ -6406,18 +7775,18 @@ interface(`files_list_spool',`
##
##
#
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
+-interface(`files_manage_generic_spool_dirs',`
++interface(`files_exec_generic_pid_files',`
gen_require(`
-- type var_t;
-+ type usr_t, src_t;
+- type var_t, var_spool_t;
++ type var_run_t;
')
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5411,69 +6234,56 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ exec_files_pattern($1, var_run_t, var_run_t)
')
########################################
##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
+-## Read generic spool files.
++## manage all pidfiles
++## in the /var/run directory.
##
##
##
- ## Domain to not audit.
+@@ -6425,19 +7794,18 @@ interface(`files_manage_generic_spool_dirs',`
##
##
--##
#
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
+-interface(`files_read_generic_spool',`
++interface(`files_manage_all_pids',`
gen_require(`
-- type var_lib_t;
-+ type system_map_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
')
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
++ manage_files_pattern($1,pidfile,pidfile)
')
########################################
##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5481,17 +6291,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
+-## Create, read, write, and delete generic
+-## spool files.
++## Mount filesystems on all polyinstantiation
++## member directories.
##
##
##
-@@ -5499,70 +6310,54 @@ interface(`files_list_var_lib',`
+@@ -6445,55 +7813,43 @@ interface(`files_read_generic_spool',`
##
##
#
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
+-interface(`files_manage_generic_spool',`
++interface(`files_mounton_all_poly_members',`
gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
+- type var_t, var_spool_t;
++ attribute polymember;
')
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
++ allow $1 polymember:dir mounton;
')
########################################
##
--## Create objects in the /var/lib directory
-+## Search the contents of /var.
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Delete all process IDs.
##
##
##
## Domain allowed access.
##
##
--##
+-##
-##
--## The type of the object to be created
+-## Type to which the created node will be transitioned.
-##
-##
--##
+-##
-##
--## The object class.
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
-##
-##
-##
@@ -12865,1702 +12804,138 @@ index 64ff4d7..87da44f 100644
-## The name of the object being created.
-##
-##
++##
#
--interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t, var_run_t;
')
++ files_search_pids($1)
allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
')
########################################
##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process ID directories.
##
##
##
-@@ -5570,41 +6365,36 @@ interface(`files_read_var_lib_files',`
+@@ -6501,64 +7857,887 @@ interface(`files_spool_filetrans',`
##
##
#
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
')
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
-
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
')
########################################
##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
+-## Unconfined access to files.
++## Make the specified type a file
++## used for spool files.
##
- ##
+-##
++##
++##
++## Make the specified type usable for spool files.
++## This will also make the type usable for files, making
++## calls to files_type() redundant. Failure to use this interface
++## for a spool file may result in problems with
++## purging spool files.
++##
++##
++## Related interfaces:
++##
++##
++## - files_spool_filetrans()
++##
++##
++## Example usage with a domain that can create and
++## write its spool file in the system spool file
++## directories (/var/spool):
++##
++##
++## type myspoolfile_t;
++## files_spool_file(myfile_spool_t)
++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
++## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
++##
++##
++##
##
-@@ -5612,36 +6402,36 @@ interface(`files_manage_urandom_seed',`
+-## Domain allowed access.
++## Type of the file to be used as a
++## spool file.
##
##
++##
#
--interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
+-interface(`files_unconfined',`
++interface(`files_spool_file',`
gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
+- attribute files_unconfined_type;
++ attribute spoolfile;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5649,38 +6439,35 @@ interface(`files_setattr_lock_dirs',`
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Read files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5688,19 +6475,17 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5708,60 +6493,54 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5769,20 +6548,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5790,86 +6567,120 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Create objects in the /var directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Delete all lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Read all lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_read_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+##
-+#
-+interface(`files_dontaudit_search_var_lib',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
-@@ -5877,37 +6688,66 @@ interface(`files_read_all_locks',`
- ##
- ##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ list_dirs_pattern($1, var_t, var_lib_t)
-+')
-+
-+###########################################
-+##
-+## Read-write /var/lib directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+#######################################
-+##
-+## Create directories in /var/lib
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
- ##
--## The type of the object to be created.
-+## The type of the object to be created
- ##
- ##
--##
-+##
- ##
--## The object class of the object being created.
-+## The object class.
- ##
- ##
- ##
-@@ -5916,39 +6756,37 @@ interface(`files_manage_all_locks',`
- ##
- ##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## Read generic files in /var/lib.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /var/run directory.
-+## Read generic symbolic links in /var/lib
- ##
- ##
- ##
-@@ -5956,19 +6794,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_read_var_lib_symlinks',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## manage generic symbolic links
-+## in the /var/lib directory.
- ##
- ##
- ##
-@@ -5976,18 +6813,495 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_manage_var_lib_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
- ')
-
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
- ########################################
- ##
--## Do not audit attempts to search
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Get the attributes of generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_lock_filetrans',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+######################################
-+##
-+## Add and remove entries from pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create generic pid directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
- ## the /var/run directory.
- ##
- ##
-@@ -5996,19 +7310,675 @@ interface(`files_search_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_dontaudit_search_pids',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Write named generic process ID pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_write_generic_pid_pipes',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
-+')
-+
-+########################################
-+##
-+## Create an object in the process ID directory, with a private type.
-+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
-+#
-+interface(`files_pid_filetrans',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_pid_filetrans_lock_dir',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
-+')
-+
-+########################################
-+##
-+## rw generic pid files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Read and write generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_getattr_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to write to daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_write_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to ioctl daemon runtime data files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_ioctl_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
-+ ')
-+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
-+## Relable all pid directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Delete all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Create all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+##
-+## manage all pidfile directories
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Relable all pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Execute generic programs in /var/run in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## manage all pidfiles
-+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+##
-+## Mount filesystems on all polyinstantiation
-+## member directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_mounton_all_poly_members',`
-+ gen_require(`
-+ attribute polymember;
-+ ')
-+
-+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
-+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
-+## Make the specified type a file
-+## used for spool files.
-+##
-+##
-+##
-+## Make the specified type usable for spool files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a spool file may result in problems with
-+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its spool file in the system spool file
-+## directories (/var/spool):
-+##
-+##
-+## type myspoolfile_t;
-+## files_spool_file(myfile_spool_t)
-+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
-+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
-+##
-+##
-+##
-+## Type of the file to be used as a
-+## spool file.
-+##
-+##
-+##
-+#
-+interface(`files_spool_file',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
+- typeattribute $1 files_unconfined_type;
+ files_type($1)
+ typeattribute $1 spoolfile;
+')
@@ -14653,94 +13028,73 @@ index 64ff4d7..87da44f 100644
+##
+#
+interface(`files_dontaudit_search_spool',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_spool_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
++ ')
++
+ dontaudit $1 var_spool_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
++')
++
++########################################
++##
+## List the contents of generic spool
+## (/var/spool) directories.
- ##
- ##
- ##
-@@ -6016,18 +7986,18 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_list_spool',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ ')
++
+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -6035,19 +8005,18 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## Read generic spool files.
- ##
- ##
- ##
-@@ -6055,43 +8024,151 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_generic_spool',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Create, read, write, and delete generic
+## spool files.
+##
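Review bot: In the inner patch's new `files_manage_generic_spool_dirs`, the /var traversal is granted with a bare `allow $1 var_t:dir search_dir_perms;` while the sibling spool interfaces added in this same hunk (`files_list_spool`, `files_read_generic_spool`) obtain it through the `*_dirs_pattern($1, var_t, var_spool_t)` helpers. Using `search_dirs_pattern($1, var_t, var_spool_t)` in place of the raw allow would keep the four spool interfaces written in one style and make the `type var_t` entry in gen_require self-explanatory. The effective permissions are the same either way, so this is a consistency point rather than a policy change; the enclosing inner hunk's header block for `files_dontaudit_search_spool` starts before this outer hunk.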
@@ -14871,40 +13225,17 @@ index 64ff4d7..87da44f 100644
+########################################
+##
+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##
++##
++##
+## Create a core file in /,
- ##
- ##
- ##
-@@ -6099,14 +8176,82 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+#
+interface(`files_manage_root_files',`
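Review bot: The summary block for the new `files_manage_root_files` interface reads `## Create a core files in /` and its description `## Create a core file in /,` ends mid-sentence, so neither grammatical nor matching the name, which implies full manage access rather than core-file creation. If the body (outside this hunk) grants manage permissions on the root directory type as the name suggests, the summary should say so, e.g. `## Create, read, write, and delete files in /`, with the description completing the sentence or being dropped; if it really only covers core files, the interface name is the thing to fix. The interface body continues past the end of the hunk, so I cannot confirm which of the two applies from here.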
@@ -14974,401 +13305,291 @@ index 64ff4d7..87da44f 100644
+##
+##
+##
- ##
--## The type of the object to be created.
++##
+## Type of the directory to be transitioned from
- ##
- ##
- ##
- ##
--## The object class of the object being created.
++##
++##
++##
++##
+## The class of the object being created.
- ##
- ##
- ##
-@@ -6114,65 +8259,56 @@ interface(`files_write_generic_pid_pipes',`
- ## The name of the object being created.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
-- gen_require(`
-- type var_t, var_run_t;
-- ')
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
+interface(`files_filetrans_lib',`
+ gen_require(`
+ type lib_t, lib_t;
+ ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++
+ filetrans_pattern($1, $2, lib_t, $3, $4)
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
++')
++
++########################################
++##
+## manage generic symbolic links
+## in the /var/run directory.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
++##
++##
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_lock_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
++')
++
++########################################
++##
+## Do not audit attempts to getattr
+## all tmpfs files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
++')
++
++########################################
++##
+## Allow read write all tmpfs files
- ##
- ##
- ##
-@@ -6180,19 +8316,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
++ ')
++
+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6200,38 +8334,43 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
++ ')
++
+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
++')
++
++########################################
++##
+## rw any files inherited from another process
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
+##
+## Object type.
+##
+##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
-@@ -6240,127 +8379,111 @@ interface(`files_dontaudit_ioctl_all_pids',`
- ##
- ##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
--
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
+ allow $1 file_type:file entrypoint;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Do not audit attempts to read or write
+## all leaked files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
++##
++##
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Allow domain to create_file_ass all types
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## Do not audit attempts to write to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++##
+## Allow domain to delete to all files
- ##
- ##
- ##
-@@ -6368,132 +8491,188 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++#
+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type etc_t;
+ type mnt_t;
+ type usr_t;
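Review bot: The parameter description for `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs` reads `## Domain to not audit.` although both interfaces emit `allow` rules, not `dontaudit`; it should read `## Domain allowed access.` as the other allow interfaces in this hunk do. Separately, `files_filetrans_lib` declares `type lib_t, lib_t;` in its gen_require — the policy evidently builds with it, but the duplicate reads like a copy-paste slip and should be `type lib_t;`. Both lines are on the new side of the regenerated files.if hunk and are not among the changes this commit makes.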
@@ -15377,10 +13598,8 @@ index 64ff4d7..87da44f 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -15417,15 +13636,13 @@ index 64ff4d7..87da44f 100644
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Make the specified type a
+## base file.
- ##
--##
++##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -15433,25 +13650,20 @@ index 64ff4d7..87da44f 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type to be used as a base files.
- ##
- ##
++##
++##
+##
- #
--interface(`files_read_generic_spool',`
++#
+interface(`files_base_file',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_file_type;
- ')
++ ')
+ files_type($1)
+ typeattribute $1 base_file_type;
+')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++
+########################################
+##
+## Make the specified type a
@@ -15475,155 +13687,82 @@ index 64ff4d7..87da44f 100644
+ ')
+ files_base_file($1)
+ typeattribute $1 base_ro_file_type;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## Read all ro base files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_manage_generic_spool',`
++#
+interface(`files_read_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Execute all base ro files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ##
- ##
- ##
-@@ -6501,53 +8680,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6555,10 +8698,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_status_etc',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ type etc_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 etc_t:service status;
')
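Review bot: The description of `files_config_all_files` ("modify the systemd configuration of any file") understates what the rule grants: `allow $1 file_type:service all_service_perms;` gives every permission in `all_service_perms` over service objects backed by any type carrying the `file_type` attribute, which presumably includes the unit-file types. Suggest the summary read `## Grant all service-class permissions on units labeled with any file type.` so callers see this is a broad administrative grant rather than a configuration edit, and note `files_status_etc` below as the narrow per-type form.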
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 2115a33..bd19ccb 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2970,7 +2970,7 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..83590aa
+index 0000000..8cc6120
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,273 @@
@@ -3040,7 +3040,7 @@ index 0000000..83590aa
+# antivirus domain local policy
+#
+
-+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
++allow antivirus_domain self:capability { dac_override chown kill setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
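Review bot: `sys_admin` is added to the antivirus_domain capability set with no comment recording which operation requires it; CAP_SYS_ADMIN is the broadest Linux capability (mount, namespace and many privileged ioctls), so a later reviewer cannot tell whether a narrower grant or a dontaudit would do. Suggest `# sys_admin: <operation seen in the AVC, see BZ-PLACEHOLDER>` above the allow line. The changelog entry in the spec only says the capability is allowed, not why.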
@@ -48782,7 +48782,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..00557d0 100644
+index afd2fad..459c46a 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -48986,11 +48986,11 @@ index afd2fad..00557d0 100644
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+
+logging_append_all_logs(system_mail_t)
+
@@ -49107,7 +49107,18 @@ index afd2fad..00557d0 100644
')
optional_policy(`
-@@ -293,42 +210,36 @@ optional_policy(`
+@@ -285,6 +202,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_write_inhibit_pipes(system_mail_t)
++')
++
++optional_policy(`
+ userdom_dontaudit_use_user_ptys(system_mail_t)
+
+ optional_policy(`
+@@ -293,42 +214,36 @@ optional_policy(`
')
optional_policy(`
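Review bot: The new `systemd_write_inhibit_pipes(system_mail_t)` block carries no comment; the changelog ties it to newaliases, but system_mail_t is shared by the other mail helpers, so the grant is wider than the named trigger. Suggest `# newaliases inherits a systemd inhibit pipe` (or whichever leak the AVC showed) above the call so the reason stays with the rule. The enclosing optional_policy chain continues outside the hunk.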
@@ -49160,7 +49171,7 @@ index afd2fad..00557d0 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +248,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +252,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -49209,7 +49220,7 @@ index afd2fad..00557d0 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -378,6 +275,17 @@ optional_policy(`
+@@ -378,6 +279,17 @@ optional_policy(`
')
optional_policy(`
@@ -49227,7 +49238,7 @@ index afd2fad..00557d0 100644
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
-@@ -387,24 +295,177 @@ optional_policy(`
+@@ -387,24 +299,177 @@ optional_policy(`
########################################
#
@@ -75597,10 +75608,10 @@ index 4b2c272..1aee969 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..2bf7656 100644
+index c5ad6de..af2d46f 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
-@@ -1,10 +1,19 @@
+@@ -1,10 +1,18 @@
/etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0)
-/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
@@ -75609,7 +75620,6 @@ index c5ad6de..2bf7656 100644
+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0)
+
+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
-+/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmqctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
+
+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0)
@@ -90413,10 +90423,10 @@ index d204752..31cc6e6 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..64e130f 100644
+index 5e82fd6..d31876d 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,27 +9,35 @@ type sensord_t;
+@@ -9,27 +9,37 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -90448,10 +90458,12 @@ index 5e82fd6..64e130f 100644
manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
files_pid_filetrans(sensord_t, sensord_var_run_t, file)
- dev_read_sysfs(sensord_t)
+-dev_read_sysfs(sensord_t)
++kernel_read_system_state(sensord_t)
-files_read_etc_files(sensord_t)
--
++dev_read_sysfs(sensord_t)
+
logging_send_syslog_msg(sensord_t)
-miscfiles_read_localization(sensord_t)
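Review bot: `kernel_read_system_state(sensord_t)` is added without a comment, although the changelog ties it to BZ(#1143799); nothing in the .te records that, and the interface grants read of generic /proc content rather than one file. Suggest `# BZ(#1143799): sensord reads /proc` above the call, and confirm the denial was on the generic proc type — if it was a sysctl path, a narrower kernel sysctl read interface would fit better.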
@@ -91509,7 +91521,7 @@ index 7880d1f..8804935 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
-index ba26427..5149419 100644
+index ba26427..f2745d2 100644
--- a/slocate.te
+++ b/slocate.te
@@ -18,7 +18,7 @@ files_type(locate_var_lib_t)
@@ -91521,15 +91533,20 @@ index ba26427..5149419 100644
allow locate_t self:fifo_file rw_fifo_file_perms;
allow locate_t self:unix_stream_socket create_socket_perms;
-@@ -35,6 +35,7 @@ dev_getattr_all_blk_files(locate_t)
+@@ -35,8 +35,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
++files_getattr_isid_type(locate_t)
files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
++files_getattr_all_chr_files(locate_t)
++files_getattr_all_blk_files(locate_t)
files_getattr_all_pipes(locate_t)
-@@ -53,7 +54,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+@@ -53,7 +57,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
@@ -91537,7 +91554,7 @@ index ba26427..5149419 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
-@@ -62,3 +62,8 @@ ifdef(`enable_mls',`
+@@ -62,3 +65,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
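Review bot: `files_getattr_isid_type(locate_t)` is called, but I cannot see an interface of that name being added in the files.if hunks of this commit — only `files_getattr_all_chr_files` and `files_getattr_all_blk_files` are visibly defined, and the existing `files_list_isid_type_dirs` call suggests the isid family already exists. If the definition is not already present in files.if, the module build fails on the undefined interface, so confirm it. The two new chr/blk getattr calls are consistent with the `dev_getattr_all_*` calls already above them.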
@@ -100192,7 +100209,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..bb7c53f 100644
+index 8840be6..604c840 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -100217,7 +100234,8 @@ index 8840be6..bb7c53f 100644
# Local policy
#
- allow usbmuxd_t self:capability { kill setgid setuid };
+-allow usbmuxd_t self:capability { kill setgid setuid };
++allow usbmuxd_t self:capability { chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
allow usbmuxd_t self:process { signal signull };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
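Review bot: `chown` is added to the usbmuxd_t capability set without a comment naming the object whose ownership usbmuxd changes, so the grant cannot be checked against the actual need. Suggest `# chown: <file-or-socket placeholder> ownership change` above the rule. If the AVC came from a startup permission probe rather than a real ownership change, a `dontaudit` next to the existing `sys_resource` dontaudit would be the narrower fix.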
@@ -106742,7 +106760,7 @@ index fd2b6cc..938c4a7 100644
+')
+
diff --git a/wine.te b/wine.te
-index b51923c..f38d4b1 100644
+index b51923c..e5944be 100644
--- a/wine.te
+++ b/wine.te
@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
@@ -106758,7 +106776,7 @@ index b51923c..f38d4b1 100644
type wine_exec_t;
userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;
-@@ -25,56 +26,59 @@ role wine_roles types wine_t;
+@@ -25,56 +26,63 @@ role wine_roles types wine_t;
type wine_home_t;
userdom_user_home_content(wine_home_t)
@@ -106770,30 +106788,30 @@ index b51923c..f38d4b1 100644
# Local policy
#
+domain_mmap_low(wine_t)
-
--allow wine_t self:process { execstack execmem execheap };
--allow wine_t self:fifo_file manage_fifo_file_perms;
++
+optional_policy(`
+ unconfined_domain(wine_t)
+')
--can_exec(wine_t, wine_exec_t)
+-allow wine_t self:process { execstack execmem execheap };
+-allow wine_t self:fifo_file manage_fifo_file_perms;
--userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
+-can_exec(wine_t, wine_exec_t)
+########################################
+#
+# Common wine domain policy
+#
+-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
++allow wine_domain self:process { execstack execmem execheap };
++allow wine_domain self:fifo_file manage_fifo_file_perms;
+
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
-+allow wine_domain self:process { execstack execmem execheap };
-+allow wine_domain self:fifo_file manage_fifo_file_perms;
++can_exec(wine_domain, wine_exec_t)
-domain_mmap_low(wine_t)
-+can_exec(wine_domain, wine_exec_t)
-+
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
@@ -106828,19 +106846,21 @@ index b51923c..f38d4b1 100644
optional_policy(`
- rtkit_scheduled(wine_t)
-+ rtkit_scheduled(wine_domain)
++ gnome_create_generic_cache_dir(wine_domain)
')
optional_policy(`
- unconfined_domain(wine_t)
-+ xserver_read_xdm_pid(wine_domain)
-+ xserver_rw_shm(wine_domain)
++ rtkit_scheduled(wine_domain)
')
--optional_policy(`
+ optional_policy(`
- xserver_read_xdm_pid(wine_t)
- xserver_rw_shm(wine_t)
--')
++ xserver_read_xdm_pid(wine_domain)
++ xserver_rw_shm(wine_domain)
+ ')
++
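Review bot: The final added line leaves a stray blank line at the end of wine.te, which the other modules in this diff do not have; drop it so the file ends at the closing `')`. The split of rtkit and xserver calls into separate optional_policy blocks otherwise matches the surrounding style.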
diff --git a/wireshark.te b/wireshark.te
index cf5cab6..a2d910f 100644
--- a/wireshark.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e631b85..8fdf541 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 185%{?dist}
+Release: 186%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 22 2014 Lukas Vrabec 3.12.1-186
+- Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
+- Allow sensord read in /proc BZ(#1143799)
+- Allow sys_admin capability for antivirus domians.
+- Allow usbmuxd chown capabilities
+- Remove labeling for rabbitmqctl
+- Allow wine domains to create cache dirs.
+- Allow newaliases to systemd inhibit pipes.
+
* Thu Sep 11 2014 Lukas Vrabec 3.12.1-185
- Label /usr/lib/erlang/erts.*/bin files as bin_t
- Added changes related to rabbitmq daemon.