From df39310b9dce87922b7e29cf60d5b034663e7587 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Oct 21 2014 13:14:37 +0000 Subject: Removed redundant patches --- diff --git a/policy-rawhide-base-user_tmp.patch b/policy-rawhide-base-user_tmp.patch deleted file mode 100644 index 477a847..0000000 --- a/policy-rawhide-base-user_tmp.patch +++ /dev/null 
@@ -1,885 +0,0 @@ -diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 32514ee..91a6a37 100644 ---- a/policy/modules/admin/bootloader.te -+++ b/policy/modules/admin/bootloader.te -@@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t) - seutil_read_bin_policy(bootloader_t) - seutil_read_loadpolicy(bootloader_t) - --userdom_getattr_user_tmpfs_files(bootloader_t) -+userdom_getattr_user_tmp_files(bootloader_t) - userdom_use_inherited_user_terminals(bootloader_t) - userdom_dontaudit_search_user_home_dirs(bootloader_t) - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 337a00e..87c6145 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -5199,6 +5199,7 @@ interface(`files_search_tmp',` - type tmp_t; - ') - -+ fs_search_tmpfs($1) - read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; - ') -diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te -index a3fe7f6..13a745c 100644 ---- a/policy/modules/roles/unconfineduser.te -+++ b/policy/modules/roles/unconfineduser.te -@@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true) - userdom_base_user_template(unconfined) - userdom_manage_home_role(unconfined_r, unconfined_t) - userdom_manage_tmp_role(unconfined_r, unconfined_t) --userdom_manage_tmpfs_role(unconfined_r, unconfined_t) - userdom_unpriv_type(unconfined_t) - - type unconfined_exec_t; -diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index e8dcfa7..eb9cefe 100644 ---- a/policy/modules/services/ssh.if -+++ b/policy/modules/services/ssh.if -@@ -219,8 +219,9 @@ template(`ssh_server_template',` - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; - term_create_pty($1_t, $1_devpts_t) - -- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) -+ 
#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) -+ userdom_manage_tmp_role(system_r, sshd_t) - - allow $1_t $1_var_run_t:file manage_file_perms; - files_pid_filetrans($1_t, $1_var_run_t, file) -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index a8b01bf..fc87b9e 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) - type ssh_tmpfs_t; - typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; - typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; --userdom_user_tmpfs_file(ssh_tmpfs_t) -+userdom_user_tmp_file(ssh_tmpfs_t) - - type ssh_home_t; - typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; -@@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) - manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) - manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) - manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) --fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -+#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) - manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t) - - userdom_read_user_home_content_files(sshd_t) - userdom_read_user_home_content_symlinks(sshd_t) --userdom_manage_tmp_role(system_r, sshd_t) -+#userdom_manage_tmp_role(system_r, sshd_t) - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) - userdom_dyntransition_unpriv_users(sshd_t) -diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 4dda124..4eee56a 100644 ---- a/policy/modules/services/xserver.fc -+++ 
b/policy/modules/services/xserver.fc -@@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) - # /tmp - # - --/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) --/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) --/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) --/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) -+/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) - - # - # /usr -diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index bf98136..2469c27 100644 ---- a/policy/modules/services/xserver.if -+++ b/policy/modules/services/xserver.if -@@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',` - interface(`xserver_user_client',` - refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') - gen_require(` -- type xdm_t, xdm_tmp_t; -+ type xdm_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; - ') - -@@ -235,8 +235,8 @@ interface(`xserver_user_client',` - # for when /tmp/.X11-unix is created by the system - allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; -- allow $1 xdm_tmp_t:dir search_dir_perms; -- allow $1 xdm_tmp_t:sock_file { read write }; -+ userdom_search_user_tmp_dirs($1) -+ userdom_rw_user_tmp_sock_files($1) - dontaudit $1 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. 
-@@ -395,7 +395,7 @@ template(`xserver_object_types_template',` - # - template(`xserver_user_x_domain_template',` - gen_require(` -- type xdm_t, xdm_tmp_t, xserver_tmpfs_t; -+ type xdm_t, xserver_tmpfs_t; - type xdm_home_t; - type xauth_home_t, iceauth_home_t, xserver_t; - ') -@@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',` - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; -- allow $2 xdm_tmp_t:dir search_dir_perms; -- allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; -+ userdom_search_user_tmp_dirs($2) -+ userdom_rw_user_tmp_sock_files($2) - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. -@@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',` - xserver_ro_session($2, $3) - xserver_use_user_fonts($2) - -- xserver_read_xdm_tmp_files($2) -+ userdom_read_user_tmp_files($2) - xserver_read_xdm_pid($2) - xserver_xdm_append_log($2) - -@@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',` - # - interface(`xserver_stream_connect_xdm',` - gen_require(` -- type xdm_t, xdm_tmp_t, xdm_var_run_t; -+ type xdm_t, xdm_var_run_t; - ') - - files_search_tmp($1) - files_search_pids($1) -- stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) -+ stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) -+ userdom_stream_connect($1) - ') - - ######################################## -@@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',` - ## - # - interface(`xserver_search_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- files_search_tmp($1) -- allow $1 xdm_tmp_t:dir search_dir_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') -+ userdom_search_user_tmp_dirs($1) - ') - - ######################################## -@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',` - ## - # - 
interface(`xserver_setattr_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- allow $1 xdm_tmp_t:dir setattr_dir_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') -+ userdom_dontaudit_setattr_user_tmp($1) - ') - - ######################################## -@@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',` - ## - # - interface(`xserver_dontaudit_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- dontaudit $1 xdm_tmp_t:dir setattr_dir_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') -+ userdom_dontaudit_setattr_user_tmp($1) - ') - - ######################################## -@@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',` - ## - # - interface(`xserver_create_xdm_tmp_sockets',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- files_search_tmp($1) -- allow $1 xdm_tmp_t:dir list_dir_perms; -- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') -+ userdom_create_user_tmp_sockets($1) - ') - - ######################################## -@@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',` - ## - # - interface(`xserver_read_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- files_search_tmp($1) -- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.') -+ userdom_read_user_tmpfs_files($1) - ') - - ######################################## -@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',` - ## - # - interface(`xserver_dontaudit_read_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- dontaudit $1 xdm_tmp_t:dir search_dir_perms; -- dontaudit $1 xdm_tmp_t:file read_file_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files 
instead.') -+ userdom_dontaudit_read_user_tmp_files($1) - ') - - ######################################## -@@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',` - ## - # - interface(`xserver_rw_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- allow $1 xdm_tmp_t:dir search_dir_perms; -- allow $1 xdm_tmp_t:file rw_file_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') -+ userdom_rw_user_tmpfs_files($1) - ') - - ######################################## -@@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',` - ## - # - interface(`xserver_manage_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') -+ userdom_manage_user_tmp_files($1) - ') - - ######################################## -@@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',` - ## - # - interface(`xserver_relabel_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- allow $1 xdm_tmp_t:dir relabel_dir_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') -+ userdom_relabel_user_tmp_dirs($1) - ') - - ######################################## -@@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',` - ## - # - interface(`xserver_manage_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') -+ userdom_manage_user_tmp_dirs($1) - ') - - ######################################## -@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',` - ## - # - interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; -+ refpolicywarn(`$0() has been 
deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.') -+ usedom_dontaudit_user_getattr_tmp_sockets($1) - ') - - ######################################## -@@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',` - ## - # - interface(`xserver_append_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- allow $1 xdm_tmp_t:file append_inherited_file_perms; -+ refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.') -+ userdom_append_user_tmp_files($1) - ') - - ######################################## -@@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',` - ## - # - interface(`xserver_xdm_tmp_filetrans',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- filetrans_pattern($1, xdm_tmp_t, $2, $3, $4) -- files_search_tmp($1) -+ refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.') -+ userdom_user_tmp_filetrans($1,$2, $3, $4) - ') - - ######################################## -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index f0e5cc0..e3f28af 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te -@@ -231,12 +231,6 @@ files_type(xserver_var_lib_t) - type xserver_var_run_t; - files_pid_file(xserver_var_run_t) - --type xdm_tmp_t; --files_tmp_file(xdm_tmp_t) --typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; --typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; --userdom_user_tmp_file(xserver_tmp_t) -- - type xdm_tmpfs_t; - files_tmpfs_file(xdm_tmpfs_t) - -@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t) - type xserver_tmpfs_t; - typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; - typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t 
secadm_xserver_tmpfs_t }; --userdom_user_tmpfs_file(xserver_tmpfs_t) -+userdom_user_tmp_file(xserver_tmpfs_t) - - type xsession_exec_t; - corecmd_executable_file(xsession_exec_t) -@@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) - # this is ugly, daemons should not create files under /etc! - manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) - --manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) --relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) --can_exec(xdm_t, xdm_tmp_t) -+userdom_manage_all_user_tmp_content(xdm_t) -+userdom_exec_user_tmp_files(xdm_t) - - manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) - manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t) - userdom_manage_user_tmp_dirs(xdm_t) - userdom_manage_user_tmp_files(xdm_t) - userdom_manage_user_tmp_sockets(xdm_t) --userdom_manage_tmpfs_role(system_r, xdm_t) -+userdom_manage_tmp_role(system_r, xdm_t) - - #userdom_home_manager(xdm_t) - tunable_policy(`xdm_write_home',` -@@ -1349,9 +1337,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; - read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) - - # Label pid and temporary files with derived types. --manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) --manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) --manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -+userdom_manage_user_tmp_files(xserver_t) -+userdom_manage_user_tmp_sockets(xserver_t) - - # Run xkbcomp. 
- allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; -@@ -1591,7 +1578,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) - - stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t) - allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms; --dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms; - files_search_tmp(x_userdomain) - - # Communicate via System V shared memory. -@@ -1618,10 +1604,9 @@ allow x_userdomain xauth_home_t:file read_file_perms; - # for when /tmp/.X11-unix is created by the system - allow x_userdomain xdm_t:fd use; - allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms; --allow x_userdomain xdm_tmp_t:dir search_dir_perms; --allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms; -+userdom_search_user_tmp_dirs(x_userdomain) -+userdom_rw_user_tmp_sock_files(x_userdomain) - dontaudit x_userdomain xdm_t:tcp_socket { read write }; --dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms; - - allow x_userdomain xdm_t:dbus send_msg; - allow xdm_t x_userdomain:dbus send_msg; -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 1259fbd..5e66714 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -553,7 +553,7 @@ logging_manage_all_logs(syslogd_t) - - userdom_dontaudit_use_unpriv_user_fds(syslogd_t) - userdom_search_user_home_dirs(syslogd_t) --userdom_rw_inherited_user_tmpfs_files(syslogd_t) -+userdom_rw_inherited_user_tmp_files(syslogd_t) - - ifdef(`distro_gentoo',` - # default gentoo syslog-ng config appends kernel -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 00b82b3..9933cad 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms; - manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, 
mount_ecryptfs_tmpfs_t) - manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t) - fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file }) --userdom_rw_user_tmpfs_files(mount_ecryptfs_t) -+userdom_rw_user_tmp_files(mount_ecryptfs_t) - - domain_use_interactive_fds(mount_ecryptfs_t) - -diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index 4ca3a28..8f5380f 100644 ---- a/policy/modules/system/userdomain.fc -+++ b/policy/modules/system/userdomain.fc -@@ -21,6 +21,12 @@ HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) - HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) - HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) - -+/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) -+/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) -+/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) -+ -+ -+ - /var/run/user(/.*)? 
gen_context(system_u:object_r:user_tmp_t,s0) - - /tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 102478f..4f42aa5 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',` - manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) - manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) -+ fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) - relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) - relabel_files_pattern($2, user_tmp_type, user_tmp_type) - relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) -@@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',` - relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) - ') - -- -- - ####################################### - ## - ## Dontaudit search of user bin dirs. 
