diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index b2c5bf3..6c1fe19 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Move domain, files, and corecommands modules to kernel
+ layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
new file mode 100644
index 0000000..8fca398
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -0,0 +1,202 @@
+
+#
+# /bin
+#
+/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
+/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+#
+# /dev
+#
+/dev/MAKEDEV -- gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /emul
+#
+ifdef(`distro_redhat',`
+/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /etc
+#
+/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+
+/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
+/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_debian',`
+/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`targeted_policy',`
+/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /lib
+#
+
+ifdef(`distro_gentoo',`
+/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /sbin
+#
+/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
+/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /opt
+#
+/opt(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt(/.*)?/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+
+#
+# /usr
+#
+/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+# these two lines are separate because of a
+# sorting issue with the java module
+/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
+
+/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_gentoo', `
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_redhat', `
+/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+ifdef(`distro_suse', `
+/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+')
+
+#
+# /var
+#
+/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
+
+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_suse',`
+/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
+')
diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if
new file mode 100644
index 0000000..0033679
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.if
@@ -0,0 +1,569 @@
+## <summary>
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
+## </summary>
+## <required val="true">
+## Contains the base bin and sbin directory types
+## which need to be searched for the kernel to
+## run init.
+## </required>
+
+########################################
+## <summary>
+## Create a aliased type to generic bin files.
+## </summary>
+## <desc>
+## <p>
+## Create a aliased type to generic bin files.
+## </p>
+## <p>
+## This is added to support targeted policy. Its
+## use should be limited. It has no effect
+## on the strict policy.
+## </p>
+## </desc>
+## <param name="domain">
+## Alias type for bin_t.
+## </param>
+interface(`corecmd_bin_alias',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ typealias bin_t alias $1;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
+
+########################################
+## <summary>
+## Make the shell an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+## The domain for which the shell is an entrypoint.
+## </param>
+interface(`corecmd_shell_entry_type',`
+ gen_require(`
+ type shell_exec_t;
+ ')
+
+ domain_entry_file($1,shell_exec_t)
+')
+
+########################################
+#
+# corecmd_search_bin(domain)
+#
+interface(`corecmd_search_bin',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ ')
+
+ allow $1 bin_t:dir search;
+')
+
+########################################
+#
+# corecmd_list_bin(domain)
+#
+interface(`corecmd_list_bin',`
+ gen_require(`
+ type bin_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_getattr_bin_file',`
+ gen_require(`
+ type bin_t;
+ class file getattr;
+ ')
+
+ allow $1 bin_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files in bin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_file',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links in bin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_symlink',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read pipes in bin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_pipe',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class fifo_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read named sockets in bin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_bin_socket',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class sock_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:sock_file r_file_perms;
+')
+
+########################################
+#
+# corecmd_exec_bin(domain)
+#
+interface(`corecmd_exec_bin',`
+ gen_require(`
+ type bin_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ can_exec($1,bin_t)
+
+')
+
+########################################
+## <summary>
+## Execute a file in a bin directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a bin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the new process.
+## </param>
+#
+interface(`corecmd_bin_domtrans',`
+ gen_require(`
+ type bin_t;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 bin_t:dir search;
+ allow $1 bin_t:lnk_file { getattr read };
+
+ domain_auto_trans($1,bin_t,$2)
+')
+
+########################################
+#
+# corecmd_search_sbin(domain)
+#
+interface(`corecmd_search_sbin',`
+ gen_require(`
+ type sbin_t;
+ ')
+
+ allow $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## sbin directories.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`corecmd_dontaudit_search_sbin',`
+ gen_require(`
+ type sbin_t;
+ ')
+
+ dontaudit $1 sbin_t:dir search_dir_perms;
+')
+
+########################################
+#
+# corecmd_list_sbin(domain)
+#
+interface(`corecmd_list_sbin',`
+ gen_require(`
+ type sbin_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 sbin_t:dir r_dir_perms;
+')
+
+########################################
+#
+# corecmd_getattr_sbin_file(domain)
+#
+interface(`corecmd_getattr_sbin_file',`
+ gen_require(`
+ type sbin_t;
+ class file getattr;
+ ')
+
+ allow $1 sbin_t:file getattr;
+')
+
+########################################
+#
+# corecmd_dontaudit_getattr_sbin_file(domain)
+#
+interface(`corecmd_dontaudit_getattr_sbin_file',`
+ gen_require(`
+ type sbin_t;
+ class file getattr;
+ ')
+
+ dontaudit $1 sbin_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files in sbin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_file',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links in sbin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_symlink',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read named pipes in sbin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_pipe',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class fifo_file r_file_perms;
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read named sockets in sbin directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_read_sbin_socket',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class sock_file r_file_perms;
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:sock_file r_file_perms;
+')
+
+########################################
+#
+# corecmd_exec_sbin(domain)
+#
+interface(`corecmd_exec_sbin',`
+ gen_require(`
+ type sbin_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 sbin_t:dir r_dir_perms;
+ allow $1 sbin_t:lnk_file r_file_perms;
+ can_exec($1,sbin_t)
+
+')
+
+########################################
+## <summary>
+## Execute a file in a sbin directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sbin directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain. This is not suggested.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## <p>
+## This interface was added to handle
+## the ssh-agent policy.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the new process.
+## </param>
+#
+interface(`corecmd_sbin_domtrans',`
+ gen_require(`
+ type sbin_t;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 sbin_t:dir search;
+ allow $1 sbin_t:lnk_file { getattr read };
+
+ domain_auto_trans($1,sbin_t,$2)
+')
+
+########################################
+## <summary>
+## Check if a shell is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`corecmd_check_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ allow $1 shell_exec_t:file execute;
+')
+
+########################################
+#
+# corecmd_exec_shell(domain)
+#
+interface(`corecmd_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ can_exec($1,shell_exec_t)
+')
+
+########################################
+#
+# corecmd_exec_ls(domain)
+#
+interface(`corecmd_exec_ls',`
+ gen_require(`
+ type bin_t, ls_exec_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+ can_exec($1,ls_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a shell in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </summary>
+## <desc>
+## <p>
+## Execute a shell in the target domain. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the shell process.
+## </param>
+#
+interface(`corecmd_shell_spec_domtrans',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 bin_t:dir r_dir_perms;
+ allow $1 bin_t:lnk_file r_file_perms;
+
+ domain_trans($1,shell_exec_t,$2)
+')
+
+########################################
+## <summary>
+## Execute a shell in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a shell in the specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="target_domain">
+## The type of the shell process.
+## </param>
+#
+interface(`corecmd_shell_domtrans',`
+ gen_require(`
+ type shell_exec_t;
+ ')
+
+ corecmd_shell_spec_domtrans($1,$2)
+ type_transition $1 shell_exec_t:process $2;
+')
+
+########################################
+#
+# corecmd_exec_chroot(domain)
+#
+interface(`corecmd_exec_chroot',`
+ gen_require(`
+ type chroot_exec_t;
+ class capability sys_chroot;
+ ')
+
+ can_exec($1,chroot_exec_t)
+ allow $1 self:capability sys_chroot;
+')
+
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
new file mode 100644
index 0000000..2dde3dc
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -0,0 +1,37 @@
+
+policy_module(corecommands,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t;
+files_type(bin_t)
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t;
+files_type(sbin_t)
+
+#
+# ls_exec_t is the type of the ls program.
+#
+type ls_exec_t;
+files_type(ls_exec_t)
+
+#cjp: temp
+typeattribute ls_exec_t entry_type;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+files_type(shell_exec_t)
+
+type chroot_exec_t;
+files_type(chroot_exec_t)
diff --git a/refpolicy/policy/modules/kernel/domain.fc b/refpolicy/policy/modules/kernel/domain.fc
new file mode 100644
index 0000000..7be4ddf
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.fc
@@ -0,0 +1 @@
+# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
new file mode 100644
index 0000000..78f2d87
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -0,0 +1,1095 @@
+## <summary>Core policy for domains.</summary>
+## <required val="true">
+## Contains the concept of a domain.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable as a basic domain.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a basic domain.
+## </p>
+## <p>
+## This is primarily used for kernel threads;
+## generally the domain_type() interface is
+## more appropriate for userland processes.
+## </p>
+## </desc>
+## <param name="type">
+## Type to be used as a basic domain type.
+## </param>
+#
+interface(`domain_base_type',`
+ gen_require(`
+ attribute domain;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file rw_file_perms;
+ class process { fork sigchld };
+ ')
+
+ # mark as a domain
+ typeattribute $1 domain;
+
+ # allow the domain to read its /proc/pid entries
+ allow $1 self:dir r_dir_perms;
+ allow $1 self:lnk_file r_file_perms;
+ allow $1 self:file rw_file_perms;
+
+ # allow $1 to create child processes in this domain
+ allow $1 self:process { fork sigchld };
+
+ ifdef(`targeted_policy',`
+ tunable_policy(`allow_execmem',`
+ allow $1 self:process execmem;
+ ')
+
+ # FIXME:
+ # hack until role dominance is fixed in
+ # the module compiler
+ role secadm_r types $1;
+ role sysadm_r types $1;
+ role user_r types $1;
+ role staff_r types $1;
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a domain.
+## </summary>
+## <param name="type">
+## Type to be used as a domain type.
+## </param>
+#
+interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+
+ # Use trusted objects in /dev
+ dev_rw_null_dev($1)
+ dev_rw_zero_dev($1)
+ term_use_controlling_term($1)
+
+ # read the root directory
+ files_list_root($1)
+
+ # send init a sigchld and signull
+ init_sigchld($1)
+ init_signull($1)
+
+ ifdef(`targeted_policy',`
+ unconfined_use_fd($1)
+ unconfined_sigchld($1)
+ ')
+
+ tunable_policy(`allow_ptrace',`
+ userdom_sigchld_sysadm($1)
+ ')
+
+ # allow any domain to connect to the LDAP server
+ optional_policy(`ldap',`
+ ldap_use($1)
+ ')
+
+ # these 3 seem highly questionable:
+ optional_policy(`rpm',`
+ rpm_use_fd($1)
+ rpm_read_pipe($1)
+ ')
+
+ optional_policy(`selinux',`
+ selinux_dontaudit_read_fs($1)
+ ')
+
+ optional_policy(`selinuxutil',`
+ seutil_dontaudit_read_config($1)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as
+## an entry point for the domain.
+## </summary>
+## <param name="domain">
+## Domain to be entered.
+## </param>
+## <param name="type">
+## Type of program used for entering
+## the domain.
+## </param>
+#
+interface(`domain_entry_file',`
+ gen_require(`
+ attribute entry_type;
+ class file entrypoint;
+ ')
+
+ files_type($2)
+
+ allow $1 $2:file entrypoint;
+ allow $1 $2:file rx_file_perms;
+
+ typeattribute $2 entry_type;
+')
+
+########################################
+#
+# domain_wide_inherit_fd(domain)
+#
+interface(`domain_wide_inherit_fd',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ typeattribute $1 privfd;
+')
+
+########################################
+#
+# domain_dyntrans_type(domain)
+#
+interface(`domain_dyntrans_type',`
+ gen_require(`
+ attribute set_curr_context;
+ ')
+
+ typeattribute $1 set_curr_context;
+')
+
+########################################
+## <summary>
+## Makes caller and execption to the constraint
+## preventing changing to the system user
+## identity and system role.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_system_change_exempt',`
+ gen_require(`
+ attribute can_system_change;
+ ')
+
+ typeattribute $1 can_system_change;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing of user identity.
+## </summary>
+## <param name="domain">
+## The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_subj_id_change_exempt',`
+ gen_require(`
+ attribute can_change_process_identity;
+ ')
+
+ typeattribute $1 can_change_process_identity;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing of role.
+## </summary>
+## <param name="domain">
+## The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_role_change_exempt',`
+ gen_require(`
+ attribute can_change_process_role;
+ ')
+
+ typeattribute $1 can_change_process_role;
+')
+
+########################################
+## <summary>
+## Makes caller an exception to the constraint preventing
+## changing the user identity in object contexts.
+## </summary>
+## <param name="domain">
+## The process type to make an exception to the constraint.
+## </param>
+#
+interface(`domain_obj_id_change_exempt',`
+ gen_require(`
+ attribute can_change_object_identity;
+ ')
+
+ typeattribute $1 can_change_object_identity;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the user domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the user domains from the base module.
+## It should not be used other than on
+## user domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_user_exemption_target',`
+ gen_require(`
+ attribute process_user_target;
+ ')
+
+ typeattribute $1 process_user_target;
+')
+
+########################################
+## <summary>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the source of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## cron domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_source',`
+ gen_require(`
+ attribute cron_source_domain;
+ ')
+
+ typeattribute $1 cron_source_domain;
+')
+
+########################################
+## <summary>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </summary>
+## <desc>
+## <p>
+## Make the specified domain the target of
+## the cron domain exception of the
+## SELinux role and identity change
+## constraints.
+## </p>
+## <p>
+## This interface is needed to decouple
+## the cron domains from the base module.
+## It should not be used other than on
+## user cron jobs.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain target for user exemption.
+## </param>
+#
+interface(`domain_cron_exemption_target',`
+ gen_require(`
+ attribute cron_job_domain;
+ ')
+
+ typeattribute $1 cron_job_domain;
+')
+
+########################################
+#
+# domain_use_wide_inherit_fd(domain)
+#
+interface(`domain_use_wide_inherit_fd',`
+ gen_require(`
+ attribute privfd;
+ class fd use;
+ ')
+
+ allow $1 privfd:fd use;
+')
+
+########################################
+#
+# domain_dontaudit_use_wide_inherit_fd(domain)
+#
+interface(`domain_dontaudit_use_wide_inherit_fd',`
+ gen_require(`
+ attribute privfd;
+ class fd use;
+ ')
+
+ dontaudit $1 privfd:fd use;
+')
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to domains whose file
+## discriptors are widely inheritable.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_wide_inherit_fd',`
+ gen_require(`
+ attribute privfd;
+ ')
+
+ allow $1 privfd:process sigchld;
+')
+
+########################################
+#
+# domain_setpriority_all_domains(domain)
+#
+interface(`domain_setpriority_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process setsched;
+ ')
+
+ allow $1 domain:process setsched;
+')
+
+########################################
+## <summary>
+## Send general signals to all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_signal_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process signal;
+ ')
+
+ allow $1 domain:process signal;
+')
+
+########################################
+## <summary>
+## Send a null signal to all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_signull_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process signull;
+ ')
+
+ allow $1 domain:process signull;
+')
+
+########################################
+## <summary>
+## Send a stop signal to all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_sigstop_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process sigstop;
+ ')
+
+ allow $1 domain:process sigstop;
+')
+
+########################################
+## <summary>
+## Send a child terminated signal to all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_sigchld_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process sigchld;
+ ')
+
+ allow $1 domain:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a kill signal to all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_kill_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process sigkill;
+ class capability kill;
+ ')
+
+ allow $1 domain:process sigkill;
+ allow $1 self:capability kill;
+')
+
+########################################
+## <summary>
+## Search the process state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_search_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ class dir search;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 domain:dir search;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the process
+## state directory (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_search_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_read_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ class file r_file_perms;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 domain:dir r_dir_perms;
+ allow $1 domain:lnk_file r_file_perms;
+ allow $1 domain:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process getattr;
+ ')
+
+ allow $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains of all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process getattr;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of all confined domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_read_confined_domains_state',`
+ gen_require(`
+ attribute domain, unconfined_domain;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 { domain -unconfined_domain }:dir r_dir_perms;
+ allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
+ allow $1 { domain -unconfined_domain }:file r_file_perms;
+
+ dontaudit $1 unconfined_domain:dir search;
+ dontaudit $1 unconfined_domain:file { getattr read };
+')
+
+########################################
+## <summary>
+## Get the attributes of all confined domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_confined_domains',`
+ gen_require(`
+ attribute domain, unconfined_domain;
+ class process getattr;
+ ')
+
+ allow $1 { domain -unconfined_domain }:process getattr;
+')
+
+########################################
+## <summary>
+## Ptrace all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_ptrace_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ptrace all domains.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to ptrace all domains.
