From 445522dcb0e67bce8e20ae9ece2058d25543169a Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jan 31 2006 16:49:43 +0000
Subject: renaming from 20060131 interface review, round 2
---
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index e632a4a..37e9256 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -34,7 +34,7 @@ can_exec(acct_t,acct_exec_t)
 kernel_list_proc(acct_t)
 kernel_read_system_state(acct_t)
-kernel_read_kernel_sysctl(acct_t)
+kernel_read_kernel_sysctls(acct_t)
 dev_read_sysfs(acct_t)
 # for SSP
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 046cf69..367ec24 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -123,9 +123,9 @@ allow amanda_t amanda_tmp_t:file create_file_perms;
 files_filetrans_tmp(amanda_t, amanda_tmp_t, { file dir })
 kernel_read_system_state(amanda_t)
-kernel_read_kernel_sysctl(amanda_t)
-kernel_dontaudit_getattr_unlabeled_file(amanda_t)
-kernel_dontaudit_read_proc_symlink(amanda_t)
+kernel_read_kernel_sysctls(amanda_t)
+kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+kernel_dontaudit_read_proc_symlinks(amanda_t)
 # Added for targeted policy
 term_use_unallocated_tty(amanda_t)
@@ -216,7 +216,7 @@ allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
 files_filetrans_tmp(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_system_state(amanda_recover_t)
-kernel_read_kernel_sysctl(amanda_recover_t)
+kernel_read_kernel_sysctls(amanda_recover_t)
 corenet_tcp_sendrecv_all_if(amanda_recover_t)
 corenet_udp_sendrecv_all_if(amanda_recover_t)
diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te
index 80b4766..8d3e83e 100644
--- a/refpolicy/policy/modules/admin/ddcprobe.te
+++ b/refpolicy/policy/modules/admin/ddcprobe.te
@@ -21,7 +21,7 @@ allow ddcprobe_t self:capability { sys_rawio sys_admin };
 allow ddcprobe_t self:process execmem;
 kernel_read_system_state(ddcprobe_t)
-kernel_read_kernel_sysctl(ddcprobe_t)
+kernel_read_kernel_sysctls(ddcprobe_t)
 kernel_change_ring_buffer_level(ddcprobe_t)
 bootloader_search_kernel_modules(ddcprobe_t)
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 047571a..6aa6d26 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -31,7 +31,7 @@ ifdef(`strict_policy',`
 allow dmesg_t self:process signal_perms;
- kernel_read_kernel_sysctl(dmesg_t)
+ kernel_read_kernel_sysctls(dmesg_t)
 kernel_read_ring_buffer(dmesg_t)
 kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 511c65f..3df58b1 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -46,7 +46,7 @@ files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
 unconfined_domain_template(firstboot_t)
 kernel_read_system_state(firstboot_t)
-kernel_read_kernel_sysctl(firstboot_t)
+kernel_read_kernel_sysctls(firstboot_t)
 corenet_tcp_sendrecv_all_if(firstboot_t)
 corenet_raw_sendrecv_all_if(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 7b9647a..09d472e 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -40,12 +40,12 @@ files_filetrans_pid(kudzu_t,kudzu_var_run_t)
 kernel_change_ring_buffer_level(kudzu_t)
 kernel_list_proc(kudzu_t)
-kernel_read_device_sysctl(kudzu_t)
-kernel_read_kernel_sysctl(kudzu_t)
+kernel_read_device_sysctls(kudzu_t)
+kernel_read_kernel_sysctls(kudzu_t)
 kernel_read_proc_symlinks(kudzu_t)
 kernel_read_network_state(kudzu_t)
 kernel_read_system_state(kudzu_t)
-kernel_rw_hotplug_sysctl(kudzu_t)
+kernel_rw_hotplug_sysctls(kudzu_t)
 kernel_rw_kernel_sysctl(kudzu_t)
 bootloader_read_kernel_modules(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 686dd57..7ea0fd5 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -65,7 +65,7 @@ allow logrotate_t logrotate_var_lib_t:file create_file_perms;
 files_filetrans_var_lib(logrotate_t, logrotate_var_lib_t)
 kernel_read_system_state(logrotate_t)
-kernel_read_kernel_sysctl(logrotate_t)
+kernel_read_kernel_sysctls(logrotate_t)
 dev_read_urand(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index 6a39b5c..28856ea 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -34,8 +34,8 @@ allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
 allow logwatch_t logwatch_tmp_t:file create_file_perms;
 files_filetrans_tmp(logwatch_t, logwatch_tmp_t, { file dir })
-kernel_read_fs_sysctl(logwatch_t)
-kernel_read_kernel_sysctl(logwatch_t)
+kernel_read_fs_sysctls(logwatch_t)
+kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
 corecmd_read_sbin_symlink(logwatch_t)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index d5adc90..363ee67 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
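Review bot: `kernel_rw_kernel_sysctl(kudzu_t)` on the context line directly after the renamed `kernel_rw_hotplug_sysctls(kudzu_t)` keeps the singular form, while every other read/rw sysctl interface this commit touches is pluralised (`kernel_read_kernel_sysctls`, `kernel_rw_hotplug_sysctls`, `kernel_rw_net_sysctls`, and so on). No hunk in this diff renames `kernel_rw_kernel_sysctl` in kernel.if — the `@@ -1202` hunk only shows it as header context — so it may be deliberately deferred, but as it stands callers now read `kernel_read_kernel_sysctls` next to `kernel_rw_kernel_sysctl` for the same sysctl set. The same applies to `kernel_dontaudit_write_kernel_sysctl(updfstab_t)` in the updfstab.te hunk. If the omission is intended, a line in the commit message listing the interfaces still to be renamed would save the next reviewer the search.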
@@ -135,9 +135,9 @@ template(`portage_compile_domain_template',`
 kernel_read_system_state($1_t)
 kernel_read_network_state($1_t)
 kernel_read_software_raid_state($1_t)
- kernel_getattr_core($1_t)
+ kernel_getattr_core_if($1_t)
 kernel_getattr_message_if($1_t)
- kernel_read_kernel_sysctl($1_t)
+ kernel_read_kernel_sysctls($1_t)
 corecmd_exec_bin($1_t)
 corecmd_exec_sbin($1_t)
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index a73ab9e..e98ff14 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -68,7 +68,7 @@ allow portage_sandbox_t portage_t:process sigchld;
 can_exec(portage_t,portage_tmp_t)
 # merging baselayout will need this:
-kernel_write_proc_file(portage_t)
+kernel_write_proc_files(portage_t)
 domain_dontaudit_read_all_domains_state(portage_t)
@@ -133,7 +133,7 @@ files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir })
 dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
 kernel_read_system_state(portage_fetch_t)
-kernel_read_kernel_sysctl(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
 corecmd_exec_bin(portage_fetch_t)
 corecmd_exec_sbin(portage_fetch_t)
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 2ef2881..2d76768 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -25,7 +25,7 @@ allow quota_t quota_db_t:file { read write quotaon };
 kernel_list_proc(quota_t)
 kernel_read_proc_symlinks(quota_t)
-kernel_read_kernel_sysctl(quota_t)
+kernel_read_kernel_sysctls(quota_t)
 dev_read_sysfs(quota_t)
 dev_getattr_all_blk_files(quota_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 5a53646..dba1942 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -25,9 +25,9 @@ allow readahead_t readahead_var_run_t:file create_file_perms;
 allow readahead_t readahead_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(readahead_t,readahead_var_run_t)
-kernel_read_kernel_sysctl(readahead_t)
+kernel_read_kernel_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
-kernel_dontaudit_getattr_core(readahead_t)
+kernel_dontaudit_getattr_core_if(readahead_t)
 dev_read_sysfs(readahead_t)
 dev_getattr_generic_chr_files(readahead_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 8ebe034..2a56ed8 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -88,7 +88,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
 files_filetrans_var_lib(rpm_t,rpm_var_lib_t,dir)
 kernel_read_system_state(rpm_t)
-kernel_read_kernel_sysctl(rpm_t)
+kernel_read_kernel_sysctls(rpm_t)
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
@@ -254,7 +254,7 @@ allow rpm_script_t rpm_t:fd use;
 allow rpm_script_t rpm_t:fifo_file rw_file_perms;
 allow rpm_script_t rpm_t:process sigchld;
-kernel_read_kernel_sysctl(rpm_script_t)
+kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 dev_list_sysfs(rpm_script_t)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index c04e59e..f77cf95 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -35,7 +35,7 @@ template(`su_restricted_domain_template', `
 allow $1_su_t $2:process sigchld;
 kernel_read_system_state($1_su_t)
- kernel_read_kernel_sysctl($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
 # for SSP
 dev_read_urand($1_su_t)
@@ -143,7 +143,7 @@ template(`su_per_userdomain_template',`
 allow $1_su_t $2:process sigchld;
 kernel_read_system_state($1_su_t)
- kernel_read_kernel_sysctl($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
 # for SSP
 dev_read_urand($1_su_t)
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 49b17e7..da50571 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -80,7 +80,7 @@ template(`sudo_per_userdomain_template',`
 allow $1_sudo_t $2:fifo_file rw_file_perms;
 allow $1_sudo_t $2:process sigchld;
- kernel_read_kernel_sysctl($1_sudo_t)
+ kernel_read_kernel_sysctls($1_sudo_t)
 kernel_read_system_state($1_sudo_t)
 dev_read_urand($1_sudo_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 1dfe289..83b4daf 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -21,7 +21,7 @@ allow updfstab_t self:process signal_perms;
 allow updfstab_t self:fifo_file { getattr read write ioctl };
 kernel_use_fd(updfstab_t)
-kernel_read_kernel_sysctl(updfstab_t)
+kernel_read_kernel_sysctls(updfstab_t)
 kernel_dontaudit_write_kernel_sysctl(updfstab_t)
 # for /proc/partitions
 kernel_read_system_state(updfstab_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 8250da7..86c9366 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -80,7 +80,7 @@ allow chfn_t self:unix_dgram_socket sendto;
 allow chfn_t self:unix_stream_socket connectto;
 kernel_read_system_state(chfn_t)
-kernel_read_kernel_sysctl(chfn_t)
+kernel_read_kernel_sysctls(chfn_t)
 selinux_get_fs_mount(chfn_t)
 selinux_validate_context(chfn_t)
@@ -285,7 +285,7 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir r_dir_perms;
 allow passwd_t crack_db_t:file r_file_perms;
-kernel_read_kernel_sysctl(passwd_t)
+kernel_read_kernel_sysctls(passwd_t)
 # for SSP
 dev_read_urand(passwd_t)
@@ -372,7 +372,7 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
 files_filetrans_tmp(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
-kernel_read_kernel_sysctl(sysadm_passwd_t)
+kernel_read_kernel_sysctls(sysadm_passwd_t)
 # for /proc/meminfo
 kernel_read_system_state(sysadm_passwd_t)
@@ -461,7 +461,7 @@ selinux_compute_create_context(useradd_t)
 selinux_compute_relabel_context(useradd_t)
 selinux_compute_user_contexts(useradd_t)
 # for getting the number of groups
-kernel_read_kernel_sysctl(useradd_t)
+kernel_read_kernel_sysctls(useradd_t)
 fs_search_auto_mountpoints(useradd_t)
 fs_getattr_xattr_fs(useradd_t)
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index cd23712..f266f9e 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -45,8 +45,8 @@ files_filetrans_pid(vpnc_t,vpnc_var_run_t)
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctl(vpnc_t)
-kernel_rw_net_sysctl(vpnc_t)
+kernel_read_kernel_sysctls(vpnc_t)
+kernel_rw_net_sysctls(vpnc_t)
 corenet_tcp_sendrecv_all_if(vpnc_t)
 corenet_udp_sendrecv_all_if(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index e0e0e26..2088080 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -75,7 +75,7 @@ template(`java_per_userdomain_template',`
 allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh };
 allow $1_javaplugin_t $2:process signull;
- kernel_read_all_sysctl($1_javaplugin_t)
+ kernel_read_all_sysctls($1_javaplugin_t)
 kernel_search_vm_sysctl($1_javaplugin_t)
 kernel_read_network_state($1_javaplugin_t)
 kernel_read_system_state($1_javaplugin_t)
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index 1f8137b..07b8052 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@@ -94,7 +94,7 @@ template(`screen_per_userdomain_template',`
 allow $2 $1_screen_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
 kernel_read_system_state($1_screen_t)
- kernel_read_kernel_sysctl($1_screen_t)
+ kernel_read_kernel_sysctls($1_screen_t)
 corecmd_list_bin($1_screen_t)
 corecmd_read_bin_file($1_screen_t)
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index 0ba786c..67abfd2 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -78,7 +78,7 @@ template(`userhelper_per_userdomain_template',`
 dontaudit $2 $1_userhelper_t:process signal;
- kernel_read_all_sysctl($1_userhelper_t)
+ kernel_read_all_sysctls($1_userhelper_t)
 kernel_getattr_debugfs($1_userhelper_t)
 kernel_read_system_state($1_userhelper_t)
diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te
index ec38a72..4bb7741 100644
--- a/refpolicy/policy/modules/apps/usernetctl.te
+++ b/refpolicy/policy/modules/apps/usernetctl.te
@@ -33,7 +33,7 @@ allow usernetctl_t self:unix_stream_socket connectto;
 can_exec(usernetctl_t,usernetctl_exec_t)
 kernel_read_system_state(usernetctl_t)
-kernel_read_kernel_sysctl(usernetctl_t)
+kernel_read_kernel_sysctls(usernetctl_t)
 corecmd_list_bin(usernetctl_t)
 corecmd_exec_bin(usernetctl_t)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index ffbfbc5..6107487 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -56,7 +56,7 @@ allow webalizer_t webalizer_var_lib_t:file create_file_perms;
 allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
 files_filetrans_var_lib(webalizer_t,webalizer_var_lib_t)
-kernel_read_kernel_sysctl(webalizer_t)
+kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 corenet_tcp_sendrecv_all_if(webalizer_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 3f81d4c..c52c8aa 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -95,10 +95,10 @@ allow bootloader_t modules_object_t:dir r_dir_perms;
 allow bootloader_t modules_object_t:file r_file_perms;
 allow bootloader_t modules_object_t:lnk_file r_file_perms;
-kernel_getattr_core(bootloader_t)
+kernel_getattr_core_if(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
-kernel_read_kernel_sysctl(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
 storage_raw_read_fixed_disk(bootloader_t)
 storage_raw_write_fixed_disk(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index b512d8e..9278bb4 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -158,7 +158,7 @@ interface(`kernel_dontaudit_use_fd',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_pipe',`
+interface(`kernel_rw_pipes',`
 gen_require(`
 type kernel_t;
 ')
@@ -174,7 +174,7 @@ interface(`kernel_rw_pipe',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_unix_dgram_socket',`
+interface(`kernel_rw_unix_dgram_sockets',`
 gen_require(`
 type kernel_t;
 ')
@@ -190,7 +190,7 @@ interface(`kernel_rw_unix_dgram_socket',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_sendto_unix_dgram_socket',`
+interface(`kernel_sendto_unix_dgram_sockets',`
 gen_require(`
 type kernel_t;
 ')
@@ -571,7 +571,7 @@ interface(`kernel_read_system_state',`
 # file thats writable in proc should really
 # have its own label.
 #
-interface(`kernel_write_proc_file',`
+interface(`kernel_write_proc_files',`
 gen_require(`
 type proc_t;
 ')
@@ -606,7 +606,7 @@ interface(`kernel_dontaudit_read_system_state',`
 ## The process type not to audit.
 ##
 #
-interface(`kernel_dontaudit_read_proc_symlink',`
+interface(`kernel_dontaudit_read_proc_symlinks',`
 gen_require(`
 type proc_t;
 ')
@@ -656,7 +656,7 @@ interface(`kernel_rw_software_raid_state',`
 ## The process type getting the attibutes.
 ##
 #
-interface(`kernel_getattr_core',`
+interface(`kernel_getattr_core_if',`
 gen_require(`
 type proc_t, proc_kcore_t;
 ')
@@ -674,7 +674,7 @@ interface(`kernel_getattr_core',`
 ## The process type to not audit.
 ##
 #
-interface(`kernel_dontaudit_getattr_core',`
+interface(`kernel_dontaudit_getattr_core_if',`
 gen_require(`
 type proc_kcore_t;
 ')
@@ -854,7 +854,7 @@ interface(`kernel_read_sysctl',`
 ## The process type to allow to read the device sysctls.
 ##
 #
-interface(`kernel_read_device_sysctl',`
+interface(`kernel_read_device_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_dev_t;
 ')
@@ -873,7 +873,7 @@ interface(`kernel_read_device_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_device_sysctl',`
+interface(`kernel_rw_device_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_dev_t;
 ')
@@ -909,7 +909,7 @@ interface(`kernel_search_vm_sysctl',`
 ##
 ##
 #
-interface(`kernel_read_vm_sysctl',`
+interface(`kernel_read_vm_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_vm_t;
 ')
@@ -927,7 +927,7 @@ interface(`kernel_read_vm_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_vm_sysctl',`
+interface(`kernel_rw_vm_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_vm_t;
 ')
@@ -978,7 +978,7 @@ interface(`kernel_dontaudit_search_network_sysctl',`
 ##
 ##
 #
-interface(`kernel_read_net_sysctl',`
+interface(`kernel_read_net_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_net_t;
 ')
@@ -997,7 +997,7 @@ interface(`kernel_read_net_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_net_sysctl',`
+interface(`kernel_rw_net_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_net_t;
 ')
@@ -1017,7 +1017,7 @@ interface(`kernel_rw_net_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_unix_sysctl',`
+interface(`kernel_read_unix_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
 ')
@@ -1037,7 +1037,7 @@ interface(`kernel_read_unix_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_unix_sysctl',`
+interface(`kernel_rw_unix_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
 ')
@@ -1056,7 +1056,7 @@ interface(`kernel_rw_unix_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_hotplug_sysctl',`
+interface(`kernel_read_hotplug_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 ')
@@ -1075,7 +1075,7 @@ interface(`kernel_read_hotplug_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_hotplug_sysctl',`
+interface(`kernel_rw_hotplug_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t;
 ')
@@ -1094,7 +1094,7 @@ interface(`kernel_rw_hotplug_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_modprobe_sysctl',`
+interface(`kernel_read_modprobe_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 ')
@@ -1113,7 +1113,7 @@ interface(`kernel_read_modprobe_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_modprobe_sysctl',`
+interface(`kernel_rw_modprobe_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t;
 ')
@@ -1148,7 +1148,7 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_kernel_sysctl',`
+interface(`kernel_read_kernel_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_kernel_t;
 ')
@@ -1202,7 +1202,7 @@ interface(`kernel_rw_kernel_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_fs_sysctl',`
+interface(`kernel_read_fs_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_fs_t;
 ')
@@ -1221,7 +1221,7 @@ interface(`kernel_read_fs_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_fs_sysctl',`
+interface(`kernel_rw_fs_sysctls',`
 gen_require(`
 type proc_t, sysctl_t, sysctl_fs_t;
 ')
@@ -1240,7 +1240,7 @@ interface(`kernel_rw_fs_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_irq_sysctl',`
+interface(`kernel_read_irq_sysctls',`
 gen_require(`
 type proc_t, sysctl_irq_t;
 ')
@@ -1259,7 +1259,7 @@ interface(`kernel_read_irq_sysctl',`
 ##
 ##
 #
-interface(`kernel_rw_irq_sysctl',`
+interface(`kernel_rw_irq_sysctls',`
 gen_require(`
 type proc_t, sysctl_irq_t;
 ')
@@ -1271,9 +1271,9 @@ interface(`kernel_rw_irq_sysctl',`
 ########################################
 #
-# kernel_read_rpc_sysctl(domain)
+# kernel_read_rpc_sysctls(domain)
 #
-interface(`kernel_read_rpc_sysctl',`
+interface(`kernel_read_rpc_sysctls',`
 gen_require(`
 type proc_t, proc_net_t, sysctl_rpc_t;
 ')
@@ -1286,9 +1286,9 @@ interface(`kernel_read_rpc_sysctl',`
 ########################################
 #
-# kernel_rw_rpc_sysctl(domain)
+# kernel_rw_rpc_sysctls(domain)
 #
-interface(`kernel_rw_rpc_sysctl',`
+interface(`kernel_rw_rpc_sysctls',`
 gen_require(`
 type proc_t, proc_net_t, sysctl_rpc_t;
 ')
@@ -1307,7 +1307,7 @@ interface(`kernel_rw_rpc_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_read_all_sysctl',`
+interface(`kernel_read_all_sysctls',`
 gen_require(`
 attribute sysctl_type;
 type proc_t, proc_net_t;
@@ -1328,7 +1328,7 @@ interface(`kernel_read_all_sysctl',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_all_sysctl',`
+interface(`kernel_rw_all_sysctls',`
 gen_require(`
 attribute sysctl_type;
 type proc_t, proc_net_t;
@@ -1461,7 +1461,7 @@ interface(`kernel_dontaudit_list_unlabeled',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_unlabeled_dir',`
+interface(`kernel_rw_unlabeled_dirs',`
 gen_require(`
 type unlabeled_t;
 ')
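Review bot: The header of `kernel_read_rpc_sysctls` in the `@@ -1271` hunk (and of `kernel_rw_rpc_sysctls` in the `@@ -1286` hunk) is still the bare `# kernel_read_rpc_sysctls(domain)` comment, whereas every other interface touched in this file carries the `##` doc block with a parameter description (`## Domain allowed access.`). Since that comment line is being rewritten anyway, converting it to the same doc-block form — a one-line summary such as "Read the RPC sysctls." plus the domain parameter description — would keep these two consistent with the rest of the file's interface documentation. The interface bodies continue outside the hunks.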
@@ -1478,7 +1478,7 @@ interface(`kernel_rw_unlabeled_dir',`
 ## The process type not to audit.
 ##
 #
-interface(`kernel_dontaudit_getattr_unlabeled_file',`
+interface(`kernel_dontaudit_getattr_unlabeled_files',`
 gen_require(`
 type unlabeled_t;
 ')
@@ -1495,7 +1495,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_file',`
 ## Domain to not audit.
 ##
 #
-interface(`kernel_dontaudit_read_unlabeled_file',`
+interface(`kernel_dontaudit_read_unlabeled_files',`
 gen_require(`
 type unlabeled_t;
 ')
@@ -1563,7 +1563,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_sockets',`
 ## The process type not to audit.
 ##
 #
-interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
+interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
 gen_require(`
 type unlabeled_t;
 ')
@@ -1579,7 +1579,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`kernel_rw_unlabeled_blk_dev',`
+interface(`kernel_rw_unlabeled_blk_files',`
 gen_require(`
 type unlabeled_t;
 ')
@@ -1596,7 +1596,7 @@ interface(`kernel_rw_unlabeled_blk_dev',`
 ## The process type not to audit.
 ##
 #
-interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 gen_require(`
 type unlabeled_t;
 ')
@@ -1615,7 +1615,6 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_dev',`
 interface(`kernel_relabel_unlabeled',`
 gen_require(`
 type unlabeled_t;
- gen_require_set({ getattr relabelfrom },dir_file_class_set)
 ')
 kernel_list_unlabeled($1)
@@ -1682,5 +1681,5 @@ interface(`kernel_unconfined',`
 typeattribute $1 can_load_kernmodule, can_receive_kernel_messages;
 typeattribute $1 kern_unconfined;
- kernel_rw_all_sysctl($1)
+ kernel_rw_all_sysctls($1)
 ')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index f111502..e97e8df 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
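Review bot: The removed line `gen_require_set({ getattr relabelfrom },dir_file_class_set)` in `kernel_relabel_unlabeled` (the `@@ -1615` hunk) is the only non-rename change visible in this diff, and the commit message ("renaming ... round 2") does not mention it. The body of `kernel_relabel_unlabeled` continues outside the hunk, so whether the `getattr`/`relabelfrom` permissions on `dir_file_class_set` are still declared by the rules that follow cannot be checked here. A one-line note in the commit message saying why the class requirement is dropped (for example, that the require block no longer needs it) would keep this traceable when the relabel rules for `unlabeled_t` are audited later.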
@@ -212,7 +212,7 @@ allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
 allow httpd_t squirrelmail_spool_t:file create_file_perms;
 allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
-kernel_read_kernel_sysctl(httpd_t)
+kernel_read_kernel_sysctls(httpd_t)
 kernel_tcp_recvfrom(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@@ -541,7 +541,7 @@ allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
 allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
 files_filetrans_tmp(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
-kernel_read_kernel_sysctl(httpd_suexec_t)
+kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
@@ -663,7 +663,7 @@ allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
 allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
 allow httpd_sys_script_t squirrelmail_spool_t:lnk_file { getattr read };
-kernel_read_kernel_sysctl(httpd_sys_script_t)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 980ce25..969d0e6 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -83,8 +83,8 @@ allow apmd_t apmd_var_run_t:file create_file_perms;
 allow apmd_t apmd_var_run_t:sock_file create_file_perms;
 files_filetrans_pid(apmd_t, apmd_var_run_t, { file sock_file })
-kernel_read_kernel_sysctl(apmd_t)
-kernel_rw_all_sysctl(apmd_t)
+kernel_read_kernel_sysctls(apmd_t)
+kernel_rw_all_sysctls(apmd_t)
 kernel_read_system_state(apmd_t)
 dev_read_realtime_clock(apmd_t)
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index 30994a6..3a8cc40 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -45,7 +45,7 @@ allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
 allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(arpwatch_t,arpwatch_var_run_t)
-kernel_read_kernel_sysctl(arpwatch_t)
+kernel_read_kernel_sysctls(arpwatch_t)
 kernel_list_proc(arpwatch_t)
 kernel_read_proc_symlinks(arpwatch_t)
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 91cb8e2..861ccef 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -57,8 +57,8 @@ allow automount_t automount_var_run_t:file create_file_perms;
 allow automount_t automount_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(automount_t,automount_var_run_t)
-kernel_read_kernel_sysctl(automount_t)
-kernel_read_fs_sysctl(automount_t)
+kernel_read_kernel_sysctls(automount_t)
+kernel_read_fs_sysctls(automount_t)
 kernel_read_proc_symlinks(automount_t)
 kernel_read_system_state(automount_t)
 kernel_list_proc(automount_t)
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 436c6c9..687be8f 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -33,7 +33,7 @@ allow avahi_t avahi_var_run_t:file create_file_perms;
 allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
 files_filetrans_pid(avahi_t,avahi_var_run_t)
-kernel_read_kernel_sysctl(avahi_t)
+kernel_read_kernel_sysctls(avahi_t)
 kernel_list_proc(avahi_t)
 kernel_read_proc_symlinks(avahi_t)
 kernel_read_network_state(avahi_t)
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index a3662b9..269857f 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -94,7 +94,7 @@ allow named_t named_zone_t:lnk_file r_file_perms;
 allow named_t ndc_t:tcp_socket { acceptfrom recvfrom };
-kernel_read_kernel_sysctl(named_t)
+kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
 kernel_tcp_recvfrom(named_t)
@@ -236,7 +236,7 @@ allow ndc_t named_var_run_t:sock_file rw_file_perms;
 allow ndc_t named_zone_t:dir search;
-kernel_read_kernel_sysctl(ndc_t)
+kernel_read_kernel_sysctls(ndc_t)
 kernel_tcp_recvfrom(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
@@ -274,7 +274,7 @@ ifdef(`distro_redhat',`
 ')
 ifdef(`targeted_policy',`
- kernel_dontaudit_read_unlabeled_file(ndc_t)
+ kernel_dontaudit_read_unlabeled_files(ndc_t)
 term_use_unallocated_tty(ndc_t)
 term_use_generic_pty(ndc_t)
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 1c30d28..6bb985f 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -84,7 +84,7 @@ allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
 allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
 files_filetrans_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
-kernel_read_kernel_sysctl(bluetooth_t)
+kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 corenet_tcp_sendrecv_all_if(bluetooth_t)
@@ -177,7 +177,7 @@ allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
 files_filetrans_tmp(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
 kernel_read_system_state(bluetooth_helper_t)
-kernel_read_kernel_sysctl(bluetooth_helper_t)
+kernel_read_kernel_sysctls(bluetooth_helper_t)
 dev_read_urand(bluetooth_helper_t)
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index 4215b63..2990814 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -45,7 +45,7 @@ allow canna_t canna_var_run_t:file create_file_perms;
 allow canna_t canna_var_run_t:sock_file create_file_perms;
 files_filetrans_pid(canna_t, canna_var_run_t, { file sock_file })
-kernel_read_kernel_sysctl(canna_t)
+kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 corenet_tcp_sendrecv_all_if(canna_t)
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 27097e9..7c99d09 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -39,7 +39,7 @@ allow comsat_t comsat_var_run_t:file create_file_perms;
 allow comsat_t comsat_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(comsat_t,comsat_var_run_t)
-kernel_read_kernel_sysctl(comsat_t)
+kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index f3b3617..cc2819d 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -32,7 +32,7 @@ allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
 kernel_list_proc(cpucontrol_t)
 kernel_read_proc_symlinks(cpucontrol_t)
-kernel_read_kernel_sysctl(cpucontrol_t)
+kernel_read_kernel_sysctls(cpucontrol_t)
 dev_read_sysfs(cpucontrol_t)
 dev_rw_cpu_microcode(cpucontrol_t)
@@ -83,7 +83,7 @@ allow cpuspeed_t self:process { signal_perms setsched };
 allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
 kernel_read_system_state(cpuspeed_t)
-kernel_read_kernel_sysctl(cpuspeed_t)
+kernel_read_kernel_sysctls(cpuspeed_t)
 dev_rw_sysfs(cpuspeed_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index c7a097f..a919d79 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -80,7 +80,7 @@ template(`cron_per_userdomain_template',`
 allow $1_crond_t crond_t:process sigchld;
 kernel_read_system_state($1_crond_t)
- kernel_read_kernel_sysctl($1_crond_t)
+ kernel_read_kernel_sysctls($1_crond_t)
 # ps does not need to access /boot when run from cron
 bootloader_dontaudit_search_boot($1_crond_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 6577ab3..ea29b8f 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -87,7 +87,7 @@ allow crond_t cron_spool_t:file r_file_perms;
 allow crond_t system_cron_spool_t:dir r_dir_perms;
 allow crond_t system_cron_spool_t:file r_file_perms;
-kernel_read_kernel_sysctl(crond_t)
+kernel_read_kernel_sysctls(crond_t)
 dev_read_sysfs(crond_t)
 selinux_get_fs_mount(crond_t)
 selinux_validate_context(crond_t)
@@ -275,7 +275,7 @@ ifdef(`targeted_policy',`
 allow system_crond_t cron_spool_t:dir r_dir_perms;
 allow system_crond_t cron_spool_t:file r_file_perms;
- kernel_read_kernel_sysctl(system_crond_t)
+ kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
 kernel_read_software_raid_state(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 39f0aa0..2705899 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -119,7 +119,7 @@ allow cupsd_t ptal_var_run_t:sock_file { write setattr };
 allow cupsd_t ptal_t:unix_stream_socket connectto;
 kernel_read_system_state(cupsd_t)
-kernel_read_all_sysctl(cupsd_t)
+kernel_read_all_sysctls(cupsd_t)
 kernel_tcp_recvfrom(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
@@ -305,7 +305,7 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(ptal_t,ptal_var_run_t)
-kernel_read_kernel_sysctl(ptal_t)
+kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
@@ -393,7 +393,7 @@ allow hplip_t hplip_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(hplip_t,hplip_var_run_t)
 kernel_read_system_state(hplip_t)
-kernel_read_kernel_sysctl(hplip_t)
+kernel_read_kernel_sysctls(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
@@ -516,7 +516,7 @@ files_filetrans_var(cupsd_config_t,cupsd_rw_etc_t)
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
 kernel_read_system_state(cupsd_config_t)
-kernel_read_kernel_sysctl(cupsd_config_t)
+kernel_read_kernel_sysctls(cupsd_config_t)
 kernel_tcp_recvfrom(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
@@ -688,7 +688,7 @@ allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
-kernel_read_kernel_sysctl(cupsd_lpd_t)
+kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index 3cd03dc..60165e9 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -44,7 +44,7 @@ allow cvs_t cvs_var_run_t:file create_file_perms;
 allow cvs_t cvs_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(cvs_t,cvs_var_run_t)
-kernel_read_kernel_sysctl(cvs_t)
+kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)
 kernel_read_network_state(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 57f5b65..87648db 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -55,9 +55,9 @@ allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
 allow cyrus_t cyrus_var_run_t:file create_file_perms;
 files_filetrans_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
-kernel_read_kernel_sysctl(cyrus_t)
+kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
-kernel_read_all_sysctl(cyrus_t)
+kernel_read_all_sysctls(cyrus_t)
 corenet_tcp_sendrecv_all_if(cyrus_t)
 corenet_udp_sendrecv_all_if(cyrus_t)
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index fc4017d..cd28ad7 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -45,7 +45,7 @@ allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
 allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(dbskkd_t,dbskkd_var_run_t)
-kernel_read_kernel_sysctl(dbskkd_t)
+kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 2db8946..a7475ed 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -100,7 +100,7 @@ template(`dbus_per_userdomain_template',`
 allow $2 $1_dbusd_t:process { sigkill signal };
 kernel_read_system_state($1_dbusd_t)
- kernel_read_kernel_sysctl($1_dbusd_t)
+ kernel_read_kernel_sysctls($1_dbusd_t)
 corenet_tcp_sendrecv_all_if($1_dbusd_t)
 corenet_raw_sendrecv_all_if($1_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index a208e3c..07ab4fd 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -55,7 +55,7 @@ allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(system_dbusd_t,system_dbusd_var_run_t)
 kernel_read_system_state(system_dbusd_t)
-kernel_read_kernel_sysctl(system_dbusd_t)
+kernel_read_kernel_sysctls(system_dbusd_t)
 dev_read_urand(system_dbusd_t)
 dev_read_sysfs(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 294d420..161750b 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -52,7 +52,7 @@ allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
 kernel_read_system_state(dhcpd_t)
-kernel_read_kernel_sysctl(dhcpd_t)
+kernel_read_kernel_sysctls(dhcpd_t)
 corenet_tcp_sendrecv_all_if(dhcpd_t)
 corenet_udp_sendrecv_all_if(dhcpd_t)
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index 1a4d9ec..d35f0e1 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -35,7 +35,7 @@ allow dictd_t dictd_var_lib_t:dir r_dir_perms;
 allow dictd_t dictd_var_lib_t:file r_file_perms;
 kernel_read_system_state(dictd_t)
-kernel_read_kernel_sysctl(dictd_t)
+kernel_read_kernel_sysctls(dictd_t)
 kernel_tcp_recvfrom(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 0af1681..6adf88d 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -43,7 +43,7 @@ allow distccd_t distccd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(distccd_t,distccd_var_run_t)
 kernel_read_system_state(distccd_t)
-kernel_read_kernel_sysctl(distccd_t)
+kernel_read_kernel_sysctls(distccd_t)
 corenet_tcp_sendrecv_all_if(distccd_t)
 corenet_udp_sendrecv_all_if(distccd_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 68dc0f2..c02c30d 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -67,7 +67,7 @@ allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(dovecot_t,dovecot_var_run_t)
-kernel_read_kernel_sysctl(dovecot_t)
+kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
 corenet_tcp_sendrecv_all_if(dovecot_t)
@@ -157,7 +157,7 @@ allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
-kernel_read_all_sysctl(dovecot_auth_t)
+kernel_read_all_sysctls(dovecot_auth_t)
 kernel_read_system_state(dovecot_auth_t)
 dev_read_urand(dovecot_auth_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index d1f3a03..1c624e0 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -40,7 +40,7 @@ allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
 allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(fetchmail_t,fetchmail_var_run_t)
-kernel_read_kernel_sysctl(fetchmail_t)
+kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
 kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index e8baa56..c564a85 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -43,7 +43,7 @@ allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
 allow fingerd_t fingerd_log_t:file create_file_perms;
 logging_filetrans_log(fingerd_t,fingerd_log_t)
-kernel_read_kernel_sysctl(fingerd_t)
+kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 kernel_tcp_recvfrom(fingerd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index a3c6673..840969e 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -65,7 +65,7 @@ files_filetrans_pid(ftpd_t,ftpd_var_run_t)
 allow ftpd_t xferlog_t:file create_file_perms;
 logging_filetrans_log(ftpd_t,xferlog_t)
-kernel_read_kernel_sysctl(ftpd_t)
+kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
 dev_read_sysfs(ftpd_t)
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index d254885..7113bf9 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -48,7 +48,7 @@ dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
 # cjp: this has no effect
 allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-kernel_read_kernel_sysctl(gpm_t)
+kernel_read_kernel_sysctls(gpm_t)
 kernel_list_proc(gpm_t)
 kernel_read_proc_symlinks(gpm_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 1a609e8..382fca3 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -46,9 +46,9 @@ files_filetrans_pid(hald_t,hald_var_run_t)
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
-kernel_read_kernel_sysctl(hald_t)
-kernel_read_fs_sysctl(hald_t)
-kernel_write_proc_file(hald_t)
+kernel_read_kernel_sysctls(hald_t)
+kernel_read_fs_sysctls(hald_t)
+kernel_write_proc_files(hald_t)
 bootloader_getattr_boot_dir(hald_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index 4380f73..b798d93 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -30,7 +30,7 @@ allow howl_t howl_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(howl_t,howl_var_run_t)
 kernel_read_network_state(howl_t)
-kernel_read_kernel_sysctl(howl_t)
+kernel_read_kernel_sysctls(howl_t)
 kernel_load_module(howl_t)
 kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index 433d098..dcf18e2 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -34,7 +34,7 @@ files_filetrans_pid(i18n_input_t,i18n_input_var_run_t)
 can_exec(i18n_input_t, i18n_input_exec_t)
-kernel_read_kernel_sysctl(i18n_input_t)
+kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)
 kernel_tcp_recvfrom(i18n_input_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 32cb8a0..4ad06e2 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -52,7 +52,7 @@ files_filetrans_tmp(inetd_t, inetd_tmp_t, { file dir })
 allow inetd_t inetd_var_run_t:file create_file_perms;
 files_filetrans_pid(inetd_t,inetd_var_run_t)
-kernel_read_kernel_sysctl(inetd_t)
+kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
 kernel_tcp_recvfrom(inetd_t)
@@ -181,7 +181,7 @@ allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
 allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(inetd_child_t,inetd_child_var_run_t)
-kernel_read_kernel_sysctl(inetd_child_t)
+kernel_read_kernel_sysctls(inetd_child_t)
 kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 0fa2227..202eedd 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -60,7 +60,7 @@ allow innd_t news_spool_t:dir create_dir_perms;
 allow innd_t news_spool_t:file create_file_perms;
 allow innd_t news_spool_t:lnk_file create_lnk_perms;
-kernel_read_kernel_sysctl(innd_t)
+kernel_read_kernel_sysctls(innd_t)
 kernel_read_system_state(innd_t)
 corenet_raw_sendrecv_all_if(innd_t)
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index 8118845..0368165 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -26,8 +26,8 @@ allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(irqbalance_t,irqbalance_var_run_t)
 kernel_read_system_state(irqbalance_t)
-kernel_read_kernel_sysctl(irqbalance_t)
-kernel_rw_irq_sysctl(irqbalance_t)
+kernel_read_kernel_sysctls(irqbalance_t)
+kernel_rw_irq_sysctls(irqbalance_t)
 dev_read_sysfs(irqbalance_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index dd8042a..f21527c 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -83,7 +83,7 @@ allow kadmind_t kadmind_var_run_t:file create_file_perms;
 allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(kadmind_t,kadmind_var_run_t)
-kernel_read_kernel_sysctl(kadmind_t)
+kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
@@ -186,7 +186,7 @@ allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(krb5kdc_t,krb5kdc_var_run_t)
 kernel_read_system_state(krb5kdc_t)
-kernel_read_kernel_sysctl(krb5kdc_t)
+kernel_read_kernel_sysctls(krb5kdc_t)
 kernel_list_proc(krb5kdc_t)
 kernel_read_proc_symlinks(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 00167ed..65864b9 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -46,7 +46,7 @@ allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
 allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(ktalkd_t,ktalkd_var_run_t)
-kernel_read_kernel_sysctl(ktalkd_t)
+kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 26e3a23..6998bb5 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -75,7 +75,7 @@ allow slapd_t slapd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(slapd_t,slapd_var_run_t)
 kernel_read_system_state(slapd_t)
-kernel_read_kernel_sysctl(slapd_t)
+kernel_read_kernel_sysctls(slapd_t)
 kernel_tcp_recvfrom(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index cd58cc5..bda1eeb 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -154,7 +154,7 @@ dev_filetrans_dev(lpd_t,printer_t,lnk_file)
 allow lpd_t printer_t:unix_stream_socket name_bind;
 allow lpd_t printer_t:unix_dgram_socket name_bind;
-kernel_read_kernel_sysctl(lpd_t)
+kernel_read_kernel_sysctls(lpd_t)
 kernel_tcp_recvfrom(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 753d7f1..372e84b 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -45,7 +45,7 @@ template(`mailman_domain_template', `
 allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
 files_filetrans_tmp(mailman_$1_t, mailman_$1_tmp_t, { file dir })
- kernel_read_kernel_sysctl(mailman_$1_t)
+ kernel_read_kernel_sysctls(mailman_$1_t)
 kernel_read_system_state(mailman_$1_t)
 corenet_tcp_sendrecv_all_if(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index f20330b..6d77382 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -66,7 +66,7 @@ template(`mta_base_mail_template',`
 can_exec($1_mail_t, sendmail_exec_t)
 allow $1_mail_t sendmail_exec_t:lnk_file r_file_perms;
- kernel_read_kernel_sysctl($1_mail_t)
+ kernel_read_kernel_sysctls($1_mail_t)
 corenet_tcp_sendrecv_all_if($1_mail_t)
 corenet_raw_sendrecv_all_if($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index b84c2ab..4f09d20 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -61,7 +61,7 @@ allow mysqld_t mysqld_var_run_t:file create_file_perms;
 files_filetrans_pid(mysqld_t,mysqld_var_run_t)
 kernel_list_proc(mysqld_t)
-kernel_read_kernel_sysctl(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_proc_symlinks(mysqld_t)
 kernel_read_system_state(mysqld_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index f0bff54..d95c42b 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -35,7 +35,7 @@ files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
-kernel_read_kernel_sysctl(NetworkManager_t)
+kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
 corenet_tcp_sendrecv_all_if(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 2ae303f..d109781 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -63,7 +63,7 @@ files_filetrans_pid(ypbind_t,ypbind_var_run_t)
 allow ypbind_t var_yp_t:dir rw_dir_perms;
 allow ypbind_t var_yp_t:file create_file_perms;
-kernel_read_kernel_sysctl(ypbind_t)
+kernel_read_kernel_sysctls(ypbind_t)
 kernel_list_proc(ypbind_t)
 kernel_read_proc_symlinks(ypbind_t)
 kernel_tcp_recvfrom(ypbind_t)
@@ -160,7 +160,7 @@ allow yppasswdd_t var_yp_t:lnk_file create_lnk_perms;
 kernel_list_proc(yppasswdd_t)
 kernel_read_proc_symlinks(yppasswdd_t)
 kernel_getattr_proc_files(yppasswdd_t)
-kernel_read_kernel_sysctl(yppasswdd_t)
+kernel_read_kernel_sysctls(yppasswdd_t)
 corenet_tcp_sendrecv_generic_if(yppasswdd_t)
 corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -262,7 +262,7 @@ allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
 allow ypserv_t ypserv_var_run_t:file manage_file_perms;
 files_filetrans_pid(ypserv_t,ypserv_var_run_t)
-kernel_read_kernel_sysctl(ypserv_t)
+kernel_read_kernel_sysctls(ypserv_t)
 kernel_list_proc(ypserv_t)
 kernel_read_proc_symlinks(ypserv_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index e87e669..088dc7d 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -52,7 +52,7 @@ allow nscd_t nscd_var_run_t:sock_file create_file_perms;
 allow nscd_t nscd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(nscd_t,nscd_var_run_t,{ file sock_file })
-kernel_read_kernel_sysctl(nscd_t)
+kernel_read_kernel_sysctls(nscd_t)
 kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 530dfe7..018d6af 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -60,7 +60,7 @@ allow ntpd_t ntpd_var_run_t:file create_file_perms;
 allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(ntpd_t,ntpd_var_run_t)
-kernel_read_kernel_sysctl(ntpd_t)
+kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index b36f450..8887143 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -25,7 +25,7 @@ allow openct_t openct_var_run_t:file create_file_perms;
 allow openct_t openct_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(openct_t,openct_var_run_t)
-kernel_read_kernel_sysctl(openct_t)
+kernel_read_kernel_sysctls(openct_t)
 kernel_list_proc(openct_t)
 kernel_read_proc_symlinks(openct_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 6827c71..f21e8f8 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -61,8 +61,8 @@ allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
 allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(pegasus_t,pegasus_var_run_t)
-kernel_read_kernel_sysctl(pegasus_t)
-kernel_read_fs_sysctl(pegasus_t)
+kernel_read_kernel_sysctls(pegasus_t)
+kernel_read_fs_sysctls(pegasus_t)
 kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index d0ecdbd..bc5969b 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -42,7 +42,7 @@ allow portmap_t portmap_var_run_t:file create_file_perms;
 allow portmap_t portmap_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(portmap_t,portmap_var_run_t)
-kernel_read_kernel_sysctl(portmap_t)
+kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
 kernel_tcp_recvfrom(portmap_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index a749e8e..003c7e0 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -47,7 +47,7 @@ template(`postfix_domain_template',`
 kernel_read_system_state(postfix_$1_t)
 kernel_read_network_state(postfix_$1_t)
- kernel_read_all_sysctl(postfix_$1_t)
+ kernel_read_all_sysctls(postfix_$1_t)
 dev_read_sysfs(postfix_$1_t)
 dev_read_rand(postfix_$1_t)
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 4c85ccb..3450bc7 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -132,7 +132,7 @@ allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-kernel_read_all_sysctl(postfix_master_t)
+kernel_read_all_sysctls(postfix_master_t)
 corenet_tcp_sendrecv_all_if(postfix_master_t)
 corenet_udp_sendrecv_all_if(postfix_master_t)
@@ -301,7 +301,7 @@ allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
 allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
 files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
-kernel_read_kernel_sysctl(postfix_map_t)
+kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 corenet_tcp_sendrecv_all_if(postfix_map_t)
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 2ddd3fe..e6cf8d9 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -77,10 +77,10 @@ allow postgresql_t postgresql_var_run_t:file create_file_perms;
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 files_filetrans_pid(postgresql_t,postgresql_var_run_t)
-kernel_read_kernel_sysctl(postgresql_t)
+kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
 kernel_list_proc(postgresql_t)
-kernel_read_all_sysctl(postgresql_t)
+kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
 kernel_tcp_recvfrom(postgresql_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 78e63ae..0cef95f 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -107,9 +107,9 @@ allow pppd_t pppd_secret_t:file r_file_perms;
 # Automatically label newly created files under /etc/ppp with this type
 type_transition pppd_t pppd_etc_t:file pppd_etc_rw_t;
-kernel_read_kernel_sysctl(pppd_t)
+kernel_read_kernel_sysctls(pppd_t)
 kernel_read_system_state(pppd_t)
-kernel_read_net_sysctl(pppd_t)
+kernel_read_net_sysctls(pppd_t)
 kernel_read_network_state(pppd_t)
 kernel_load_module(pppd_t)
@@ -256,7 +256,7 @@ allow pptp_t pptp_var_run_t:sock_file create_file_perms;
 files_filetrans_pid(pptp_t,pptp_var_run_t)
 kernel_list_proc(pptp_t)
-kernel_read_kernel_sysctl(pptp_t)
+kernel_read_kernel_sysctls(pptp_t)
 kernel_read_proc_symlinks(pptp_t)
 dev_read_sysfs(pptp_t)
@@ -322,6 +322,7 @@ optional_policy(`postfix',`
 postfix_read_config(pppd_t)
 ')
+# FIXME: domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
 allow pppd_t initrc_t:fd use;
 allow initrc_t pppd_t:fd use;
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index ea69c43..f95456c 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -38,7 +38,7 @@ allow privoxy_t privoxy_var_run_t:file create_file_perms;
 allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(privoxy_t,privoxy_var_run_t)
-kernel_read_kernel_sysctl(privoxy_t)
+kernel_read_kernel_sysctls(privoxy_t)
 kernel_list_proc(privoxy_t)
 kernel_read_proc_symlinks(privoxy_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index 258a8ea..2471486 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
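Review bot: The new `# FIXME: domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)` line in the `@@ -322,6 +322,7 @@` hunk of ppp.te records a transition without saying why it is deferred or what is running in its place, so the next maintainer cannot tell whether it is blocked on a missing type, a policy-build problem, or a deliberate decision. It is also placed directly above two unrelated-looking `fd use` rules (`allow pppd_t initrc_t:fd use;` / `allow initrc_t pppd_t:fd use;`), which reads as if the FIXME applies to them. I would expand it to something like `# FIXME: pppd's scripts should run as initrc_t via domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t); until that transition exists the fd sharing below is all that ties pppd_t and initrc_t together -- confirm pppd_script_exec_t is declared before enabling it`. Whether `pppd_script_exec_t` is declared anywhere in this module is not visible from the hunk, so the note should state that as an assumption rather than a fact.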
@@ -26,7 +26,7 @@ allow procmail_t self:tcp_socket create_stream_socket_perms;
 allow procmail_t self:udp_socket create_socket_perms;
 kernel_read_system_state(procmail_t)
-kernel_read_kernel_sysctl(procmail_t)
+kernel_read_kernel_sysctls(procmail_t)
 corenet_tcp_sendrecv_all_if(procmail_t)
 corenet_raw_sendrecv_all_if(procmail_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 0b49f23..5cbd243 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -47,7 +47,7 @@ allow radiusd_t radiusd_var_run_t:file create_file_perms;
 allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(radiusd_t,radiusd_var_run_t)
-kernel_read_kernel_sysctl(radiusd_t)
+kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
 corenet_tcp_sendrecv_all_if(radiusd_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 0cb9893..23c0502 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -34,8 +34,8 @@ allow radvd_t radvd_var_run_t:file create_file_perms;
 allow radvd_t radvd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(radvd_t,radvd_var_run_t)
-kernel_read_kernel_sysctl(radvd_t)
-kernel_read_net_sysctl(radvd_t)
+kernel_read_kernel_sysctls(radvd_t)
+kernel_read_net_sysctls(radvd_t)
 kernel_read_network_state(radvd_t)
 kernel_read_system_state(radvd_t)
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index 596f77d..d7e522c 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -24,7 +24,7 @@ allow rdisc_t self:rawip_socket create_socket_perms;
 kernel_list_proc(rdisc_t)
 kernel_read_proc_symlinks(rdisc_t)
-kernel_read_kernel_sysctl(rdisc_t)
+kernel_read_kernel_sysctls(rdisc_t)
 corenet_udp_sendrecv_generic_if(rdisc_t)
 corenet_raw_sendrecv_generic_if(rdisc_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 1e76716..8116894 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -43,7 +43,7 @@ allow remote_login_t remote_login_tmp_t:file create_file_perms;
 files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
 kernel_read_system_state(remote_login_t)
-kernel_read_kernel_sysctl(remote_login_t)
+kernel_read_kernel_sysctls(remote_login_t)
 dev_getattr_mouse_dev(remote_login_t)
 dev_setattr_mouse_dev(remote_login_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 6a15af9..da68a2c 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -47,7 +47,7 @@ allow rlogind_t rlogind_var_run_t:file create_file_perms;
 allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(rlogind_t,rlogind_var_run_t)
-kernel_read_kernel_sysctl(rlogind_t)
+kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
 kernel_read_network_state(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index a7cedb4..4019879 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -36,7 +36,7 @@ allow roundup_t roundup_var_lib_t:file create_file_perms;
 allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
 files_filetrans_var_lib(roundup_t,roundup_var_lib_t)
-kernel_read_kernel_sysctl(roundup_t)
+kernel_read_kernel_sysctls(roundup_t)
 kernel_list_proc(roundup_t)
 kernel_read_proc_symlinks(roundup_t)
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index eeb169f..a06f4d9 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -44,9 +44,9 @@ template(`rpc_domain_template', `
 kernel_list_proc($1_t)
 kernel_read_proc_symlinks($1_t)
- kernel_read_kernel_sysctl($1_t)
+ kernel_read_kernel_sysctls($1_t)
 # bind to arbitary unused ports
- kernel_rw_rpc_sysctl($1_t)
+ kernel_rw_rpc_sysctls($1_t)
 dev_read_sysfs($1_t)
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 8c776b8..55d562e 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -21,7 +21,7 @@ allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
-kernel_read_kernel_sysctl(rshd_t)
+kernel_read_kernel_sysctls(rshd_t)
 corenet_tcp_sendrecv_generic_if(rshd_t)
 corenet_udp_sendrecv_generic_if(rshd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 303b86c..94db6d0 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -50,7 +50,7 @@ allow rsync_t rsync_var_run_t:file create_file_perms;
 allow rsync_t rsync_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(rsync_t,rsync_var_run_t)
-kernel_read_kernel_sysctl(rsync_t)
+kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index ee36494..b0fdc60 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -223,10 +223,10 @@ files_filetrans_pid(smbd_t,smbd_var_run_t)
 allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-kernel_getattr_core(smbd_t)
+kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
 kernel_read_network_state(smbd_t)
-kernel_read_kernel_sysctl(smbd_t)
+kernel_read_kernel_sysctls(smbd_t)
 kernel_read_software_raid_state(smbd_t)
 kernel_read_system_state(smbd_t)
@@ -369,9 +369,9 @@ allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr re
 allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-kernel_getattr_core(nmbd_t)
+kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-kernel_read_kernel_sysctl(nmbd_t)
+kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@@ -567,7 +567,7 @@ files_filetrans_pid(swat_t,swat_var_run_t)
 allow swat_t winbind_exec_t:file execute;
-kernel_read_kernel_sysctl(swat_t)
+kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
 kernel_read_network_state(swat_t)
@@ -663,7 +663,7 @@ allow winbind_t winbind_var_run_t:sock_file create_file_perms;
 allow winbind_t winbind_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(winbind_t,winbind_var_run_t)
-kernel_read_kernel_sysctl(winbind_t)
+kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index cd6b15e..065726e 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -31,7 +31,7 @@ allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
 allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(saslauthd_t,saslauthd_var_run_t)
-kernel_read_kernel_sysctl(saslauthd_t)
+kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
 corenet_tcp_sendrecv_all_if(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 9bf1ce3..fd16c09 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -37,7 +37,7 @@ allow sendmail_t sendmail_log_t:file create_file_perms;
 allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
 logging_filetrans_log(sendmail_t,sendmail_log_t,{ file dir })
-kernel_read_kernel_sysctl(sendmail_t)
+kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index f27268d..c3462c8 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -41,7 +41,7 @@ allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(slrnpull_t,slrnpull_var_run_t)
 kernel_list_proc(slrnpull_t)
-kernel_read_kernel_sysctl(slrnpull_t)
+kernel_read_kernel_sysctls(slrnpull_t)
 kernel_read_proc_symlinks(slrnpull_t)
 dev_read_sysfs(slrnpull_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 321fc97..7980227 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -37,7 +37,7 @@ allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
 allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(fsdaemon_t,fsdaemon_var_run_t)
-kernel_read_kernel_sysctl(fsdaemon_t)
+kernel_read_kernel_sysctls(fsdaemon_t)
 kernel_read_software_raid_state(fsdaemon_t)
 kernel_read_system_state(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 373955f..9d2a499 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -49,8 +49,8 @@ allow snmpd_t snmpd_var_run_t:file create_file_perms;
 allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(snmpd_t,snmpd_var_run_t)
-kernel_read_kernel_sysctl(snmpd_t)
-kernel_read_net_sysctl(snmpd_t)
+kernel_read_kernel_sysctls(snmpd_t)
+kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
 kernel_read_system_state(snmpd_t)
 kernel_read_network_state(snmpd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 0046187..6d3ac33 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -89,7 +89,7 @@ template(`spamassassin_per_userdomain_template',`
 allow $1_spamc_t $2:fifo_file rw_file_perms;
 allow $1_spamc_t $2:process sigchld;
- kernel_read_kernel_sysctl($1_spamc_t)
+ kernel_read_kernel_sysctls($1_spamc_t)
 kernel_tcp_recvfrom($1_spamc_t)
 corenet_tcp_sendrecv_generic_if($1_spamc_t)
@@ -217,7 +217,7 @@ template(`spamassassin_per_userdomain_template',`
 allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
 userdom_create_user_home($1,spamd_t,{ dir file lnk_file sock_file fifo_file },$1_spamassassin_home_t)
- kernel_read_kernel_sysctl($1_spamassassin_t)
+ kernel_read_kernel_sysctls($1_spamassassin_t)
 dev_read_urand($1_spamassassin_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 853391c..099adda 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -57,7 +57,7 @@ allow spamd_t spamd_var_run_t:file create_file_perms;
 allow spamd_t spamd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(spamd_t,spamd_var_run_t)
-kernel_read_all_sysctl(spamd_t)
+kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 kernel_tcp_recvfrom(spamd_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 60f6bc4..74dd8fc 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -64,7 +64,7 @@ allow squid_t squid_var_run_t:file create_file_perms;
 allow squid_t squid_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(squid_t,squid_var_run_t)
-kernel_read_kernel_sysctl(squid_t)
+kernel_read_kernel_sysctls(squid_t)
 kernel_read_system_state(squid_t)
 kernel_tcp_recvfrom(squid_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 938d34e..d51727a 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -118,7 +118,7 @@ template(`ssh_per_userdomain_template',`
 allow ssh_server $1_home_ssh_t:lnk_file r_file_perms;
 allow ssh_server $1_home_ssh_t:file r_file_perms;
- kernel_read_kernel_sysctl($1_ssh_t)
+ kernel_read_kernel_sysctls($1_ssh_t)
 corenet_tcp_sendrecv_all_if($1_ssh_t)
 corenet_raw_sendrecv_all_if($1_ssh_t)
@@ -291,7 +291,7 @@ template(`ssh_per_userdomain_template',`
 allow $1_ssh_agent_t $2:fifo_file rw_file_perms;
 allow $1_ssh_agent_t $2:process sigchld;
- kernel_read_kernel_sysctl($1_ssh_agent_t)
+ kernel_read_kernel_sysctls($1_ssh_agent_t)
 dev_read_urand($1_ssh_agent_t)
 dev_read_rand($1_ssh_agent_t)
@@ -434,7 +434,7 @@ template(`ssh_server_template', `
 # Access key files
 allow $1_t sshd_key_t:file { getattr read };
- kernel_read_kernel_sysctl($1_t)
+ kernel_read_kernel_sysctls($1_t)
 corenet_tcp_sendrecv_all_if($1_t)
 corenet_udp_sendrecv_all_if($1_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 7f20b44..2f4f84d 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -219,7 +219,7 @@ ifdef(`targeted_policy',`',`
 allow ssh_keygen_t sshd_key_t:file create_file_perms;
 files_filetrans_etc(ssh_keygen_t,sshd_key_t,file)
- kernel_read_kernel_sysctl(ssh_keygen_t)
+ kernel_read_kernel_sysctls(ssh_keygen_t)
 fs_search_auto_mountpoints(ssh_keygen_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 07f2551..c0f9920 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -51,7 +51,7 @@ allow stunnel_t stunnel_var_run_t:file create_file_perms;
 allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(stunnel_t,stunnel_var_run_t)
-kernel_read_kernel_sysctl(stunnel_t)
+kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)
 kernel_read_network_state(stunnel_t)
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index 09dbf0b..5bfdc8f 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -32,9 +32,9 @@ logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })
 # get info from /proc
 kernel_read_system_state(sysstat_t)
 kernel_read_network_state(sysstat_t)
-kernel_read_kernel_sysctl(sysstat_t)
-kernel_read_fs_sysctl(sysstat_t)
-kernel_read_rpc_sysctl(sysstat_t)
+kernel_read_kernel_sysctls(sysstat_t)
+kernel_read_fs_sysctls(sysstat_t)
+kernel_read_rpc_sysctls(sysstat_t)
 corecmd_dontaudit_search_sbin(sysstat_t)
 corecmd_exec_bin(sysstat_t)
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index 8f3c80e..ad044f5 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -45,7 +45,7 @@ allow telnetd_t telnetd_var_run_t:file create_file_perms;
 allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(telnetd_t,telnetd_var_run_t)
-kernel_read_kernel_sysctl(telnetd_t)
+kernel_read_kernel_sysctls(telnetd_t)
 kernel_read_system_state(telnetd_t)
 kernel_read_network_state(telnetd_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 682a604..44fb415 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -37,7 +37,7 @@ allow tftpd_t tftpd_var_run_t:file create_file_perms;
 allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(tftpd_t,tftpd_var_run_t)
-kernel_read_kernel_sysctl(tftpd_t)
+kernel_read_kernel_sysctls(tftpd_t)
 kernel_list_proc(tftpd_t)
 kernel_read_proc_symlinks(tftpd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index a6ca08f..b66b5db 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -35,7 +35,7 @@ allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
 allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
 fs_filetrans_tmpfs(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-kernel_read_kernel_sysctl(timidity_t)
+kernel_read_kernel_sysctls(timidity_t)
 # read /proc/cpuinfo
 kernel_read_system_state(timidity_t)
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 3e47d75..56aca2f 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -63,7 +63,7 @@ allow uucpd_t uucpd_var_run_t:file create_file_perms;
 allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(uucpd_t,uucpd_var_run_t)
-kernel_read_kernel_sysctl(uucpd_t)
+kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
 kernel_read_network_state(uucpd_t)
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index b703f3b..fb806d9 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -39,7 +39,7 @@ files_filetrans_pid(xfs_t,xfs_var_run_t)
 # cjp: I do not believe this has an effect.
 allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-kernel_read_kernel_sysctl(xfs_t)
+kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 dev_read_sysfs(xfs_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index c088991..be61ef3 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -70,10 +70,10 @@ template(`xserver_common_domain_template',`
 logging_filetrans_log($1_xserver_t,xserver_log_t,file)
 kernel_read_system_state($1_xserver_t)
- kernel_read_device_sysctl($1_xserver_t)
- kernel_read_modprobe_sysctl($1_xserver_t)
+ kernel_read_device_sysctls($1_xserver_t)
+ kernel_read_modprobe_sysctls($1_xserver_t)
 # Xorg wants to check if kernel is tainted
- kernel_read_kernel_sysctl($1_xserver_t)
+ kernel_read_kernel_sysctls($1_xserver_t)
 # Run helper programs in $1_xserver_t.
 corecmd_search_sbin($1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d089091..d43696c 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -93,7 +93,7 @@ allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
 allow xdm_t xdm_rw_etc_t:file create_file_perms;
 kernel_read_system_state(xdm_t)
-kernel_read_kernel_sysctl(xdm_t)
+kernel_read_kernel_sysctls(xdm_t)
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index c493c45..85c5834 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -57,9 +57,9 @@ allow zebra_t zebra_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(zebra_t,zebra_var_run_t, { file sock_file })
 kernel_read_system_state(zebra_t)
-kernel_read_kernel_sysctl(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
 kernel_tcp_recvfrom(zebra_t)
-kernel_rw_net_sysctl(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
 corenet_tcp_sendrecv_all_if(zebra_t)
 corenet_udp_sendrecv_all_if(zebra_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index a734e22..f9c4fc0 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -145,7 +145,7 @@ allow pam_console_t pam_var_console_t:file r_file_perms;
 dontaudit pam_console_t pam_var_console_t:file write;
 allow pam_console_t pam_var_console_t:lnk_file { getattr read };
-kernel_read_kernel_sysctl(pam_console_t)
+kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fd(pam_console_t)
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index cff1a93..fac03e2 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -30,7 +30,7 @@ allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
-kernel_read_kernel_sysctl(hwclock_t)
+kernel_read_kernel_sysctls(hwclock_t)
 kernel_list_proc(hwclock_t)
 kernel_read_proc_symlinks(hwclock_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 070e38e..354fbd3 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -48,14 +48,14 @@ files_filetrans_tmp(fsadm_t, fsadm_tmp_t, { file dir })
 allow fsadm_t swapfile_t:file { getattr swapon };
 kernel_read_system_state(fsadm_t)
-kernel_read_kernel_sysctl(fsadm_t)
+kernel_read_kernel_sysctls(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
 kernel_getattr_proc(fsadm_t)
 # Access to /initrd devices
-kernel_rw_unlabeled_dir(fsadm_t)
-kernel_rw_unlabeled_blk_dev(fsadm_t)
+kernel_rw_unlabeled_dirs(fsadm_t)
+kernel_rw_unlabeled_blk_files(fsadm_t)
 dev_getattr_all_chr_files(fsadm_t)
 # mkreiserfs and other programs need this for UUID
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index c0ed117..04e5d89 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -47,8 +47,8 @@ files_filetrans_pid(hotplug_t,hotplug_var_run_t)
 kernel_sigchld(hotplug_t)
 kernel_setpgid(hotplug_t)
 kernel_read_system_state(hotplug_t)
-kernel_read_kernel_sysctl(hotplug_t)
-kernel_read_net_sysctl(hotplug_t)
+kernel_read_kernel_sysctls(hotplug_t)
+kernel_read_net_sysctls(hotplug_t)
 bootloader_read_kernel_modules(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 07b7198..230a10b 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -236,8 +236,8 @@ kernel_read_ring_buffer(initrc_t)
 kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
-kernel_read_all_sysctl(initrc_t)
-kernel_rw_all_sysctl(initrc_t)
+kernel_read_all_sysctls(initrc_t)
+kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
@@ -637,7 +637,7 @@ optional_policy(`rhgb',`
 optional_policy(`rpm',`
 # bash tries to access a block device in the initrd
- kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
+ kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
 # for a bug in rm
 files_dontaudit_write_all_pids(initrc_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index acdcab8..36f4a19 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -71,14 +71,14 @@ allow ipsec_mgmt_t ipsec_t:fd use;
 allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_t:process sigchld;
-kernel_read_kernel_sysctl(ipsec_t)
+kernel_read_kernel_sysctls(ipsec_t)
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
 kernel_read_system_state(ipsec_t)
 kernel_read_network_state(ipsec_t)
 kernel_read_software_raid_state(ipsec_t)
-kernel_getattr_core(ipsec_t)
+kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 # Pluto needs network access
@@ -198,13 +198,13 @@ allow ipsec_t ipsec_mgmt_t:fd use;
 allow ipsec_t ipsec_mgmt_t:fifo_file rw_file_perms;
 allow ipsec_t ipsec_mgmt_t:process sigchld;
-kernel_rw_net_sysctl(ipsec_mgmt_t)
+kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
 kernel_read_system_state(ipsec_mgmt_t)
 kernel_read_network_state(ipsec_mgmt_t)
 kernel_read_software_raid_state(ipsec_mgmt_t)
-kernel_read_kernel_sysctl(ipsec_mgmt_t)
-kernel_getattr_core(ipsec_mgmt_t)
+kernel_read_kernel_sysctls(ipsec_mgmt_t)
+kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 bootloader_read_kernel_symbol_table(ipsec_mgmt_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index c2fd556..9f8860f 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -39,8 +39,8 @@ allow iptables_t self:rawip_socket create_socket_perms;
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
-kernel_read_kernel_sysctl(iptables_t)
-kernel_read_modprobe_sysctl(iptables_t)
+kernel_read_kernel_sysctls(iptables_t)
+kernel_read_modprobe_sysctls(iptables_t)
 kernel_use_fd(iptables_t)
 dev_read_sysfs(iptables_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 1b53bc8..ab4111a 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -59,7 +59,7 @@ allow local_login_t local_login_tmp_t:file create_file_perms;
 files_filetrans_tmp(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
-kernel_read_kernel_sysctl(local_login_t)
+kernel_read_kernel_sysctls(local_login_t)
 dev_setattr_mouse_dev(local_login_t)
 dev_getattr_mouse_dev(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 6c6795f..27b922e 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -72,7 +72,7 @@ allow auditctl_t etc_t:file { getattr read };
 allow auditctl_t auditd_etc_t:file r_file_perms;
-kernel_read_kernel_sysctl(auditctl_t)
+kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 domain_read_all_domains_state(auditctl_t)
@@ -131,7 +131,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(auditd_t,auditd_var_run_t)
-kernel_read_kernel_sysctl(auditd_t)
+kernel_read_kernel_sysctls(auditd_t)
 kernel_list_proc(auditd_t)
 kernel_read_proc_symlinks(auditd_t)
@@ -205,7 +205,7 @@ files_filetrans_pid(klogd_t,klogd_var_run_t)
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
-kernel_read_kernel_sysctl(klogd_t)
+kernel_read_kernel_sysctls(klogd_t)
 # Control syslog and console logging
 kernel_clear_ring_buffer(klogd_t)
 kernel_change_ring_buffer_level(klogd_t)
@@ -294,7 +294,7 @@ allow syslogd_t syslogd_var_run_t:file create_file_perms;
 allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(syslogd_t,syslogd_var_run_t)
-kernel_read_kernel_sysctl(syslogd_t)
+kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
 kernel_read_messages(syslogd_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index b72beaf..47dcf51 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -53,7 +53,7 @@ allow clvmd_t clvmd_var_run_t:file create_file_perms;
 allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(clvmd_t,clvmd_var_run_t)
-kernel_read_kernel_sysctl(clvmd_t)
+kernel_read_kernel_sysctls(clvmd_t)
 kernel_list_proc(clvmd_t)
 kernel_read_proc_symlinks(clvmd_t)
@@ -163,11 +163,11 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
 files_filetrans_etc(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
-kernel_read_kernel_sysctl(lvm_t)
+kernel_read_kernel_sysctls(lvm_t)
 # Read system variables in /proc/sys
-kernel_read_kernel_sysctl(lvm_t)
+kernel_read_kernel_sysctls(lvm_t)
 # it has no reason to need this
-kernel_dontaudit_getattr_core(lvm_t)
+kernel_dontaudit_getattr_core_if(lvm_t)
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index deb0179..fd42f00 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -62,9 +62,9 @@ kernel_read_system_state(insmod_t)
 kernel_mount_debugfs(insmod_t)
 kernel_read_debugfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
-kernel_read_kernel_sysctl(insmod_t)
+kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
-kernel_read_hotplug_sysctl(insmod_t)
+kernel_read_hotplug_sysctls(insmod_t)
 bootloader_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
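Review bot: The lvm.te hunk at -163,11 renames `kernel_read_kernel_sysctl(lvm_t)` twice, so the new side still carries a duplicated `kernel_read_kernel_sysctls(lvm_t)` two lines apart; the rename pass is the natural place to collapse them. Keep the occurrence under `# Read system variables in /proc/sys`, whose comment documents the need, and drop the uncommented one directly after `kernel_read_system_state(lvm_t)`. Duplicate interface calls are harmless to the compiled policy but make later privilege reviews of lvm_t harder to audit.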
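Review bot: In the modutils.te hunk at -62,9 the context line `kernel_rw_kernel_sysctl(insmod_t)` keeps the singular name while the neighbouring read interfaces are pluralized, and every other `kernel_rw_*_sysctl` call this commit touches (rpc.if, zebra.te, init.te, ipsec.te, udev.te, userdomain.if) becomes `kernel_rw_*_sysctls`. If kernel.if renamed that interface as part of the same round, this call will fail to resolve at policy build time; if it did not, the module now mixes two naming conventions for the same sysctl tree. Either way the line should presumably read `kernel_rw_kernel_sysctls(insmod_t)`, to be confirmed against kernel.if, which is not in this chunk.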
@@ -242,7 +242,7 @@ allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;
 files_filetrans_tmp(update_modules_t, update_modules_tmp_t, { file dir })
-kernel_read_kernel_sysctl(update_modules_t)
+kernel_read_kernel_sysctls(update_modules_t)
 kernel_read_system_state(update_modules_t)
 dev_read_urand(update_modules_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index d9299a7..41c2805 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -49,7 +49,7 @@ allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
 files_filetrans_pid(cardmgr_t,cardmgr_var_run_t)
 kernel_read_system_state(cardmgr_t)
-kernel_read_kernel_sysctl(cardmgr_t)
+kernel_read_kernel_sysctls(cardmgr_t)
 kernel_dontaudit_getattr_message_if(cardmgr_t)
 bootloader_search_kernel_modules(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index cd1841c..f700da6 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -27,7 +27,7 @@ allow mdadm_t mdadm_var_run_t:file create_file_perms;
 files_filetrans_pid(mdadm_t,mdadm_var_run_t)
 kernel_read_system_state(mdadm_t)
-kernel_read_kernel_sysctl(mdadm_t)
+kernel_read_kernel_sysctls(mdadm_t)
 kernel_rw_software_raid_state(mdadm_t)
 dev_read_sysfs(mdadm_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 56af088..5854cbc 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -225,7 +225,7 @@ allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
 allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(newrole_t)
-kernel_read_kernel_sysctl(newrole_t)
+kernel_read_kernel_sysctls(newrole_t)
 dev_read_urand(newrole_t)
@@ -319,7 +319,7 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_use_fd(restorecon_t)
-kernel_rw_pipe(restorecon_t)
+kernel_rw_pipes(restorecon_t)
 kernel_read_system_state(restorecon_t)
 # cjp: why is this needed?
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 38bf6bb..6dde0b3 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -88,7 +88,7 @@ allow ifconfig_t dhcpc_t:process sigchld;
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
-kernel_read_kernel_sysctl(dhcpc_t)
+kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fd(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index da2d3d8..9cd4157 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -73,15 +73,15 @@ allow udev_t udev_var_run_t:dir rw_dir_perms;
 files_filetrans_pid(udev_t,udev_var_run_t)
 kernel_read_system_state(udev_t)
-kernel_getattr_core(udev_t)
+kernel_getattr_core_if(udev_t)
 kernel_use_fd(udev_t)
-kernel_read_device_sysctl(udev_t)
-kernel_read_hotplug_sysctl(udev_t)
-kernel_read_modprobe_sysctl(udev_t)
-kernel_read_kernel_sysctl(udev_t)
-kernel_rw_hotplug_sysctl(udev_t)
-kernel_rw_unix_dgram_socket(udev_t)
-kernel_sendto_unix_dgram_socket(udev_t)
+kernel_read_device_sysctls(udev_t)
+kernel_read_hotplug_sysctls(udev_t)
+kernel_read_modprobe_sysctls(udev_t)
+kernel_read_kernel_sysctls(udev_t)
+kernel_rw_hotplug_sysctls(udev_t)
+kernel_rw_unix_dgram_sockets(udev_t)
+kernel_sendto_unix_dgram_sockets(udev_t)
 kernel_signal(udev_t)
 dev_rw_sysfs(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index b04ca52..469fdac 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -142,18 +142,18 @@ template(`base_user_template',`
 allow $1_t unpriv_userdomain:fd use;
- kernel_read_kernel_sysctl($1_t)
+ kernel_read_kernel_sysctls($1_t)
 kernel_dontaudit_list_unlabeled($1_t)
- kernel_dontaudit_getattr_unlabeled_file($1_t)
+ kernel_dontaudit_getattr_unlabeled_files($1_t)
 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
 kernel_dontaudit_getattr_unlabeled_pipes($1_t)
 kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_dev($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_dev($1_t)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
 # Very permissive allowing every domain to see every type:
 kernel_get_sysvipc_info($1_t)
 # Find CDROM devices:
- kernel_read_device_sysctl($1_t)
+ kernel_read_device_sysctls($1_t)
 dev_rw_power_management($1_t)
 # GNOME checks for usb and other devices:
@@ -818,13 +818,13 @@ template(`admin_user_template',`
 kernel_read_system_state($1_t)
 kernel_read_network_state($1_t)
 kernel_read_software_raid_state($1_t)
- kernel_getattr_core($1_t)
+ kernel_getattr_core_if($1_t)
 kernel_getattr_message_if($1_t)
 kernel_change_ring_buffer_level($1_t)
 kernel_clear_ring_buffer($1_t)
 kernel_read_ring_buffer($1_t)
 kernel_get_sysvipc_info($1_t)
- kernel_rw_all_sysctl($1_t)
+ kernel_rw_all_sysctls($1_t)
 # signal unlabeled processes:
 kernel_kill_unlabeled($1_t)
 kernel_signal_unlabeled($1_t)