-@@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',` - ## - # - interface(`userdom_manage_tmpfs_role',` -- gen_require(` -- attribute user_tmpfs_type; -- type user_tmpfs_t; -- ') -- -- role $1 types user_tmpfs_t; -- -- manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) -- manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -- relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type) -- relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -- relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type) -+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.') -+ userdom_manage_tmp_role($1,$2) - ') - - ####################################### -@@ -994,7 +977,6 @@ template(`userdom_login_user_template', ` - userdom_manage_home_role($1_r, $1_t) - - userdom_manage_tmp_role($1_r, $1_usertype) -- userdom_manage_tmpfs_role($1_r, $1_usertype) - - ifelse(`$1',`unconfined',`',` - gen_tunable($1_exec_content, true) -@@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',` - ## - # - interface(`userdom_user_tmpfs_file',` -- files_tmpfs_file($1) -- ubac_constrained($1) -+ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.') -+ userdom_user_tmp_file($1) - ') - - ######################################## -@@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',` - ## - # - interface(`userdom_user_tmpfs_content',` -- gen_require(` -- attribute user_tmpfs_type; -- ') -- -- typeattribute $1 user_tmpfs_type; -- -- files_tmpfs_file($1) -- ubac_constrained($1) -+ 
refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.') -+ userdom_user_tmp_content($1) - ') - - ######################################## -@@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',` - - ######################################## - ## -+## Create a user tmp sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_create_user_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ allow $1 user_tmp_t:dir list_dir_perms; -+ create_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+') -+ -+######################################## -+## -+## Dontaudit getattr on user tmp sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`usedom_dontaudit_user_getattr_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms; -+') -+ -+######################################## -+## - ## Relabel user tmp files. - ## - ## -@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',` - - allow $1 user_tmp_t:file relabel_file_perms; - ') -+ -+######################################## -+## -+## Relabel user tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_relabel_user_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:dir relabel_dir_perms; -+') -+ - ######################################## - ## - ## Do not audit attempts to set the -@@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` - ## - ## - # -+interface(`userdom_getattr_user_tmp_files',` -+ gen_require(` -+ attribute user_tmp_type; -+ ') -+ -+ getattr_files_pattern($1, user_tmp_type, user_tmp_type) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Read user temporary files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# - interface(`userdom_read_user_tmp_files',` - gen_require(` - attribute user_tmp_type; -@@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',` - - ######################################## - ## -+## Read user temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_append_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ allow $1 user_tmp_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to read users - ## temporary files. - ## -@@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',` - rw_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') -+######################################## -+## -+## Read and write user temporary files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_user_tmp_sock_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:dir list_dir_perms; -+ allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms; -+ files_search_tmp($1) -+') - - ######################################## - ## -@@ -3372,12 +3460,8 @@ interface(`userdom_tmp_filetrans_user_tmp',` - ## - # - interface(`userdom_getattr_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- fs_search_tmpfs($1) -+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') -+ userdom_getattr_user_tmp_files($1) - ') - - ######################################## -@@ -3391,14 +3475,8 @@ interface(`userdom_getattr_user_tmpfs_files',` - ## - # - interface(`userdom_read_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) -+ refpolicywarn(`$0($*) has been deprecated, use 
userdom_read_user_tmp_files() instead.') -+ userdom_read_user_tmp_files($1) - ') - - ######################################## -@@ -3412,14 +3490,8 @@ interface(`userdom_read_user_tmpfs_files',` - ## - # - interface(`userdom_rw_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) -+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') -+ userdom_rw_user_tmp_files($1) - ') - - ######################################## -@@ -3433,11 +3505,8 @@ interface(`userdom_rw_user_tmpfs_files',` - ## - # - interface(`userdom_rw_inherited_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- allow $1 user_tmpfs_t:file rw_inherited_file_perms; -+ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.') -+ userdom_rw_inherited_user_tmp_files($1) - ') - - ######################################## -@@ -3451,11 +3520,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',` - ## - # - interface(`userdom_execute_user_tmpfs_files',` -+ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.') -+ userdom_execute_user_tmp_files($1) -+') -+ -+######################################## -+## -+## Execute user tmpfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`userdom_execute_user_tmp_files',` - gen_require(` -- type user_tmpfs_t; -+ type user_tmp_t; - ') - -- allow $1 user_tmpfs_t:file execute; -+ allow $1 user_tmp_t:file execute; - ') - - ######################################## -@@ -5208,16 +5292,8 @@ interface(`userdom_list_all_user_tmp_content',` - ## - # - interface(`userdom_manage_all_user_tmpfs_content',` -- gen_require(` -- attribute user_tmpfs_type; -- ') -- -- manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) -- manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -- manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -- manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -- manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) -- fs_search_tmpfs($1) -+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') -+ userdom_manage_all_user_tmp_content($1) - ') - - ######################################## -@@ -5431,11 +5507,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',` - ## - # - interface(`userdom_dontaudit_setattr_user_tmpfs',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- dontaudit $1 user_tmpfs_t:file setattr; -+ refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.') -+ userdom_dontaudit_setattr_user_tmp($1) - ') - - ######################################## -@@ -5539,11 +5612,8 @@ interface(`userdom_delete_user_tmp_files',` - ## - # - interface(`userdom_delete_user_tmpfs_files',` -- gen_require(` -- type user_tmpfs_t; -- ') -- -- allow $1 user_tmpfs_t:file delete_file_perms; -+ refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.') -+ userdom_delete_user_tmpfs_files($1) - ') - - ######################################## -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 7283238..6cc7d53 100644 ---- a/policy/modules/system/userdomain.te -+++ 
b/policy/modules/system/userdomain.te -@@ -97,19 +97,18 @@ dev_node(user_devpts_t) - files_type(user_devpts_t) - ubac_constrained(user_devpts_t) - --type user_tmp_t, user_tmp_type; -+type user_tmp_t, user_tmp_type, user_tmpfs_type; - typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; - typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; -+typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; -+typealias user_tmp_t alias xdm_tmp_t; -+typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; - files_tmp_file(user_tmp_t) -+files_tmpfs_file(user_tmp_t) - userdom_user_home_content(user_tmp_t) - files_poly_parent(user_tmp_t) - files_mountpoint(user_tmp_t) - --type user_tmpfs_t, user_tmpfs_type; --typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; --files_tmpfs_file(user_tmpfs_t) --userdom_user_home_content(user_tmpfs_t) -- - type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; - dev_node(user_tty_device_t) - ubac_constrained(user_tty_device_t) diff --git a/policy-rawhide-contrib-apache-content.patch b/policy-rawhide-contrib-apache-content.patch deleted file mode 100644 index 0c31ccc..0000000 --- a/policy-rawhide-contrib-apache-content.patch +++ /dev/null 
@@ -1,2114 +0,0 @@
-diff --git a/apache.if b/apache.if
-index fac6fe5..804867a 100644
---- a/apache.if
-+++ b/apache.if
-@@ -14,99 +14,123 @@
- template(`apache_content_template',`
- gen_require(`
- attribute httpd_exec_scripts, httpd_script_exec_type;
-- type httpd_t, httpd_suexec_t, httpd_log_t;
-- type httpd_sys_content_t;
-+ type httpd_t, httpd_suexec_t;
- attribute httpd_script_type, httpd_content_type;
- ')
-
- #This type is for webpages
-- type httpd_$1_content_t; # customizable;
-- typeattribute httpd_$1_content_t httpd_content_type;
-- typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
-- files_type(httpd_$1_content_t)
-+ type $1_content_t; # customizable;
-+ typeattribute $1_content_t httpd_content_type;
-+ typealias $1_content_t alias httpd_$1_script_ro_t;
-+ files_type($1_content_t)
-
- # This type is used for .htaccess files
-- type httpd_$1_htaccess_t, httpd_content_type; # customizable;
-- typeattribute httpd_$1_htaccess_t httpd_content_type;
-- files_type(httpd_$1_htaccess_t)
-+ type $1_htaccess_t, httpd_content_type; # customizable;
-+ typeattribute $1_htaccess_t httpd_content_type;
-+ files_type($1_htaccess_t)
-
- # Type that CGI scripts run as
-- type httpd_$1_script_t, httpd_script_type;
-- domain_type(httpd_$1_script_t)
-- role system_r types httpd_$1_script_t;
-+ type $1_script_t, httpd_script_type;
-+ domain_type($1_script_t)
-+ role system_r types $1_script_t;
-
-- kernel_read_system_state(httpd_$1_script_t)
-+ kernel_read_system_state($1_script_t)
-
- # This type is used for executable scripts files
-- type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
-- typeattribute httpd_$1_script_exec_t httpd_content_type;
-- domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
-+ type $1_script_exec_t, httpd_script_exec_type; # customizable;
-+ typeattribute $1_script_exec_t httpd_content_type;
-+ domain_entry_file($1_script_t, $1_script_exec_t)
-
-- type httpd_$1_rw_content_t; # customizable
-- typeattribute 
httpd_$1_rw_content_t httpd_content_type;
-- typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
-- files_type(httpd_$1_rw_content_t)
-+ type $1_rw_content_t; # customizable
-+ typeattribute $1_rw_content_t httpd_content_type;
-+ typealias $1_rw_content_t alias { $1_script_rw_t };
-+ files_type($1_rw_content_t)
-
-- type httpd_$1_ra_content_t, httpd_content_type; # customizable
-- typeattribute httpd_$1_ra_content_t httpd_content_type;
-- typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
-- files_type(httpd_$1_ra_content_t)
-+ type $1_ra_content_t, httpd_content_type; # customizable
-+ typeattribute $1_ra_content_t httpd_content_type;
-+ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
-+ files_type($1_ra_content_t)
-
- # Allow the script process to search the cgi directory, and users directory
-- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
-+ allow $1_script_t $1_content_t:dir search_dir_perms;
-
-- can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-- allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
-+ can_exec($1_script_t, $1_script_exec_t)
-+ allow $1_script_t $1_script_exec_t:dir list_dir_perms;
-
-- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-- read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
-+ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-+ 
read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
-
-- allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
-- read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-- read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
-+ allow $1_script_t $1_content_t:dir list_dir_perms;
-+ read_files_pattern($1_script_t, $1_content_t, $1_content_t)
-+ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)
-
-- manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-+ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
-
- # Allow the web server to run scripts and serve pages
- tunable_policy(`httpd_builtin_scripting',`
-- manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-- rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-+ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
-+ rw_sock_files_pattern(httpd_t, $1_rw_content_t, 
$1_rw_content_t)
-
-- allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
-- read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-- read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
-+ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
-+ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-+ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
-
- ')
-
- tunable_policy(`httpd_enable_cgi',`
-- allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
-+ allow $1_script_t $1_script_exec_t:file entrypoint;
-
-- domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-+ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)
-
- # privileged users run the script:
-- domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
-+ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
-
-- allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
-+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;
-
- # apache runs the script:
-- domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-- allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
-+ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
-+ allow httpd_t $1_script_t:unix_dgram_socket sendto;
- ')
- ')
-
- ########################################
- ##
-+## Create a set of derived types for apache
-+## web content.
-+##
-+##
-+##
-+## The prefix to be used for deriving new type names.
-+##
-+##
-+##
-+## The prefix to be used for deriving old type names.