+## </p>
+## <p>
+## Generally this needs to be suppressed because procps tries to access
+## /proc/pid/environ and this now triggers a ptrace check in recent kernels
+## (2.4 and 2.6).
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process ptrace;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ptrace confined domains.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to ptrace confined domains.
+## </p>
+## <p>
+## Generally this needs to be suppressed because procps tries to access
+## /proc/pid/environ and this now triggers a ptrace check in recent kernels
+## (2.4 and 2.6).
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_dontaudit_ptrace_confined_domains',`
+ gen_require(`
+ attribute domain, unconfined_domain;
+ class process ptrace;
+ ')
+
+ dontaudit $1 { domain -unconfined_domain }:process ptrace;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the process
+## state (/proc/pid) of all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_read_all_domains_state',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:dir r_dir_perms;
+ dontaudit $1 domain:lnk_file r_file_perms;
+ dontaudit $1 domain:file r_file_perms;
+
+ # cjp: these should be removed:
+ dontaudit $1 domain:sock_file r_file_perms;
+ dontaudit $1 domain:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the process state
+## directories of all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_list_all_domains_proc',`
+ gen_require(`
+ attribute domain;
+ class dir r_dir_perms;
+ ')
+
+ dontaudit $1 domain:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the session ID of all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_getsession_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process getsession;
+ ')
+
+ allow $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## session ID of all domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getsession_all_domains',`
+ gen_require(`
+ attribute domain;
+ class process getsession;
+ ')
+
+ dontaudit $1 domain:process getsession;
+')
+
+########################################
+## <summary>
+## Get the attributes of all domains
+## sockets, for all socket types.
+## </summary>
+## <desc>
+## <p>
+## Get the attributes of all domains
+## sockets, for all socket types.
+## </p>
+## <p>
+## This is commonly used for domains
+## that can use lsof on all domains.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_sockets',`
+ gen_require(`
+ gen_require_set(getattr,socket_class_set)
+ ')
+
+ allow $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains sockets, for all socket types.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to get the attributes
+## of all domains sockets, for all socket types.
+## </p>
+## <p>
+## This interface was added for PCMCIA cardmgr
+## and is probably excessive.
+## </p>
+## </desc>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ gen_require_set(getattr,socket_class_set)
+ ')
+
+ dontaudit $1 domain:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains TCP sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_tcp_sockets',`
+ gen_require(`
+ attribute domain;
+ class tcp_socket getattr;
+ ')
+
+ dontaudit $1 domain:tcp_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains UDP sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_udp_sockets',`
+ gen_require(`
+ attribute domain;
+ class udp_socket getattr;
+ ')
+
+ dontaudit $1 domain:udp_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all domains UDP sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_udp_sockets',`
+ gen_require(`
+ attribute domain;
+ class udp_socket { read write };
+ ')
+
+ dontaudit $1 domain:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains IPSEC key management sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:key_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains packet sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_packet_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:packet_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get attribues of
+## all domains raw sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_raw_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:rawip_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read or write
+## all domains key sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_rw_all_key_sockets',`
+ gen_require(`
+ attribute domain;
+ class key_socket { read write };
+ ')
+
+ dontaudit $1 domain:key_socket { read write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_dgram_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_stream_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:unix_stream_socket getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all domains unnamed pipes.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute domain;
+ class fifo_file getattr;
+ ')
+
+ dontaudit $1 domain:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of entry point
+## files for all domains.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`domain_getattr_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ class file getattr;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 entry_type:lnk_file getattr;
+ allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+#
+# domain_read_all_entry_files(domain)
+#
+interface(`domain_read_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 entry_type:lnk_file r_file_perms;
+ allow $1 entry_type:file r_file_perms;
+')
+
+########################################
+#
+# domain_exec_all_entry_files(domain)
+#
+interface(`domain_exec_all_entry_files',`
+ gen_require(`
+ attribute entry_type;
+ ')
+
+ can_exec($1,entry_type)
+')
+
+########################################
+## <summary>
+## Unconfined access to domains.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`domain_unconfined',`
+ gen_require(`
+ attribute domain, set_curr_context;
+ attribute can_change_process_identity;
+ attribute can_change_process_role;
+ attribute can_change_object_identity;
+ attribute unconfined_domain;
+ ')
+
+ typeattribute $1 unconfined_domain;
+
+ # pass all constraints
+ typeattribute $1 can_change_process_identity;
+ typeattribute $1 can_change_process_role;
+ typeattribute $1 can_change_object_identity;
+ typeattribute $1 set_curr_context;
+
+ # Use/sendto/connectto sockets created by any domain.
+ allow $1 domain:{ socket_class_set socket key_socket } *;
+
+ # Use descriptors and pipes created by any domain.
+ allow $1 domain:fd use;
+ allow $1 domain:fifo_file rw_file_perms;
+
+ # Act upon any other process.
+ allow $1 domain:process ~{ transition dyntransition execmem };
+
+ # Create/access any System V IPC objects.
+ allow $1 domain:{ sem msgq shm } *;
+ allow $1 domain:msg { send receive };
+
+ # For /proc/pid
+ allow $1 domain:dir r_dir_perms;
+ allow $1 domain:file r_file_perms;
+ allow $1 domain:lnk_file r_file_perms;
+')
+
+#
+# These next macros are not templates, but actually are
+# support macros. Due to the domain_ prefix, they
+# are placed in this module, to try to prevent confusion.
+# They are called templates since regular m4 defines
+# wont work here.
+#
+
+########################################
+#
+# domain_trans(source_domain,entrypoint_file,target_domain)
+#
+template(`domain_trans',`
+ allow $1 $2:file { getattr read execute };
+ allow $1 $3:process transition;
+ dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# domain_auto_trans(source_domain,entrypoint_file,target_domain)
+#
+template(`domain_auto_trans',`
+ domain_trans($1,$2,$3)
+ type_transition $1 $2:process $3;
+')
diff --git a/refpolicy/policy/modules/kernel/domain.te b/refpolicy/policy/modules/kernel/domain.te
new file mode 100644
index 0000000..a368df8
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/domain.te
@@ -0,0 +1,69 @@
+
+policy_module(domain,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# Mark process types as domains
+attribute domain;
+
+# Transitions only allowed from domains to other domains
+neverallow domain ~domain:process { transition dyntransition };
+
+# Domains that are unconfined
+attribute unconfined_domain;
+
+# Domains that can set their current context
+# (perform dynamic transitions)
+attribute set_curr_context;
+
+# enabling setcurrent breaks process tranquility. If you do not
+# know what this means or do not understand the implications of a
+# dynamic transition, you should not be using it!!!
+neverallow { domain -set_curr_context } self:process setcurrent;
+
+# entrypoint executables
+attribute entry_type;
+
+# widely-inheritable file descriptors
+attribute privfd;
+
+#
+# constraint related attributes
+#
+
+# [1] types that can change SELinux identity on transition
+attribute can_change_process_identity;
+
+# [2] types that can change SELinux role on transition
+attribute can_change_process_role;
+
+# [3] types that can change the SELinux identity on a filesystem
+# object or a socket object on a create or relabel
+attribute can_change_object_identity;
+
+# [3] types that can change to system_u:system_r
+attribute can_system_change;
+
+# [4] types that have attribute 1 can change the SELinux
+# identity only if the target domain has this attribute.
+# Types that have attribute 2 can change the SELinux role
+# only if the target domain has this attribute.
+attribute process_user_target;
+
+# For cron jobs
+# [5] types used for cron daemons
+attribute cron_source_domain;
+# [6] types used for cron jobs
+attribute cron_job_domain;
+
+# [7] types that are unconditionally exempt from
+# SELinux identity and role change constraints
+attribute process_uncond_exempt; # add userhelperdomain to this one
+
+# TODO:
+# cjp: also need to except correctly for SEFramework
+neverallow { domain unlabeled_t } file_type:process *;
+neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
new file mode 100644
index 0000000..0c19f57
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -0,0 +1,216 @@
+
+#
+# /
+#
+/.* gen_context(system_u:object_r:default_t,s0)
+/ -d gen_context(system_u:object_r:root_t,s0)
+/\.journal <<none>>
+
+ifdef(`distro_redhat',`
+/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_suse',`
+/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# /boot
+#
+/boot/\.journal <<none>>
+/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found/.* <<none>>
+
+#
+# /emul
+#
+
+ifdef(`distro_redhat',`
+/emul(/.*)? gen_context(system_u:object_r:usr_t,s0)
+')
+
+#
+# /etc
+#
+/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
+
+/etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
+
+/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
+
+/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ifdef(`distro_gentoo', `
+/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+ifdef(`distro_redhat',`
+/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
+')
+
+ifdef(`distro_suse',`
+/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+')
+
+#
+# HOME_ROOT
+# expanded by genhomedircon
+#
+HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0)
+HOME_ROOT/\.journal <<none>>
+HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found/.* <<none>>
+
+#
+# /initrd
+#
+# initrd mount point, only used during boot
+/initrd -d gen_context(system_u:object_r:root_t,s0)
+
+#
+# /lost+found
+#
+/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/lost\+found/.* <<none>>
+
+#
+# /media
+#
+# Mount points; do not relabel subdirectories, since
+# we don't want to change any removable media by default.
+/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/media/[^/]*/.* <<none>>
+
+#
+# /mnt
+#
+/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/mnt/[^/]*/.* <<none>>
+
+#
+# /opt
+#
+/opt(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+/opt(/.*)?/var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+#
+# /proc
+#
+/proc(/.*)? <<none>>
+
+#
+# /selinux
+#
+/selinux(/.*)? <<none>>
+
+#
+# /srv
+#
+/srv(/.*)? gen_context(system_u:object_r:var_t,s0)
+
+#
+# /sys
+#
+/sys(/.*)? <<none>>
+
+#
+# /tmp
+#
+/tmp -d gen_context(system_u:object_r:tmp_t,s0)
+/tmp/.* <<none>>
+/tmp/\.journal <<none>>
+
+/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found/.* <<none>>
+
+#
+# /usr
+#
+/usr(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/\.journal <<none>>
+
+/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+/usr/local/\.journal <<none>>
+
+/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found/.* <<none>>
+
+/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/usr/lost\+found/.* <<none>>
+
+/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0)
+/usr/tmp/.* <<none>>
+
+#
+# /var
+#
+/var(/.*)? gen_context(system_u:object_r:var_t,s0)
+/var/\.journal <<none>>
+
+/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
+
+/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+
+/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
+
+/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
+/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/var/lost\+found/.* <<none>>
+
+/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0)
+/var/run/.*\.*pid <<none>>
+
+/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+
+/var/tmp -d gen_context(system_u:object_r:tmp_t,s0)
+/var/tmp/.* <<none>>
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
+/var/tmp/lost\+found/.* <<none>>
+/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
new file mode 100644
index 0000000..c43fa98
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -0,0 +1,3104 @@
+## <summary>
+## Basic filesystem types and interfaces.
+## </summary>
+## <desc>
+## <p>
+## This module contains basic filesystem types and interfaces. This
+## includes:
+## <ul>
+## <li>The concept of different file types including basic
+## files, mount points, tmp files, etc.</li>
+## <li>Access to groups of files and all files.</li>
+## <li>Types and interfaces for the basic filesystem layout
+## (/, /etc, /tmp, /usr, etc.).</li>
+## </ul>
+## </p>
+## </desc>
+## <required val="true">
+## Contains the concept of a file.
+## Comains the file initial SID.
+## </required>
+
+########################################
+## <summary>
+## Make the specified type usable for files
+## in a filesystem.
+## </summary>
+## <param name="type">
+## Type to be used for files.
+## </param>
+#
+interface(`files_type',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ fs_associate($1)
+ fs_associate_noxattr($1)
+ typeattribute $1 file_type;
+')
+
+########################################
+#
+# files_lock_file(type)
+#
+interface(`files_lock_file',`
+ gen_require(`
+ attribute lockfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 lockfile;
+')
+
+########################################
+#
+# files_mountpoint(type)
+#
+interface(`files_mountpoint',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ files_type($1)
+ typeattribute $1 mountpoint;
+')
+
+########################################
+#
+# files_pid_file(type)
+#
+interface(`files_pid_file',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 pidfile;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## configuration file.
+## </summary>
+## <param name="file_type">
+## Type to be used as a configuration file.
+## </param>
+#
+interface(`files_config_file',`
+ gen_require(`
+ attribute usercanread;
+ ')
+
+ files_type($1)
+
+ # this is a hack and should be removed.
+ typeattribute $1 usercanread;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## polyinstantiated directory.
+## </param>
+#
+interface(`files_poly',`
+ gen_require(`
+ attribute polydir;
+ ')
+
+ files_type($1)
+ typeattribute $1 polydir;
+')
+
+########################################
+## <summary>
+## Make the specified type a parent
+## of a polyinstantiated directory.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## parent directory.
+## </param>
+#
+interface(`files_poly_parent',`
+ gen_require(`
+ attribute polyparent;
+ ')
+
+ files_type($1)
+ typeattribute $1 polyparent;
+')
+
+########################################
+## <summary>
+## Make the specified type a
+## polyinstantiation member directory.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## member directory.
+## </param>
+#
+interface(`files_poly_member',`
+ gen_require(`
+ attribute polymember;
+ ')
+
+ files_type($1)
+ typeattribute $1 polymember;
+')
+
+########################################
+## <summary>
+## Make the domain use the specified
+## type of polyinstantiated directory.
+## </summary>
+## <param name="domain">
+## Domain using the polyinstantiated
+## directory.
+## </param>
+## <param name="file_type">
+## Type of the file to be used as a
+## member directory.
+## </param>
+#
+interface(`files_poly_member_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ type_member $1 tmp_t:dir $2;
+')
+
+########################################
+## <summary>
+## Make the specified type a file that
+## should not be dontaudited from
+## browsing from user domains.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## member directory.
+## </param>
+#
+interface(`files_security_file',`
+ gen_require(`
+ attribute security_file_type;
+ ')
+
+ files_type($1)
+ typeattribute $1 security_file_type;
+')
+
+########################################
+## <summary>
+## Make the specified type a file
+## used for temporary files.
+## </summary>
+## <param name="file_type">
+## Type of the file to be used as a
+## temporary file.
+## </param>
+#
+interface(`files_tmp_file',`
+ gen_require(`
+ attribute tmpfile;
+ type tmp_t;
+ ')
+
+ files_type($1)
+ files_poly_member($1)
+ fs_associate_tmpfs($1)
+ typeattribute $1 tmpfile;
+ allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Transform the type into a file, for use on a
+## virtual memory filesystem (tmpfs).
+## </summary>
+## <param name="type">
+## The type to be transformed.
+## </param>
+#
+interface(`files_tmpfs_file',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ files_type($1)
+ fs_associate_tmpfs($1)
+ typeattribute $1 tmpfsfile;
+')
+
+########################################
+## <summary>
+## Get the attributes of all directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: this is an odd interface, because to getattr
+# all dirs, you need to search all the parent directories
+#
+interface(`files_getattr_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir { getattr search };
+ ')
+
+ allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all directories.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir getattr;
+ ')
+
+ dontaudit $1 file_type:dir getattr;
+')
+
+########################################
+## <summary>
+## Search all directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_search_all',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir { getattr search };
+')
+
+########################################
+## <summary>
+## List the contents of all directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list all
+## non security directories.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_non_security',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of all files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_files',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class file getattr;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all sockets
+## with the type of a file.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+# cjp: added for initrc_t/distro_redhat. I
+# do not think it has any effect.
