From 9930e8f125cb4cc849fdca19cf886313091e0833 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Feb 15 2017 14:41:56 +0000
Subject: * Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240
- Dontaudit xdm_t wake_alarm capability2
- Allow systemd_initctl_t to create and connect unix_dgram sockets
- Allow ifconfig_t to mount/unmount nsfs_t filesystem
- Add interfaces allowing mount/unmount nsfs_t filesystem
- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
---
diff --git a/container-selinux.tgz b/container-selinux.tgz
index 4430a42..c34b771 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 550765c..6bdaf0c 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11246,7 +11246,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..e06a46c 100644
+index f962f76..d9660e9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13197,7 +13197,34 @@ index f962f76..e06a46c 100644
')
########################################
-@@ -4012,6 +4908,12 @@ interface(`files_read_kernel_modules',`
+@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',`
+ read_lnk_files_pattern($1, mnt_t, mnt_t)
+ ')
+
++
++########################################
++##
++## Load kernel module files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_load_kernel_modules',`
++ gen_require(`
++ type modules_object_t;
++ ')
++
++ files_read_kernel_modules($1)
++ allow $1 modules_object_t:system module_load;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete symbolic links in /mnt.
+@@ -4012,6 +4928,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
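Review bot: The summary of the new `files_load_kernel_modules` interface (inner hunk `@@ -3921,6 +4817,26 @@`) says only "Load kernel module files.", which understates what it grants. The body gives the caller read access through `files_read_kernel_modules($1)` and also `allow $1 modules_object_t:system module_load;`, so a domain using it can load kernel code from any file labelled modules_object_t. I would spell that out in the summary, for example `## Read kernel module files and load them into the kernel (system module_load on modules_object_t).`, so the privilege is obvious when a caller is added. The interface is also placed between the /mnt symlink interfaces rather than beside `files_read_kernel_modules`, where a reader would look for it. No callers are visible in this hunk, and the neighbouring interfaces start and end outside it.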
@@ -13210,7 +13237,7 @@ index f962f76..e06a46c 100644
')
########################################
-@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,78 +5139,289 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13340,111 +13367,75 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- allow $1 tmp_t:dir search_dir_perms;
++
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit attempts to search the tmp directory (/tmp).
++##
+## Relabel manageable system configuration files in /etc.
- ##
- ##
--##
--## Domain to not audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_search_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-
-- dontaudit $1 tmp_t:dir search_dir_perms;
++
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
- ')
-
--########################################
++')
++
+###################################
- ##
--## Read the tmp directory (/tmp).
++##
+## Create files in /etc with the type used for
+## the manageable system config files.
- ##
- ##
--##
--## Domain allowed access.
--##
++##
++##
+##
+## The type of the process performing this action.
+##
- ##
- #
--interface(`files_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-
-- allow $1 tmp_t:dir list_dir_perms;
++
+ filetrans_pattern($1, etc_t, system_conf_t, file)
- ')
-
--########################################
++')
++
+######################################
- ##
--## Do not audit listing of the tmp directory (/tmp).
++##
+## Manage manageable system db files in /var/lib.
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
--interface(`files_dontaudit_list_tmp',`
-- gen_require(`
-- type tmp_t;
-- ')
++##
++#
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-
-- dontaudit $1 tmp_t:dir list_dir_perms;
++
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
- ')
-
--########################################
++')
++
+#####################################
- ##
--## Remove entries from the tmp directory.
++##
+## File name transition for system db files in /var/lib.
- ##
- ##
++##
++##
+##
+## Domain allowed access.
+##
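Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` both declare `type usr_t;` in `gen_require`, but their only rule operates on `system_conf_t` (`relabelto_files_pattern($1, system_conf_t, system_conf_t)` and `relabelfrom_files_pattern($1, system_conf_t, system_conf_t)`). The require block in each should be `type system_conf_t;`, since usr_t is never used and the type that is actually granted relabel access goes undeclared. The same mismatch appears in the next hunk, where `files_dontaudit_access_check_tmp` requires `type etc_t;` while its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`; that one should require `type tmp_t;`. These lines look carried over by the regeneration of the patch rather than written in this commit, so this is most likely a pre-existing issue worth fixing upstream in files.if.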
@@ -13466,322 +13457,173 @@ index f962f76..e06a46c 100644
+## temporary directory (/tmp).
+##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_delete_tmp_dir_entry',`
++##
++##
++#
+interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
-- allow $1 tmp_t:dir del_entry_dir_perms;
++ gen_require(`
++ type tmp_t;
++ ')
++
+ allow $1 tmp_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Read files in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
- ##
--##
++##
+##
- ##
--## Domain allowed access.
++##
+## Type of the file to associate.
- ##
- ##
- #
--interface(`files_read_generic_tmp_files',`
++##
++##
++#
+interface(`files_associate_rootfs',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type root_t;
- ')
-
-- read_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ allow $1 root_t:filesystem associate;
- ')
-
- ########################################
- ##
--## Manage temporary directories in /tmp.
++')
++
++########################################
++##
+## Get the attributes of the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
- ##
- ##
- #
--interface(`files_manage_generic_tmp_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- manage_dirs_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Manage temporary files and directories in /tmp.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on tmp files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_tmp_files',`
++##
++##
++#
+interface(`files_dontaudit_access_check_tmp',`
- gen_require(`
-- type tmp_t;
++ gen_require(`
+ type etc_t;
- ')
-
-- manage_files_pattern($1, tmp_t, tmp_t)
++ ')
++
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## Read symbolic links in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_tmp_symlinks',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmp_dirs',`
- gen_require(`
- type tmp_t;
- ')
-
-- read_lnk_files_pattern($1, tmp_t, tmp_t)
++ gen_require(`
++ type tmp_t;
++ ')
++
+ dontaudit $1 tmp_t:dir getattr;
- ')
-
- ########################################
- ##
--## Read and write generic named sockets in the tmp directory (/tmp).
++')
++
++########################################
++##
+## Search the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
- ##
- ##
- #
--interface(`files_rw_generic_tmp_sockets',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_search_tmp',`
gen_require(`
type tmp_t;
')
-- rw_sock_files_pattern($1, tmp_t, tmp_t)
+ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of all tmp directories.
-+## Do not audit attempts to search the tmp directory (/tmp).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_all_tmp_dirs',`
-+interface(`files_dontaudit_search_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir { search_dir_perms setattr };
-+ dontaudit $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:dir search_dir_perms;
')
- ########################################
- ##
--## List all tmp directories.
-+## Read the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
- ##
- ##
- #
--interface(`files_list_all_tmp',`
-+interface(`files_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+@@ -4325,6 +5458,7 @@ interface(`files_list_tmp',`
+ type tmp_t;
')
-- allow $1 tmpfile:dir list_dir_perms;
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
-+ allow $1 tmp_t:dir list_dir_perms;
+ allow $1 tmp_t:dir list_dir_perms;
')
- ########################################
- ##
--## Relabel to and from all temporary
--## directory types.
-+## Do not audit listing of the tmp directory (/tmp).
+@@ -4334,7 +5468,7 @@ interface(`files_list_tmp',`
##
##
##
--## Domain allowed access.
+-## Domain not to audit.
+## Domain to not audit.
##
##
--##
#
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_dontaudit_list_tmp',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ dontaudit $1 tmp_t:dir list_dir_perms;
+@@ -4346,6 +5480,25 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
')
--########################################
+#######################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
++##
+## Allow read and write to the tmp directory (/tmp).
- ##
- ##
--##
--## Domain not to audit.
--##
++##
++##
+##
+## Domain not to audit.
+##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-- gen_require(`
-- attribute tmpfile;
-- ')
++##
++#
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
-
-- dontaudit $1 tmpfile:file getattr;
++
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
- ')
-
++')
++
########################################
##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Remove entries from the tmp directory.
- ##
- ##
- ##
-@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
- ##
- ##
- #
--interface(`files_getattr_all_tmp_files',`
-+interface(`files_delete_tmp_dir_entry',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
+ ## Remove entries from the tmp directory.
+@@ -4361,6 +5514,7 @@ interface(`files_delete_tmp_dir_entry',`
+ type tmp_t;
')
-- allow $1 tmpfile:file getattr;
+ files_search_tmp($1)
-+ allow $1 tmp_t:dir del_entry_dir_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all temporary
--## file types.
-+## Read files in the tmp directory (/tmp).
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_files',`
-+interface(`files_read_generic_tmp_files',`
- gen_require(`
-- attribute tmpfile;
-- type var_t;
-+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_files_pattern($1, tmpfile, tmpfile)
-+ read_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir del_entry_dir_perms;
')
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp sock_file.
-+## Manage temporary directories in /tmp.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
-+interface(`files_manage_generic_tmp_dirs',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- dontaudit $1 tmpfile:sock_file getattr;
-+ manage_dirs_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4402,6 +5556,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
--## Read all tmp files.
+## Allow shared library text relocations in tmp files.
- ##
++##
+##
+##
+## Allow shared library text relocations in tmp files.
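Review bot: The parameter description for `files_rw_generic_tmp_dir` reads "Domain not to audit.", but the interface is an allow interface: it calls `files_search_tmp($1)` and then `allow $1 tmp_t:dir rw_dir_perms;`. The description should be `## Domain allowed access.`, as on the other allow interfaces in this file. The difference matters to anyone auditing callers, because a dontaudit interface only suppresses denial logging while this one grants add/remove-entry access on the /tmp directory. The line appears to be carried over unchanged by the patch regeneration, so the fix belongs in the underlying files.if.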
@@ -13790,2365 +13632,109 @@ index f962f76..e06a46c 100644
+## This is added to support java policy.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`files_read_all_tmp_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_execmod_tmp',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- read_files_pattern($1, tmpfile, tmpfile)
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:file execmod;
- ')
-
- ########################################
- ##
--## Create an object in the tmp directories, with a private
--## type using a type transition.
-+## Manage temporary files and directories in /tmp.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_tmp_filetrans',`
-+interface(`files_manage_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
-- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ manage_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Delete the contents of /tmp.
-+## Read symbolic links in the tmp directory (/tmp).
- ##
- ##
- ##
-@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
- ##
- ##
- #
--interface(`files_purge_tmp',`
-+interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
-- attribute tmpfile;
-+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
-- delete_dirs_pattern($1, tmpfile, tmpfile)
-- delete_files_pattern($1, tmpfile, tmpfile)
-- delete_lnk_files_pattern($1, tmpfile, tmpfile)
-- delete_fifo_files_pattern($1, tmpfile, tmpfile)
-- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Set the attributes of the /usr directory.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++')
++
++########################################
++##
+ ## Manage temporary files and directories in /tmp.
##
##
- ##
-@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
- ##
- ##
- #
--interface(`files_setattr_usr_dirs',`
-+interface(`files_rw_generic_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir setattr;
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
- ')
+@@ -4456,6 +5636,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
--## Search the content of /usr.
+## Relabel a dir from the type used in /tmp.
- ##
- ##
- ##
-@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
- ##
- ##
- #
--interface(`files_search_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_dirs',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir search_dir_perms;
++ ')
++
+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## List the contents of generic
--## directories in /usr.
++')
++
++########################################
++##
+## Relabel a file from the type used in /tmp.
- ##
- ##
- ##
-@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
- ##
- ##
- #
--interface(`files_list_usr',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- type usr_t;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
++ ')
++
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ##
--## Do not audit write of /usr dirs
-+## Set the attributes of all tmp directories.
++')
++
++########################################
++##
+ ## Set the attributes of all tmp directories.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
+@@ -4474,6 +5690,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
--## Add and remove entries from /usr directories.
+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
-@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
- ##
- ##
- #
--interface(`files_rw_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to add and remove
--## entries from /usr directories.
-+## Allow caller to append inherited tmp files.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic directories in /usr in the caller domain.
-+## Allow caller to read and write inherited tmp files.
- ##
- ##
- ##
-@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Delete generic files in /usr in the caller domain.
-+## List all tmp directories.
- ##
- ##
- ##
-@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
- ##
- ##
- #
--interface(`files_delete_usr_files',`
-+interface(`files_list_all_tmp',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr.
-+## Relabel to and from all temporary
-+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_getattr_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- getattr_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Read generic files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
- ##
--##
--##
--## Allow the specified domain to read generic
--## files in /usr. These files are various program
--## files that do not have more specific SELinux types.
--## Some examples of these files are:
--##
--##
--## - /usr/include/*
--## - /usr/share/doc/*
--## - /usr/share/info/*
--##
--##
--## Generally, it is safe for many domains to have
--## this access.
--##
--##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- read_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## Execute generic programs in /usr in the caller domain.
-+## Allow attempts to get the attributes
-+## of all tmp files.
- ##
- ##
- ##
-@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
- ##
- ##
- #
--interface(`files_exec_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- allow $1 usr_t:dir list_dir_perms;
-- exec_files_pattern($1, usr_t, usr_t)
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
- ')
-
- ########################################
- ##
--## dontaudit write of /usr files
-+## Relabel to and from all temporary
-+## file types.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_write_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
-+ type var_t;
- ')
-
-- dontaudit $1 usr_t:file write;
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /usr directory.
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_sockets',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- manage_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:sock_file getattr;
- ')
-
- ########################################
- ##
--## Relabel a file to the type used in /usr.
-+## Read all tmp files.
- ##
- ##
- ##
-@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
- ##
- ##
- #
--interface(`files_relabelto_usr_files',`
-+interface(`files_read_all_tmp_files',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelto_files_pattern($1, usr_t, usr_t)
-+ read_files_pattern($1, tmpfile, tmpfile)
- ')
-
- ########################################
- ##
--## Relabel a file from the type used in /usr.
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_relabelfrom_usr_files',`
-+interface(`files_dontaudit_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- relabelfrom_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links in /usr.
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_usr_symlinks',`
-+interface(`files_rw_tmp_file_leaks',`
- gen_require(`
-- type usr_t;
-+ attribute tmpfile;
- ')
-
-- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create objects in the /usr directory
-+## Create an object in the tmp directories, with a private
-+## type using a type transition.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
- ##
--## The type of the object to be created
-+## The type of the object to be created.
- ##
- ##
--##
-+##
- ##
--## The object class.
-+## The object class of the object being created.
- ##
- ##
- ##
-@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
- ##
- ##
- #
--interface(`files_usr_filetrans',`
-+interface(`files_tmp_filetrans',`
- gen_require(`
-- type usr_t;
-+ type tmp_t;
- ')
-
-- filetrans_pattern($1, usr_t, $2, $3, $4)
-+ filetrans_pattern($1, tmp_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search /usr/src.
-+## Delete the contents of /tmp.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_src',`
-+interface(`files_purge_tmp',`
- gen_require(`
-- type src_t;
-+ attribute tmpfile;
- ')
-
-- dontaudit $1 src_t:dir search_dir_perms;
-+ allow $1 tmpfile:dir list_dir_perms;
-+ delete_dirs_pattern($1, tmpfile, tmpfile)
-+ delete_files_pattern($1, tmpfile, tmpfile)
-+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
-+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
-+ delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
- ')
-
- ########################################
- ##
--## Get the attributes of files in /usr/src.
-+## Set the attributes of the /usr directory.
- ##
- ##
- ##
-@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
- ##
- ##
- #
--interface(`files_getattr_usr_src_files',`
-+interface(`files_setattr_usr_dirs',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- getattr_files_pattern($1, src_t, src_t)
--
-- # /usr/src/linux symlink:
-- read_lnk_files_pattern($1, usr_t, src_t)
-+ allow $1 usr_t:dir setattr;
- ')
-
- ########################################
- ##
--## Read files in /usr/src.
-+## Search the content of /usr.
- ##
- ##
- ##
-@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
- ##
- ##
- #
--interface(`files_read_usr_src_files',`
-+interface(`files_search_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
- allow $1 usr_t:dir search_dir_perms;
-- read_files_pattern($1, { usr_t src_t }, src_t)
-- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-- allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Execute programs in /usr/src in the caller domain.
-+## List the contents of generic
-+## directories in /usr.
- ##
- ##
- ##
-@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
- ##
- ##
- #
--interface(`files_exec_usr_src_files',`
-+interface(`files_list_usr',`
- gen_require(`
-- type usr_t, src_t;
-+ type usr_t;
- ')
-
-- list_dirs_pattern($1, usr_t, src_t)
-- exec_files_pattern($1, src_t, src_t)
-- read_lnk_files_pattern($1, src_t, src_t)
-+ allow $1 usr_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Install a system.map into the /boot directory.
-+## Do not audit write of /usr dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_kernel_symbol_table',`
-+interface(`files_dontaudit_write_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-- allow $1 system_map_t:file { create_file_perms rw_file_perms };
-+ dontaudit $1 usr_t:dir write;
- ')
-
- ########################################
- ##
--## Read system.map in the /boot directory.
-+## Add and remove entries from /usr directories.
- ##
- ##
- ##
-@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_read_kernel_symbol_table',`
-+interface(`files_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- read_files_pattern($1, boot_t, system_map_t)
-+ allow $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Delete a system.map in the /boot directory.
-+## Do not audit attempts to add and remove
-+## entries from /usr directories.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_delete_kernel_symbol_table',`
-+interface(`files_dontaudit_rw_usr_dirs',`
- gen_require(`
-- type boot_t, system_map_t;
-+ type usr_t;
- ')
-
-- allow $1 boot_t:dir list_dir_perms;
-- delete_files_pattern($1, boot_t, system_map_t)
-+ dontaudit $1 usr_t:dir rw_dir_perms;
- ')
-
- ########################################
- ##
--## Search the contents of /var.
-+## Delete generic directories in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
- ##
- ##
- #
--interface(`files_search_var',`
-+interface(`files_delete_usr_dirs',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to /var.
-+## Delete generic files in /usr in the caller domain.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_write_var_dirs',`
-+interface(`files_delete_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir write;
-+ delete_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Allow attempts to write to /var.dirs
-+## Get the attributes of files in /usr.
- ##
- ##
- ##
-@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
- ##
- ##
- #
--interface(`files_write_var_dirs',`
-+interface(`files_getattr_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir write;
-+ getattr_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to search
--## the contents of /var.
-+## Read generic files in /usr.
- ##
-+##
-+##
-+## Allow the specified domain to read generic
-+## files in /usr. These files are various program
-+## files that do not have more specific SELinux types.
-+## Some examples of these files are:
-+##
-+##
-+## - /usr/include/*
-+## - /usr/share/doc/*
-+## - /usr/share/info/*
-+##
-+##
-+## Generally, it is safe for many domains to have
-+## this access.
-+##
-+##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_var',`
-+interface(`files_read_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:dir search_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ read_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## List the contents of /var.
-+## Execute generic programs in /usr in the caller domain.
- ##
- ##
- ##
-@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
- ##
- ##
- #
--interface(`files_list_var',`
-+interface(`files_exec_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir list_dir_perms;
-+ allow $1 usr_t:dir list_dir_perms;
-+ exec_files_pattern($1, usr_t, usr_t)
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete directories
--## in the /var directory.
-+## dontaudit write of /usr files
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_var_dirs',`
-+interface(`files_dontaudit_write_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- allow $1 var_t:dir manage_dir_perms;
-+ dontaudit $1 usr_t:file write;
- ')
-
- ########################################
- ##
--## Read files in the /var directory.
-+## Create, read, write, and delete files in the /usr directory.
- ##
- ##
- ##
-@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
- ##
- ##
- #
--interface(`files_read_var_files',`
-+interface(`files_manage_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- read_files_pattern($1, var_t, var_t)
-+ manage_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Append files in the /var directory.
-+## Relabel a file to the type used in /usr.
- ##
- ##
- ##
-@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
- ##
- ##
- #
--interface(`files_append_var_files',`
-+interface(`files_relabelto_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- append_files_pattern($1, var_t, var_t)
-+ relabelto_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Read and write files in the /var directory.
-+## Relabel a file from the type used in /usr.
- ##
- ##
- ##
-@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
- ##
- ##
- #
--interface(`files_rw_var_files',`
-+interface(`files_relabelfrom_usr_files',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- rw_files_pattern($1, var_t, var_t)
-+ relabelfrom_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read and write
--## files in the /var directory.
-+## Read symbolic links in /usr.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_read_usr_symlinks',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- dontaudit $1 var_t:file rw_file_perms;
-+ read_lnk_files_pattern($1, usr_t, usr_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files in the /var directory.
-+## Create objects in the /usr directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_var_files',`
-+interface(`files_usr_filetrans',`
- gen_require(`
-- type var_t;
-+ type usr_t;
- ')
-
-- manage_files_pattern($1, var_t, var_t)
-+ filetrans_pattern($1, usr_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read symbolic links in the /var directory.
-+## Do not audit attempts to search /usr/src.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_dontaudit_search_src',`
- gen_require(`
-- type var_t;
-+ type src_t;
- ')
-
-- read_lnk_files_pattern($1, var_t, var_t)
-+ dontaudit $1 src_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete symbolic
--## links in the /var directory.
-+## Get the attributes of files in /usr/src.
- ##
- ##
- ##
-@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
- ##
- ##
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_getattr_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- manage_lnk_files_pattern($1, var_t, var_t)
-+ getattr_files_pattern($1, src_t, src_t)
-+
-+ # /usr/src/linux symlink:
-+ read_lnk_files_pattern($1, usr_t, src_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var directory
-+## Read files in /usr/src.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_filetrans',`
-+interface(`files_read_usr_src_files',`
- gen_require(`
-- type var_t;
-+ type usr_t, src_t;
- ')
-
-- filetrans_pattern($1, var_t, $2, $3, $4)
-+ allow $1 usr_t:dir search_dir_perms;
-+ read_files_pattern($1, { usr_t src_t }, src_t)
-+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+ allow $1 src_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of the /var/lib directory.
-+## Execute programs in /usr/src in the caller domain.
- ##
- ##
- ##
-@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
- ##
- ##
- #
--interface(`files_getattr_var_lib_dirs',`
-+interface(`files_exec_usr_src_files',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type usr_t, src_t;
- ')
-
-- getattr_dirs_pattern($1, var_t, var_lib_t)
-+ list_dirs_pattern($1, usr_t, src_t)
-+ exec_files_pattern($1, src_t, src_t)
-+ read_lnk_files_pattern($1, src_t, src_t)
- ')
-
- ########################################
- ##
--## Search the /var/lib directory.
-+## Install a system.map into the /boot directory.
- ##
--##
--##
--## Search the /var/lib directory. This is
--## necessary to access files or directories under
--## /var/lib that have a private type. For example, a
--## domain accessing a private library file in the
--## /var/lib directory:
--##
--##
--## allow mydomain_t mylibfile_t:file read_file_perms;
--## files_search_var_lib(mydomain_t)
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
- ##
- ##
- ##
- ## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type system_map_t;
- ')
-
-- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
- ')
-
- ########################################
- ##
--## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
- ##
- ##
- #
--interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
- ')
-
--###########################################
-+########################################
- ##
--## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
- ##
- ##
- ##
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
- ##
- ##
- #
--interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
- gen_require(`
-- type var_lib_t;
-+ type boot_t, system_map_t;
- ')
-
-- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
- ')
-
- ########################################
- ##
--## Create objects in the /var/lib directory
-+## Search the contents of /var.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created
--##
--##
--##
--##
--## The object class.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_lib_t:dir list_dir_perms;
-- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
- ')
-
- ########################################
- ##
--## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
- ##
- ##
- ##
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
- ##
- ##
- #
--interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
- ')
-
--# cjp: the next two interfaces really need to be fixed
--# in some way. They really neeed their own types.
--
- ########################################
- ##
--## Create, read, write, and delete the
--## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Allow domain to manage mount tables
--## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
- ##
- ##
- ##
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
- ##
- ##
- #
--interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
- gen_require(`
-- type var_t, var_lib_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
- ##
- ##
- ##
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
- ##
- ##
- #
--interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search the
--## locks directory (/var/lock).
-+## Read files in the /var directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
- gen_require(`
-- type var_lock_t;
-+ type var_t;
- ')
-
-- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## List generic lock directories.
-+## Append files in the /var directory.
- ##
- ##
- ##
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
- ##
- ##
- #
--interface(`files_list_locks',`
-+interface(`files_append_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Add and remove entries in the /var/lock
--## directories.
-+## Read and write files in the /var directory.
- ##
- ##
- ##
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
- ##
- ##
- #
--interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
- ##
- ##
--##
--## Domain allowed access
-+##
-+## Domain to not audit.
- ##
- ##
- #
--interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ manage_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## lock files.
-+## Create objects in the /var directory
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
- #
--interface(`files_manage_generic_locks',`
-+interface(`files_var_filetrans',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
-+ filetrans_pattern($1, var_t, $2, $3, $4)
- ')
-
-+
- ########################################
- ##
--## Delete all lock files.
-+## Relabel dirs in the /var directory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_locks',`
-+interface(`files_relabel_var_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
-+ allow $1 var_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ##
--## Read all lock files.
-+## Get the attributes of the /var/lib directory.
- ##
- ##
- ##
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
- ##
- ##
- #
--interface(`files_read_all_locks',`
-+interface(`files_getattr_var_lib_dirs',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ getattr_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Search the /var/lib directory.
- ##
-+##
-+##
-+## Search the /var/lib directory. This is
-+## necessary to access files or directories under
-+## /var/lib that have a private type. For example, a
-+## domain accessing a private library file in the
-+## /var/lib directory:
-+##
-+##
-+## allow mydomain_t mylibfile_t:file read_file_perms;
-+## files_search_var_lib(mydomain_t)
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_search_var_lib',`
- gen_require(`
-- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t, var_lib_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
-+ search_dirs_pattern($1, var_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Create an object in the locks directory, with a private
--## type using a type transition.
-+## Do not audit attempts to search the
-+## contents of /var/lib.
- ##
- ##
- ##
--## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
-+## Domain to not audit.
- ##
- ##
-+##
- #
--interface(`files_lock_filetrans',`
-+interface(`files_dontaudit_search_var_lib',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
-+ dontaudit $1 var_lib_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
-+## List the contents of the /var/lib directory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_pid_dirs',`
-+interface(`files_list_var_lib',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
-+ list_dirs_pattern($1, var_t, var_lib_t)
- ')
-
--########################################
-+###########################################
- ##
--## Set the attributes of the /var/run directory.
-+## Read-write /var/lib directories
- ##
- ##
- ##
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_setattr_pid_dirs',`
-+interface(`files_rw_var_lib_dirs',`
- gen_require(`
-- type var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
-+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
- ')
-
- ########################################
- ##
--## Search the contents of runtime process
--## ID directories (/var/run).
-+## Create directories in /var/lib
- ##
- ##
- ##
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
- ##
- ##
- #
--interface(`files_search_pids',`
-+interface(`files_create_var_lib_dirs',`
- gen_require(`
-- type var_t, var_run_t;
-+ type var_lib_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
- ')
-
-+
- ########################################
- ##
--## Do not audit attempts to search
--## the /var/run directory.
-+## Create objects in the /var/lib directory
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created
-+##
-+##
-+##
-+##
-+## The object class.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
-+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_run_t;
-+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
-+## Read generic files in /var/lib.
- ##
- ##
- ##
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
-+interface(`files_read_var_lib_files',`
- gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_lib_t:dir list_dir_perms;
-+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## Read generic symbolic links in /var/lib
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_var_lib_symlinks',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+')
-+
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
-+# cjp: the next two interfaces really need to be fixed
-+# in some way. They really neeed their own types.
-+
-+########################################
-+##
-+## Create, read, write, and delete the
-+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_urandom_seed',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+
-+########################################
-+##
-+## Relabel to dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelto_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabelto;
-+')
-+
-+
-+########################################
-+##
-+## Relabel dirs in the /var/lib directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+ allow $1 var_lib_t:dir relabel_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow domain to manage mount tables
-+## necessary for rpcd, nfsd, etc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_mounttab',`
-+ gen_require(`
-+ type var_t, var_lib_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
-+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Search the locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search the
-+## locks directory (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_lock_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ allow $1 var_lock_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Add and remove entries in the /var/lock
-+## directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ rw_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create lock directories
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`files_create_lock_dirs',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ create_dirs_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_dirs',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Relabel to and from all lock file types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabel_all_lock_files',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Get the attributes of generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 var_lock_t:dir list_dir_perms;
-+ getattr_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_files_pattern($1, var_lock_t, var_lock_t)
-+')
-+
-+########################################
-+##
-+## Delete all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ delete_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Read all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_all_locks',`
-+ gen_require(`
-+ attribute lockfile;
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
-+ manage_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Create an object in the locks directory, with a private
-+## type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
+#
-+interface(`files_lock_filetrans',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
-+ type var_t, var_lock_t;
++ attribute tmpfile;
+ ')
+
-+ files_search_locks($1)
-+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of the /var/run directory.
++## Allow caller to append inherited tmp files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
-+ type var_run_t;
++ attribute tmpfile;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir getattr;
++ allow $1 tmpfile:file append_inherited_file_perms;
+')
+
+########################################
+##
-+## Set the attributes of the /var/run directory.
++## Allow caller to read and write inherited tmp files.
+##
+##
+##
@@ -16156,77 +13742,117 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_setattr_pid_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
-+ type var_run_t;
++ attribute tmpfile;
+ ')
+
-+ files_search_pids($1)
-+ allow $1 var_run_t:dir setattr;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Search the contents of runtime process
-+## ID directories (/var/run).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ## List all tmp directories.
+ ##
+ ##
+@@ -4519,7 +5789,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4579,7 +5849,7 @@ interface(`files_relabel_all_tmp_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4611,15 +5881,53 @@ interface(`files_read_all_tmp_files',`
+
+ ########################################
+ ##
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+-##
+#
-+interface(`files_search_pids',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
-+ type var_t, var_run_t;
++ attribute tmpfile;
+ ')
+
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
-+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ search_dirs_pattern($1, var_t, var_run_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
+')
+
-+######################################
++########################################
+##
-+## Add and remove entries from pid directories.
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain to not audit.
++##
+##
+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
++interface(`files_rw_tmp_file_leaks',`
++ gen_require(`
++ attribute tmpfile;
++ ')
+
-+ allow $1 var_run_t:dir rw_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
-+#######################################
++########################################
+##
-+## Create generic pid directory.
++## Create an object in the tmp directories, with a private
++## type using a type transition.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search
-+## the /var/run directory.
++##
+ ##
+ ## The type of the object to be created.
+ ##
+@@ -4664,6 +5972,16 @@ interface(`files_purge_tmp',`
+ delete_lnk_files_pattern($1, tmpfile, tmpfile)
+ delete_fifo_files_pattern($1, tmpfile, tmpfile)
+ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
+ ')
+
+ ########################################
+@@ -5112,6 +6430,24 @@ interface(`files_create_kernel_symbol_table',`
+
+ ########################################
+ ##
++## Dontaudit getattr attempts on the system.map file
+##
+##
+##
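Review bot: The documentation of files_rw_tmp_file_leaks contradicts its rule: the summary reads "Do allow attempts" and the parameter description says `Domain to not audit.`, yet the interface emits `allow $1 tmpfile:file rw_inherited_file_perms;`, so a policy author relying on the generated docs could grant read/write on every tmpfile-typed file while believing they are only silencing denials. I would change the parameter description to `Domain allowed access.` and the summary to `Allow read and write of all leaked tmp files.` The same allow/dontaudit confusion appears further down this patch: files_search_all_pids and files_delete_tmpfs_files are allow interfaces documented with `Domain to not audit.`, and files_dontaudit_getattr_tmpfs_files is named and documented as a dontaudit but emits `allow $1 tmpfsfile:file getattr;`, which looks like it should be `dontaudit $1 tmpfsfile:file getattr;`. That last one changes what callers are actually granted, so its existing callers should be checked before it is corrected.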
@@ -16234,19 +13860,24 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_dontaudit_search_pids',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
+ gen_require(`
-+ type var_run_t;
++ type system_map_t;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 var_run_t:dir search_dir_perms;
++ dontaudit $1 system_map_t:file getattr;
+')
+
+########################################
+##
-+## Do not audit attempts to search
-+## the all /var/run directory.
+ ## Read system.map in the /boot directory.
+ ##
+ ##
+@@ -5241,6 +6577,24 @@ interface(`files_list_var',`
+
+ ########################################
+ ##
++## Do not audit listing of the var directory (/var).
+##
+##
+##
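Review bot: The interface name `files_dontaduit_getattr_kernel_symbol_table` is misspelled ("dontaduit"), so a module that calls the conventionally spelled `files_dontaudit_getattr_kernel_symbol_table` will not resolve to this definition. Existing callers may already depend on the misspelled name, so I would define the interface under the correct spelling and keep the old name as a thin wrapper that calls it, rather than renaming in place. The summary comment for this interface sits at the end of the previous hunk, so the doc block starts outside this one.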
@@ -16254,36 +13885,58 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_dontaudit_search_all_pids',`
++interface(`files_dontaudit_list_var',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t;
+ ')
+
-+ dontaudit $1 pidfile:dir search_dir_perms;
++ dontaudit $1 var_t:dir list_dir_perms;
+')
+
+########################################
+##
-+## Allow search the all /var/run directory.
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
+ ##
+@@ -5328,7 +6682,7 @@ interface(`files_dontaudit_rw_var_files',`
+ type var_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+@@ -5419,6 +6773,24 @@ interface(`files_var_filetrans',`
+ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
++
++########################################
++##
++## Relabel dirs in the /var directory.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_search_all_pids',`
++interface(`files_relabel_var_dirs',`
+ gen_require(`
-+ attribute pidfile;
++ type var_t;
+ ')
-+
-+ allow $1 pidfile:dir search_dir_perms;
++ allow $1 var_t:dir relabel_dir_perms;
+')
+
-+########################################
-+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
+ ########################################
+ ##
+ ## Get the attributes of the /var/lib directory.
+@@ -5527,6 +6899,25 @@ interface(`files_rw_var_lib_dirs',`
+
+ ########################################
+ ##
++## Create directories in /var/lib
+##
+##
+##
@@ -16291,18 +13944,28 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_list_pids',`
++interface(`files_create_var_lib_dirs',`
+ gen_require(`
-+ type var_t, var_run_t;
++ type var_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
++ allow $1 var_lib_t:dir { create rw_dir_perms };
+')
+
++
++########################################
++##
+ ## Create objects in the /var/lib directory
+ ##
+ ##
+@@ -5596,6 +6987,25 @@ interface(`files_read_var_lib_symlinks',`
+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+########################################
+##
-+## Read generic process ID files.
++## manage generic symbolic links
++## in the /var/lib directory.
+##
+##
+##
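Review bot: files_create_var_lib_dirs is documented as "Create directories in /var/lib" but grants `{ create rw_dir_perms }` on var_lib_t:dir, which is wider than creation needs if rw_dir_perms carries its usual reference-policy meaning (it normally includes remove_name and read as well as add_name). rw_dir_perms is defined outside this hunk, so that is an assumption to confirm. If it holds, `allow $1 var_lib_t:dir { create_dir_perms add_entry_dir_perms };` would cover creating a subdirectory without also letting the caller remove entries from /var/lib. Otherwise the summary should state that the interface also allows reading and modifying the directory.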
@@ -16310,19 +13973,25 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_read_generic_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
-+ type var_t, var_run_t;
++ type var_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ read_files_pattern($1, var_run_t, var_run_t)
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
+')
+
+ # cjp: the next two interfaces really need to be fixed
+ # in some way. They really neeed their own types.
+
+@@ -5619,6 +7029,42 @@ interface(`files_manage_urandom_seed',`
+ manage_files_pattern($1, var_lib_t, var_lib_t)
+ ')
+
++
+########################################
+##
-+## Write named generic process ID pipes
++## Relabel to dirs in the /var/lib directory.
+##
+##
+##
@@ -16330,102 +13999,157 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_write_generic_pid_pipes',`
++interface(`files_relabelto_var_lib_dirs',`
+ gen_require(`
-+ type var_run_t;
++ type var_lib_t;
+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_run_t:fifo_file write;
++ allow $1 var_lib_t:dir relabelto;
+')
+
++
+########################################
+##
-+## Create an object in the process ID directory, with a private type.
++## Relabel dirs in the /var/lib directory.
+##
-+##
-+##
-+## Create an object in the process ID directory (e.g., /var/run)
-+## with a private type. Typically this is used for creating
-+## private PID files in /var/run with the private type instead
-+## of the general PID file type. To accomplish this goal,
-+## either the program must be SELinux-aware, or use this interface.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+## - files_pid_file()
-+##
-+##
-+## Example usage with a domain that can create and
-+## write its PID file with a private PID file type in the
-+## /var/run directory:
-+##
-+##
-+## type mypidfile_t;
-+## files_pid_file(mypidfile_t)
-+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
-+## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+##
-+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+##
+#
-+interface(`files_pid_filetrans',`
++interface(`files_relabel_var_lib_dirs',`
+ gen_require(`
-+ type var_t, var_run_t;
++ type var_lib_t;
+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_run_t, $2, $3, $4)
++ allow $1 var_lib_t:dir relabel_dir_perms;
+')
+
-+########################################
-+##
-+## Create a generic lock directory within the run directories
+ ########################################
+ ##
+ ## Allow domain to manage mount tables
+@@ -5641,7 +7087,7 @@ interface(`files_manage_mounttab',`
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## List generic lock directories.
+ ##
+ ##
+ ##
+@@ -5649,12 +7095,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_list_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5672,6 +7119,7 @@ interface(`files_search_locks',`
+ type var_t, var_lock_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_lock_t)
+ ')
+@@ -5698,7 +7146,26 @@ interface(`files_dontaudit_search_locks',`
+
+ ########################################
+ ##
+-## List generic lock directories.
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
+##
+##
-+##
-+## Domain allowed access
-+##
-+##
-+##
+##
-+## The name of the object being created.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_pid_filetrans_lock_dir',`
++interface(`files_dontaudit_rw_inherited_locks',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
-+ files_pid_filetrans($1, var_lock_t, dir, $2)
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## rw generic pid files inherited from another process
++## Set the attributes of the /var/lock directory.
+ ##
+ ##
+ ##
+@@ -5706,13 +7173,12 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
++interface(`files_setattr_lock_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_lock_t:dir setattr;
+ ')
+
+ ########################################
+@@ -5731,7 +7197,7 @@ interface(`files_rw_lock_dirs',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ rw_dirs_pattern($1, var_t, var_lock_t)
+ ')
+
+@@ -5764,7 +7230,6 @@ interface(`files_create_lock_dirs',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+@@ -5779,7 +7244,7 @@ interface(`files_relabel_all_lock_dirs',`
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
++## Relabel to and from all lock file types.
+ ##
+ ##
+ ##
+@@ -5787,13 +7252,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_relabel_all_lock_files',`
+ gen_require(`
++ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
+##
+##
+##
@@ -16433,38 +14157,138 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_rw_inherited_generic_pid_files',`
++interface(`files_getattr_generic_locks',`
+ gen_require(`
-+ type var_run_t;
++ type var_t, var_lock_t;
+ ')
+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
++ files_search_locks($1)
+ allow $1 var_lock_t:dir list_dir_perms;
+ getattr_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+@@ -5809,13 +7294,12 @@ interface(`files_getattr_generic_locks',`
+ ##
+ #
+ interface(`files_delete_generic_locks',`
+- gen_require(`
++ gen_require(`
+ type var_t, var_lock_t;
+- ')
++ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+ ########################################
+@@ -5834,9 +7318,7 @@ interface(`files_manage_generic_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
++ files_search_locks($1)
+ manage_files_pattern($1, var_lock_t, var_lock_t)
+ ')
+
+@@ -5878,8 +7360,7 @@ interface(`files_read_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5901,8 +7382,7 @@ interface(`files_manage_all_locks',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
++ files_search_locks($1)
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
+ manage_lnk_files_pattern($1, lockfile, lockfile)
+@@ -5939,8 +7419,7 @@ interface(`files_lock_filetrans',`
+ type var_t, var_lock_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ files_search_locks($1)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ ')
+
+@@ -5979,7 +7458,7 @@ interface(`files_setattr_pid_dirs',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:dir setattr;
+ ')
+
+@@ -5999,10 +7478,48 @@ interface(`files_search_pids',`
+ type var_t, var_run_t;
+ ')
+
++ allow $1 var_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ search_dirs_pattern($1, var_t, var_run_t)
+ ')
+
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
+')
+
-+########################################
++#######################################
+##
-+## Read and write generic process ID files.
++## Create generic pid directory.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`files_rw_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
+
-+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+ rw_files_pattern($1, var_run_t, var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
+')
+
-+########################################
-+##
-+## Do not audit attempts to get the attributes of
-+## daemon runtime data files.
+ ########################################
+ ##
+ ## Do not audit attempts to search
+@@ -6025,6 +7542,43 @@ interface(`files_dontaudit_search_pids',`
+
+ ########################################
+ ##
++## Do not audit attempts to search
++## the all /var/run directory.
+##
+##
+##
@@ -16472,19 +14296,17 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_dontaudit_getattr_all_pids',`
++interface(`files_dontaudit_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
-+ type var_run_t;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file getattr;
++ dontaudit $1 pidfile:dir search_dir_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to write to daemon runtime data files.
++## Allow search the all /var/run directory.
+##
+##
+##
@@ -16492,37 +14314,101 @@ index f962f76..e06a46c 100644
+##
+##
+#
-+interface(`files_dontaudit_write_all_pids',`
++interface(`files_search_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file write;
++ allow $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6039,7 +7593,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ ')
+
+@@ -6058,7 +7612,7 @@ interface(`files_read_generic_pids',`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ read_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6078,7 +7632,7 @@ interface(`files_write_generic_pid_pipes',`
+ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
+ allow $1 var_run_t:fifo_file write;
+ ')
+
+@@ -6140,7 +7694,6 @@ interface(`files_pid_filetrans',`
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
+ ')
+
+@@ -6169,7 +7722,7 @@ interface(`files_pid_filetrans_lock_dir',`
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
++## rw generic pid files inherited from another process
+ ##
+ ##
+ ##
+@@ -6177,12 +7730,30 @@ interface(`files_pid_filetrans_lock_dir',`
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
++interface(`files_rw_inherited_generic_pid_files',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to ioctl daemon runtime data files.
++## Read and write generic process ID files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaudit_ioctl_all_pids',`
++interface(`files_rw_generic_pids',`
+ gen_require(`
-+ attribute pidfile;
-+ type var_run_t;
++ type var_t, var_run_t;
+ ')
+
-+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-+ dontaudit $1 pidfile:file ioctl;
-+')
-+
-+########################################
-+##
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+ rw_files_pattern($1, var_run_t, var_run_t)
+ ')
+@@ -6249,6 +7820,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+
+ ########################################
+ ##
+## Relable all pid directories
+##
+##
@@ -16633,23 +14519,20 @@ index f962f76..e06a46c 100644
+
+########################################
+##
-+## Read all process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_read_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
+ ## Read all process ID files.
+ ##
+ ##
+@@ -6261,12 +7942,105 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ type var_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
@@ -16744,59 +14627,33 @@ index f962f76..e06a46c 100644
+ ')
+
+ allow $1 polymember:dir mounton;
-+')
-+
-+########################################
-+##
-+## Delete all process IDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_delete_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+')
-+
-+########################################
-+##
-+## Delete all process ID directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
+ ')
+
+ ########################################
+@@ -6286,8 +8060,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +8085,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Make the specified type a file
+## used for spool files.
+##
@@ -16846,334 +14703,91 @@ index f962f76..e06a46c 100644
+########################################
+##
+## Create all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Delete all spool sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_all_spool_sockets',`
-+ gen_require(`
-+ attribute spoolfile;
-+ ')
-+
-+ allow $1 spoolfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
-+## Relabel to and from all spool
-+## directory types.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`files_relabel_all_spool_dirs',`
-+ gen_require(`
-+ attribute spoolfile;
-+ type var_t;
-+ ')
-+
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Read generic process ID files.
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
##
##
##
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+-## Domain alloed access.
++## Domain allowed access.
##
##
#
--interface(`files_read_generic_pids',`
-+interface(`files_manage_generic_spool_dirs',`
+-interface(`files_manage_all_pids',`
++interface(`files_create_all_spool_sockets',`
gen_require(`
-- type var_t, var_run_t;
-+ type var_t, var_spool_t;
+- attribute pidfile;
++ attribute spoolfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
++ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
--## Write named generic process ID pipes
-+## Read generic spool files.
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all spool sockets
##
##
##
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
+@@ -6348,12 +8166,33 @@ interface(`files_manage_all_pids',`
##
##
#
--interface(`files_write_generic_pid_pipes',`
-+interface(`files_read_generic_spool',`
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_spool_sockets',`
gen_require(`
-- type var_run_t;
-+ type var_t, var_spool_t;
+- attribute polymember;
++ attribute spoolfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
+- allow $1 polymember:dir mounton;
++ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
++## Relabel to and from all spool
++## directory types.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_polyinstantiate_all',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
++ attribute spoolfile;
++ type var_t;
+ ')
+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
-+')
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+@@ -6580,3 +8419,605 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+##
-+## Unconfined access to files.
++## Create a core files in /
+##
++##
++##
++## Create a core file in /,
++##
++##
+##
+##
+## Domain allowed access.
+##
+##
-+#
-+interface(`files_unconfined',`
-+ gen_require(`
-+ attribute files_unconfined_type;
-+ ')
-+
-+ typeattribute $1 files_unconfined_type;
-+')
-+
-+########################################
-+##
-+## Create a core files in /
- ##
- ##
- ##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
--## type mypidfile_t;
--## files_pid_file(mypidfile_t)
--## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
--## files_pid_filetrans(mydomain_t, mypidfile_t, file)
-+## Create a core file in /,
- ##
- ##
- ##
-@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
- ## Domain allowed access.
- ##
- ##
--##
+##
+#
+interface(`files_manage_root_files',`
@@ -17214,14 +14828,12 @@ index f962f76..e06a46c 100644
+## type transition.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
- ##
- ##
--## The object class of the object being created.
++##
++##
++##
++##
+## The class of the object being created.
+##
+##
@@ -17252,11 +14864,10 @@ index f962f76..e06a46c 100644
+##
+##
+## The class of the object being created.
- ##
- ##
- ##
- ##
--## The name of the object being created.
++##
++##
++##
++##
+## The name of the object being created.
+##
+##
@@ -17277,433 +14888,315 @@ index f962f76..e06a46c 100644
+##
+##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_pid_filetrans',`
++##
++##
++#
+interface(`files_manage_generic_pids_symlinks',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_run_t, $2, $3, $4)
++ ')
++
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
- ')
-
- ########################################
- ##
--## Create a generic lock directory within the run directories
++')
++
++########################################
++##
+## Do not audit attempts to getattr
+## all tmpfs files.
- ##
- ##
--##
--## Domain allowed access
--##
--##
--##
- ##
--## The name of the object being created.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_pid_filetrans_lock_dir',`
++##
++##
++#
+interface(`files_dontaudit_getattr_tmpfs_files',`
- gen_require(`
-- type var_lock_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- files_pid_filetrans($1, var_lock_t, dir, $2)
++ ')
++
+ allow $1 tmpfsfile:file getattr;
- ')
-
- ########################################
- ##
--## Read and write generic process ID files.
++')
++
++########################################
++##
+## Allow delete all tmpfs files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_rw_generic_pids',`
++##
++##
++#
+interface(`files_delete_tmpfs_files',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- rw_files_pattern($1, var_run_t, var_run_t)
++ ')
++
+ allow $1 tmpfsfile:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of
--## daemon runtime data files.
++')
++
++########################################
++##
+## Allow read write all tmpfs files
- ##
- ##
- ##
-@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_rw_tmpfs_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute tmpfsfile;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file getattr;
++ ')
++
+ allow $1 tmpfsfile:file { read write };
- ')
-
- ########################################
- ##
--## Do not audit attempts to write to daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to read security files
- ##
- ##
- ##
-@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_write_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_read_security_files',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file write;
++ ')
++
+ dontaudit $1 security_file_type:file read_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to ioctl daemon runtime data files.
++')
++
++########################################
++##
+## Do not audit attempts to search security files
- ##
- ##
- ##
-@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
- ##
- ##
- #
--interface(`files_dontaudit_ioctl_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_search_security_files',`
- gen_require(`
-- attribute pidfile;
-- type var_run_t;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 pidfile:file ioctl;
++ ')
++
+ dontaudit $1 security_file_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Read all process ID files.
++')
++
++########################################
++##
+## Do not audit attempts to read security dirs
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_list_security_dirs',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute security_file_type;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 security_file_type:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## rw any files inherited from another process
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
+##
+## Object type.
+##
+##
- #
--interface(`files_delete_all_pids',`
++#
+interface(`files_rw_all_inherited_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ ')
++
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Allow any file point to be the entrypoint of this domain
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`files_delete_all_pid_dirs',`
++#
+interface(`files_entrypoint_all_files',`
- gen_require(`
-- attribute pidfile;
-- type var_t, var_run_t;
++ gen_require(`
+ attribute file_type;
+ type unlabeled_t;
- ')
--
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ ')
+ allow $1 {file_type -unlabeled_t} :file entrypoint;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Do not audit attempts to rw inherited file perms
+## of non security files.
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_dontaudit_all_non_security_leaks',`
- gen_require(`
-- attribute pidfile;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ ')
++
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Do not audit attempts to read or write
+## all leaked files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++#
+interface(`files_dontaudit_leaks',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute file_type;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to create_file_ass all types
- ##
- ##
- ##
-@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_as_is_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
+ class kernel_service create_files_as;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ allow $1 file_type:kernel_service create_files_as;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
++')
++
++########################################
++##
+## Do not audit attempts to check the
+## access on all files
- ##
- ##
- ##
-@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
- ##
- ##
- #
--interface(`files_dontaudit_search_spool',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`files_dontaudit_all_access_check',`
- gen_require(`
-- type var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 var_spool_t:dir search_dir_perms;
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set audit_access;
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Do not audit attempts to write to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++#
+interface(`files_dontaudit_write_all_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ dontaudit $1 file_type:dir_file_class_set write;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Allow domain to delete to all files
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++#
+interface(`files_delete_all_non_security_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## Allow domain to delete to all dirs
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_read_generic_spool',`
++##
++##
++#
+interface(`files_delete_all_non_security_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute non_security_file_type;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## Transition named content in the var_run_t directory
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++#
+interface(`files_filetrans_named_content',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type etc_t;
+ type mnt_t;
+ type usr_t;
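Review bot: `files_dontaudit_getattr_tmpfs_files` is named and described as audit suppression ("Do not audit attempts to getattr all tmpfs files"), but its body is `allow $1 tmpfsfile:file getattr;`, so every caller is granted getattr on all tmpfsfile-typed files instead of having the denial silenced. If suppression is what is meant, the rule should read `dontaudit $1 tmpfsfile:file getattr;`; if the grant is intended, the interface needs a name and summary that say so. The line is carried unchanged in the embedded policy patch, so this commit does not introduce it, but it is on the new side of this hunk. The neighbouring `files_delete_tmpfs_files` and `files_rw_tmpfs_files` are allow interfaces whose parameter text still says "Domain to not audit." and would read correctly as `## Domain allowed access.`.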
@@ -17712,10 +15205,8 @@ index f962f76..e06a46c 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -17755,16 +15246,13 @@ index f962f76..e06a46c 100644
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Make the specified type a
+## base file.
- ##
--##
++##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -17772,12 +15260,10 @@ index f962f76..e06a46c 100644
+##
+##
+##
- ##
--## Domain allowed access.
++##
+## Type to be used as a base files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_base_file',`
@@ -17799,12 +15285,10 @@ index f962f76..e06a46c 100644
+##
+##
+##
- ##
--## Type to which the created node will be transitioned.
++##
+## Type to be used as a base read only files.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_ro_base_file',`
@@ -17820,13 +15304,10 @@ index f962f76..e06a46c 100644
+## Read all ro base files.
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_read_all_base_ro_files',`
@@ -17844,106 +15325,56 @@ index f962f76..e06a46c 100644
+## Execute all base ro files.
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_exec_all_base_ro_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute base_ro_file_type;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
+ can_exec($1, base_ro_file_type)
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Allow the specified domain to modify the systemd configuration of
+## any file.
- ##
- ##
- ##
-@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_config_all_files',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
++ ')
++
+ allow $1 file_type:service all_service_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
++')
++
++########################################
++##
+## Get the status of etc_t files
- ##
- ##
- ##
-@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
- ##
- ##
- #
--interface(`files_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_status_etc',`
- gen_require(`
-- attribute files_unconfined_type;
++ gen_require(`
+ type etc_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
++ ')
++
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..3221f80 100644
--- a/policy/modules/kernel/files.te
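Review bot: The summary on `files_config_all_files` ("modify the systemd configuration of any file") understates what the rule `allow $1 file_type:service all_service_perms;` grants: going by the macro name, it is every permission of the service class, over every type carrying the `file_type` attribute. A caller reading only the interface documentation cannot tell how wide the grant is, so I would spell it out in the summary, e.g. `## Grant all service-class permissions (all_service_perms) on every file type.`, and point to `files_status_etc` in the same hunk as the narrower pattern to prefer. The expansion of `all_service_perms` is not visible here, so the exact permission list should be confirmed against its definition.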
@@ -18191,7 +15622,7 @@ index d7c11a0..f521a50 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..b38387e 100644
+index 8416beb..f1ebb1b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18690,7 +16121,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -18796,7 +16227,6 @@ index 8416beb..b38387e 100644
-#
-interface(`fs_exec_fusefs_files',`
- gen_require(`
-- type fusefs_t;
+##
+##
+## Execute a file on a FUSE filesystem
@@ -18830,110 +16260,88 @@ index 8416beb..b38387e 100644
+interface(`fs_ecryptfs_domtrans',`
+ gen_require(`
+ type ecryptfs_t;
- ')
-
-- exec_files_pattern($1, fusefs_t, fusefs_t)
++ ')
++
+ allow $1 ecryptfs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, ecryptfs_t, $2)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mount a FUSE filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`fs_manage_fusefs_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- manage_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem mount;
- ')
-
- ########################################
- ##
--## Do not audit attempts to create,
--## read, write, and delete files
--## on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Unmount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_unmount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
-+## Mounton a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++')
++
++########################################
++##
++## Mounton a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mounton_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++')
++
++########################################
++##
+## Search directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_getattr_hugetlbfs',`
++#
+interface(`fs_search_fusefs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
++')
++
++########################################
++##
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
@@ -18955,28 +16363,24 @@ index 8416beb..b38387e 100644
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_hugetlbfs',`
++#
+interface(`fs_manage_fusefs_dirs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
++ ')
++
+ allow $1 fusefs_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
++')
++
++########################################
++##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -18998,157 +16402,129 @@ index 8416beb..b38387e 100644
+########################################
+##
+## Read, a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
++#
+interface(`fs_read_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ ')
++
+ read_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
++')
++
++########################################
++##
+## Execute files on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_rw_hugetlbfs_files',`
++#
+interface(`fs_exec_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ ')
++
+ exec_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
++##
++##
++#
+interface(`fs_fusefs_entry_type',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ domain_entry_file($1, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
++##
++##
++#
+interface(`fs_fusefs_entrypoint',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ allow $1 fusefs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_inotifyfs',`
++#
+interface(`fs_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
-+ type fusefs_t;
++ gen_require(`
+ type fusefs_t;
')
-- allow $1 inotifyfs_t:dir list_dir_perms;
+- exec_files_pattern($1, fusefs_t, fusefs_t)
+ manage_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
++')
++
++########################################
++##
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',`
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
+interface(`fs_dontaudit_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ dontaudit $1 fusefs_t:file manage_file_perms;
- ')
-
- ########################################
- ##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
++')
++
++########################################
++##
+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
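Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry the same summary and the same parameter description, although the first calls `domain_entry_file($1, fusefs_t)` and the second only adds `allow $1 fusefs_t:file entrypoint;`. Both let a domain be entered through files labelled fusefs_t, so a policy author needs to be able to tell them apart from the documentation; I would give the second its own summary, e.g. `## Allow the specified domain to be entered through fusefs_t files (entrypoint permission only).`. What else `domain_entry_file` grants is defined outside this hunk, so the first summary should be checked against it. The word "progams" in both summaries is a typo for "programs".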
@@ -19164,12 +16540,10 @@ index 8416beb..b38387e 100644
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
@@ -19204,94 +16578,73 @@ index 8416beb..b38387e 100644
+##
+##
+##
- ##
--## The object class of the object being created.
++##
+## Domain allowed to transition.
- ##
- ##
--##
++##
++##
+##
- ##
--## The name of the object being created.
++##
+## The type of the new process.
- ##
- ##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++#
+interface(`fs_fusefs_domtrans',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, fusefs_t, $2)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Get the attributes of a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_mount_iso9660_fs',`
++#
+interface(`fs_getattr_fusefs',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 iso9660_t:filesystem mount;
++ ')
++
+ allow $1 fusefs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
++')
++
++########################################
++##
+## Get the attributes of an hugetlbfs
+## filesystem.
- ##
- ##
- ##
-@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_getattr_hugetlbfs',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type hugetlbfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
++ ')
++
+ allow $1 hugetlbfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## List hugetlbfs.
- ##
- ##
- ##
-@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_list_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
@@ -19576,18 +16929,21 @@ index 8416beb..b38387e 100644
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files
+-## on a FUSEFS filesystem.
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+##
+## The type of the object to be created.
@@ -19603,217 +16959,271 @@ index 8416beb..b38387e 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`fs_manage_fusefs_files',`
+interface(`fs_hugetlbfs_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type hugetlbfs_t;
-+ ')
-+
+ ')
+
+- manage_files_pattern($1, fusefs_t, fusefs_t)
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to create,
+-## read, write, and delete files
+-## on a FUSEFS filesystem.
+## Mount an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_mount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ allow $1 iso9660_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Remount an iso9660 filesystem, which
+## is usually used on CDs. This allows
+## some mount options to be changed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_remount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type fusefs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 iso9660_t:filesystem remount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Unmount an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',`
+ ##
+ ##
+ #
+-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_unmount_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
+ allow $1 iso9660_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_getattr_iso9660_fs',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 iso9660_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',`
+ ##
+ ##
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_getattr_iso9660_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_read_iso9660_files',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type iso9660_t;
-+ ')
-+
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ allow $1 iso9660_t:dir list_dir_perms;
+ read_files_pattern($1, iso9660_t, iso9660_t)
+ read_lnk_files_pattern($1, iso9660_t, iso9660_t)
-+')
-+
+ ')
+
+
-+########################################
-+##
+ ########################################
+ ##
+-## Allow the type to associate to hugetlbfs filesystems.
+## Mount kdbus filesystems.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## The type of the object to be associated.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_mount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ allow $1 kdbusfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Remount kdbus filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',`
+ ##
+ ##
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_remount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 kdbusfs_t:filesystem remount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Unmount kdbus filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',`
+ ##
+ ##
+ #
+-interface(`fs_list_inotifyfs',`
+interface(`fs_unmount_kdbus', `
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 kdbusfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Get attributes of kdbus filesystems.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_list_inotifyfs',`
+interface(`fs_getattr_kdbus',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+ allow $1 kdbusfs_t:filesystem getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
+## Search kdbusfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`fs_search_kdbus_dirs',`
+ gen_require(`
@@ -19831,10 +17241,12 @@ index 8416beb..b38387e 100644
+## Relabel kdbusfs directories.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_relabel_kdbus_dirs',`
+ gen_require(`
@@ -19850,10 +17262,12 @@ index 8416beb..b38387e 100644
+## List kdbusfs directories.
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`fs_list_kdbus_dirs',`
+ gen_require(`
@@ -19889,103 +17303,101 @@ index 8416beb..b38387e 100644
+## Delete kdbusfs directories.
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_delete_kdbus_dirs', `
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type kdbusfs_t;
-+ ')
-+
+ ')
+
+- allow $2 hugetlbfs_t:filesystem associate;
+- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Manage kdbusfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',`
+ ##
+ ##
+ #
+-interface(`fs_mount_iso9660_fs',`
+interface(`fs_manage_kdbus_dirs',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+- ')
+ type kdbusfs_t;
-+
+
+- allow $1 iso9660_t:filesystem mount;
+ ')
+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Remount an iso9660 filesystem, which
+-## is usually used on CDs. This allows
+-## some mount options to be changed.
+## Read kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_iso9660_fs',`
+interface(`fs_read_kdbus_files',`
-+ gen_require(`
+ gen_require(`
+- type iso9660_t;
+ type cgroup_t;
+
-+ ')
-+
+ ')
+
+- allow $1 iso9660_t:filesystem remount;
+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unmount an iso9660 filesystem, which
+-## is usually used on CDs.
+## Write kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_unmount_iso9660_fs',`
+interface(`fs_write_kdbus_files', `
-+ gen_require(`
-+ type kdbusfs_t;
-+ ')
-+
-+ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ fs_search_tmpfs($1)
-+ dev_search_sysfs($1)
-+')
-+
-+########################################
-+##
-+## Read and write kdbusfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
-+
')
- allow $1 iso9660_t:filesystem unmount;
-+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
-+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ write_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
')
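Review bot: In `fs_read_kdbus_files` the `gen_require` block declares `type cgroup_t;`, but every rule in the body refers to `kdbusfs_t`, so the interface does not require the type it actually uses. The declaration should read `type kdbusfs_t;`, as in `fs_write_kdbus_files` directly below it. This commit carries these lines over unchanged. The same copy-paste shows in the summary of `fs_dontaudit_rw_kdbus_files` in the next hunk, which says "cgroup files" although its rule is `dontaudit $1 kdbusfs_t:file rw_file_perms;`.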
@@ -19994,33 +17406,54 @@ index 8416beb..b38387e 100644
##
-## Get the attributes of an iso9660
-## filesystem, which is usually used on CDs.
-+## Do not audit attempts to open,
-+## get attributes, read and write
-+## cgroup files.
++## Read and write kdbusfs files.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
-##
#
-interface(`fs_getattr_iso9660_fs',`
-+interface(`fs_dontaudit_rw_kdbus_files',`
++interface(`fs_rw_kdbus_files',`
gen_require(`
- type iso9660_t;
+ type kdbusfs_t;
++
')
- allow $1 iso9660_t:filesystem getattr;
-+ dontaudit $1 kdbusfs_t:file rw_file_perms;
++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
')
########################################
##
-## Read files on an iso9660 filesystem, which
-## is usually used on CDs.
++## Do not audit attempts to open,
++## get attributes, read and write
++## cgroup files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_rw_kdbus_files',`
++ gen_require(`
++ type kdbusfs_t;
++ ')
++
++ dontaudit $1 kdbusfs_t:file rw_file_perms;
++')
++
++########################################
++##
+## Manage kdbusfs files.
##
##
@@ -20363,7 +17796,7 @@ index 8416beb..b38387e 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',`
##
##
#
@@ -20478,13 +17911,69 @@ index 8416beb..b38387e 100644
+##
+#
+interface(`fs_rw_nsfs_files',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ rw_files_pattern($1, nsfs_t, nsfs_t)
++')
++
++
++########################################
++##
++## Mount a nsfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_nsfs',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ allow $1 nsfs_t:filesystem mount;
++')
++
++
++########################################
++##
++## Remount a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_nsfs',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ allow $1 nsfs_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_nsfs',`
gen_require(`
- type nfsd_fs_t;
+ type nsfs_t;
')
- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
-+ rw_files_pattern($1, nsfs_t, nsfs_t)
++ allow $1 nsfs_t:filesystem unmount;
')
########################################
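Review bot: The summaries of the two new interfaces `fs_remount_nsfs` and `fs_unmount_nsfs` say "Remount a tmpfs filesystem." and "Unmount a tmpfs filesystem.", but both rules act on `nsfs_t` (`allow $1 nsfs_t:filesystem remount;` and `allow $1 nsfs_t:filesystem unmount;`). The text looks copied from the tmpfs interfaces and should read `## Remount a nsfs filesystem.` and `## Unmount a nsfs filesystem.`, in line with `fs_mount_nsfs` just above. Policy authors choose mount-family access from these summaries, so a wrong filesystem name here can lead to the wrong interface being granted.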
@@ -20494,7 +17983,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',`
##
##
#
@@ -20509,7 +17998,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',`
+@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',`
########################################
##
@@ -20534,7 +18023,7 @@ index 8416beb..b38387e 100644
## Mount a RAM filesystem.
##
##
-@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -20543,7 +18032,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -20552,7 +18041,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -20561,7 +18050,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',`
########################################
##
@@ -20586,7 +18075,7 @@ index 8416beb..b38387e 100644
## Remount a tmpfs filesystem.
##
##
-@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -20611,7 +18100,7 @@ index 8416beb..b38387e 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -20620,7 +18109,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -20641,7 +18130,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -20662,7 +18151,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -20702,7 +18191,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -20758,7 +18247,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
+@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
##
##
##
@@ -20935,7 +18424,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',`
+@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',`
##
##
#
@@ -20958,7 +18447,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
+@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',`
##
##
#
@@ -21025,7 +18514,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',`
+@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',`
##
##
#
@@ -21047,7 +18536,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',`
##
##
#
@@ -21069,7 +18558,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',`
+@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',`
##
##
#
@@ -21115,7 +18604,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
##
##
#
@@ -21137,7 +18626,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
+@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',`
##
##
#
@@ -21161,7 +18650,7 @@ index 8416beb..b38387e 100644
##
##
##
-@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',`
+@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',`
##
##
#
@@ -21200,7 +18689,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -21226,7 +18715,7 @@ index 8416beb..b38387e 100644
########################################
##
## Create, read, write, and delete directories
-@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -21235,7 +18724,7 @@ index 8416beb..b38387e 100644
')
########################################
-@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -21244,7 +18733,7 @@ index 8416beb..b38387e 100644
## Example attributes:
##
##
-@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -21271,7 +18760,7 @@ index 8416beb..b38387e 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -21297,7 +18786,7 @@ index 8416beb..b38387e 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -32127,7 +29616,7 @@ index 6bf0ecc..e6be63a 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..b4908dd 100644
+index 8b40377..84a88ff 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -32486,7 +29975,7 @@ index 8b40377..b4908dd 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +420,104 @@ optional_policy(`
+@@ -300,64 +420,105 @@ optional_policy(`
# XDM Local policy
#
@@ -32495,6 +29984,7 @@ index 8b40377..b4908dd 100644
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+dontaudit xdm_t self:capability sys_admin;
++dontaudit xdm_t self:capability2 wake_alarm;
+tunable_policy(`deny_ptrace',`',`
+ allow xdm_t self:process ptrace;
+')
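Review bot: The added `dontaudit xdm_t self:capability2 wake_alarm;` has no comment saying why the denial is silenced rather than allowed or fixed at the source. A dontaudit rule suppresses the AVC record, so later wake_alarm denials for xdm_t will not appear in the audit log unless dontaudit rules are disabled (for example with `semodule -DB`). I would add a line above it such as `# xdm_t is not expected to set wake alarms; silence the denial (ref: <BUG-ID placeholder>)`, with the real reference filled in. The xdm_t rule block continues outside this hunk.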
@@ -32604,7 +30094,7 @@ index 8b40377..b4908dd 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +527,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -32637,7 +30127,7 @@ index 8b40377..b4908dd 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +560,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -32692,7 +30182,7 @@ index 8b40377..b4908dd 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +613,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +614,30 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -32723,7 +30213,7 @@ index 8b40377..b4908dd 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +646,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -32774,7 +30264,7 @@ index 8b40377..b4908dd 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +694,163 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -32944,7 +30434,7 @@ index 8b40377..b4908dd 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +863,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -32976,7 +30466,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -518,8 +897,36 @@ optional_policy(`
+@@ -518,8 +898,36 @@ optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -33014,7 +30504,7 @@ index 8b40377..b4908dd 100644
')
')
-@@ -530,6 +937,20 @@ optional_policy(`
+@@ -530,6 +938,20 @@ optional_policy(`
')
optional_policy(`
@@ -33035,7 +30525,7 @@ index 8b40377..b4908dd 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +968,78 @@ optional_policy(`
+@@ -547,28 +969,78 @@ optional_policy(`
')
optional_policy(`
@@ -33123,7 +30613,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -580,6 +1051,14 @@ optional_policy(`
+@@ -580,6 +1052,14 @@ optional_policy(`
')
optional_policy(`
@@ -33138,7 +30628,7 @@ index 8b40377..b4908dd 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1074,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -33147,7 +30637,7 @@ index 8b40377..b4908dd 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1084,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -33160,7 +30650,7 @@ index 8b40377..b4908dd 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1101,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -33176,7 +30666,7 @@ index 8b40377..b4908dd 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1117,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -33187,7 +30677,7 @@ index 8b40377..b4908dd 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1132,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -33229,7 +30719,7 @@ index 8b40377..b4908dd 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1183,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -33261,7 +30751,7 @@ index 8b40377..b4908dd 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1216,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -33276,7 +30766,7 @@ index 8b40377..b4908dd 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1236,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1237,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -33300,7 +30790,7 @@ index 8b40377..b4908dd 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1256,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -33309,7 +30799,7 @@ index 8b40377..b4908dd 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1299,54 @@ optional_policy(`
+@@ -785,17 +1300,54 @@ optional_policy(`
')
optional_policy(`
@@ -33366,7 +30856,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -803,6 +1354,10 @@ optional_policy(`
+@@ -803,6 +1355,10 @@ optional_policy(`
')
optional_policy(`
@@ -33377,7 +30867,7 @@ index 8b40377..b4908dd 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1374,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -33402,7 +30892,7 @@ index 8b40377..b4908dd 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1396,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1397,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -33437,7 +30927,7 @@ index 8b40377..b4908dd 100644
')
optional_policy(`
-@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1462,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -33446,7 +30936,7 @@ index 8b40377..b4908dd 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1516,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -33478,7 +30968,7 @@ index 8b40377..b4908dd 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1562,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -40312,7 +37802,7 @@ index 0000000..c814795
+fs_manage_kdbus_dirs(systemd_logind_t)
+fs_manage_kdbus_files(systemd_logind_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 73bb3c0..fffae71 100644
+index 73bb3c0..7b05663 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@@ -40383,7 +37873,7 @@ index 73bb3c0..fffae71 100644
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-@@ -125,10 +135,12 @@ ifdef(`distro_redhat',`
+@@ -125,13 +135,16 @@ ifdef(`distro_redhat',`
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40396,7 +37886,11 @@ index 73bb3c0..fffae71 100644
/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -141,19 +153,23 @@ ifdef(`distro_redhat',`
++/usr/lib/libGLdispatch/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -141,19 +154,23 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
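Review bot: The new pattern `/usr/lib/libGLdispatch/.*\.so(\.[^/]*)*` requires a `/` directly after `libGLdispatch`, so it labels shared objects inside a directory of that name. It does not match `/usr/lib/libGLdispatch.so.0.0.0`, the file the commit subject says it labels. If the library file is the target, the entry would be `/usr/lib/libGLdispatch\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, in the form of the neighbouring `libatiadlxx` line. Because `textrel_shlib_t` is the label for libraries that need text relocations, the entry should match only that library and not a whole directory tree.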
@@ -40425,7 +37919,7 @@ index 73bb3c0..fffae71 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -182,11 +198,13 @@ ifdef(`distro_redhat',`
+@@ -182,11 +199,13 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40439,7 +37933,7 @@ index 73bb3c0..fffae71 100644
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+@@ -241,13 +260,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40455,7 +37949,7 @@ index 73bb3c0..fffae71 100644
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -269,20 +286,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -40486,7 +37980,7 @@ index 73bb3c0..fffae71 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -43682,7 +41176,7 @@ index 7449974..b792900 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8..3f02a36 100644
+index 7a363b8..6d92782 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -43828,7 +41322,7 @@ index 7a363b8..3f02a36 100644
kernel_setsched(insmod_t)
corecmd_exec_bin(insmod_t)
-@@ -142,6 +159,7 @@ dev_rw_agp(insmod_t)
+@@ -142,40 +159,55 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -43836,7 +41330,10 @@ index 7a363b8..3f02a36 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,31 +169,44 @@ files_read_etc_runtime_files(insmod_t)
+
+ files_read_kernel_modules(insmod_t)
++files_load_kernel_modules(insmod_t)
+ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
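Review bot: The added `files_load_kernel_modules(insmod_t)` grants insmod_t the `system module_load` permission on modules_object_t, yet neither the commit subject nor the new %changelog entry mentions it. A changelog line such as `- Allow insmod_t to load kernel modules labeled modules_object_t` would make this grant visible to anyone auditing the release. The interface defined earlier in this patch already calls `files_read_kernel_modules($1)`, so the `files_read_kernel_modules(insmod_t)` line directly above is now redundant and could be dropped. The insmod_t rule block starts and ends outside the hunk.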
@@ -43885,7 +41382,7 @@ index 7a363b8..3f02a36 100644
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +215,33 @@ optional_policy(`
+@@ -184,28 +216,33 @@ optional_policy(`
')
optional_policy(`
@@ -43926,7 +41423,7 @@ index 7a363b8..3f02a36 100644
')
optional_policy(`
-@@ -225,6 +261,7 @@ optional_policy(`
+@@ -225,6 +262,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -43934,7 +41431,7 @@ index 7a363b8..3f02a36 100644
')
optional_policy(`
-@@ -233,6 +270,10 @@ optional_policy(`
+@@ -233,6 +271,10 @@ optional_policy(`
')
optional_policy(`
@@ -43945,7 +41442,7 @@ index 7a363b8..3f02a36 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +332,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +333,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -47253,7 +44750,7 @@ index 2cea692..e3cb4f2 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..98c5f23 100644
+index a392fc4..b7497fc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -47496,7 +44993,7 @@ index a392fc4..98c5f23 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,32 +322,70 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -47564,10 +45061,12 @@ index a392fc4..98c5f23 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+fs_read_nsfs_files(ifconfig_t)
++fs_mount_nsfs(ifconfig_t)
++fs_unmount_nsfs(ifconfig_t)
selinux_dontaudit_getattr_fs(ifconfig_t)
-@@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
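Review bot: The new `fs_mount_nsfs(ifconfig_t)` and `fs_unmount_nsfs(ifconfig_t)` lines give a network-configuration domain mount and unmount rights with no inline rationale, so a later audit cannot tell which operation needs them. A comment above the pair would help, for example `# namespace handles are nsfs bind mounts (presumably ip netns add/delete) - confirm against the AVC denial`. It is also worth checking from the reported denial that both mount and unmount are required rather than only one. The ifconfig_t rule block starts and ends outside the hunk.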
@@ -47625,7 +45124,7 @@ index a392fc4..98c5f23 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -47638,7 +45137,7 @@ index a392fc4..98c5f23 100644
')
optional_policy(`
-@@ -350,7 +468,16 @@ optional_policy(`
+@@ -350,7 +470,16 @@ optional_policy(`
')
optional_policy(`
@@ -47656,7 +45155,7 @@ index a392fc4..98c5f23 100644
')
optional_policy(`
-@@ -371,3 +498,17 @@ optional_policy(`
+@@ -371,3 +500,17 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -49572,10 +47071,10 @@ index 0000000..86e3d01
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b06bf32
+index 0000000..c6280dc
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,1016 @@
+@@ -0,0 +1,1017 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -50587,6 +48086,7 @@ index 0000000..b06bf32
+#
+# systemd_modules_load domain
+#
++allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;
+
+kernel_dgram_send(systemd_initctl_t)
+
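Review bot: The added `allow systemd_initctl_t self:unix_dgram_socket create_socket_perms;` sits directly under the section banner `# systemd_modules_load domain`, although both it and the following `kernel_dgram_send(systemd_initctl_t)` apply to systemd_initctl_t. A reader scanning by banner will attribute the socket permissions to the wrong domain. Either correct the banner to `# systemd_initctl domain` or move the rule next to the other systemd_initctl_t local policy, if such a section exists elsewhere in the file. The section continues outside the hunk, so its remaining rules are not visible here.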
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 19632f9..5862875 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 239%{?dist}
+Release: 240%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -675,6 +675,13 @@ exit 0
%endif
%changelog
+* Wed Feb 15 2017 Lukas Vrabec - 3.13.1-240
+- Dontaudit xdm_t wake_alarm capability2
+- Allow systemd_initctl_t to create and connect unix_dgram sockets
+- Allow ifconfig_t to mount/unmount nsfs_t filesystem
+- Add interfaces allowing mount/unmount nsfs_t filesystem
+- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944)
+
* Mon Feb 13 2017 Lukas Vrabec - 3.13.1-239
- Allow syslog client to connect to kernel socket. BZ(1419946)