-+## -+## -+# -+template(`apache_content_alias_template',` -+ typealias $1_htaccess_t alias httpd_$2_htaccess_t; -+ typealias $1_script_t alias httpd_$2_script_t; -+ typealias $1_script_exec_t alias httpd_$2_script_exec_t; -+ typealias $1_content_t alias httpd_$2_content_t; -+ typealias $1_rw_content_t alias httpd_$2_script_rw_content_t; -+ typealias $1_ra_content_t alias httpd_$2_script_ra_content_t; -+') -+ -+######################################## -+## - ## Role access for apache - ## - ## -diff --git a/apache.te b/apache.te -index 0e09bca..85e992e 100644 ---- a/apache.te -+++ b/apache.te -@@ -370,7 +370,7 @@ type httpd_suexec_tmp_t; - files_tmp_file(httpd_suexec_tmp_t) - - # setup the system domain for system CGI scripts --apache_content_template(sys) -+apache_content_template(httpd_sys) - - typeattribute httpd_sys_content_t httpdcontent; # customizable - typeattribute httpd_sys_rw_content_t httpdcontent; # customizable -@@ -389,7 +389,7 @@ files_tmp_file(httpd_tmp_t) - type httpd_tmpfs_t; - files_tmpfs_file(httpd_tmpfs_t) - --apache_content_template(user) -+apache_content_template(httpd_user) - ubac_constrained(httpd_user_script_t) - - typeattribute httpd_user_content_t httpdcontent; -@@ -1619,6 +1619,7 @@ allow httpd_t httpd_script_exec_type:dir list_dir_perms; - allow httpd_script_type self:process { setsched signal_perms }; - allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; - allow httpd_script_type self:unix_dgram_socket create_socket_perms; -+allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms; - - allow httpd_script_type httpd_t:fd use; - allow httpd_script_type httpd_t:process sigchld; -diff --git a/apcupsd.fc b/apcupsd.fc -index 1c37fe1..274704f 100644 ---- a/apcupsd.fc -+++ b/apcupsd.fc -@@ -14,8 +14,8 @@ - - /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) - --/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) 
--/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) --/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) --/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) --/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -+/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) -+/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) -+/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) -+/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) -+/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:apcupsd_cgi_script_exec_t,s0) -diff --git a/apcupsd.if b/apcupsd.if -index b6afc90..9c06313 100644 ---- a/apcupsd.if -+++ b/apcupsd.if -@@ -102,7 +102,7 @@ interface(`apcupsd_append_log',` - ######################################## - ## - ## Execute a domain transition to --## run httpd_apcupsd_cgi_script. -+## run apcupsd_cgi_script. 
- ## - ## - ## -@@ -112,11 +112,11 @@ interface(`apcupsd_append_log',` - # - interface(`apcupsd_cgi_script_domtrans',` - gen_require(` -- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; -+ type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t; - ') - - files_search_var($1) -- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) -+ domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t) - - optional_policy(` - apache_search_sys_content($1) -diff --git a/apcupsd.te b/apcupsd.te -index b4c43c7..11c215a 100644 ---- a/apcupsd.te -+++ b/apcupsd.te -@@ -116,19 +116,20 @@ optional_policy(` - - optional_policy(` - apache_content_template(apcupsd_cgi) -- -- allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; -- -- corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) -- corenet_sendrecv_apcupsd_client_packets(httpd_apcupsd_cgi_script_t) -- corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) -- corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) -- corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) -- corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) -- -- sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) -+ apache_content_alias_template(apcupsd_cgi, apcupsd_cgi) -+ -+ allow apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; -+ allow apcupsd_cgi_script_t self:udp_socket create_socket_perms; -+ -+ corenet_all_recvfrom_netlabel(apcupsd_cgi_script_t) -+ corenet_tcp_sendrecv_generic_if(apcupsd_cgi_script_t) -+ corenet_tcp_sendrecv_generic_node(apcupsd_cgi_script_t) -+ corenet_tcp_sendrecv_all_ports(apcupsd_cgi_script_t) -+ 
corenet_sendrecv_apcupsd_client_packets(apcupsd_cgi_script_t) -+ corenet_tcp_connect_apcupsd_port(apcupsd_cgi_script_t) -+ corenet_udp_sendrecv_generic_if(apcupsd_cgi_script_t) -+ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t) -+ corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t) -+ -+ sysnet_dns_name_resolve(apcupsd_cgi_script_t) - ') -diff --git a/awstats.fc b/awstats.fc -index 11e6d5f..73b4ea4 100644 ---- a/awstats.fc -+++ b/awstats.fc -@@ -1,5 +1,5 @@ - /usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) --/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) --/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) -+/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0) -+/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0) - - /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) -diff --git a/awstats.te b/awstats.te -index c222135..ffbf2cb 100644 ---- a/awstats.te -+++ b/awstats.te -@@ -26,6 +26,7 @@ type awstats_var_lib_t; - files_type(awstats_var_lib_t) - - apache_content_template(awstats) -+apache_content_alias_template(awstats, awstats) - - ######################################## - # -@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) - - manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) - --allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms; -+allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms; - --can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t }) -+can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t }) - - kernel_dontaudit_read_system_state(awstats_t) - -@@ -86,13 +87,13 @@ optional_policy(` - # CGI local policy - # - --apache_read_log(httpd_awstats_script_t) 
-+apache_read_log(awstats_script_t) - --manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) --manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t) --files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file }) -+manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) -+files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file }) - --allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; -+allow awstats_script_t awstats_var_lib_t:dir list_dir_perms; - --read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) --files_search_var_lib(httpd_awstats_script_t) -+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -+files_search_var_lib(awstats_script_t) -diff --git a/bugzilla.fc b/bugzilla.fc -index fb6e397..9efceac 100644 ---- a/bugzilla.fc -+++ b/bugzilla.fc -@@ -1,4 +1,4 @@ --/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) --/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0) -+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0) - --/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) -+/var/lib/bugzilla(/.*)? 
gen_context(system_u:object_r:bugzilla_rw_content_t,s0) -diff --git a/bugzilla.if b/bugzilla.if -index bf0cefa..d9ea246 100644 ---- a/bugzilla.if -+++ b/bugzilla.if -@@ -12,10 +12,10 @@ - # - interface(`bugzilla_search_content',` - gen_require(` -- type httpd_bugzilla_content_t; -+ type bugzilla_content_t; - ') - -- allow $1 httpd_bugzilla_content_t:dir search_dir_perms; -+ allow $1 bugzilla_content_t:dir search_dir_perms; - ') - - ######################################## -@@ -32,10 +32,10 @@ interface(`bugzilla_search_content',` - # - interface(`bugzilla_dontaudit_rw_stream_sockets',` - gen_require(` -- type httpd_bugzilla_script_t; -+ type bugzilla_script_t; - ') - -- dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; -+ dontaudit $1 bugzilla_script_t:unix_stream_socket { read write }; - ') - - ######################################## -@@ -51,32 +51,32 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` - # - interface(`bugzilla_admin',` - gen_require(` -- type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; -- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; -- type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; -+ type bugzilla_script_t, bugzilla_content_t, bugzilla_ra_content_t; -+ type bugzilla_rw_content_t, bugzilla_script_exec_t; -+ type bugzilla_htaccess_t, bugzilla_tmp_t; - ') - -- allow $1 httpd_bugzilla_script_t:process signal_perms; -- ps_process_pattern($1, httpd_bugzilla_script_t) -+ allow $1 bugzilla_script_t:process signal_perms; -+ ps_process_pattern($1, bugzilla_script_t) - - tunable_policy(`deny_ptrace',`',` -- allow $1 httpd_bugzilla_script_t:process ptrace; -+ allow $1 bugzilla_script_t:process ptrace; - ') - - files_list_tmp($1) -- admin_pattern($1, httpd_bugzilla_tmp_t) -+ admin_pattern($1, bugzilla_tmp_t) - -- files_list_var_lib(httpd_bugzilla_script_t) -+ files_list_var_lib(bugzilla_script_t) - -- admin_pattern($1, httpd_bugzilla_script_exec_t) -- admin_pattern($1, 
httpd_bugzilla_script_t) -- admin_pattern($1, httpd_bugzilla_content_t) -- admin_pattern($1, httpd_bugzilla_htaccess_t) -- admin_pattern($1, httpd_bugzilla_ra_content_t) -+ admin_pattern($1, bugzilla_script_exec_t) -+ admin_pattern($1, bugzilla_script_t) -+ admin_pattern($1, bugzilla_content_t) -+ admin_pattern($1, bugzilla_htaccess_t) -+ admin_pattern($1, bugzilla_ra_content_t) - - files_search_tmp($1) - files_search_var_lib($1) -- admin_pattern($1, httpd_bugzilla_rw_content_t) -+ admin_pattern($1, bugzilla_rw_content_t) - - optional_policy(` - apache_list_sys_content($1) -diff --git a/bugzilla.te b/bugzilla.te -index d9f3061..c62f617 100644 ---- a/bugzilla.te -+++ b/bugzilla.te -@@ -6,54 +6,55 @@ policy_module(bugzilla, 1.1.0) - # - - apache_content_template(bugzilla) -+apache_content_alias_template(bugzilla, bugzilla) - --type httpd_bugzilla_tmp_t; --files_tmp_file(httpd_bugzilla_tmp_t) -+type bugzilla_tmp_t alias httpd_bugzilla_tmp_t; -+files_tmp_file(bugzilla_tmp_t) - - ######################################## - # - # Local policy - # - --allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; -+allow bugzilla_script_t self:tcp_socket { accept listen }; - --corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) --corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) --corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) -+corenet_all_recvfrom_netlabel(bugzilla_script_t) -+corenet_tcp_sendrecv_generic_if(bugzilla_script_t) -+corenet_tcp_sendrecv_generic_node(bugzilla_script_t) - --corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t) --corenet_tcp_connect_http_port(httpd_bugzilla_script_t) --corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t) -+corenet_sendrecv_http_client_packets(bugzilla_script_t) -+corenet_tcp_connect_http_port(bugzilla_script_t) -+corenet_tcp_sendrecv_http_port(bugzilla_script_t) - --corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) --corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) 
--corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) -+corenet_sendrecv_smtp_client_packets(bugzilla_script_t) -+corenet_tcp_connect_smtp_port(bugzilla_script_t) -+corenet_tcp_sendrecv_smtp_port(bugzilla_script_t) - --manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) --manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) --files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) -+manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) -+manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) -+files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir }) - --files_search_var_lib(httpd_bugzilla_script_t) -+files_search_var_lib(bugzilla_script_t) - --auth_read_passwd(httpd_bugzilla_script_t) -+auth_read_passwd(bugzilla_script_t) - --dev_read_sysfs(httpd_bugzilla_script_t) -+dev_read_sysfs(bugzilla_script_t) - --sysnet_read_config(httpd_bugzilla_script_t) --sysnet_use_ldap(httpd_bugzilla_script_t) -+sysnet_read_config(bugzilla_script_t) -+sysnet_use_ldap(bugzilla_script_t) - --miscfiles_read_certs(httpd_bugzilla_script_t) -+miscfiles_read_certs(bugzilla_script_t) - - optional_policy(` -- mta_send_mail(httpd_bugzilla_script_t) -+ mta_send_mail(bugzilla_script_t) - ') - - optional_policy(` -- mysql_stream_connect(httpd_bugzilla_script_t) -- mysql_tcp_connect(httpd_bugzilla_script_t) -+ mysql_stream_connect(bugzilla_script_t) -+ mysql_tcp_connect(bugzilla_script_t) - ') - - optional_policy(` -- postgresql_stream_connect(httpd_bugzilla_script_t) -- postgresql_tcp_connect(httpd_bugzilla_script_t) -+ postgresql_stream_connect(bugzilla_script_t) -+ postgresql_tcp_connect(bugzilla_script_t) - ') -diff --git a/collectd.fc b/collectd.fc -index 2e7d7ed..8d70290 100644 ---- a/collectd.fc -+++ b/collectd.fc -@@ -8,4 +8,4 @@ - - /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) - 
--/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) -+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0) -diff --git a/collectd.te b/collectd.te -index dc0423c..d078b96 100644 ---- a/collectd.te -+++ b/collectd.te -@@ -30,9 +30,10 @@ type collectd_unit_file_t; - systemd_unit_file(collectd_unit_file_t) - - apache_content_template(collectd) -+apache_content_alias_template(collectd, collectd) - --type httpd_collectd_script_tmp_t; --files_tmp_file(httpd_collectd_script_tmp_t) -+type collectd_script_tmp_t alias httpd_collectd_script_tmp_t; -+files_tmp_file(collectd_script_tmp_t) - - ######################################## - # -@@ -102,13 +103,13 @@ optional_policy(` - # - - --files_search_var_lib(httpd_collectd_script_t) --read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) --list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) --miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -+files_search_var_lib(collectd_script_t) -+read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) -+miscfiles_setattr_fonts_cache_dirs(collectd_script_t) - --manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) --manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t) --files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir }) -+manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) -+manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) -+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir }) - --auth_read_passwd(httpd_collectd_script_t) -+auth_read_passwd(collectd_script_t) -diff --git a/cvs.fc b/cvs.fc 
-index 75c8be9..e07e602 100644 ---- a/cvs.fc -+++ b/cvs.fc -@@ -4,10 +4,10 @@ - - /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) - --/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -+/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) - - /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - - /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0) - --/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) -+/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) -diff --git a/cvs.te b/cvs.te -index f98a932..c3502c3 100644 ---- a/cvs.te -+++ b/cvs.te -@@ -125,9 +125,10 @@ optional_policy(` - - optional_policy(` - apache_content_template(cvs) -+ apache_content_alias_template(cvs, cvs) - -- read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) -- manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -- manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) -- files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) -+ read_files_pattern(cvs_script_t, cvs_data_t, cvs_data_t) -+ manage_dirs_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ manage_files_pattern(cvs_script_t, cvs_tmp_t, cvs_tmp_t) -+ files_tmp_filetrans(cvs_script_t, cvs_tmp_t, { file dir }) - ') -diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc -index 8c44697..5e44c5e 100644 ---- a/dirsrv-admin.fc -+++ b/dirsrv-admin.fc -@@ -6,8 +6,8 @@ - /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) - /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) - --/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) --/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+/usr/lib/dirsrv/cgi-bin(/.*)? 
gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0) -+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:dirsrvadmin_script_exec_t,s0) - - /usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) - /usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0) -diff --git a/dirsrv-admin.if b/dirsrv-admin.if -index 30416f2..e360d38 100644 ---- a/dirsrv-admin.if -+++ b/dirsrv-admin.if -@@ -29,13 +29,13 @@ interface(`dirsrvadmin_run_exec',` - ## - ## - # --interface(`dirsrvadmin_run_httpd_script_exec',` -+interface(`dirsrvadmin_run_script_exec',` - gen_require(` -- type httpd_dirsrvadmin_script_exec_t; -+ type dirsrvadmin_script_exec_t; - ') - -- allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; -- can_exec($1, httpd_dirsrvadmin_script_exec_t) -+ allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms; -+ can_exec($1, dirsrvadmin_script_exec_t) - ') - - ######################################## -diff --git a/dirsrv-admin.te b/dirsrv-admin.te -index 021c5ae..37afbd4 100644 ---- a/dirsrv-admin.te -+++ b/dirsrv-admin.te -@@ -70,59 +70,60 @@ optional_policy(` - - optional_policy(` - apache_content_template(dirsrvadmin) -+ apache_content_alias_template(dirsrvadmin, dirsrvadmin) - -- allow httpd_dirsrvadmin_script_t self:process { getsched getpgid }; -- allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -- allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -- allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms; -- allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -- allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -- allow httpd_dirsrvadmin_script_t self:sem create_sem_perms; -+ allow dirsrvadmin_script_t self:process { getsched getpgid }; -+ allow 
dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override }; -+ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms; -+ allow dirsrvadmin_script_t self:udp_socket create_socket_perms; -+ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms; -+ allow dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms; -+ allow dirsrvadmin_script_t self:sem create_sem_perms; - - -- manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) -- files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) -+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t) -+ files_lock_filetrans(dirsrvadmin_script_t, dirsrvadmin_lock_t, { file }) - -- kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) -+ kernel_read_kernel_sysctls(dirsrvadmin_script_t) - - -- corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t) -- corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t) -- corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) -+ corenet_tcp_bind_generic_node(dirsrvadmin_script_t) -+ corenet_udp_bind_generic_node(dirsrvadmin_script_t) -+ corenet_all_recvfrom_netlabel(dirsrvadmin_script_t) - -- corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t) -- corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) -- corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) -- corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) -+ corenet_tcp_bind_http_port(dirsrvadmin_script_t) -+ corenet_tcp_connect_generic_port(dirsrvadmin_script_t) -+ corenet_tcp_connect_ldap_port(dirsrvadmin_script_t) -+ corenet_tcp_connect_http_port(dirsrvadmin_script_t) - -- files_search_var_lib(httpd_dirsrvadmin_script_t) -+ files_search_var_lib(dirsrvadmin_script_t) - -- sysnet_read_config(httpd_dirsrvadmin_script_t) -+ sysnet_read_config(dirsrvadmin_script_t) - -- 
manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -- manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -- files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) -+ manage_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) -+ files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) - - optional_policy(` -- apache_read_modules(httpd_dirsrvadmin_script_t) -- apache_read_config(httpd_dirsrvadmin_script_t) -- apache_signal(httpd_dirsrvadmin_script_t) -- apache_signull(httpd_dirsrvadmin_script_t) -+ apache_read_modules(dirsrvadmin_script_t) -+ apache_read_config(dirsrvadmin_script_t) -+ apache_signal(dirsrvadmin_script_t) -+ apache_signull(dirsrvadmin_script_t) - ') - - optional_policy(` - # The CGI scripts must be able to manage dirsrv-admin -- dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t) -- dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t) -- dirsrv_domtrans(httpd_dirsrvadmin_script_t) -- dirsrv_signal(httpd_dirsrvadmin_script_t) -- dirsrv_signull(httpd_dirsrvadmin_script_t) -- dirsrv_manage_log(httpd_dirsrvadmin_script_t) -- dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t) -- dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t) -- dirsrv_manage_var_run(httpd_dirsrvadmin_script_t) -- dirsrv_manage_config(httpd_dirsrvadmin_script_t) -- dirsrv_read_share(httpd_dirsrvadmin_script_t) -+ dirsrvadmin_run_exec(dirsrvadmin_script_t) -+ dirsrvadmin_manage_config(dirsrvadmin_script_t) -+ dirsrv_domtrans(dirsrvadmin_script_t) -+ dirsrv_signal(dirsrvadmin_script_t) -+ dirsrv_signull(dirsrvadmin_script_t) -+ dirsrv_manage_log(dirsrvadmin_script_t) -+ dirsrv_manage_var_lib(dirsrvadmin_script_t) -+ dirsrv_pid_filetrans(dirsrvadmin_script_t) -+ dirsrv_manage_var_run(dirsrvadmin_script_t) -+ dirsrv_manage_config(dirsrvadmin_script_t) -+ 
dirsrv_read_share(dirsrvadmin_script_t) - ') - ') - -diff --git a/dspam.fc b/dspam.fc -index 3ea0423..b5fcb77 100644 ---- a/dspam.fc -+++ b/dspam.fc -@@ -2,7 +2,7 @@ - - /usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0) - --/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) -+/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0) - - /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) - -@@ -11,7 +11,7 @@ - /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) - - # web --/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) --/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) -+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0) -+/var/www/dspam(/.*?) gen_context(system_u:object_r:dspam_content_t,s0) - --/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) -+/var/lib/dspam/data(/.*)? 
gen_context(system_u:object_r:dspam_rw_content_t,s0) -diff --git a/dspam.te b/dspam.te -index 37c844b..1ec4d89 100644 ---- a/dspam.te -+++ b/dspam.te -@@ -75,29 +75,27 @@ logging_send_syslog_msg(dspam_t) - - optional_policy(` - apache_content_template(dspam) -+ apache_content_alias_template(dspam, dspam) - -- read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) -+ read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) - -- files_search_var_lib(httpd_dspam_script_t) -- list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) -- manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -- manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+ files_search_var_lib(dspam_script_t) - -- domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) -+ domain_dontaudit_read_all_domains_state(dspam_script_t) - -- term_dontaudit_search_ptys(httpd_dspam_script_t) -- term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) -- term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) -+ term_dontaudit_search_ptys(dspam_script_t) -+ term_dontaudit_getattr_all_ttys(dspam_script_t) -+ term_dontaudit_getattr_all_ptys(dspam_script_t) - -- init_read_utmp(httpd_dspam_script_t) -+ init_read_utmp(dspam_script_t) - -- logging_send_syslog_msg(httpd_dspam_script_t) -+ logging_send_syslog_msg(dspam_script_t) - -- mta_send_mail(httpd_dspam_script_t) -+ mta_send_mail(dspam_script_t) - - optional_policy(` -- mysql_tcp_connect(httpd_dspam_script_t) -- mysql_stream_connect(httpd_dspam_script_t) -+ mysql_tcp_connect(dspam_script_t) -+ mysql_stream_connect(dspam_script_t) - ') - ') - -diff --git a/git.fc b/git.fc -index 24700f8..6561d56 100644 ---- a/git.fc -+++ b/git.fc -@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) - - /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) - --/var/cache/cgit(/.*)? 
gen_context(system_u:object_r:httpd_git_rw_content_t,s0) --/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -+/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) -+/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) - - /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) - --/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) --/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) --/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) --/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -+/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:git_script_exec_t,s0) -+/var/www/git(/.*)? gen_context(system_u:object_r:git_content_t,s0) -+/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) -+/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:git_script_exec_t,s0) -diff --git a/git.te b/git.te -index 2609364..d3caffa 100644 ---- a/git.te -+++ b/git.te -@@ -75,6 +75,7 @@ attribute git_daemon; - attribute_role git_session_roles; - - apache_content_template(git) -+apache_content_alias_template(git, git) - - type git_system_t, git_daemon; - type gitd_exec_t; -@@ -210,48 +211,48 @@ tunable_policy(`git_system_use_nfs',` - # CGI policy - # - --list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) --read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) --files_search_var_lib(httpd_git_script_t) -+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -+files_search_var_lib(git_script_t) 
- --files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) -+files_dontaudit_getattr_tmp_dirs(git_script_t) - --auth_use_nsswitch(httpd_git_script_t) -+auth_use_nsswitch(git_script_t) - - tunable_policy(`git_cgi_enable_homedirs',` -- userdom_search_user_home_dirs(httpd_git_script_t) -+ userdom_search_user_home_dirs(git_script_t) - ') - - tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` -- fs_getattr_nfs(httpd_git_script_t) -- fs_list_nfs(httpd_git_script_t) -- fs_read_nfs_files(httpd_git_script_t) -+ fs_getattr_nfs(git_script_t) -+ fs_list_nfs(git_script_t) -+ fs_read_nfs_files(git_script_t) - ',` -- fs_dontaudit_read_nfs_files(httpd_git_script_t) -+ fs_dontaudit_read_nfs_files(git_script_t) - ') - - tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` -- fs_getattr_cifs(httpd_git_script_t) -- fs_list_cifs(httpd_git_script_t) -- fs_read_cifs_files(httpd_git_script_t) -+ fs_getattr_cifs(git_script_t) -+ fs_list_cifs(git_script_t) -+ fs_read_cifs_files(git_script_t) - ',` -- fs_dontaudit_read_cifs_files(httpd_git_script_t) -+ fs_dontaudit_read_cifs_files(git_script_t) - ') - - tunable_policy(`git_cgi_use_cifs',` -- fs_getattr_cifs(httpd_git_script_t) -- fs_list_cifs(httpd_git_script_t) -- fs_read_cifs_files(httpd_git_script_t) -+ fs_getattr_cifs(git_script_t) -+ fs_list_cifs(git_script_t) -+ fs_read_cifs_files(git_script_t) - ',` -- fs_dontaudit_read_cifs_files(httpd_git_script_t) -+ fs_dontaudit_read_cifs_files(git_script_t) - ') - - tunable_policy(`git_cgi_use_nfs',` -- fs_getattr_nfs(httpd_git_script_t) -- fs_list_nfs(httpd_git_script_t) -- fs_read_nfs_files(httpd_git_script_t) -+ fs_getattr_nfs(git_script_t) -+ fs_list_nfs(git_script_t) -+ fs_read_nfs_files(git_script_t) - ',` -- fs_dontaudit_read_nfs_files(httpd_git_script_t) -+ fs_dontaudit_read_nfs_files(git_script_t) - ') - - ######################################## -diff --git a/lightsquid.fc b/lightsquid.fc -index 044390c..63e2058 100644 ---- a/lightsquid.fc -+++ b/lightsquid.fc 
-@@ -1,11 +1,11 @@ - /etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0) - --/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) --/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) -+/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0) -+/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) - --/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) -+/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) - - /var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) - --/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) --/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) -+/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0) -+/var/www/html/lightsquid/report(/.*)? 