+interface(`files_getattr_all_file_type_sockets',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:socket_class_set getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all files.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ dontaudit $1 file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security files.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_files',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:file getattr;
+')
+
+########################################
+## <summary>
+## Read all files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_all_files',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:file r_file_perms;
+
+ optional_policy(`authlogin',`
+ auth_read_shadow($1)
+ ')
+')
+
+########################################
+## <summary>
+## Read all directories on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_files_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir search;
+ allow $1 { file_type $2 }:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+## Read all symbloic links on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir search;
+ allow $1 { file_type $2 }:lnk_file r_file_perms;
+
+')
+
+########################################
+## <summary>
+## Get the attributes of all symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class lnk_file getattr;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all symbolic links.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ class lnk_file getattr;
+ ')
+
+ dontaudit $1 file_type:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security symbolic links.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_symlinks',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security block devices.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_blk_dev',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:blk_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security character devices.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_chr_dev',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:chr_file getattr;
+')
+
+########################################
+## <summary>
+## Read all symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_all_symlinks',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Get the attributes of all named pipes.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_pipes',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class fifo_file getattr;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named pipes.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_pipes',`
+ gen_require(`
+ attribute file_type;
+ class fifo_file getattr;
+ ')
+
+ dontaudit $1 file_type:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security named pipes.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_pipes',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Get the attributes of all named sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_all_sockets',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ class sock_file getattr;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all named sockets.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_all_sockets',`
+ gen_require(`
+ attribute file_type;
+ class sock_file getattr;
+ ')
+
+ dontaudit $1 file_type:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of non security named sockets.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_non_security_sockets',`
+ gen_require(`
+ attribute file_type, security_file_type;
+ ')
+
+ dontaudit $1 { file_type -security_file_type }:sock_file getattr;
+')
+
+########################################
+## <summary>
+## Read all block nodes with file types.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_all_blk_nodes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:blk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Read all character nodes with file types.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_all_chr_nodes',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir search;
+ allow $1 file_type:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Relabel all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_relabel_all_files',`
+ gen_require(`
+ attribute file_type;
+ class dir { r_dir_perms relabelfrom relabelto };
+ class file { relabelfrom relabelto };
+ class lnk_file { relabelfrom relabelto };
+ class fifo_file { relabelfrom relabelto };
+ class sock_file { relabelfrom relabelto };
+ class blk_file relabelfrom;
+ class chr_file relabelfrom;
+ ')
+
+ allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
+ allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+ allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+ allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+ allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+ allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+ allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+
+ # satisfy the assertions:
+ seutil_relabelto_binary_pol($1)
+')
+
+########################################
+## <summary>
+## Manage all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_manage_all_files',`
+ gen_require(`
+ attribute file_type;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ class fifo_file create_file_perms;
+ class sock_file create_file_perms;
+ ')
+
+ allow $1 { file_type $2 }:dir create_dir_perms;
+ allow $1 { file_type $2 }:file create_file_perms;
+ allow $1 { file_type $2 }:lnk_file create_lnk_perms;
+ allow $1 { file_type $2 }:fifo_file create_file_perms;
+ allow $1 { file_type $2 }:sock_file create_file_perms;
+
+ # satisfy the assertions:
+ seutil_create_binary_pol($1)
+ bootloader_manage_kernel_modules($1)
+')
+
+########################################
+#
+# files_search_all_dirs(domain)
+#
+interface(`files_search_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ ')
+
+ allow $1 file_type:dir search;
+')
+
+########################################
+#
+# files_list_all_dirs(domain)
+#
+interface(`files_list_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 file_type:dir r_dir_perms;
+')
+
+########################################
+#
+# files_dontaudit_search_all_dirs(domain)
+#
+interface(`files_dontaudit_search_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ class dir search;
+ ')
+
+ dontaudit $1 file_type:dir search;
+')
+
+#######################################
+#
+# files_relabelto_all_file_type_fs(domain)
+#
+interface(`files_relabelto_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ class filesystem relabelto;
+ ')
+
+ allow $1 file_type:filesystem relabelto;
+')
+
+#######################################
+#
+# files_mount_all_file_type_fs(domain)
+#
+interface(`files_mount_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ class filesystem mount;
+ ')
+
+ allow $1 file_type:filesystem mount;
+')
+
+#######################################
+#
+# files_unmount_all_file_type_fs(domain)
+#
+interface(`files_unmount_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ class filesystem unmount;
+ ')
+
+ allow $1 file_type:filesystem unmount;
+')
+
+########################################
+#
+# files_mounton_all_mountpoints(domain)
+#
+interface(`files_mounton_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ class dir { getattr search mounton };
+ class file { getattr mounton };
+ ')
+
+ allow $1 mountpoint:dir { getattr search mounton };
+ allow $1 mountpoint:file { getattr mounton };
+')
+
+########################################
+#
+# files_list_root(domain)
+#
+interface(`files_list_root',`
+ gen_require(`
+ type root_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 root_t:dir r_dir_perms;
+ allow $1 root_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create an object in the root directory, with a private
+## type. If no object class is specified, the
+## default is file.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="private type" optional="true">
+## The type of the object to be created. If no type
+## is specified, the type of the root directory will
+## be used.
+## </param>
+## <param name="object" optional="true">
+## The object class of the object being created. If
+## no class is specified, file will be used.
+## </param>
+#
+interface(`files_create_root',`
+ gen_require(`
+ type root_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ ifelse(`$2',`',`
+ allow $1 root_t:file create_file_perms;
+ ',`
+ type_transition $1 root_t:file $2;
+ ')
+ ',`
+ ifelse(`$2',`',`
+ allow $1 root_t:$3 create_file_perms;
+ ',`
+ type_transition $1 root_t:$3 $2;
+ ')
+ ')
+')
+
+########################################
+#
+# files_dontaudit_read_root_file(domain)
+#
+interface(`files_dontaudit_read_root_file',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:file { getattr read };
+')
+
+########################################
+#
+# files_dontaudit_rw_root_file(domain)
+#
+interface(`files_dontaudit_rw_root_file',`
+ gen_require(`
+ type root_t;
+ class file { read write };
+ ')
+
+ dontaudit $1 root_t:file { read write };
+')
+
+########################################
+#
+# files_dontaudit_rw_root_chr_dev(domain)
+#
+interface(`files_dontaudit_rw_root_chr_dev',`
+ gen_require(`
+ type root_t;
+ class chr_file { read write };
+ ')
+
+ dontaudit $1 root_t:chr_file { read write };
+')
+
+########################################
+#
+# files_delete_root_dir_entry(domain)
+#
+interface(`files_delete_root_dir_entry',`
+ gen_require(`
+ type root_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+')
+
+########################################
+#
+# files_unmount_rootfs(domain)
+#
+interface(`files_unmount_rootfs',`
+ gen_require(`
+ type root_t;
+ class filesystem unmount;
+ ')
+
+ allow $1 root_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## directories with the default file type.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_dir',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_search_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir search;
+')
+
+########################################
+## <summary>
+## List contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to list contents of
+## directories with the default file type.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_list_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on a directory with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_mounton_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of
+## files with the default file type.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read files with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## with the default file type.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_default_files',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_default_symlinks',`
+ gen_require(`
+ type default_t;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 default_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read sockets with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_default_sockets',`
+ gen_require(`
+ type default_t;
+ class sock_file r_file_perms;
+ ')
+
+ allow $1 default_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read named pipes with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_default_pipes',`
+ gen_require(`
+ type default_t;
+ class fifo_file r_file_perms;
+ ')
+
+ allow $1 default_t:fifo_file r_file_perms;
+')
+
+########################################
+#
+# files_search_etc(domain)
+#
+interface(`files_search_etc',`
+ gen_require(`
+ type etc_t;
+ class dir search;
+ ')
+
+ allow $1 etc_t:dir search;
+')
+
+########################################
+## <summary>
+## Set the attributes of the /etc directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_setattr_etc_dir',`
+ gen_require(`
+ type etc_t;
+ class dir setattr;
+ ')
+
+ allow $1 etc_t:dir setattr;
+')
+
+########################################
+#
+# files_list_etc(domain)
+#
+interface(`files_list_etc',`
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_read_etc_files(domain)
+#
+interface(`files_read_etc_files',`
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_t:file r_file_perms;
+ allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+#
+# files_rw_etc_files(domain)
+#
+interface(`files_rw_etc_files',`
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_t:file rw_file_perms;
+ allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+#
+# files_manage_etc_files(domain)
+#
+interface(`files_manage_etc_files',`
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ allow $1 etc_t:file create_file_perms;
+ allow $1 etc_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Delete system configuration files in /etc.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_delete_etc_files',`
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ class file unlink;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ allow $1 etc_t:file unlink;
+')
+
+########################################
+#
+# files_exec_etc_files(domain)
+#
+interface(`files_exec_etc_files',`
+ gen_require(`
+ type etc_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_t:lnk_file r_file_perms;
+ can_exec($1,etc_t)
+
+')
+
+#######################################
+## <summary>
+## Relabel from and to generic files in /etc.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_relabel_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir list_dir_perms;
+ allow $1 etc_t:file { relabelfrom relabelto };
+')
+
+########################################
+#
+# files_create_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_create_boot_flag',`
+ gen_require(`
+ type root_t, etc_runtime_t;
+ class dir rw_dir_perms;
+ class file { create read write setattr unlink};
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 etc_runtime_t:file { create read write setattr unlink };
+ type_transition $1 root_t:file etc_runtime_t;
+')
+
+########################################
+## <summary>
+## Read files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_runtime_t:file r_file_perms;
+ allow $1 etc_runtime_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read files
+## in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ class file { getattr read };
+ ')
+
+ dontaudit $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Read and write files in /etc that are dynamically
+## created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_rw_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
+
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_runtime_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in
+## /etc that are dynamically created on boot,
+## such as mtab.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_etc_runtime_files',`
+ gen_require(`
+ type etc_t, etc_runtime_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ allow $1 etc_runtime_t:file create_file_perms;
+ type_transition $1 etc_t:file etc_runtime_t;
+')
+
+########################################
+#
+# files_create_etc_config(domain,privatetype,[class(es)])
+#
+interface(`files_create_etc_config',`
+ gen_require(`
+ type etc_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ ifelse(`$3',`',`
+ type_transition $1 etc_t:file $2;
+ ',`
+ type_transition $1 etc_t:$3 $2;
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_search_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ ')
+
+ dontaudit $1 file_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_list_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 file_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 file_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on a directory on new filesystems
+## that has not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_mounton_isid_type_dir',`
+ gen_require(`
+ type file_t;
+ class dir { getattr search mounton };
+ ')
+
+ allow $1 file_t:dir { getattr search mounton };
+')
+
+########################################
+## <summary>
+## Read files on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_isid_type_file',`
+ gen_require(`
+ type file_t;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 file_t:dir search;
+ allow $1 file_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_file',`
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+ allow $1 file_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_symlink',`
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+ allow $1 file_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## Read and write block device nodes on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_rw_isid_type_blk_node',`
+ gen_require(`
+ type file_t;
+ class dir search;
+ class blk_file rw_file_perms;
+ ')
+
+ allow $1 file_t:dir search;
+ allow $1 file_t:blk_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete block device nodes
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_blk_node',`
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ class blk_file create_file_perms;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+ allow $1 file_t:blk_file create_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete character device nodes
+## on new filesystems that have not yet been labeled.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_isid_type_chr_node',`
+ gen_require(`
+ type file_t;
+ class dir rw_dir_perms;
+ class chr_file create_file_perms;
+ ')
+
+ allow $1 file_t:dir rw_dir_perms;
+ allow $1 file_t:chr_file create_file_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of the home directories root
+## (/home).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_home_dir',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the home directories root
+## (/home).
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_home_dir',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search home directories root (/home).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_search_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## home directories root (/home).
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ dontaudit $1 home_root_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Get listing of home directories.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_list_home',`
+ gen_require(`
+ type home_root_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 home_root_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Create home directories
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="home_type">
+## The type of the home directory
+## </param>
+#
+interface(`files_create_home_dirs',`
+ gen_require(`
+ type home_root_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 home_root_t:dir rw_dir_perms;
+ type_transition $1 home_root_t:dir $2;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete objects in
+## lost+found directories.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_manage_lost_found',`
+ gen_require(`
+ type lost_found_t;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class sock_file create_file_perms;
+ class fifo_file create_file_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 lost_found_t:dir create_dir_perms;
+ allow $1 lost_found_t:file create_file_perms;
+ allow $1 lost_found_t:sock_file create_file_perms;
+ allow $1 lost_found_t:fifo_file create_file_perms;
+ allow $1 lost_found_t:lnk_file create_lnk_perms;
+')
+
+########################################
+#
+# files_search_mnt(domain)
+#
+interface(`files_search_mnt',`
+ gen_require(`
+ type mnt_t;
+ class dir search;
+ ')
+
+ allow $1 mnt_t:dir search;
+')
+
+########################################
+#
+# files_list_mnt(domain)
+#
+interface(`files_list_mnt',`
+ gen_require(`
+ type mnt_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 mnt_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_mounton_mnt',`
+ gen_require(`
+ type mnt_t;
+ class dir { search mounton };
+ ')
+
+ allow $1 mnt_t:dir { search mounton };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories in /mnt.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_dirs',`
+ gen_require(`
+ type mnt_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 mnt_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in /mnt.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_files',`
+ gen_require(`
+ type mnt_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 mnt_t:dir rw_dir_perms;
+ allow $1 mnt_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic links in /mnt.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_mnt_symlinks',`
+ gen_require(`
+ type mnt_t;
+ class dir rw_dir_perms;
+ class lnk_file create_lnk_perms;
+ ')
+
+ allow $1 mnt_t:dir rw_dir_perms;
+ allow $1 mnt_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## List world-readable directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_world_readable',`
+ gen_require(`
+ type readable_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 readable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_files',`
+ gen_require(`
+ type readable_t;
+ class file r_file_perms;
+ ')
+
+ allow $1 readable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_symlinks',`
+ gen_require(`
+ type readable_t;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 readable_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable named pipes.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_pipes',`
+ gen_require(`
+ type readable_t;
+ class fifo_file r_file_perms;
+ ')
+
+ allow $1 readable_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read world-readable sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_sockets',`
+ gen_require(`
+ type readable_t;
+ class sock_file r_file_perms;
+ ')
+
+ allow $1 readable_t:sock_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
+## </summary>
+## <param name="file_type">
+## Type of the file to associate.
+## </param>
+#
+interface(`files_associate_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:filesystem associate;
+')
+
+########################################
+## <summary>
+## Get the attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Allow domain to getattr on /tmp directory.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ class dir getattr;
+ ')
+
+ allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_search_tmp',`
+ gen_require(`
+ type tmp_t;
+ class dir search;
+ ')
+
+ allow $1 tmp_t:dir search;
+')
+
+########################################
+## <summary>
+## Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_list_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_generic_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir search_dir_perms;
+ allow $1 tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Set the attributes of all tmp directories.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ class dir { search setattr };
+ ')
+
+ allow $1 tmpfile:dir { search getattr };
+')
+
+########################################
+#
+# files_create_tmp_files(domain,private_type,[object class(es)])
+#
+interface(`files_create_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 tmp_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 tmp_t:file $2;
+ ',`
+ type_transition $1 tmp_t:$3 $2;
+ ')
+')
+
+########################################
+#
+# files_purge_tmp(domain)
+#
+interface(`files_purge_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ class dir { rw_dir_perms rmdir };
+ gen_require_set({ getattr unlink },notdevfile_class_set)
+ ')
+
+ allow $1 tmpfile:dir { rw_dir_perms rmdir };
+ allow $1 tmpfile:notdevfile_class_set { getattr unlink };
+')
+
+########################################
+#
+# files_search_usr(domain)
+#
+interface(`files_search_usr',`
+ gen_require(`
+ type usr_t;
+ class dir search;
+ ')
+
+ allow $1 usr_t:dir search;
+')
+
+########################################
+## <summary>
+## List the contents of generic
+## directories in /usr.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_usr',`
+ gen_require(`
+ type usr_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 usr_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Get the attributes of files in /usr.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_getattr_usr_files',`
+ gen_require(`
+ type usr_t;
+ class dir search;
+ class file getattr;
+ ')
+
+ allow $1 usr_t:dir search;
+ allow $1 usr_t:file getattr;
+')
+
+########################################
+#
+# files_read_usr_files(domain)
+#
+interface(`files_read_usr_files',`
+ gen_require(`
+ type usr_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 usr_t:dir r_dir_perms;
+ allow $1 usr_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+## Execute generic programs in /usr in the caller domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_exec_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir r_dir_perms;
+ allow $1 usr_t:lnk_file r_file_perms;
+ can_exec($1,usr_t)
+
+')
+
+########################################
+## <summary>
+## Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+ gen_require(`
+ type usr_t;
+ class file relabelto;
+ ')
+
+ allow $1 usr_t:file relabelto;
+')
+
+########################################
+## <summary>
+## Read symbolic links in /usr.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_usr_symlinks',`
+ gen_require(`
+ type usr_t;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 usr_t:dir search;
+ allow $1 usr_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create objects in the /usr directory
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="file_type">
+## The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+## The object class. If not specified, file is used.
+## </param>
+#
+interface(`files_create_usr',`
+ gen_require(`
+ type usr_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 usr_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 usr_t:file $2;
+ ',`
+ type_transition $1 usr_t:$3 $2;
+ ')
+')
+
+########################################
+## <summary>
+## Execute programs in /usr/src in the caller domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_exec_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ allow $1 usr_t:dir search;
+ allow $1 src_t:dir r_dir_perms;
+ allow $1 src_t:lnk_file r_file_perms;
+ can_exec($1,src_t)
+')
+
+########################################
+#
+# files_dontaudit_search_src(domain)
+#
+interface(`files_dontaudit_search_src',`
+ gen_require(`
+ type src_t;
+ ')
+
+ dontaudit $1 src_t:dir search;
+')
+
+########################################
+#
+# files_read_usr_src_files(domain)
+#
+interface(`files_read_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ allow $1 usr_t:dir search;
+ allow $1 src_t:dir r_dir_perms;
+ allow $1 src_t:{ file lnk_file } r_file_perms;
+')
+
+########################################
+## <summary>
+## Search the contents of /var.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_search_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the contents of /var.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ dontaudit $1 var_t:dir search;
+')
+
+########################################
+## <summary>
+## List the contents of /var.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_var',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete directories
+## in the /var directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_dirs',`
+ gen_require(`
+ type var_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 var_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the /var directory.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files in the /var directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_files',`
+ gen_require(`
+ type var_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+ allow $1 var_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links in the /var directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_var_symlink',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_t:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete symbolic
+## links in the /var directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_var_symlinks',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+ allow $1 var_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## Create objects in the /var directory
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="file_type">
+## The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+## The object class. If not specified, file is used.
+## </param>
+#
+interface(`files_create_var',`
+ gen_require(`
+ type var_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_t:file $2;
+ ',`
+ type_transition $1 var_t:$3 $2;
+ ')
+')
+
+########################################
+## <summary>
+## Search directories in /var/lib.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib_dir',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir search;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lib_t:dir search;
+')
+
+########################################
+## <summary>
+## Get the attributes of the /var/lib directory.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_var_lib_dir',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Search the /var/lib directory.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## List the contents of the /var/lib directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Create objects in the /var/lib directory
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+## <param name="file_type">
+## The type of the object to be created
+## </param>
+## <param name="object_class" optional="true">
+## The object class. If not specified, file is used.
+## </param>
+#
+interface(`files_create_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_lib_t:file $2;
+ ',`
+ type_transition $1 var_lib_t:$3 $2;
+ ')
+')
+
+########################################
+## <summary>
+## Read generic files in /var/lib.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_var_lib_files',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
+ allow $1 var_lib_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read generic symbolic links in /var/lib
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 { var_t var_lib_t }:dir search_dir_perms;
+ allow $1 var_lib_t:lnk_file { getattr read };
+')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
+########################################
+#
+# files_manage_urandom_seed(domain)
+#
+interface(`files_manage_urandom_seed',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir rw_dir_perms;
+ allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_manage_mounttab',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir rw_dir_perms;
+ allow $1 var_lib_t:file manage_file_perms;
+')
+
+########################################
+#
+# files_search_locks(domain)
+#
+interface(`files_search_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the
+## locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ dontaudit $1 var_lock_t:dir search;
+')
+
+########################################
+## <summary>
+## Add and remove entries in the /var/lock
+## directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_rw_locks_dir',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:dir rw_dir_perms;
+')
+
+########################################
+#
+# files_getattr_generic_locks(domain)
+#
+interface(`files_getattr_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:dir r_dir_perms;
+ allow $1 var_lock_t:file getattr;
+')
+
+########################################
+#
+# files_manage_generic_locks(domain)
+#
+interface(`files_manage_generic_locks',`
+ gen_require(`
+ type var_lock_t;
+ ')
+
+ allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+ allow $1 var_lock_t:file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_delete_all_locks(domain)
+#
+interface(`files_delete_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ class dir rw_dir_perms;
+ class file { getattr unlink };
+ ')
+
+ allow $1 lockfile:dir rw_dir_perms;
+ allow $1 lockfile:file { getattr unlink };
+')
+
+########################################
+#
+# files_create_lock(domain,private_type,[object class(es)])
+#
+interface(`files_create_lock',`
+ gen_require(`
+ type var_t, var_lock_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lock_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_lock_t:file $2;
+ ',`
+ type_transition $1 var_lock_t:$3 $2;
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of the /var/run directory.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_getattr_pid_dir',`
+ gen_require(`
+ type var_run_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 var_run_t:dir getattr;
+')
+
+########################################
+#
+# files_search_pids(domain)
+#
+interface(`files_search_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the /var/run directory.
+## </summary>
+## <param name="domain">
+## Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:dir search;
+')
+
+########################################
+#
+# files_list_pids(domain)
+#
+interface(`files_list_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_create_pid(domain,pidfile,[object class(es)])
+#
+interface(`files_create_pid',`
+ gen_require(`
+ type var_t, var_run_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_run_t:file $2;
+ ',`
+ type_transition $1 var_run_t:$3 $2;
+ ')
+')
+
+########################################
+#
+# files_rw_generic_pids(domain)
+#
+interface(`files_rw_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ class dir r_dir_perms;
+ class file rw_file_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_run_t:dir r_dir_perms;
+ allow $1 var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write to daemon runtime data files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_write_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ dontaudit $1 pidfile:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to ioctl daemon runtime data files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_ioctl_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ dontaudit $1 pidfile:file ioctl;
+')
+
+########################################
+#
+# files_read_all_pids(domain)
+#
+interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 pidfile:dir r_dir_perms;
+ allow $1 pidfile:file r_file_perms;
+')
+
+########################################
+#
+# files_delete_all_pids(domain)
+#
+interface(`files_delete_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
+ class dir rw_dir_perms;
+ class file { getattr unlink };
+ class lnk_file { getattr unlink };
+ class sock_file { getattr unlink };
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+ allow $1 var_run_t:dir rmdir;
+ allow $1 pidfile:dir rw_dir_perms;
+ allow $1 pidfile:file { getattr unlink };
+ allow $1 pidfile:sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_delete_all_pid_dirs(domain)
+#
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ type var_t;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 pidfile:dir { rw_dir_perms rmdir };
+')
+
+########################################
+#
+# files_search_spool(domain)
+#
+interface(`files_search_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_spool_t:dir search_dir_perms;
+')
+
+########################################
+#
+# files_list_spool(domain)
+#
+interface(`files_list_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_spool_t:dir r_dir_perms;
+')
+
+########################################
+#
+# files_manage_generic_spool_dirs(domain)
+#
+interface(`files_manage_generic_spool_dirs',`
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir create_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_spool_t:dir create_dir_perms;
+')
+
+########################################
+#
+# files_read_generic_spools(domain)
+#
+interface(`files_read_generic_spools',`
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir r_dir_perms;
+ class file r_file_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_spool_t:dir r_dir_perms;
+ allow $1 var_spool_t:file r_file_perms;
+')
+
+########################################
+#
+# files_manage_generic_spools(domain)
+#
+interface(`files_manage_generic_spools',`
+ gen_require(`
+ type var_t, var_spool_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_spool_t:dir rw_dir_perms;
+ allow $1 var_spool_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Unconfined access to files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_unconfined',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ # Create/access any file in a labeled filesystem;
+ allow $1 file_type:{ file chr_file } ~execmod;
+ allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
+ # Mount/unmount any filesystem with the context= option.
+ allow $1 file_type:filesystem *;
+
+ # Bind to any network address.
+ # cjp: need to check this, I dont think this has any effect.
+ allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+
+ ifdef(`targeted_policy',`
+ tunable_policy(`allow_execmod',`
+ allow $1 file_type:file execmod;
+ ')
+ ')
+')
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
new file mode 100644
index 0000000..46260eb
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -0,0 +1,169 @@
+
+policy_module(files,1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute file_type;
+
+# cjp: should handle this different
+allow file_type self:filesystem associate;
+
+attribute lockfile;
+attribute mountpoint;
+attribute pidfile;
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# this is a hack and should be changed
+attribute usercanread;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
+# sensitive security files whose accesses should
+# not be dontaudited for uses
+attribute security_file_type;
+
+attribute tmpfile;
+attribute tmpfsfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type, mountpoint;
+fs_associate(default_t)
+fs_associate_noxattr(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type;
+fs_associate(etc_t)
+fs_associate_noxattr(etc_t)
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type;
+fs_associate(etc_runtime_t)
+fs_associate_noxattr(etc_runtime_t)
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type, mountpoint;
+fs_associate(file_t)
+fs_associate_noxattr(file_t)
+kernel_rootfs_mountpoint(file_t)
+sid file gen_context(system_u:object_r:file_t,s0)
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type, mountpoint; #, polyparent
+fs_associate(home_root_t)
+fs_associate_noxattr(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type;
+fs_associate(lost_found_t)
+fs_associate_noxattr(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t, file_type, mountpoint;
+fs_associate(mnt_t)
+fs_associate_noxattr(mnt_t)
+
+type no_access_t, file_type;
+fs_associate(no_access_t)
+fs_associate_noxattr(no_access_t)
+
+type poly_t, file_type;
+fs_associate(poly_t)
+fs_associate_noxattr(poly_t)
+
+type readable_t, file_type;
+fs_associate(readable_t)
+fs_associate_noxattr(readable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type, mountpoint; #, polyparent
+fs_associate(root_t)
+fs_associate_noxattr(root_t)
+kernel_rootfs_mountpoint(root_t)
+genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type, mountpoint;
+fs_associate(src_t)
+fs_associate_noxattr(src_t)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t, mountpoint; #, polydir
+files_tmp_file(tmp_t)
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t, file_type, mountpoint;
+fs_associate(usr_t)
+fs_associate_noxattr(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t, file_type, mountpoint;
+fs_associate(var_t)
+fs_associate_noxattr(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t, file_type, mountpoint;
+fs_associate(var_lib_t)
+fs_associate_noxattr(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t, file_type, lockfile;
+fs_associate(var_lock_t)
+fs_associate_noxattr(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t, file_type, pidfile;
+fs_associate(var_run_t)
+fs_associate_noxattr(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t;
+files_tmp_file(var_spool_t)
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
deleted file mode 100644
index 8fca398..0000000
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ /dev/null
@@ -1,202 +0,0 @@
-
-#
-# /bin
-#
-/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
-/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-
-#
-# /dev
-#
-/dev/MAKEDEV -- gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /emul
-#
-ifdef(`distro_redhat',`
-/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /etc
-#
-/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
-/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
-
-/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-
-/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_debian',`
-/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`targeted_policy',`
-/etc/X11/prefdm -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /lib
-#
-
-ifdef(`distro_gentoo',`
-/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /sbin
-#
-/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
-/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /opt
-#
-/opt(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/opt(/.*)?/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/opt(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
-#
-# /usr
-#
-/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-# these two lines are separate because of a
-# sorting issue with the java module
-/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
-
-/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-
-/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-
-/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-lvm/system-config-lvm.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-')
-
-#
-# /var
-#
-/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
-
-/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_suse',`
-/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
-')
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
deleted file mode 100644
index 0033679..0000000
--- a/refpolicy/policy/modules/system/corecommands.if
+++ /dev/null
@@ -1,569 +0,0 @@
-## <summary>
-## Core policy for shells, and generic programs
-## in /bin, /sbin, /usr/bin, and /usr/sbin.
-## </summary>
-## <required val="true">
-## Contains the base bin and sbin directory types
-## which need to be searched for the kernel to
-## run init.
-## </required>
-
-########################################
-## <summary>
-## Create a aliased type to generic bin files.
-## </summary>
-## <desc>
-## <p>
-## Create a aliased type to generic bin files.
-## </p>
-## <p>
-## This is added to support targeted policy. Its
-## use should be limited. It has no effect
-## on the strict policy.
-## </p>
-## </desc>
-## <param name="domain">
-## Alias type for bin_t.
-## </param>
-interface(`corecmd_bin_alias',`
- ifdef(`targeted_policy',`
- gen_require(`
- type bin_t;
- ')
-
- typealias bin_t alias $1;
- ',`
- errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
- ')
-')
-
-########################################
-## <summary>
-## Make the shell an entrypoint for the specified domain.
-## </summary>
-## <param name="domain">
-## The domain for which the shell is an entrypoint.
-## </param>
-interface(`corecmd_shell_entry_type',`
- gen_require(`
- type shell_exec_t;
- ')
-
- domain_entry_file($1,shell_exec_t)
-')
-
-########################################
-#
-# corecmd_search_bin(domain)
-#
-interface(`corecmd_search_bin',`
- gen_require(`
- type bin_t;
- class dir search;
- ')
-
- allow $1 bin_t:dir search;
-')
-
-########################################
-#
-# corecmd_list_bin(domain)
-#
-interface(`corecmd_list_bin',`
- gen_require(`
- type bin_t;
- class dir r_dir_perms;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Get the attributes of files in bin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_getattr_bin_file',`
- gen_require(`
- type bin_t;
- class file getattr;
- ')
-
- allow $1 bin_t:file getattr;
-')
-
-########################################
-## <summary>
-## Read files in bin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_file',`
- gen_require(`
- type bin_t;
- class dir search;
- class file r_file_perms;
- ')
-
- allow $1 bin_t:dir search;
- allow $1 bin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read symbolic links in bin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_symlink',`
- gen_require(`
- type bin_t;
- class dir search;
- class lnk_file r_file_perms;
- ')
-
- allow $1 bin_t:dir search;
- allow $1 bin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read pipes in bin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_pipe',`
- gen_require(`
- type bin_t;
- class dir search;
- class fifo_file r_file_perms;
- ')
-
- allow $1 bin_t:dir search;
- allow $1 bin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read named sockets in bin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_bin_socket',`
- gen_require(`
- type bin_t;
- class dir search;
- class sock_file r_file_perms;
- ')
-
- allow $1 bin_t:dir search;
- allow $1 bin_t:sock_file r_file_perms;
-')
-
-########################################
-#
-# corecmd_exec_bin(domain)
-#
-interface(`corecmd_exec_bin',`
- gen_require(`
- type bin_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
- can_exec($1,bin_t)
-
-')
-
-########################################
-## <summary>
-## Execute a file in a bin directory
-## in the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute a file in a bin directory
-## in the specified domain. This allows
-## the specified domain to execute any file
-## on these filesystems in the specified
-## domain. This is not suggested.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## <p>
-## This interface was added to handle
-## the ssh-agent policy.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="target_domain">
-## The type of the new process.