gen_context(system_u:object_r:lightsquid_report_content_t,s0) -diff --git a/lightsquid.te b/lightsquid.te -index 75854ed..6c7855e 100644 ---- a/lightsquid.te -+++ b/lightsquid.te -@@ -13,18 +13,18 @@ type lightsquid_exec_t; - application_domain(lightsquid_t, lightsquid_exec_t) - role lightsquid_roles types lightsquid_t; - --type lightsquid_rw_content_t; --files_type(lightsquid_rw_content_t) -+type lightsquid_report_content_t; -+files_type(lightsquid_report_content_t) - - ######################################## - # - # Local policy - # - --manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) --manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) --manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) --files_var_filetrans(lightsquid_t, lightsquid_rw_content_t, dir) -+manage_dirs_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) -+manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) -+manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) -+files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir) - - corecmd_exec_bin(lightsquid_t) - corecmd_exec_shell(lightsquid_t) -@@ -36,10 +36,11 @@ squid_read_log(lightsquid_t) - - optional_policy(` - apache_content_template(lightsquid) -+ apache_content_alias_template(lightsquid, lightsquid) - -- list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -- read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -- read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -+ list_dirs_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) -+ read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) -+ 
read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) - ') - - optional_policy(` -diff --git a/man2html.fc b/man2html.fc -index 82f6255..3686732 100644 ---- a/man2html.fc -+++ b/man2html.fc -@@ -1,5 +1,5 @@ --/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) --/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) --/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:httpd_man2html_script_exec_t,s0) -+/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0) -+/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0) -+/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0) - --/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) -+/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0) -diff --git a/man2html.if b/man2html.if -index fe43dea..53eaf61 100644 ---- a/man2html.if -+++ b/man2html.if -@@ -2,7 +2,7 @@ - - ######################################## - ## --## Transition to httpd_man2html_script. -+## Transition to man2html_script. - ## - ## - ## -@@ -10,18 +10,18 @@ - ## - ## - # --interface(`httpd_man2html_script_domtrans',` -+interface(`man2html_script_domtrans',` - gen_require(` -- type httpd_man2html_script_t, httpd_man2html_script_exec_t; -+ type man2html_script_t, man2html_script_exec_t; - ') - - corecmd_search_bin($1) -- domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t) -+ domtrans_pattern($1, man2html_script_exec_t, man2html_script_t) - ') - - ######################################## - ## --## Search httpd_man2html_script cache directories. -+## Search man2html_script content directories. 
- ## - ## - ## -@@ -29,18 +29,19 @@ interface(`httpd_man2html_script_domtrans',` - ## - ## - # --interface(`httpd_man2html_script_search_cache',` -+interface(`man2html_search_content',` - gen_require(` -- type httpd_man2html_script_cache_t; -+ type man2html_content_t; -+ type man2html_rw_content_t; - ') - -- allow $1 httpd_man2html_script_cache_t:dir search_dir_perms; -+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms; - files_search_var($1) - ') - - ######################################## - ## --## Read httpd_man2html_script cache files. -+## Read man2html cache files. - ## - ## - ## -@@ -48,19 +49,22 @@ interface(`httpd_man2html_script_search_cache',` - ## - ## - # --interface(`httpd_man2html_script_read_cache_files',` -+interface(`man2html_read_content_files',` - gen_require(` -- type httpd_man2html_script_cache_t; -+ type man2html_content_t; -+ type man2html_rw_content_t; - ') - - files_search_var($1) -- read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms; -+ read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t) -+ read_files_pattern($1, man2html_content_t, man2html_content_t) - ') - - ######################################## - ## - ## Create, read, write, and delete --## httpd_man2html_script cache files. -+## man2html content files. 
- ## - ## - ## -@@ -68,18 +72,21 @@ interface(`httpd_man2html_script_read_cache_files',` - ## - ## - # --interface(`httpd_man2html_script_manage_cache_files',` -+interface(`man2html_manage_content_files',` - gen_require(` -- type httpd_man2html_script_cache_t; -+ type man2html_content_t; -+ type man2html_rw_content_t; - ') - - files_search_var($1) -- manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t) -+ manage_files_pattern($1, man2html_content_t, man2html_content_t) - ') - - ######################################## - ## --## Manage httpd_man2html_script cache dirs. -+## Create, read, write, and delete -+## man2html content dirs. - ## - ## - ## -@@ -87,20 +94,21 @@ interface(`httpd_man2html_script_manage_cache_files',` - ## - ## - # --interface(`httpd_man2html_script_manage_cache_dirs',` -+interface(`man2html_manage_content_dirs',` - gen_require(` -- type httpd_man2html_script_cache_t; -+ type man2html_content_t; -+ type man2html_rw_content_t; - ') - - files_search_var($1) -- manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -+ manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t) -+ manage_dirs_pattern($1, man2html_content_t, man2html_content_t) - ') - -- - ######################################## - ## - ## All of the rules required to administrate --## an httpd_man2html_script environment -+## an man2html environment - ## - ## - ## -@@ -108,17 +116,19 @@ interface(`httpd_man2html_script_manage_cache_dirs',` - ## - ## - # --interface(`httpd_man2html_script_admin',` -+interface(`man2html_admin',` - gen_require(` -- type httpd_man2html_script_t; -- type httpd_man2html_script_cache_t; -+ type man2html_script_t; -+ type man2html_rw_content_t; -+ type man2html_content_t; - ') - -- allow $1 httpd_man2html_script_t:process { ptrace signal_perms }; -- ps_process_pattern($1, httpd_man2html_script_t) -+ allow $1 
man2html_script_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, man2html_script_t) - - files_search_var($1) -- admin_pattern($1, httpd_man2html_script_cache_t) -+ admin_pattern($1, man2html_content_t) -+ admin_pattern($1, man2html_rw_content_t) - - optional_policy(` - systemd_passwd_agent_exec($1) -diff --git a/man2html.te b/man2html.te -index 9e634bd..24b56e9 100644 ---- a/man2html.te -+++ b/man2html.te -@@ -6,23 +6,17 @@ policy_module(man2html, 1.0.0) - # - - --type httpd_man2html_script_cache_t; --files_type(httpd_man2html_script_cache_t) -- - ######################################## - # --# httpd_man2html_script local policy -+# man2html_script local policy - # - - optional_policy(` -- - apache_content_template(man2html) -+ apache_content_alias_template(man2html, man2html) - -- allow httpd_man2html_script_t self:process { fork }; -- -- manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -- manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -- manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -- files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file }) -+ allow man2html_script_t self:process fork; - -+ typealias man2html_rw_content_t alias man2html_script_cache_t; -+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file }) - ') -diff --git a/mediawiki.fc b/mediawiki.fc -index 99f7c41..93ec6db 100644 ---- a/mediawiki.fc -+++ b/mediawiki.fc -@@ -1,8 +1,8 @@ --/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) --/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) --/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -+/usr/lib/mediawiki/math/texvc -- 
gen_context(system_u:object_r:mediawiki_script_exec_t,s0) -+/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) -+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) - --/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) - --/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) --/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) -+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) -diff --git a/mediawiki.if b/mediawiki.if -index 1c1d012..9b183e6 100644 ---- a/mediawiki.if -+++ b/mediawiki.if -@@ -13,12 +13,12 @@ - # - interface(`mediawiki_read_tmp_files',` - gen_require(` -- type httpd_mediawiki_tmp_t; -+ type mediawiki_tmp_t; - ') - - files_search_tmp($1) -- read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -- read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+ read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) -+ read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) - ') - - ####################################### -@@ -33,8 +33,8 @@ interface(`mediawiki_read_tmp_files',` - # - interface(`mediawiki_delete_tmp_files',` - gen_require(` -- type httpd_mediawiki_tmp_t; -+ type mediawiki_tmp_t; - ') - -- delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) -+ delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t) - ') -diff --git a/mediawiki.te b/mediawiki.te -index 212712c..fcbc191 100644 ---- a/mediawiki.te -+++ b/mediawiki.te -@@ -5,16 +5,26 @@ policy_module(mediawiki, 1.0.0) - # Declarations - # - --optional_policy(` -- -- apache_content_template(mediawiki) -+type mediawiki_tmp_t; -+files_tmp_file(mediawiki_tmp_t) - - 
######################################## - # - # Local policy - # - -- files_search_var_lib(httpd_mediawiki_script_t) -+optional_policy(` -+ -+ apache_content_template(mediawiki) -+ apache_content_alias_template(mediawiki, mediawiki) -+ -+ manage_dirs_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) -+ manage_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) -+ manage_sock_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) -+ manage_lnk_files_pattern(mediawiki_script_t, mediawiki_tmp_t, mediawiki_tmp_t) -+ files_tmp_filetrans(mediawiki_script_t, mediawiki_tmp_t, { file dir lnk_file }) -+ -+ files_search_var_lib(mediawiki_script_t) - -- miscfiles_read_tetex_data(httpd_mediawiki_script_t) -+ miscfiles_read_tetex_data(mediawiki_script_t) - ') -diff --git a/mojomojo.fc b/mojomojo.fc -index 7b827ca..5ee8a0f 100644 ---- a/mojomojo.fc -+++ b/mojomojo.fc -@@ -1,5 +1,5 @@ --/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) -+/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0) - --/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) -+/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0) - --/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) -+/var/lib/mojomojo(/.*)? 