-## </param>
-#
-interface(`corecmd_bin_domtrans',`
- gen_require(`
- type bin_t;
- class dir search;
- class lnk_file { getattr read };
- ')
-
- allow $1 bin_t:dir search;
- allow $1 bin_t:lnk_file { getattr read };
-
- domain_auto_trans($1,bin_t,$2)
-')
-
-########################################
-#
-# corecmd_search_sbin(domain)
-#
-interface(`corecmd_search_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- allow $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search
-## sbin directories.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`corecmd_dontaudit_search_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- dontaudit $1 sbin_t:dir search_dir_perms;
-')
-
-########################################
-#
-# corecmd_list_sbin(domain)
-#
-interface(`corecmd_list_sbin',`
- gen_require(`
- type sbin_t;
- class dir r_dir_perms;
- ')
-
- allow $1 sbin_t:dir r_dir_perms;
-')
-
-########################################
-#
-# corecmd_getattr_sbin_file(domain)
-#
-interface(`corecmd_getattr_sbin_file',`
- gen_require(`
- type sbin_t;
- class file getattr;
- ')
-
- allow $1 sbin_t:file getattr;
-')
-
-########################################
-#
-# corecmd_dontaudit_getattr_sbin_file(domain)
-#
-interface(`corecmd_dontaudit_getattr_sbin_file',`
- gen_require(`
- type sbin_t;
- class file getattr;
- ')
-
- dontaudit $1 sbin_t:file getattr;
-')
-
-########################################
-## <summary>
-## Read files in sbin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_file',`
- gen_require(`
- type sbin_t;
- class dir search;
- class file r_file_perms;
- ')
-
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read symbolic links in sbin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_symlink',`
- gen_require(`
- type sbin_t;
- class dir search;
- class lnk_file r_file_perms;
- ')
-
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read named pipes in sbin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_pipe',`
- gen_require(`
- type sbin_t;
- class dir search;
- class fifo_file r_file_perms;
- ')
-
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read named sockets in sbin directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_read_sbin_socket',`
- gen_require(`
- type sbin_t;
- class dir search;
- class sock_file r_file_perms;
- ')
-
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:sock_file r_file_perms;
-')
-
-########################################
-#
-# corecmd_exec_sbin(domain)
-#
-interface(`corecmd_exec_sbin',`
- gen_require(`
- type sbin_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 sbin_t:dir r_dir_perms;
- allow $1 sbin_t:lnk_file r_file_perms;
- can_exec($1,sbin_t)
-
-')
-
-########################################
-## <summary>
-## Execute a file in a sbin directory
-## in the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute a file in a sbin directory
-## in the specified domain. This allows
-## the specified domain to execute any file
-## on these filesystems in the specified
-## domain. This is not suggested.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## <p>
-## This interface was added to handle
-## the ssh-agent policy.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="target_domain">
-## The type of the new process.
-## </param>
-#
-interface(`corecmd_sbin_domtrans',`
- gen_require(`
- type sbin_t;
- class dir search;
- class lnk_file { getattr read };
- ')
-
- allow $1 sbin_t:dir search;
- allow $1 sbin_t:lnk_file { getattr read };
-
- domain_auto_trans($1,sbin_t,$2)
-')
-
-########################################
-## <summary>
-## Check if a shell is executable (DAC-wise).
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`corecmd_check_exec_shell',`
- gen_require(`
- type bin_t, shell_exec_t;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
- allow $1 shell_exec_t:file execute;
-')
-
-########################################
-#
-# corecmd_exec_shell(domain)
-#
-interface(`corecmd_exec_shell',`
- gen_require(`
- type bin_t, shell_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
- can_exec($1,shell_exec_t)
-')
-
-########################################
-#
-# corecmd_exec_ls(domain)
-#
-interface(`corecmd_exec_ls',`
- gen_require(`
- type bin_t, ls_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
- can_exec($1,ls_exec_t)
-')
-
-########################################
-## <summary>
-## Execute a shell in the target domain. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-## </summary>
-## <desc>
-## <p>
-## Execute a shell in the target domain. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="target_domain">
-## The type of the shell process.
-## </param>
-#
-interface(`corecmd_shell_spec_domtrans',`
- gen_require(`
- type bin_t, shell_exec_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 bin_t:dir r_dir_perms;
- allow $1 bin_t:lnk_file r_file_perms;
-
- domain_trans($1,shell_exec_t,$2)
-')
-
-########################################
-## <summary>
-## Execute a shell in the specified domain.
-## </summary>
-## <desc>
-## <p>
-## Execute a shell in the specified domain.
-## </p>
-## <p>
-## No interprocess communication (signals, pipes,
-## etc.) is provided by this interface since
-## the domains are not owned by this module.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="target_domain">
-## The type of the shell process.
-## </param>
-#
-interface(`corecmd_shell_domtrans',`
- gen_require(`
- type shell_exec_t;
- ')
-
- corecmd_shell_spec_domtrans($1,$2)
- type_transition $1 shell_exec_t:process $2;
-')
-
-########################################
-#
-# corecmd_exec_chroot(domain)
-#
-interface(`corecmd_exec_chroot',`
- gen_require(`
- type chroot_exec_t;
- class capability sys_chroot;
- ')
-
- can_exec($1,chroot_exec_t)
- allow $1 self:capability sys_chroot;
-')
-
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
deleted file mode 100644
index 2dde3dc..0000000
--- a/refpolicy/policy/modules/system/corecommands.te
+++ /dev/null
@@ -1,37 +0,0 @@
-
-policy_module(corecommands,1.0.1)
-
-########################################
-#
-# Declarations
-#
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t;
-files_type(bin_t)
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t;
-files_type(sbin_t)
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t;
-files_type(ls_exec_t)
-
-#cjp: temp
-typeattribute ls_exec_t entry_type;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t;
-files_type(shell_exec_t)
-
-type chroot_exec_t;
-files_type(chroot_exec_t)
diff --git a/refpolicy/policy/modules/system/domain.fc b/refpolicy/policy/modules/system/domain.fc
deleted file mode 100644
index 7be4ddf..0000000
--- a/refpolicy/policy/modules/system/domain.fc
+++ /dev/null
@@ -1 +0,0 @@
-# This module currently does not have any file contexts.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
deleted file mode 100644
index 78f2d87..0000000
--- a/refpolicy/policy/modules/system/domain.if
+++ /dev/null
@@ -1,1095 +0,0 @@
-## <summary>Core policy for domains.</summary>
-## <required val="true">
-## Contains the concept of a domain.
-## </required>
-
-########################################
-## <summary>
-## Make the specified type usable as a basic domain.
-## </summary>
-## <desc>
-## <p>
-## Make the specified type usable as a basic domain.
-## </p>
-## <p>
-## This is primarily used for kernel threads;
-## generally the domain_type() interface is
-## more appropriate for userland processes.
-## </p>
-## </desc>
-## <param name="type">
-## Type to be used as a basic domain type.
-## </param>
-#
-interface(`domain_base_type',`
- gen_require(`
- attribute domain;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file rw_file_perms;
- class process { fork sigchld };
- ')
-
- # mark as a domain
- typeattribute $1 domain;
-
- # allow the domain to read its /proc/pid entries
- allow $1 self:dir r_dir_perms;
- allow $1 self:lnk_file r_file_perms;
- allow $1 self:file rw_file_perms;
-
- # allow $1 to create child processes in this domain
- allow $1 self:process { fork sigchld };
-
- ifdef(`targeted_policy',`
- tunable_policy(`allow_execmem',`
- allow $1 self:process execmem;
- ')
-
- # FIXME:
- # hack until role dominance is fixed in
- # the module compiler
- role secadm_r types $1;
- role sysadm_r types $1;
- role user_r types $1;
- role staff_r types $1;
- ')
-')
-
-########################################
-## <summary>
-## Make the specified type usable as a domain.
-## </summary>
-## <param name="type">
-## Type to be used as a domain type.
-## </param>
-#
-interface(`domain_type',`
- # start with basic domain
- domain_base_type($1)
-
- # Use trusted objects in /dev
- dev_rw_null_dev($1)
- dev_rw_zero_dev($1)
- term_use_controlling_term($1)
-
- # read the root directory
- files_list_root($1)
-
- # send init a sigchld and signull
- init_sigchld($1)
- init_signull($1)
-
- ifdef(`targeted_policy',`
- unconfined_use_fd($1)
- unconfined_sigchld($1)
- ')
-
- tunable_policy(`allow_ptrace',`
- userdom_sigchld_sysadm($1)
- ')
-
- # allow any domain to connect to the LDAP server
- optional_policy(`ldap',`
- ldap_use($1)
- ')
-
- # these 3 seem highly questionable:
- optional_policy(`rpm',`
- rpm_use_fd($1)
- rpm_read_pipe($1)
- ')
-
- optional_policy(`selinux',`
- selinux_dontaudit_read_fs($1)
- ')
-
- optional_policy(`selinuxutil',`
- seutil_dontaudit_read_config($1)
- ')
-')
-
-########################################
-## <summary>
-## Make the specified type usable as
-## an entry point for the domain.
-## </summary>
-## <param name="domain">
-## Domain to be entered.
-## </param>
-## <param name="type">
-## Type of program used for entering
-## the domain.
-## </param>
-#
-interface(`domain_entry_file',`
- gen_require(`
- attribute entry_type;
- class file entrypoint;
- ')
-
- files_type($2)
-
- allow $1 $2:file entrypoint;
- allow $1 $2:file rx_file_perms;
-
- typeattribute $2 entry_type;
-')
-
-########################################
-#
-# domain_wide_inherit_fd(domain)
-#
-interface(`domain_wide_inherit_fd',`
- gen_require(`
- attribute privfd;
- ')
-
- typeattribute $1 privfd;
-')
-
-########################################
-#
-# domain_dyntrans_type(domain)
-#
-interface(`domain_dyntrans_type',`
- gen_require(`
- attribute set_curr_context;
- ')
-
- typeattribute $1 set_curr_context;
-')
-
-########################################
-## <summary>
-## Makes caller and execption to the constraint
-## preventing changing to the system user
-## identity and system role.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_system_change_exempt',`
- gen_require(`
- attribute can_system_change;
- ')
-
- typeattribute $1 can_system_change;
-')
-
-########################################
-## <summary>
-## Makes caller an exception to the constraint preventing
-## changing of user identity.
-## </summary>
-## <param name="domain">
-## The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_subj_id_change_exempt',`
- gen_require(`
- attribute can_change_process_identity;
- ')
-
- typeattribute $1 can_change_process_identity;
-')
-
-########################################
-## <summary>
-## Makes caller an exception to the constraint preventing
-## changing of role.
-## </summary>
-## <param name="domain">
-## The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_role_change_exempt',`
- gen_require(`
- attribute can_change_process_role;
- ')
-
- typeattribute $1 can_change_process_role;
-')
-
-########################################
-## <summary>
-## Makes caller an exception to the constraint preventing
-## changing the user identity in object contexts.
-## </summary>
-## <param name="domain">
-## The process type to make an exception to the constraint.
-## </param>
-#
-interface(`domain_obj_id_change_exempt',`
- gen_require(`
- attribute can_change_object_identity;
- ')
-
- typeattribute $1 can_change_object_identity;
-')
-
-########################################
-## <summary>
-## Make the specified domain the target of
-## the user domain exception of the
-## SELinux role and identity change
-## constraints.
-## </summary>
-## <desc>
-## <p>
-## Make the specified domain the target of
-## the user domain exception of the
-## SELinux role and identity change
-## constraints.
-## </p>
-## <p>
-## This interface is needed to decouple
-## the user domains from the base module.
-## It should not be used other than on
-## user domains.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain target for user exemption.
-## </param>
-#
-interface(`domain_user_exemption_target',`
- gen_require(`
- attribute process_user_target;
- ')
-
- typeattribute $1 process_user_target;
-')
-
-########################################
-## <summary>
-## Make the specified domain the source of
-## the cron domain exception of the
-## SELinux role and identity change
-## constraints.
-## </summary>
-## <desc>
-## <p>
-## Make the specified domain the source of
-## the cron domain exception of the
-## SELinux role and identity change
-## constraints.
-## </p>
-## <p>
-## This interface is needed to decouple
-## the cron domains from the base module.
-## It should not be used other than on
-## cron domains.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain target for user exemption.
-## </param>
-#
-interface(`domain_cron_exemption_source',`
- gen_require(`
- attribute cron_source_domain;
- ')
-
- typeattribute $1 cron_source_domain;
-')
-
-########################################
-## <summary>
-## Make the specified domain the target of
-## the cron domain exception of the
-## SELinux role and identity change
-## constraints.
-## </summary>
-## <desc>
-## <p>
-## Make the specified domain the target of
-## the cron domain exception of the
-## SELinux role and identity change
-## constraints.
-## </p>
-## <p>
-## This interface is needed to decouple
-## the cron domains from the base module.
-## It should not be used other than on
-## user cron jobs.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain target for user exemption.