gen_context(system_u:object_r:mojomojo_rw_content_t,s0) -diff --git a/mojomojo.te b/mojomojo.te -index 9556487..25d1d33 100644 ---- a/mojomojo.te -+++ b/mojomojo.te -@@ -5,8 +5,8 @@ policy_module(mojomojo, 1.1.0) - # Declarations - # - --type httpd_mojomojo_tmp_t; --files_tmp_file(httpd_mojomojo_tmp_t) -+type mojomojo_tmp_t alias httpd_mojomojo_tmp_t; -+files_tmp_file(mojomojo_tmp_t) - - ######################################## - # -@@ -15,31 +15,30 @@ files_tmp_file(httpd_mojomojo_tmp_t) - - optional_policy(` - apache_content_template(mojomojo) -+ apache_content_alias_template(mojomojo, mojomojo) - -- allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; -+ manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) -+ manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) -+ files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir }) - -- manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -- manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) -- files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) -+ corenet_tcp_connect_postgresql_port(mojomojo_script_t) -+ corenet_tcp_connect_mysqld_port(mojomojo_script_t) -+ corenet_tcp_connect_smtp_port(mojomojo_script_t) -+ corenet_sendrecv_postgresql_client_packets(mojomojo_script_t) -+ corenet_sendrecv_mysqld_client_packets(mojomojo_script_t) -+ corenet_sendrecv_smtp_client_packets(mojomojo_script_t) - -- corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) -- corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) -- corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -- corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) -- corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) -- corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -+ files_search_var_lib(mojomojo_script_t) - -- 
files_search_var_lib(httpd_mojomojo_script_t) -+ sysnet_dns_name_resolve(mojomojo_script_t) - -- sysnet_dns_name_resolve(httpd_mojomojo_script_t) -- -- mta_send_mail(httpd_mojomojo_script_t) -+ mta_send_mail(mojomojo_script_t) - - optional_policy(` -- mysql_stream_connect(httpd_mojomojo_script_t) -+ mysql_stream_connect(mojomojo_script_t) - ') - - optional_policy(` -- postgresql_stream_connect(httpd_mojomojo_script_t) -+ postgresql_stream_connect(mojomojo_script_t) - ') - ') -diff --git a/munin.fc b/munin.fc -index 4968324..af28bb5 100644 ---- a/munin.fc -+++ b/munin.fc -@@ -73,7 +73,7 @@ - /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) - /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) - /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) --/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) --/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) --/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) --/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) -+/var/www/html/munin(/.*)? gen_context(system_u:object_r:munin_content_t,s0) -+/var/www/html/munin/cgi(/.*)? 
gen_context(system_u:object_r:munin_script_exec_t,s0) -+/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) -+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0) -diff --git a/munin.if b/munin.if -index 4c1b6a8..900d083 100644 ---- a/munin.if -+++ b/munin.if -@@ -209,7 +209,7 @@ interface(`munin_admin',` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; -- type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; -+ type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; - ') - - allow $1 munin_t:process signal_perms; -@@ -239,5 +239,5 @@ interface(`munin_admin',` - files_list_pids($1) - admin_pattern($1, munin_var_run_t) - -- admin_pattern($1, httpd_munin_content_t) -+ admin_pattern($1, munin_content_t) - ') -diff --git a/munin.te b/munin.te -index cead88c..16b96d0 100644 ---- a/munin.te -+++ b/munin.te -@@ -44,8 +44,8 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) - munin_plugin_template(system) - munin_plugin_template(unconfined) - --type httpd_munin_script_tmp_t; --files_tmp_file(httpd_munin_script_tmp_t) -+type munin_script_tmp_t alias httpd_munin_script_tmp_t; -+files_tmp_file(munin_script_tmp_t) - - ################################ - # -@@ -435,22 +435,23 @@ optional_policy(` - # - - apache_content_template(munin) -+apache_content_alias_template(munin, munin) - --manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) --manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) -+manage_dirs_pattern(munin_t, munin_content_t, munin_content_t) -+manage_files_pattern(munin_t, munin_content_t, munin_content_t) - --manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t) --manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t) -+manage_dirs_pattern(munin_script_t, 
munin_script_tmp_t, munin_script_tmp_t) -+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t) - --read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) --read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) -+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t) -+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t) - --read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) --append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t) -+read_files_pattern(munin_script_t, munin_log_t, munin_log_t) -+append_files_pattern(munin_script_t, munin_log_t, munin_log_t) - --files_search_var_lib(httpd_munin_script_t) -+files_search_var_lib(munin_script_t) - --auth_read_passwd(httpd_munin_script_t) -+auth_read_passwd(munin_script_t) - - optional_policy(` - apache_search_sys_content(munin_t) -diff --git a/mythtv.fc b/mythtv.fc -index 3a1c423..d62cf88 100644 ---- a/mythtv.fc -+++ b/mythtv.fc -@@ -1,9 +1,9 @@ --/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) -+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:mythtv_script_exec_t,s0) - - /var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0) - - /var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0) - --/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) --/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0) --/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) -+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0) -+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:mythtv_content_t,s0) -+/usr/share/mythtv/mythweather/scripts(/.*)? 
gen_context(system_u:object_r:mythtv_script_exec_t,s0) -diff --git a/mythtv.if b/mythtv.if -index 171f666..e2403dd 100644 ---- a/mythtv.if -+++ b/mythtv.if -@@ -1,9 +1,9 @@ - --## policy for httpd_mythtv_script -+## policy for mythtv_script - - ######################################## - ## --## Execute TEMPLATE in the httpd_mythtv_script domin. -+## Execute TEMPLATE in the mythtv_script domin. - ## - ## - ## -@@ -11,13 +11,13 @@ - ## - ## - # --interface(`httpd_mythtv_script_domtrans',` -+interface(`mythtv_script_domtrans',` - gen_require(` -- type httpd_mythtv_script_t, httpd_mythtv_script_exec_t; -+ type mythtv_script_t, mythtv_script_exec_t; - ') - - corecmd_search_bin($1) -- domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t) -+ domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t) - ') - - ####################################### -@@ -133,15 +133,15 @@ interface(`mythtv_manage_log',` - # - interface(`mythtv_admin',` - gen_require(` -- type httpd_mythtv_script_t, mythtv_var_lib_t; -+ type mythtv_script_t, mythtv_var_lib_t; - type mythtv_var_log_t; - ') - -- allow $1 httpd_mythtv_script_t:process signal_perms; -- ps_process_pattern($1, httpd_mythtv_script_t) -+ allow $1 mythtv_script_t:process signal_perms; -+ ps_process_pattern($1, mythtv_script_t) - - tunable_policy(`deny_ptrace',`',` -- allow $1 httpd_mythtv_script_t:process ptrace; -+ allow $1 mythtv_script_t:process ptrace; - ') - - logging_list_logs($1) -diff --git a/mythtv.te b/mythtv.te -index 90129ac..7a4910c 100644 ---- a/mythtv.te -+++ b/mythtv.te -@@ -6,6 +6,7 @@ policy_module(mythtv, 1.0.0) - # - - apache_content_template(mythtv) -+apache_content_alias_template(mythtv, mythtv) - - type mythtv_var_lib_t; - files_type(mythtv_var_lib_t) -@@ -15,27 +16,27 @@ logging_log_file(mythtv_var_log_t) - - ######################################## - # --# httpd_mythtv_script local policy -+# mythtv_script local policy - # - --manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, 
mythtv_var_lib_t) --manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) --files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file }) -+manage_files_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+manage_dirs_pattern(mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) -+files_var_lib_filetrans(mythtv_script_t, mythtv_var_lib_t, { dir file }) - --manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) --manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) --logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file ) -+manage_files_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+manage_dirs_pattern(mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t) -+logging_log_filetrans(mythtv_script_t, mythtv_var_log_t, file ) - --domain_use_interactive_fds(httpd_mythtv_script_t) -+domain_use_interactive_fds(mythtv_script_t) - --files_read_etc_files(httpd_mythtv_script_t) -+files_read_etc_files(mythtv_script_t) - --fs_read_nfs_files(httpd_mythtv_script_t) -+fs_read_nfs_files(mythtv_script_t) - --miscfiles_read_localization(httpd_mythtv_script_t) -+miscfiles_read_localization(mythtv_script_t) - - optional_policy(` -- mysql_read_config(httpd_mythtv_script_t) -- mysql_stream_connect(httpd_mythtv_script_t) -- mysql_tcp_connect(httpd_mythtv_script_t) -+ mysql_read_config(mythtv_script_t) -+ mysql_stream_connect(mythtv_script_t) -+ mysql_tcp_connect(mythtv_script_t) - ') -diff --git a/nagios.fc b/nagios.fc -index a00cc2d..24a2dec 100644 ---- a/nagios.fc -+++ b/nagios.fc -@@ -6,8 +6,8 @@ - /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - --/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) --/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/cgi-bin/netsaint(/.*)? 
gen_context(system_u:object_r:nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) - - /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -@@ -19,8 +19,8 @@ - ifdef(`distro_debian',` - /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - ') --/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) --/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) - - # admin plugins - /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) -diff --git a/nagios.te b/nagios.te -index f565a0e..1726e88 100644 ---- a/nagios.te -+++ b/nagios.te -@@ -186,33 +186,34 @@ optional_policy(` - - optional_policy(` - apache_content_template(nagios) -- typealias httpd_nagios_script_t alias nagios_cgi_t; -- typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; -+ apache_content_alias_template(nagios, nagios) -+ typealias nagios_script_t alias nagios_cgi_t; -+ typealias nagios_script_exec_t alias nagios_cgi_exec_t; - -- allow httpd_nagios_script_t self:process signal_perms; -+ allow nagios_script_t self:process signal_perms; - -- read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -- read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+ read_files_pattern(nagios_script_t, nagios_t, nagios_t) -+ read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t) - -- allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; -- allow httpd_nagios_script_t nagios_etc_t:file read_file_perms; -- allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; -+ allow nagios_script_t nagios_etc_t:dir list_dir_perms; 
-+ allow nagios_script_t nagios_etc_t:file read_file_perms; -+ allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; - -- files_search_spool(httpd_nagios_script_t) -- rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) -+ files_search_spool(nagios_script_t) -+ rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) - -- allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; -- read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -- read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) -+ allow nagios_script_t nagios_log_t:dir list_dir_perms; -+ read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) -+ read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) - -- kernel_read_system_state(httpd_nagios_script_t) -+ kernel_read_system_state(nagios_script_t) - -- domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -+ domain_dontaudit_read_all_domains_state(nagios_script_t) - -- files_read_etc_runtime_files(httpd_nagios_script_t) -- files_read_kernel_symbol_table(httpd_nagios_script_t) -+ files_read_etc_runtime_files(nagios_script_t) -+ files_read_kernel_symbol_table(nagios_script_t) - -- logging_send_syslog_msg(httpd_nagios_script_t) -+ logging_send_syslog_msg(nagios_script_t) - ') - - ######################################## -diff --git a/nut.fc b/nut.fc -index 41ff159..fac7d7b 100644 ---- a/nut.fc -+++ b/nut.fc -@@ -11,6 +11,6 @@ - - /var/run/nut(/.*)? 
gen_context(system_u:object_r:nut_var_run_t,s0) - --/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) --/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) -+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) -diff --git a/nut.te b/nut.te -index 1701352..249224e 100644 ---- a/nut.te -+++ b/nut.te -@@ -166,17 +166,18 @@ logging_send_syslog_msg(nut_upsdrvctl_t) - - optional_policy(` - apache_content_template(nutups_cgi) -+ apache_content_alias_template(nutups_cgi,nutups_cgi) - -- read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) -+ read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t) - -- corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -- corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) -- corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) -- corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) -- corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) -- corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) -+ corenet_all_recvfrom_netlabel(nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_if(nutups_cgi_script_t) -+ corenet_tcp_sendrecv_generic_node(nutups_cgi_script_t) -+ corenet_tcp_sendrecv_all_ports(nutups_cgi_script_t) -+ corenet_tcp_connect_ups_port(nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_if(nutups_cgi_script_t) -+ corenet_udp_sendrecv_generic_node(nutups_cgi_script_t) -+ 
corenet_udp_sendrecv_all_ports(nutups_cgi_script_t) - -- sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) -+ sysnet_dns_name_resolve(nutups_cgi_script_t) - ') -diff --git a/openshift.fc b/openshift.fc -index f2d6119..71ba1bd 100644 ---- a/openshift.fc -+++ b/openshift.fc -@@ -18,7 +18,7 @@ - /usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) - - /usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) --/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) -+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:openshift_script_exec_t,s0) - /usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) - /usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) - -diff --git a/openshift.te b/openshift.te -index cd25e8e..7965e82 100644 ---- a/openshift.te -+++ b/openshift.te -@@ -294,13 +294,14 @@ optional_policy(` - # openshift cgi script policy - # - apache_content_template(openshift) -- domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) -+ apache_content_alias_template(openshift, openshift) -+ domtrans_pattern(openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t) - - optional_policy(` -- dbus_system_bus_client(httpd_openshift_script_t) -+ dbus_system_bus_client(openshift_script_t) - - optional_policy(` -- oddjob_dbus_chat(httpd_openshift_script_t) -+ oddjob_dbus_chat(openshift_script_t) - oddjob_dontaudit_rw_fifo_file(openshift_domain) - ') - ') -diff --git a/pki.if b/pki.if -index b975b85..798efb6 100644 ---- a/pki.if -+++ b/pki.if -@@ -134,13 +134,6 @@ template(`pki_apache_template',` - - # need to resolve addresses? 