-## </param>
-#
-interface(`domain_cron_exemption_target',`
- gen_require(`
- attribute cron_job_domain;
- ')
-
- typeattribute $1 cron_job_domain;
-')
-
-########################################
-#
-# domain_use_wide_inherit_fd(domain)
-#
-interface(`domain_use_wide_inherit_fd',`
- gen_require(`
- attribute privfd;
- class fd use;
- ')
-
- allow $1 privfd:fd use;
-')
-
-########################################
-#
-# domain_dontaudit_use_wide_inherit_fd(domain)
-#
-interface(`domain_dontaudit_use_wide_inherit_fd',`
- gen_require(`
- attribute privfd;
- class fd use;
- ')
-
- dontaudit $1 privfd:fd use;
-')
-
-########################################
-## <summary>
-## Send a SIGCHLD signal to domains whose file
-## discriptors are widely inheritable.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-# cjp: this was added because of newrole
-interface(`domain_sigchld_wide_inherit_fd',`
- gen_require(`
- attribute privfd;
- ')
-
- allow $1 privfd:process sigchld;
-')
-
-########################################
-#
-# domain_setpriority_all_domains(domain)
-#
-interface(`domain_setpriority_all_domains',`
- gen_require(`
- attribute domain;
- class process setsched;
- ')
-
- allow $1 domain:process setsched;
-')
-
-########################################
-## <summary>
-## Send general signals to all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_signal_all_domains',`
- gen_require(`
- attribute domain;
- class process signal;
- ')
-
- allow $1 domain:process signal;
-')
-
-########################################
-## <summary>
-## Send a null signal to all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_signull_all_domains',`
- gen_require(`
- attribute domain;
- class process signull;
- ')
-
- allow $1 domain:process signull;
-')
-
-########################################
-## <summary>
-## Send a stop signal to all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_sigstop_all_domains',`
- gen_require(`
- attribute domain;
- class process sigstop;
- ')
-
- allow $1 domain:process sigstop;
-')
-
-########################################
-## <summary>
-## Send a child terminated signal to all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_sigchld_all_domains',`
- gen_require(`
- attribute domain;
- class process sigchld;
- ')
-
- allow $1 domain:process sigchld;
-')
-
-########################################
-## <summary>
-## Send a kill signal to all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_kill_all_domains',`
- gen_require(`
- attribute domain;
- class process sigkill;
- class capability kill;
- ')
-
- allow $1 domain:process sigkill;
- allow $1 self:capability kill;
-')
-
-########################################
-## <summary>
-## Search the process state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_search_all_domains_state',`
- gen_require(`
- attribute domain;
- class dir search;
- ')
-
- kernel_search_proc($1)
- allow $1 domain:dir search;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search the process
-## state directory (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`domain_dontaudit_search_all_domains_state',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Read the process state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_read_all_domains_state',`
- gen_require(`
- attribute domain;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
- ')
-
- kernel_search_proc($1)
- allow $1 domain:dir r_dir_perms;
- allow $1 domain:lnk_file r_file_perms;
- allow $1 domain:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_domains',`
- gen_require(`
- attribute domain;
- class process getattr;
- ')
-
- allow $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-## Get the attributes of all domains of all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_domains',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:process getattr;
-')
-
-########################################
-## <summary>
-## Read the process state (/proc/pid) of all confined domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_read_confined_domains_state',`
- gen_require(`
- attribute domain, unconfined_domain;
- ')
-
- kernel_search_proc($1)
- allow $1 { domain -unconfined_domain }:dir r_dir_perms;
- allow $1 { domain -unconfined_domain }:lnk_file r_file_perms;
- allow $1 { domain -unconfined_domain }:file r_file_perms;
-
- dontaudit $1 unconfined_domain:dir search;
- dontaudit $1 unconfined_domain:file { getattr read };
-')
-
-########################################
-## <summary>
-## Get the attributes of all confined domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_confined_domains',`
- gen_require(`
- attribute domain, unconfined_domain;
- class process getattr;
- ')
-
- allow $1 { domain -unconfined_domain }:process getattr;
-')
-
-########################################
-## <summary>
-## Ptrace all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_ptrace_all_domains',`
- gen_require(`
- attribute domain;
- ')
-
- allow $1 domain:process ptrace;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to ptrace all domains.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to ptrace all domains.
-## </p>
-## <p>
-## Generally this needs to be suppressed because procps tries to access
-## /proc/pid/environ and this now triggers a ptrace check in recent kernels
-## (2.4 and 2.6).
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_ptrace_all_domains',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:process ptrace;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to ptrace confined domains.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to ptrace confined domains.
-## </p>
-## <p>
-## Generally this needs to be suppressed because procps tries to access
-## /proc/pid/environ and this now triggers a ptrace check in recent kernels
-## (2.4 and 2.6).
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_dontaudit_ptrace_confined_domains',`
- gen_require(`
- attribute domain, unconfined_domain;
- class process ptrace;
- ')
-
- dontaudit $1 { domain -unconfined_domain }:process ptrace;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read the process
-## state (/proc/pid) of all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_read_all_domains_state',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:dir r_dir_perms;
- dontaudit $1 domain:lnk_file r_file_perms;
- dontaudit $1 domain:file r_file_perms;
-
- # cjp: these should be removed:
- dontaudit $1 domain:sock_file r_file_perms;
- dontaudit $1 domain:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read the process state
-## directories of all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_list_all_domains_proc',`
- gen_require(`
- attribute domain;
- class dir r_dir_perms;
- ')
-
- dontaudit $1 domain:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Get the session ID of all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_getsession_all_domains',`
- gen_require(`
- attribute domain;
- class process getsession;
- ')
-
- allow $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the
-## session ID of all domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getsession_all_domains',`
- gen_require(`
- attribute domain;
- class process getsession;
- ')
-
- dontaudit $1 domain:process getsession;
-')
-
-########################################
-## <summary>
-## Get the attributes of all domains
-## sockets, for all socket types.
-## </summary>
-## <desc>
-## <p>
-## Get the attributes of all domains
-## sockets, for all socket types.
-## </p>
-## <p>
-## This is commonly used for domains
-## that can use lsof on all domains.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_sockets',`
- gen_require(`
- gen_require_set(getattr,socket_class_set)
- ')
-
- allow $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains sockets, for all socket types.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to get the attributes
-## of all domains sockets, for all socket types.
-## </p>
-## <p>
-## This interface was added for PCMCIA cardmgr
-## and is probably excessive.
-## </p>
-## </desc>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_sockets',`
- gen_require(`
- gen_require_set(getattr,socket_class_set)
- ')
-
- dontaudit $1 domain:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains TCP sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_tcp_sockets',`
- gen_require(`
- attribute domain;
- class tcp_socket getattr;
- ')
-
- dontaudit $1 domain:tcp_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains UDP sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_udp_sockets',`
- gen_require(`
- attribute domain;
- class udp_socket getattr;
- ')
-
- dontaudit $1 domain:udp_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read or write
-## all domains UDP sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_rw_all_udp_sockets',`
- gen_require(`
- attribute domain;
- class udp_socket { read write };
- ')
-
- dontaudit $1 domain:udp_socket { read write };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get attribues of
-## all domains IPSEC key management sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_key_sockets',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:key_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get attribues of
-## all domains packet sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_packet_sockets',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:packet_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get attribues of
-## all domains raw sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_raw_sockets',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:rawip_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read or write
-## all domains key sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_rw_all_key_sockets',`
- gen_require(`
- attribute domain;
- class key_socket { read write };
- ')
-
- dontaudit $1 domain:key_socket { read write };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_dgram_sockets',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:unix_dgram_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains unix datagram sockets.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_stream_sockets',`
- gen_require(`
- attribute domain;
- ')
-
- dontaudit $1 domain:unix_stream_socket getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all domains unnamed pipes.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_dontaudit_getattr_all_pipes',`
- gen_require(`
- attribute domain;
- class fifo_file getattr;
- ')
-
- dontaudit $1 domain:fifo_file getattr;
-')
-
-########################################
-## <summary>
-## Get the attributes of entry point
-## files for all domains.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`domain_getattr_all_entry_files',`
- gen_require(`
- attribute entry_type;
- class file getattr;
- class lnk_file r_file_perms;
- ')
-
- allow $1 entry_type:lnk_file getattr;
- allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-#
-# domain_read_all_entry_files(domain)
-#
-interface(`domain_read_all_entry_files',`
- gen_require(`
- attribute entry_type;
- class file r_file_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 entry_type:lnk_file r_file_perms;
- allow $1 entry_type:file r_file_perms;
-')
-
-########################################
-#
-# domain_exec_all_entry_files(domain)
-#
-interface(`domain_exec_all_entry_files',`
- gen_require(`
- attribute entry_type;
- ')
-
- can_exec($1,entry_type)
-')
-
-########################################
-## <summary>
-## Unconfined access to domains.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`domain_unconfined',`
- gen_require(`
- attribute domain, set_curr_context;
- attribute can_change_process_identity;
- attribute can_change_process_role;
- attribute can_change_object_identity;
- attribute unconfined_domain;
- ')
-
- typeattribute $1 unconfined_domain;
-
- # pass all constraints
- typeattribute $1 can_change_process_identity;
- typeattribute $1 can_change_process_role;
- typeattribute $1 can_change_object_identity;
- typeattribute $1 set_curr_context;
-
- # Use/sendto/connectto sockets created by any domain.
- allow $1 domain:{ socket_class_set socket key_socket } *;
-
- # Use descriptors and pipes created by any domain.
- allow $1 domain:fd use;
- allow $1 domain:fifo_file rw_file_perms;
-
- # Act upon any other process.
- allow $1 domain:process ~{ transition dyntransition execmem };
-
- # Create/access any System V IPC objects.
- allow $1 domain:{ sem msgq shm } *;
- allow $1 domain:msg { send receive };
-
- # For /proc/pid
- allow $1 domain:dir r_dir_perms;
- allow $1 domain:file r_file_perms;
- allow $1 domain:lnk_file r_file_perms;
-')
-
-#
-# These next macros are not templates, but actually are
-# support macros. Due to the domain_ prefix, they
-# are placed in this module, to try to prevent confusion.
-# They are called templates since regular m4 defines
-# wont work here.
-#
-
-########################################
-#
-# domain_trans(source_domain,entrypoint_file,target_domain)
-#
-template(`domain_trans',`
- allow $1 $2:file { getattr read execute };
- allow $1 $3:process transition;
- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-')
-
-########################################
-#
-# domain_auto_trans(source_domain,entrypoint_file,target_domain)
-#
-template(`domain_auto_trans',`
- domain_trans($1,$2,$3)
- type_transition $1 $2:process $3;
-')
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
deleted file mode 100644
index a368df8..0000000
--- a/refpolicy/policy/modules/system/domain.te
+++ /dev/null
@@ -1,69 +0,0 @@
-
-policy_module(domain,1.0)
-
-########################################
-#
-# Declarations
-#
-
-# Mark process types as domains
-attribute domain;
-
-# Transitions only allowed from domains to other domains
-neverallow domain ~domain:process { transition dyntransition };
-
-# Domains that are unconfined
-attribute unconfined_domain;
-
-# Domains that can set their current context
-# (perform dynamic transitions)
-attribute set_curr_context;
-
-# enabling setcurrent breaks process tranquility. If you do not
-# know what this means or do not understand the implications of a
-# dynamic transition, you should not be using it!!!
-neverallow { domain -set_curr_context } self:process setcurrent;
-
-# entrypoint executables
-attribute entry_type;
-
-# widely-inheritable file descriptors
-attribute privfd;
-
-#
-# constraint related attributes
-#
-
-# [1] types that can change SELinux identity on transition
-attribute can_change_process_identity;
-
-# [2] types that can change SELinux role on transition
-attribute can_change_process_role;
-
-# [3] types that can change the SELinux identity on a filesystem
-# object or a socket object on a create or relabel
-attribute can_change_object_identity;
-
-# [3] types that can change to system_u:system_r
-attribute can_system_change;
-
-# [4] types that have attribute 1 can change the SELinux
-# identity only if the target domain has this attribute.
-# Types that have attribute 2 can change the SELinux role
-# only if the target domain has this attribute.
-attribute process_user_target;
-
-# For cron jobs
-# [5] types used for cron daemons
-attribute cron_source_domain;
-# [6] types used for cron jobs
-attribute cron_job_domain;
-
-# [7] types that are unconditionally exempt from
-# SELinux identity and role change constraints
-attribute process_uncond_exempt; # add userhelperdomain to this one
-
-# TODO:
-# cjp: also need to except correctly for SEFramework
-neverallow { domain unlabeled_t } file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
deleted file mode 100644
index 0c19f57..0000000
--- a/refpolicy/policy/modules/system/files.fc
+++ /dev/null
@@ -1,216 +0,0 @@
-
-#
-# /
-#
-/.* gen_context(system_u:object_r:default_t,s0)
-/ -d gen_context(system_u:object_r:root_t,s0)
-/\.journal <<none>>
-
-ifdef(`distro_redhat',`
-/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_suse',`
-/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# /boot
-#
-/boot/\.journal <<none>>
-/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/boot/lost\+found/.* <<none>>
-
-#
-# /emul
-#
-
-ifdef(`distro_redhat',`
-/emul(/.*)? gen_context(system_u:object_r:usr_t,s0)
-')
-
-#
-# /etc
-#
-/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/blkid\.tab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-
-/etc/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
-
-/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
-/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:etc_t,s0)
-
-/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
-ifdef(`distro_gentoo', `
-/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
-')
-
-ifdef(`distro_suse',`
-/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
-# HOME_ROOT
-# expanded by genhomedircon
-#
-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0)
-HOME_ROOT/\.journal <<none>>
-HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-HOME_ROOT/lost\+found/.* <<none>>
-
-#
-# /initrd
-#
-# initrd mount point, only used during boot
-/initrd -d gen_context(system_u:object_r:root_t,s0)
-
-#
-# /lost+found
-#
-/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/lost\+found/.* <<none>>
-
-#
-# /media
-#
-# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
-/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-/media/[^/]*/.* <<none>>
-
-#
-# /mnt
-#
-/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
-/mnt/[^/]*/.* <<none>>
-
-#
-# /opt
-#
-/opt(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-/opt(/.*)?/var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
-#
-# /proc
-#
-/proc(/.*)? <<none>>
-
-#
-# /selinux
-#
-/selinux(/.*)? <<none>>
-
-#
-# /srv
-#
-/srv(/.*)? gen_context(system_u:object_r:var_t,s0)
-
-#
-# /sys
-#
-/sys(/.*)? <<none>>
-
-#
-# /tmp
-#
-/tmp -d gen_context(system_u:object_r:tmp_t,s0)
-/tmp/.* <<none>>
-/tmp/\.journal <<none>>
-
-/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/tmp/lost\+found/.* <<none>>
-
-#
-# /usr
-#
-/usr(/.*)? gen_context(system_u:object_r:usr_t,s0)
-/usr/\.journal <<none>>
-
-/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-/usr/local/\.journal <<none>>
-
-/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/usr/local/lost\+found/.* <<none>>
-
-/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
-/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/usr/lost\+found/.* <<none>>
-
-/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-
-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0)
-/usr/tmp/.* <<none>>
-
-#
-# /var
-#
-/var(/.*)? gen_context(system_u:object_r:var_t,s0)
-/var/\.journal <<none>>
-
-/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
-
-/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-
-/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
-/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
-
-/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
-
-/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/var/lost\+found/.* <<none>>
-
-/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0)
-/var/run/.*\.*pid <<none>>
-
-/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
-
-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0)
-/var/tmp/.* <<none>>
-/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
-/var/tmp/lost\+found/.* <<none>>
-/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
deleted file mode 100644
index c43fa98..0000000
--- a/refpolicy/policy/modules/system/files.if
+++ /dev/null
@@ -1,3104 +0,0 @@
-## <summary>
-## Basic filesystem types and interfaces.
-## </summary>
-## <desc>
-## <p>
-## This module contains basic filesystem types and interfaces. This
-## includes:
-## <ul>
-## <li>The concept of different file types including basic
-## files, mount points, tmp files, etc.</li>
-## <li>Access to groups of files and all files.</li>
-## <li>Types and interfaces for the basic filesystem layout
-## (/, /etc, /tmp, /usr, etc.).</li>
-## </ul>
-## </p>
-## </desc>
-## <required val="true">
-## Contains the concept of a file.
-## Comains the file initial SID.
-## </required>
-
-########################################
-## <summary>
-## Make the specified type usable for files
-## in a filesystem.
-## </summary>
-## <param name="type">
-## Type to be used for files.
-## </param>
-#
-interface(`files_type',`
- gen_require(`
- attribute file_type;
- ')
-
- fs_associate($1)
- fs_associate_noxattr($1)
- typeattribute $1 file_type;
-')
-
-########################################
-#
-# files_lock_file(type)
-#
-interface(`files_lock_file',`
- gen_require(`
- attribute lockfile;
- ')
-
- files_type($1)
- typeattribute $1 lockfile;
-')
-
-########################################
-#
-# files_mountpoint(type)
-#
-interface(`files_mountpoint',`
- gen_require(`
- attribute mountpoint;
- ')
-
- files_type($1)
- typeattribute $1 mountpoint;
-')
-
-########################################
-#
-# files_pid_file(type)
-#
-interface(`files_pid_file',`
- gen_require(`
- attribute pidfile;
- ')
-
- files_type($1)
- typeattribute $1 pidfile;
-')
-
-########################################
-## <summary>
-## Make the specified type a
-## configuration file.