- auth_use_nsswitch($1_t) -- -- #pki_apache_domain_signal(httpd_t) -- #pki_apache_domain_signal(httpd_t) -- #pki_manage_apache_run(httpd_t) -- #pki_manage_apache_config_files(httpd_t) -- #pki_manage_apache_log_files(httpd_t) -- #pki_manage_apache_lib(httpd_t) - ') - - ####################################### -diff --git a/pki.te b/pki.te -index 17f5d18..d656f71 100644 ---- a/pki.te -+++ b/pki.te -@@ -43,7 +43,6 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_ - typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t }; - typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; - typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; --# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; - - - # pki policy types -@@ -126,10 +125,6 @@ miscfiles_read_hwdata(pki_tomcat_t) - userdom_manage_user_tmp_dirs(pki_tomcat_t) - userdom_manage_user_tmp_files(pki_tomcat_t) - --# forward proxy --# need to define ports to fix this --#corenet_tcp_connect_pki_tomcat_port(httpd_t) -- - # for crl publishing - allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; - -@@ -166,9 +161,6 @@ corenet_tcp_connect_pki_tks_port(pki_tps_t) - - files_exec_usr_files(pki_tps_t) - --# why do I need to add this? 
--#allow httpd_t httpd_config_t:file execute; -- - ###################################### - # - # ra local policy -@@ -268,13 +260,8 @@ optional_policy(` - apache_list_modules(pki_apache_domain) - apache_read_config(pki_apache_domain) - apache_exec(pki_apache_domain) -- apache_exec_suexec(pki_apache_domain) -+ apache_exec_suexec(pki_apache_domain) - apache_entrypoint(pki_apache_domain) -- -- # should be started using a script which will execute httpd -- # start up httpd in pki_apache_domain mode -- #can_exec(pki_apache_domain, httpd_config_t) -- #can_exec(pki_apache_domain, httpd_suexec_exec_t) - ') - - # allow rpm -q in init scripts -diff --git a/prelude.fc b/prelude.fc -index 8dbc763..b580f85 100644 ---- a/prelude.fc -+++ b/prelude.fc -@@ -12,7 +12,7 @@ - - /usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - --/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) -+/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0) - - /var/lib/prelude-lml(/.*)? 
gen_context(system_u:object_r:prelude_var_lib_t,s0) - -diff --git a/prelude.te b/prelude.te -index 509fd0a..e1f4f70 100644 ---- a/prelude.te -+++ b/prelude.te -@@ -265,27 +265,28 @@ optional_policy(` - - optional_policy(` - apache_content_template(prewikka) -+ apache_content_alias_template(prewikka, prewikka) - -- can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) -+ can_exec(prewikka_script_t, prewikka_script_exec_t) - -- files_search_tmp(httpd_prewikka_script_t) -+ files_search_tmp(prewikka_script_t) - -- kernel_read_sysctl(httpd_prewikka_script_t) -- kernel_search_network_sysctl(httpd_prewikka_script_t) -+ kernel_read_sysctl(prewikka_script_t) -+ kernel_search_network_sysctl(prewikka_script_t) - -- auth_use_nsswitch(httpd_prewikka_script_t) -+ auth_use_nsswitch(prewikka_script_t) - -- logging_send_syslog_msg(httpd_prewikka_script_t) -+ logging_send_syslog_msg(prewikka_script_t) - -- apache_search_sys_content(httpd_prewikka_script_t) -+ apache_search_sys_content(prewikka_script_t) - - optional_policy(` -- mysql_stream_connect(httpd_prewikka_script_t) -- mysql_tcp_connect(httpd_prewikka_script_t) -+ mysql_stream_connect(prewikka_script_t) -+ mysql_tcp_connect(prewikka_script_t) - ') - - optional_policy(` -- postgresql_stream_connect(httpd_prewikka_script_t) -- postgresql_tcp_connect(httpd_prewikka_script_t) -+ postgresql_stream_connect(prewikka_script_t) -+ postgresql_tcp_connect(prewikka_script_t) - ') - ') -diff --git a/smokeping.fc b/smokeping.fc -index 3359819..a231ecb 100644 ---- a/smokeping.fc -+++ b/smokeping.fc -@@ -2,7 +2,7 @@ - - /usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) - --/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) -+/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0) - - /var/lib/smokeping(/.*)? 
gen_context(system_u:object_r:smokeping_var_lib_t,s0) - -diff --git a/smokeping.te b/smokeping.te -index ebf575f..26b6da1 100644 ---- a/smokeping.te -+++ b/smokeping.te -@@ -58,19 +58,20 @@ netutils_domtrans_ping(smokeping_t) - - optional_policy(` - apache_content_template(smokeping_cgi) -+ apache_content_alias_template(smokeping_cgi, smokeping_cgi) - -- manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) -- manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) -+ manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) -+ manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - -- getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) -+ getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - -- files_read_etc_files(httpd_smokeping_cgi_script_t) -- files_search_tmp(httpd_smokeping_cgi_script_t) -- files_search_var_lib(httpd_smokeping_cgi_script_t) -+ files_read_etc_files(smokeping_cgi_script_t) -+ files_search_tmp(smokeping_cgi_script_t) -+ files_search_var_lib(smokeping_cgi_script_t) - -- auth_read_passwd(httpd_smokeping_cgi_script_t) -+ auth_read_passwd(smokeping_cgi_script_t) - -- sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) -+ sysnet_dns_name_resolve(smokeping_cgi_script_t) - -- netutils_domtrans_ping(httpd_smokeping_cgi_script_t) -+ netutils_domtrans_ping(smokeping_cgi_script_t) - ') -diff --git a/squid.fc b/squid.fc -index ebbec17..5b066d3 100644 ---- a/squid.fc -+++ b/squid.fc -@@ -2,14 +2,14 @@ - /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - /etc/lightsquid(/.*)? 
gen_context(system_u:object_r:squid_conf_t,s0) - --/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) - - /usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) - - /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) - - /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) --/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) -+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0) - - /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - -diff --git a/squid.te b/squid.te -index 7cb8bec..4ade5f1 100644 ---- a/squid.te -+++ b/squid.te -@@ -201,24 +201,25 @@ tunable_policy(`squid_use_tproxy',` - - optional_policy(` - apache_content_template(squid) -+ apache_content_alias_template(squid, squid) - -- allow httpd_squid_script_t self:tcp_socket create_socket_perms; -+ allow squid_script_t self:tcp_socket create_socket_perms; - -- corenet_all_recvfrom_unlabeled(httpd_squid_script_t) -- corenet_all_recvfrom_netlabel(httpd_squid_script_t) -- corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -- corenet_tcp_sendrecv_generic_node(httpd_squid_script_t) -+ corenet_all_recvfrom_unlabeled(squid_script_t) -+ corenet_all_recvfrom_netlabel(squid_script_t) -+ corenet_tcp_sendrecv_generic_if(squid_script_t) -+ corenet_tcp_sendrecv_generic_node(squid_script_t) - -- corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t) -- corenet_tcp_connect_http_cache_port(httpd_squid_script_t) -- corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) -+ corenet_sendrecv_http_cache_client_packets(squid_script_t) -+ corenet_tcp_connect_http_cache_port(squid_script_t) -+ corenet_tcp_sendrecv_http_cache_port(squid_script_t) - -- corenet_tcp_connect_squid_port(httpd_squid_script_t) -+ 
corenet_tcp_connect_squid_port(squid_script_t) - -- sysnet_dns_name_resolve(httpd_squid_script_t) -+ sysnet_dns_name_resolve(squid_script_t) - - optional_policy(` -- squid_read_config(httpd_squid_script_t) -+ squid_read_config(squid_script_t) - ') - ') - -diff --git a/w3c.fc b/w3c.fc -index 463c799..227feaf 100644 ---- a/w3c.fc -+++ b/w3c.fc -@@ -1,4 +1,4 @@ --/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -+/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) - --/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) --/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) -+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0) -+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) -diff --git a/w3c.te b/w3c.te -index b14d6a9..ac1944e 100644 ---- a/w3c.te -+++ b/w3c.te -@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0) - # - - apache_content_template(w3c_validator) -+apache_content_alias_template(w3c_validator, w3c_validator) - - ######################################## - # - # Local policy - # - --corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) --corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_generic_node(httpd_w3c_validator_script_t) -+corenet_all_recvfrom_unlabeled(w3c_validator_script_t) -+corenet_all_recvfrom_netlabel(w3c_validator_script_t) -+corenet_tcp_sendrecv_generic_if(w3c_validator_script_t) -+corenet_tcp_sendrecv_generic_node(w3c_validator_script_t) - --corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t) --corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) 
-+corenet_sendrecv_ftp_client_packets(w3c_validator_script_t) -+corenet_tcp_connect_ftp_port(w3c_validator_script_t) -+corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t) - --corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t) --corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) -+corenet_sendrecv_http_client_packets(w3c_validator_script_t) -+corenet_tcp_connect_http_port(w3c_validator_script_t) -+corenet_tcp_sendrecv_http_port(w3c_validator_script_t) - --corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t) --corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) --corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -+corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t) -+corenet_tcp_connect_http_cache_port(w3c_validator_script_t) -+corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t) - --miscfiles_read_generic_certs(httpd_w3c_validator_script_t) -+miscfiles_read_generic_certs(w3c_validator_script_t) - --sysnet_dns_name_resolve(httpd_w3c_validator_script_t) -+sysnet_dns_name_resolve(w3c_validator_script_t) -diff --git a/webalizer.fc b/webalizer.fc -index 64baf67..76c753b 100644 ---- a/webalizer.fc -+++ b/webalizer.fc -@@ -6,4 +6,4 @@ - - /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) - --/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) -+/var/www/usage(/.*)? 
gen_context(system_u:object_r:webalizer_rw_content_t,s0) -diff --git a/webalizer.te b/webalizer.te -index e0b1983..32cbf8c 100644 ---- a/webalizer.te -+++ b/webalizer.te -@@ -83,9 +83,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t) - optional_policy(` - apache_read_log(webalizer_t) - apache_content_template(webalizer) -+ apache_content_alias_template(webalizer, webalizer) - apache_manage_sys_content(webalizer_t) -- manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) -- manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - ') - - optional_policy(` -diff --git a/zoneminder.fc b/zoneminder.fc -index 8c61505..ceaa219 100644 ---- a/zoneminder.fc -+++ b/zoneminder.fc -@@ -4,7 +4,7 @@ - - /usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0) - --/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0) -+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:zoneminder_script_exec_t,s0) - - /var/lib/zoneminder(/.*)? 