-## </summary>
-## <param name="file_type">
-## Type to be used as a configuration file.
-## </param>
-#
-interface(`files_config_file',`
- gen_require(`
- attribute usercanread;
- ')
-
- files_type($1)
-
- # this is a hack and should be removed.
- typeattribute $1 usercanread;
-')
-
-########################################
-## <summary>
-## Make the specified type a
-## polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-## Type of the file to be used as a
-## polyinstantiated directory.
-## </param>
-#
-interface(`files_poly',`
- gen_require(`
- attribute polydir;
- ')
-
- files_type($1)
- typeattribute $1 polydir;
-')
-
-########################################
-## <summary>
-## Make the specified type a parent
-## of a polyinstantiated directory.
-## </summary>
-## <param name="file_type">
-## Type of the file to be used as a
-## parent directory.
-## </param>
-#
-interface(`files_poly_parent',`
- gen_require(`
- attribute polyparent;
- ')
-
- files_type($1)
- typeattribute $1 polyparent;
-')
-
-########################################
-## <summary>
-## Make the specified type a
-## polyinstantiation member directory.
-## </summary>
-## <param name="file_type">
-## Type of the file to be used as a
-## member directory.
-## </param>
-#
-interface(`files_poly_member',`
- gen_require(`
- attribute polymember;
- ')
-
- files_type($1)
- typeattribute $1 polymember;
-')
-
-########################################
-## <summary>
-## Make the domain use the specified
-## type of polyinstantiated directory.
-## </summary>
-## <param name="domain">
-## Domain using the polyinstantiated
-## directory.
-## </param>
-## <param name="file_type">
-## Type of the file to be used as a
-## member directory.
-## </param>
-#
-interface(`files_poly_member_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
- type_member $1 tmp_t:dir $2;
-')
-
-########################################
-## <summary>
-## Make the specified type a file that
-## should not be dontaudited from
-## browsing from user domains.
-## </summary>
-## <param name="file_type">
-## Type of the file to be used as a
-## member directory.
-## </param>
-#
-interface(`files_security_file',`
- gen_require(`
- attribute security_file_type;
- ')
-
- files_type($1)
- typeattribute $1 security_file_type;
-')
-
-########################################
-## <summary>
-## Make the specified type a file
-## used for temporary files.
-## </summary>
-## <param name="file_type">
-## Type of the file to be used as a
-## temporary file.
-## </param>
-#
-interface(`files_tmp_file',`
- gen_require(`
- attribute tmpfile;
- type tmp_t;
- ')
-
- files_type($1)
- files_poly_member($1)
- fs_associate_tmpfs($1)
- typeattribute $1 tmpfile;
- allow $1 tmp_t:filesystem associate;
-')
-
-########################################
-## <summary>
-## Transform the type into a file, for use on a
-## virtual memory filesystem (tmpfs).
-## </summary>
-## <param name="type">
-## The type to be transformed.
-## </param>
-#
-interface(`files_tmpfs_file',`
- gen_require(`
- attribute tmpfsfile;
- ')
-
- files_type($1)
- fs_associate_tmpfs($1)
- typeattribute $1 tmpfsfile;
-')
-
-########################################
-## <summary>
-## Get the attributes of all directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-# cjp: this is an odd interface, because to getattr
-# all dirs, you need to search all the parent directories
-#
-interface(`files_getattr_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir { getattr search };
- ')
-
- allow $1 file_type:dir { getattr search };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all directories.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir getattr;
- ')
-
- dontaudit $1 file_type:dir getattr;
-')
-
-########################################
-## <summary>
-## Search all directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_search_all',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 file_type:dir { getattr search };
-')
-
-########################################
-## <summary>
-## List the contents of all directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir r_dir_perms;
- ')
-
- allow $1 file_type:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to list all
-## non security directories.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_list_non_security',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Get the attributes of all files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_files',`
- gen_require(`
- attribute file_type;
- class dir search;
- class file getattr;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:file getattr;
-')
-
-########################################
-## <summary>
-## Get the attributes of all sockets
-## with the type of a file.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-# cjp: added for initrc_t/distro_redhat. I
-# do not think it has any effect.
-interface(`files_getattr_all_file_type_sockets',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 file_type:socket_class_set getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all files.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_files',`
- gen_require(`
- attribute file_type;
- ')
-
- dontaudit $1 file_type:file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security files.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_files',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:file getattr;
-')
-
-########################################
-## <summary>
-## Read all files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_all_files',`
- gen_require(`
- attribute file_type;
- class dir search;
- class file r_file_perms;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:file r_file_perms;
-
- optional_policy(`authlogin',`
- auth_read_shadow($1)
- ')
-')
-
-########################################
-## <summary>
-## Read all directories on the filesystem, except
-## the listed exceptions.
-## </summary>
-## <param name="domain">
-## The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-## The types to be excluded. Each type or attribute
-## must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_dirs_except',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 { file_type $2 }:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Read all files on the filesystem, except
-## the listed exceptions.
-## </summary>
-## <param name="domain">
-## The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-## The types to be excluded. Each type or attribute
-## must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_files_except',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 { file_type $2 }:dir search;
- allow $1 { file_type $2 }:file r_file_perms;
-
-')
-
-########################################
-## <summary>
-## Read all symbloic links on the filesystem, except
-## the listed exceptions.
-## </summary>
-## <param name="domain">
-## The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-## The types to be excluded. Each type or attribute
-## must be negated by the caller.
-## </param>
-#
-interface(`files_read_all_symlinks_except',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 { file_type $2 }:dir search;
- allow $1 { file_type $2 }:lnk_file r_file_perms;
-
-')
-
-########################################
-## <summary>
-## Get the attributes of all symbolic links.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_symlinks',`
- gen_require(`
- attribute file_type;
- class dir search;
- class lnk_file getattr;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all symbolic links.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_symlinks',`
- gen_require(`
- attribute file_type;
- class lnk_file getattr;
- ')
-
- dontaudit $1 file_type:lnk_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security symbolic links.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_symlinks',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:lnk_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security block devices.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_blk_dev',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:blk_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security character devices.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_chr_dev',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:chr_file getattr;
-')
-
-########################################
-## <summary>
-## Read all symbolic links.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_all_symlinks',`
- gen_require(`
- attribute file_type;
- class dir search;
- class lnk_file { getattr read };
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-## Get the attributes of all named pipes.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_pipes',`
- gen_require(`
- attribute file_type;
- class dir search;
- class fifo_file getattr;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all named pipes.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_pipes',`
- gen_require(`
- attribute file_type;
- class fifo_file getattr;
- ')
-
- dontaudit $1 file_type:fifo_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security named pipes.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_pipes',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:fifo_file getattr;
-')
-
-########################################
-## <summary>
-## Get the attributes of all named sockets.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_all_sockets',`
- gen_require(`
- attribute file_type;
- class dir search;
- class sock_file getattr;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of all named sockets.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_all_sockets',`
- gen_require(`
- attribute file_type;
- class sock_file getattr;
- ')
-
- dontaudit $1 file_type:sock_file getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of non security named sockets.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_non_security_sockets',`
- gen_require(`
- attribute file_type, security_file_type;
- ')
-
- dontaudit $1 { file_type -security_file_type }:sock_file getattr;
-')
-
-########################################
-## <summary>
-## Read all block nodes with file types.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_all_blk_nodes',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:blk_file { getattr read };
-')
-
-########################################
-## <summary>
-## Read all character nodes with file types.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_all_chr_nodes',`
- gen_require(`
- attribute file_type;
- ')
-
- allow $1 file_type:dir search;
- allow $1 file_type:chr_file { getattr read };
-')
-
-########################################
-## <summary>
-## Relabel all files on the filesystem, except
-## the listed exceptions.
-## </summary>
-## <param name="domain">
-## The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-## The types to be excluded. Each type or attribute
-## must be negated by the caller.
-## </param>
-#
-interface(`files_relabel_all_files',`
- gen_require(`
- attribute file_type;
- class dir { r_dir_perms relabelfrom relabelto };
- class file { relabelfrom relabelto };
- class lnk_file { relabelfrom relabelto };
- class fifo_file { relabelfrom relabelto };
- class sock_file { relabelfrom relabelto };
- class blk_file relabelfrom;
- class chr_file relabelfrom;
- ')
-
- allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
- allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
- allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
- allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
-
- # satisfy the assertions:
- seutil_relabelto_binary_pol($1)
-')
-
-########################################
-## <summary>
-## Manage all files on the filesystem, except
-## the listed exceptions.
-## </summary>
-## <param name="domain">
-## The type of the domain perfoming this action.
-## </param>
-## <param name="exception_types" optional="true">
-## The types to be excluded. Each type or attribute
-## must be negated by the caller.
-## </param>
-#
-interface(`files_manage_all_files',`
- gen_require(`
- attribute file_type;
- class dir create_dir_perms;
- class file create_file_perms;
- class lnk_file create_lnk_perms;
- class fifo_file create_file_perms;
- class sock_file create_file_perms;
- ')
-
- allow $1 { file_type $2 }:dir create_dir_perms;
- allow $1 { file_type $2 }:file create_file_perms;
- allow $1 { file_type $2 }:lnk_file create_lnk_perms;
- allow $1 { file_type $2 }:fifo_file create_file_perms;
- allow $1 { file_type $2 }:sock_file create_file_perms;
-
- # satisfy the assertions:
- seutil_create_binary_pol($1)
- bootloader_manage_kernel_modules($1)
-')
-
-########################################
-#
-# files_search_all_dirs(domain)
-#
-interface(`files_search_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir search;
- ')
-
- allow $1 file_type:dir search;
-')
-
-########################################
-#
-# files_list_all_dirs(domain)
-#
-interface(`files_list_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir r_dir_perms;
- ')
-
- allow $1 file_type:dir r_dir_perms;
-')
-
-########################################
-#
-# files_dontaudit_search_all_dirs(domain)
-#
-interface(`files_dontaudit_search_all_dirs',`
- gen_require(`
- attribute file_type;
- class dir search;
- ')
-
- dontaudit $1 file_type:dir search;
-')
-
-#######################################
-#
-# files_relabelto_all_file_type_fs(domain)
-#
-interface(`files_relabelto_all_file_type_fs',`
- gen_require(`
- attribute file_type;
- class filesystem relabelto;
- ')
-
- allow $1 file_type:filesystem relabelto;
-')
-
-#######################################
-#
-# files_mount_all_file_type_fs(domain)
-#
-interface(`files_mount_all_file_type_fs',`
- gen_require(`
- attribute file_type;
- class filesystem mount;
- ')
-
- allow $1 file_type:filesystem mount;
-')
-
-#######################################
-#
-# files_unmount_all_file_type_fs(domain)
-#
-interface(`files_unmount_all_file_type_fs',`
- gen_require(`
- attribute file_type;
- class filesystem unmount;
- ')
-
- allow $1 file_type:filesystem unmount;
-')
-
-########################################
-#
-# files_mounton_all_mountpoints(domain)
-#
-interface(`files_mounton_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- class dir { getattr search mounton };
- class file { getattr mounton };
- ')
-
- allow $1 mountpoint:dir { getattr search mounton };
- allow $1 mountpoint:file { getattr mounton };
-')
-
-########################################
-#
-# files_list_root(domain)
-#
-interface(`files_list_root',`
- gen_require(`
- type root_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 root_t:dir r_dir_perms;
- allow $1 root_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Create an object in the root directory, with a private
-## type. If no object class is specified, the
-## default is file.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-## <param name="private type" optional="true">
-## The type of the object to be created. If no type
-## is specified, the type of the root directory will
-## be used.
-## </param>
-## <param name="object" optional="true">
-## The object class of the object being created. If
-## no class is specified, file will be used.