gen_context(system_u:object_r:zoneminder_var_lib_t,s0) - -diff --git a/zoneminder.te b/zoneminder.te -index add28f7..b66e76d 100644 ---- a/zoneminder.te -+++ b/zoneminder.te -@@ -164,24 +164,24 @@ optional_policy(` - - optional_policy(` - apache_content_template(zoneminder) -+ apache_content_alias_template(zoneminder, zoneminder) - - # need more testing -- #allow httpd_zoneminder_script_t self:shm create_shm_perms; -+ #allow zoneminder_script_t self:shm create_shm_perms; - -- manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+ manage_sock_files_pattern(zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) - -- rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) -+ rw_files_pattern(zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) - -- zoneminder_stream_connect(httpd_zoneminder_script_t) -+ zoneminder_stream_connect(zoneminder_script_t) - -- can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) -+ can_exec(zoneminder_t, zoneminder_script_exec_t) - -- files_search_var_lib(httpd_zoneminder_script_t) -+ files_search_var_lib(zoneminder_script_t) - -- logging_send_syslog_msg(httpd_zoneminder_script_t) -+ logging_send_syslog_msg(zoneminder_script_t) - - optional_policy(` -- mysql_stream_connect(httpd_zoneminder_script_t) -+ mysql_stream_connect(zoneminder_script_t) - ') -- - ') diff --git a/policy-rawhide-contrib-user_tmp.patch b/policy-rawhide-contrib-user_tmp.patch deleted file mode 100644 index 052ec5c..0000000 --- a/policy-rawhide-contrib-user_tmp.patch +++ /dev/null 
@@ -1,252 +0,0 @@ -diff --git a/chrome.te b/chrome.te -index fb60ffc..7d937cb 100644 ---- a/chrome.te -+++ b/chrome.te -@@ -114,8 +114,8 @@ miscfiles_read_fonts(chrome_sandbox_t) - - sysnet_dns_name_resolve(chrome_sandbox_t) - --userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t) --userdom_execute_user_tmpfs_files(chrome_sandbox_t) -+userdom_rw_inherited_user_tmp_files(chrome_sandbox_t) -+userdom_execute_user_tmp_files(chrome_sandbox_t) - - userdom_use_user_ptys(chrome_sandbox_t) - userdom_write_inherited_user_tmp_files(chrome_sandbox_t) -@@ -236,8 +236,8 @@ init_read_state(chrome_sandbox_nacl_t) - libs_legacy_use_shared_libs(chrome_sandbox_nacl_t) - - userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t) --userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) --userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) -+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) -+userdom_execute_user_tmp_files(chrome_sandbox_nacl_t) - userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t) - userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t) - userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t) -diff --git a/colord.te b/colord.te -index 5425ddf..3d5988c 100644 ---- a/colord.te -+++ b/colord.te -@@ -112,7 +112,7 @@ logging_send_syslog_msg(colord_t) - - systemd_read_logind_sessions_files(colord_t) - --userdom_rw_user_tmpfs_files(colord_t) -+userdom_rw_user_tmp_files(colord_t) - userdom_home_reader(colord_t) - userdom_list_user_home_content(colord_t) - userdom_read_inherited_user_home_content_files(colord_t) -diff --git a/corosync.te b/corosync.te -index e827567..837e0a8 100644 ---- a/corosync.te -+++ b/corosync.te -@@ -108,8 +108,8 @@ logging_send_syslog_msg(corosync_t) - miscfiles_read_localization(corosync_t) - - userdom_read_user_tmp_files(corosync_t) --userdom_delete_user_tmpfs_files(corosync_t) --userdom_rw_user_tmpfs_files(corosync_t) -+userdom_delete_user_tmp_files(corosync_t) -+userdom_rw_user_tmp_files(corosync_t) - - 
optional_policy(` - fs_manage_tmpfs_files(corosync_t) -diff --git a/gpg.te b/gpg.te -index 695e8fa..fe77236 100644 ---- a/gpg.te -+++ b/gpg.te -@@ -364,9 +364,9 @@ miscfiles_read_fonts(gpg_pinentry_t) - - # for .Xauthority - userdom_read_user_home_content_files(gpg_pinentry_t) --userdom_read_user_tmpfs_files(gpg_pinentry_t) -+userdom_read_user_tmp_files(gpg_pinentry_t) - # Bug: user pulseaudio files need open,read and unlink: --allow gpg_pinentry_t user_tmpfs_t:file unlink; -+allow gpg_pinentry_t user_tmp_t:file unlink; - userdom_signull_unpriv_users(gpg_pinentry_t) - userdom_use_user_terminals(gpg_pinentry_t) - -diff --git a/journalctl.te b/journalctl.te -index 5de3229..e1d6594 100644 ---- a/journalctl.te -+++ b/journalctl.te -@@ -36,8 +36,7 @@ fs_getattr_all_fs(journalctl_t) - userdom_list_user_home_dirs(journalctl_t) - userdom_read_user_home_content_files(journalctl_t) - userdom_use_inherited_user_ptys(journalctl_t) --userdom_write_inherited_user_tmp_files(journalctl_t) --userdom_rw_inherited_user_tmpfs_files(journalctl_t) -+userdom_rw_inherited_user_tmp_files(journalctl_t) - userdom_rw_inherited_user_home_content_files(journalctl_t) - - miscfiles_read_localization(journalctl_t) -diff --git a/kismet.te b/kismet.te -index c070420..4e66536 100644 ---- a/kismet.te -+++ b/kismet.te -@@ -96,7 +96,7 @@ corenet_tcp_connect_rtsclient_port(kismet_t) - auth_use_nsswitch(kismet_t) - - userdom_use_inherited_user_terminals(kismet_t) --userdom_read_user_tmpfs_files(kismet_t) -+userdom_read_user_tmp_files(kismet_t) - - optional_policy(` - dbus_system_bus_client(kismet_t) -diff --git a/mozilla.te b/mozilla.te -index ad56dac..01dc360 100644 ---- a/mozilla.te -+++ b/mozilla.te -@@ -357,7 +357,6 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin - manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) - files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) - 
userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) --xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) - can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) - - manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -365,7 +364,6 @@ manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugi - manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) - fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) --userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) - userdom_manage_home_texlive(mozilla_plugin_t) - - allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -@@ -484,8 +482,6 @@ term_getattr_ptmx(mozilla_plugin_t) - term_dontaudit_use_ptmx(mozilla_plugin_t) - - userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) --userdom_rw_user_tmpfs_files(mozilla_plugin_t) --userdom_delete_user_tmpfs_files(mozilla_plugin_t) - userdom_dontaudit_use_user_terminals(mozilla_plugin_t) - userdom_manage_user_tmp_sockets(mozilla_plugin_t) - userdom_manage_user_tmp_dirs(mozilla_plugin_t) -diff --git a/mpd.te b/mpd.te -index 92632e8..953e3bf 100644 ---- a/mpd.te -+++ b/mpd.te -@@ -172,7 +172,7 @@ tunable_policy(`mpd_enable_homedirs',` - userdom_stream_connect(mpd_t) - userdom_read_home_audio_files(mpd_t) - userdom_list_user_tmp(mpd_t) -- userdom_read_user_tmpfs_files(mpd_t) -+ userdom_read_user_tmp_files(mpd_t) - userdom_dontaudit_setattr_user_tmp(mpd_t) - ') - -diff --git a/podsleuth.te b/podsleuth.te -index 5bf10ce..c06ace5 100644 ---- a/podsleuth.te -+++ b/podsleuth.te -@@ -80,7 +80,7 @@ sysnet_dns_name_resolve(podsleuth_t) - - userdom_signal_unpriv_users(podsleuth_t) - 
userdom_signull_unpriv_users(podsleuth_t) --userdom_read_user_tmpfs_files(podsleuth_t) -+userdom_read_user_tmp_files(podsleuth_t) - - optional_policy(` - dbus_system_bus_client(podsleuth_t) -diff --git a/pulseaudio.te b/pulseaudio.te -index 1d2470f..64ac070 100644 ---- a/pulseaudio.te -+++ b/pulseaudio.te -@@ -97,7 +97,7 @@ auth_use_nsswitch(pulseaudio_t) - - logging_send_syslog_msg(pulseaudio_t) - --userdom_read_user_tmpfs_files(pulseaudio_t) -+userdom_read_user_tmp_files(pulseaudio_t) - - userdom_search_user_home_dirs(pulseaudio_t) - userdom_write_user_tmp_sockets(pulseaudio_t) -@@ -224,7 +224,7 @@ pulseaudio_signull(pulseaudio_client) - - userdom_manage_user_home_content_files(pulseaudio_client) - --userdom_read_user_tmpfs_files(pulseaudio_client) -+userdom_read_user_tmp_files(pulseaudio_client) - - tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(pulseaudio_client) -diff --git a/qemu.te b/qemu.te -index 8c1e989..958c0ef 100644 ---- a/qemu.te -+++ b/qemu.te -@@ -52,7 +52,7 @@ storage_raw_write_removable_device(qemu_t) - storage_raw_read_removable_device(qemu_t) - - userdom_search_user_home_content(qemu_t) --userdom_read_user_tmpfs_files(qemu_t) -+userdom_read_user_tmp_files(qemu_t) - userdom_stream_connect(qemu_t) - - tunable_policy(`qemu_full_network',` -diff --git a/rhcs.te b/rhcs.te -index ec50831..eb9e2ac 100644 ---- a/rhcs.te -+++ b/rhcs.te -@@ -219,9 +219,8 @@ init_read_script_state(cluster_t) - init_rw_script_tmp_files(cluster_t) - init_manage_script_status_files(cluster_t) - --userdom_read_user_tmp_files(cluster_t) --userdom_delete_user_tmpfs_files(cluster_t) --userdom_rw_user_tmpfs_files(cluster_t) -+userdom_delete_user_tmp_files(cluster_t) -+userdom_rw_user_tmp_files(cluster_t) - userdom_kill_all_users(cluster_t) - - tunable_policy(`cluster_can_network_connect',` -diff --git a/sandboxX.te b/sandboxX.te -index 956922c..499e739 100644 ---- a/sandboxX.te -+++ b/sandboxX.te -@@ -415,8 +415,8 @@ selinux_compute_relabel_context(sandbox_web_type) - 
selinux_compute_user_contexts(sandbox_web_type) - seutil_read_default_contexts(sandbox_web_type) - --userdom_rw_user_tmpfs_files(sandbox_web_type) --userdom_delete_user_tmpfs_files(sandbox_web_type) -+userdom_rw_user_tmp_files(sandbox_web_type) -+userdom_delete_user_tmp_files(sandbox_web_type) - - optional_policy(` - alsa_read_rw_config(sandbox_web_type) -diff --git a/thumb.te b/thumb.te -index 0e30ce2..bd82684 100644 ---- a/thumb.te -+++ b/thumb.te -@@ -46,7 +46,7 @@ manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) - userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails") - userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") - userdom_dontaudit_access_check_user_content(thumb_t) --userdom_rw_inherited_user_tmpfs_files(thumb_t) -+userdom_rw_inherited_user_tmp_files(thumb_t) - userdom_manage_home_texlive(thumb_t) - - manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) -@@ -55,7 +55,6 @@ manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) - exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) - files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file }) - userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file }) --xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file) - - manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) - manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t) -diff --git a/userhelper.if b/userhelper.if -index 35d784a..b25ec0d 100644 ---- a/userhelper.if -+++ b/userhelper.if -@@ -315,7 +315,7 @@ template(`userhelper_console_role_template',` - - auth_use_pam($1_consolehelper_t) - -- userdom_manage_tmpfs_role($2, $1_consolehelper_t) -+ userdom_manage_tmp_role($2, $1_consolehelper_t) - - optional_policy(` - dbus_connect_session_bus($1_consolehelper_t)