-## </param>
-#
-interface(`files_create_root',`
- gen_require(`
- type root_t;
- class dir create_dir_perms;
- ')
-
- allow $1 root_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- ifelse(`$2',`',`
- allow $1 root_t:file create_file_perms;
- ',`
- type_transition $1 root_t:file $2;
- ')
- ',`
- ifelse(`$2',`',`
- allow $1 root_t:$3 create_file_perms;
- ',`
- type_transition $1 root_t:$3 $2;
- ')
- ')
-')
-
-########################################
-#
-# files_dontaudit_read_root_file(domain)
-#
-interface(`files_dontaudit_read_root_file',`
- gen_require(`
- type root_t;
- ')
-
- dontaudit $1 root_t:file { getattr read };
-')
-
-########################################
-#
-# files_dontaudit_rw_root_file(domain)
-#
-interface(`files_dontaudit_rw_root_file',`
- gen_require(`
- type root_t;
- class file { read write };
- ')
-
- dontaudit $1 root_t:file { read write };
-')
-
-########################################
-#
-# files_dontaudit_rw_root_chr_dev(domain)
-#
-interface(`files_dontaudit_rw_root_chr_dev',`
- gen_require(`
- type root_t;
- class chr_file { read write };
- ')
-
- dontaudit $1 root_t:chr_file { read write };
-')
-
-########################################
-#
-# files_delete_root_dir_entry(domain)
-#
-interface(`files_delete_root_dir_entry',`
- gen_require(`
- type root_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 root_t:dir rw_dir_perms;
-')
-
-########################################
-#
-# files_unmount_rootfs(domain)
-#
-interface(`files_unmount_rootfs',`
- gen_require(`
- type root_t;
- class filesystem unmount;
- ')
-
- allow $1 root_t:filesystem unmount;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes of
-## directories with the default file type.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_default_dir',`
- gen_require(`
- type default_t;
- ')
-
- dontaudit $1 default_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Search the contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_search_default',`
- gen_require(`
- type default_t;
- ')
-
- allow $1 default_t:dir search;
-')
-
-########################################
-## <summary>
-## List contents of directories with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_default',`
- gen_require(`
- type default_t;
- ')
-
- allow $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to list contents of
-## directories with the default file type.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_list_default',`
- gen_require(`
- type default_t;
- ')
-
- dontaudit $1 default_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Mount a filesystem on a directory with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_mounton_default',`
- gen_require(`
- type default_t;
- ')
-
- allow $1 default_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes of
-## files with the default file type.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_default_files',`
- gen_require(`
- type default_t;
- ')
-
- dontaudit $1 default_t:file getattr;
-')
-
-########################################
-## <summary>
-## Read files with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_default_files',`
- gen_require(`
- type default_t;
- ')
-
- allow $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read files
-## with the default file type.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_read_default_files',`
- gen_require(`
- type default_t;
- ')
-
- dontaudit $1 default_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read symbolic links with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_default_symlinks',`
- gen_require(`
- type default_t;
- class lnk_file r_file_perms;
- ')
-
- allow $1 default_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read sockets with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_default_sockets',`
- gen_require(`
- type default_t;
- class sock_file r_file_perms;
- ')
-
- allow $1 default_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read named pipes with the default file type.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_default_pipes',`
- gen_require(`
- type default_t;
- class fifo_file r_file_perms;
- ')
-
- allow $1 default_t:fifo_file r_file_perms;
-')
-
-########################################
-#
-# files_search_etc(domain)
-#
-interface(`files_search_etc',`
- gen_require(`
- type etc_t;
- class dir search;
- ')
-
- allow $1 etc_t:dir search;
-')
-
-########################################
-## <summary>
-## Set the attributes of the /etc directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_setattr_etc_dir',`
- gen_require(`
- type etc_t;
- class dir setattr;
- ')
-
- allow $1 etc_t:dir setattr;
-')
-
-########################################
-#
-# files_list_etc(domain)
-#
-interface(`files_list_etc',`
- gen_require(`
- type etc_t;
- class dir r_dir_perms;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_read_etc_files(domain)
-#
-interface(`files_read_etc_files',`
- gen_require(`
- type etc_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:file r_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-#
-# files_rw_etc_files(domain)
-#
-interface(`files_rw_etc_files',`
- gen_require(`
- type etc_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:file rw_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-#
-# files_manage_etc_files(domain)
-#
-interface(`files_manage_etc_files',`
- gen_require(`
- type etc_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_t:file create_file_perms;
- allow $1 etc_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Delete system configuration files in /etc.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_delete_etc_files',`
- gen_require(`
- type etc_t;
- class dir rw_dir_perms;
- class file unlink;
- ')
-
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_t:file unlink;
-')
-
-########################################
-#
-# files_exec_etc_files(domain)
-#
-interface(`files_exec_etc_files',`
- gen_require(`
- type etc_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_t:lnk_file r_file_perms;
- can_exec($1,etc_t)
-
-')
-
-#######################################
-## <summary>
-## Relabel from and to generic files in /etc.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_relabel_etc_files',`
- gen_require(`
- type etc_t;
- ')
-
- allow $1 etc_t:dir list_dir_perms;
- allow $1 etc_t:file { relabelfrom relabelto };
-')
-
-########################################
-#
-# files_create_boot_flag(domain)
-#
-# /halt, /.autofsck, etc
-#
-interface(`files_create_boot_flag',`
- gen_require(`
- type root_t, etc_runtime_t;
- class dir rw_dir_perms;
- class file { create read write setattr unlink};
- ')
-
- allow $1 root_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file { create read write setattr unlink };
- type_transition $1 root_t:file etc_runtime_t;
-')
-
-########################################
-## <summary>
-## Read files in /etc that are dynamically
-## created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_etc_runtime_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_runtime_t:file r_file_perms;
- allow $1 etc_runtime_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-## Do not audit attempts to read files
-## in /etc that are dynamically
-## created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_read_etc_runtime_files',`
- gen_require(`
- type etc_runtime_t;
- class file { getattr read };
- ')
-
- dontaudit $1 etc_runtime_t:file { getattr read };
-')
-
-########################################
-## <summary>
-## Read and write files in /etc that are dynamically
-## created on boot, such as mtab.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_rw_etc_runtime_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- ')
-
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_runtime_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete files in
-## /etc that are dynamically created on boot,
-## such as mtab.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_etc_runtime_files',`
- gen_require(`
- type etc_t, etc_runtime_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file create_file_perms;
- type_transition $1 etc_t:file etc_runtime_t;
-')
-
-########################################
-#
-# files_create_etc_config(domain,privatetype,[class(es)])
-#
-interface(`files_create_etc_config',`
- gen_require(`
- type etc_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 etc_t:dir rw_dir_perms;
- ifelse(`$3',`',`
- type_transition $1 etc_t:file $2;
- ',`
- type_transition $1 etc_t:$3 $2;
- ')
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search directories on new filesystems
-## that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_search_isid_type_dir',`
- gen_require(`
- type file_t;
- ')
-
- dontaudit $1 file_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## List the contents of directories on new filesystems
-## that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_list_isid_type_dir',`
- gen_require(`
- type file_t;
- class dir r_dir_perms;
- ')
-
- allow $1 file_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Read and write directories on new filesystems
-## that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_rw_isid_type_dir',`
- gen_require(`
- type file_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete directories
-## on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_dir',`
- gen_require(`
- type file_t;
- class dir create_dir_perms;
- ')
-
- allow $1 file_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-## Mount a filesystem on a directory on new filesystems
-## that has not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_mounton_isid_type_dir',`
- gen_require(`
- type file_t;
- class dir { getattr search mounton };
- ')
-
- allow $1 file_t:dir { getattr search mounton };
-')
-
-########################################
-## <summary>
-## Read files on new filesystems
-## that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_read_isid_type_file',`
- gen_require(`
- type file_t;
- class dir search;
- class file r_file_perms;
- ')
-
- allow $1 file_t:dir search;
- allow $1 file_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete files
-## on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_file',`
- gen_require(`
- type file_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete symbolic links
-## on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_symlink',`
- gen_require(`
- type file_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-## Read and write block device nodes on new filesystems
-## that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_rw_isid_type_blk_node',`
- gen_require(`
- type file_t;
- class dir search;
- class blk_file rw_file_perms;
- ')
-
- allow $1 file_t:dir search;
- allow $1 file_t:blk_file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete block device nodes
-## on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_blk_node',`
- gen_require(`
- type file_t;
- class dir rw_dir_perms;
- class blk_file create_file_perms;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:blk_file create_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete character device nodes
-## on new filesystems that have not yet been labeled.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_isid_type_chr_node',`
- gen_require(`
- type file_t;
- class dir rw_dir_perms;
- class chr_file create_file_perms;
- ')
-
- allow $1 file_t:dir rw_dir_perms;
- allow $1 file_t:chr_file create_file_perms;
-')
-
-########################################
-## <summary>
-## Get the attributes of the home directories root
-## (/home).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_home_dir',`
- gen_require(`
- type home_root_t;
- ')
-
- allow $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the
-## attributes of the home directories root
-## (/home).
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_home_dir',`
- gen_require(`
- type home_root_t;
- ')
-
- dontaudit $1 home_root_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Search home directories root (/home).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_search_home',`
- gen_require(`
- type home_root_t;
- ')
-
- allow $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search
-## home directories root (/home).
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_home',`
- gen_require(`
- type home_root_t;
- ')
-
- dontaudit $1 home_root_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Get listing of home directories.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_list_home',`
- gen_require(`
- type home_root_t;
- class dir r_dir_perms;
- ')
-
- allow $1 home_root_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Create home directories
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-## <param name="home_type">
-## The type of the home directory
-## </param>
-#
-interface(`files_create_home_dirs',`
- gen_require(`
- type home_root_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 home_root_t:dir rw_dir_perms;
- type_transition $1 home_root_t:dir $2;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete objects in
-## lost+found directories.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_manage_lost_found',`
- gen_require(`
- type lost_found_t;
- class dir create_dir_perms;
- class file create_file_perms;
- class sock_file create_file_perms;
- class fifo_file create_file_perms;
- class lnk_file create_lnk_perms;
- ')
-
- allow $1 lost_found_t:dir create_dir_perms;
- allow $1 lost_found_t:file create_file_perms;
- allow $1 lost_found_t:sock_file create_file_perms;
- allow $1 lost_found_t:fifo_file create_file_perms;
- allow $1 lost_found_t:lnk_file create_lnk_perms;
-')
-
-########################################
-#
-# files_search_mnt(domain)
-#
-interface(`files_search_mnt',`
- gen_require(`
- type mnt_t;
- class dir search;
- ')
-
- allow $1 mnt_t:dir search;
-')
-
-########################################
-#
-# files_list_mnt(domain)
-#
-interface(`files_list_mnt',`
- gen_require(`
- type mnt_t;
- class dir r_dir_perms;
- ')
-
- allow $1 mnt_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Mount a filesystem on /mnt.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_mounton_mnt',`
- gen_require(`
- type mnt_t;
- class dir { search mounton };
- ')
-
- allow $1 mnt_t:dir { search mounton };
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete directories in /mnt.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_dirs',`
- gen_require(`
- type mnt_t;
- class dir create_dir_perms;
- ')
-
- allow $1 mnt_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete files in /mnt.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_files',`
- gen_require(`
- type mnt_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- allow $1 mnt_t:dir rw_dir_perms;
- allow $1 mnt_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete symbolic links in /mnt.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_mnt_symlinks',`
- gen_require(`
- type mnt_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
- ')
-
- allow $1 mnt_t:dir rw_dir_perms;
- allow $1 mnt_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-## List world-readable directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_world_readable',`
- gen_require(`
- type readable_t;
- class dir r_dir_perms;
- ')
-
- allow $1 readable_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Read world-readable files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_files',`
- gen_require(`
- type readable_t;
- class file r_file_perms;
- ')
-
- allow $1 readable_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read world-readable symbolic links.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_symlinks',`
- gen_require(`
- type readable_t;
- class lnk_file r_file_perms;
- ')
-
- allow $1 readable_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read world-readable named pipes.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_pipes',`
- gen_require(`
- type readable_t;
- class fifo_file r_file_perms;
- ')
-
- allow $1 readable_t:fifo_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read world-readable sockets.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_world_readable_sockets',`
- gen_require(`
- type readable_t;
- class sock_file r_file_perms;
- ')
-
- allow $1 readable_t:sock_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Allow the specified type to associate
-## to a filesystem with the type of the
-## temporary directory (/tmp).
-## </summary>
-## <param name="file_type">
-## Type of the file to associate.
-## </param>
-#
-interface(`files_associate_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
- allow $1 tmp_t:filesystem associate;
-')
-
-########################################
-## <summary>
-## Get the attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
- gen_require(`
- type tmp_t;
- ')
-
- allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the
-## attributes of the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_getattr_tmp_dir',`
- gen_require(`
- type tmp_t;
- class dir getattr;
- ')
-
- dontaudit $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Allow domain to getattr on /tmp directory.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_tmp_dir',`
- gen_require(`
- type tmp_t;
- class dir getattr;
- ')
-
- allow $1 tmp_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Search the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_search_tmp',`
- gen_require(`
- type tmp_t;
- class dir search;
- ')
-
- allow $1 tmp_t:dir search;
-')
-
-########################################
-## <summary>
-## Read the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_list_tmp',`
- gen_require(`
- type tmp_t;
- ')
-
- allow $1 tmp_t:dir list_dir_perms;
-')
-
-########################################
-## <summary>
-## Read files in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_read_generic_tmp_files',`
- gen_require(`
- type tmp_t;
- ')
-
- allow $1 tmp_t:dir search_dir_perms;
- allow $1 tmp_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read symbolic links in the tmp directory (/tmp).
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_read_generic_tmp_symlinks',`
- gen_require(`
- type tmp_t;
- ')
-
- allow $1 tmp_t:dir search_dir_perms;
- allow $1 tmp_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Set the attributes of all tmp directories.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
- class dir { search setattr };
- ')
-
- allow $1 tmpfile:dir { search getattr };
-')
-
-########################################
-#
-# files_create_tmp_files(domain,private_type,[object class(es)])
-#
-interface(`files_create_tmp_files',`
- gen_require(`
- type tmp_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 tmp_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 tmp_t:file $2;
- ',`
- type_transition $1 tmp_t:$3 $2;
- ')
-')
-
-########################################
-#
-# files_purge_tmp(domain)
-#
-interface(`files_purge_tmp',`
- gen_require(`
- attribute tmpfile;
- class dir { rw_dir_perms rmdir };
- gen_require_set({ getattr unlink },notdevfile_class_set)
- ')
-
- allow $1 tmpfile:dir { rw_dir_perms rmdir };
- allow $1 tmpfile:notdevfile_class_set { getattr unlink };
-')
-
-########################################
-#
-# files_search_usr(domain)
-#
-interface(`files_search_usr',`
- gen_require(`
- type usr_t;
- class dir search;
- ')
-
- allow $1 usr_t:dir search;
-')
-
-########################################
-## <summary>
-## List the contents of generic
-## directories in /usr.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_usr',`
- gen_require(`
- type usr_t;
- class dir r_dir_perms;
- ')
-
- allow $1 usr_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Get the attributes of files in /usr.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_getattr_usr_files',`
- gen_require(`
- type usr_t;
- class dir search;
- class file getattr;
- ')
-
- allow $1 usr_t:dir search;
- allow $1 usr_t:file getattr;
-')
-
-########################################
-#
-# files_read_usr_files(domain)
-#
-interface(`files_read_usr_files',`
- gen_require(`
- type usr_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
- ')
-
- allow $1 usr_t:dir r_dir_perms;
- allow $1 usr_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-## Execute generic programs in /usr in the caller domain.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_exec_usr_files',`
- gen_require(`
- type usr_t;
- ')
-
- allow $1 usr_t:dir r_dir_perms;
- allow $1 usr_t:lnk_file r_file_perms;
- can_exec($1,usr_t)
-
-')
-
-########################################
-## <summary>
-## Relabel a file to the type used in /usr.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_relabelto_usr_files',`
- gen_require(`
- type usr_t;
- class file relabelto;
- ')
-
- allow $1 usr_t:file relabelto;
-')
-
-########################################
-## <summary>
-## Read symbolic links in /usr.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_usr_symlinks',`
- gen_require(`
- type usr_t;
- class dir search;
- class file r_file_perms;
- ')
-
- allow $1 usr_t:dir search;
- allow $1 usr_t:lnk_file r_file_perms;
-')
-
-########################################
-## <summary>
-## Create objects in the /usr directory
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="file_type">
-## The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-## The object class. If not specified, file is used.
-## </param>
-#
-interface(`files_create_usr',`
- gen_require(`
- type usr_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 usr_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 usr_t:file $2;
- ',`
- type_transition $1 usr_t:$3 $2;
- ')
-')
-
-########################################
-## <summary>
-## Execute programs in /usr/src in the caller domain.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_exec_usr_src_files',`
- gen_require(`
- type usr_t, src_t;
- ')
-
- allow $1 usr_t:dir search;
- allow $1 src_t:dir r_dir_perms;
- allow $1 src_t:lnk_file r_file_perms;
- can_exec($1,src_t)
-')
-
-########################################
-#
-# files_dontaudit_search_src(domain)
-#
-interface(`files_dontaudit_search_src',`
- gen_require(`
- type src_t;
- ')
-
- dontaudit $1 src_t:dir search;
-')
-
-########################################
-#
-# files_read_usr_src_files(domain)
-#
-interface(`files_read_usr_src_files',`
- gen_require(`
- type usr_t, src_t;
- ')
-
- allow $1 usr_t:dir search;
- allow $1 src_t:dir r_dir_perms;
- allow $1 src_t:{ file lnk_file } r_file_perms;
-')
-
-########################################
-## <summary>
-## Search the contents of /var.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_search_var',`
- gen_require(`
- type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search
-## the contents of /var.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_var',`
- gen_require(`
- type var_t;
- ')
-
- dontaudit $1 var_t:dir search;
-')
-
-########################################
-## <summary>
-## List the contents of /var.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_var',`
- gen_require(`
- type var_t;
- ')
-
- allow $1 var_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete directories
-## in the /var directory.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_dirs',`
- gen_require(`
- type var_t;
- class dir create_dir_perms;
- ')
-
- allow $1 var_t:dir create_dir_perms;
-')
-
-########################################
-## <summary>
-## Read files in the /var directory.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_read_var_files',`
- gen_require(`
- type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete files in the /var directory.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_files',`
- gen_require(`
- type var_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- allow $1 var_t:dir rw_dir_perms;
- allow $1 var_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-## Read symbolic links in the /var directory.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_var_symlink',`
- gen_require(`
- type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_t:lnk_file { getattr read };
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete symbolic
-## links in the /var directory.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_var_symlinks',`
- gen_require(`
- type var_t;
- ')
-
- allow $1 var_t:dir rw_dir_perms;
- allow $1 var_t:lnk_file create_lnk_perms;
-')
-
-########################################
-## <summary>
-## Create objects in the /var directory
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="file_type">
-## The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-## The object class. If not specified, file is used.
-## </param>
-#
-interface(`files_create_var',`
- gen_require(`
- type var_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 var_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_t:file $2;
- ',`
- type_transition $1 var_t:$3 $2;
- ')
-')
-
-########################################
-## <summary>
-## Search directories in /var/lib.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_search_var_lib_dir',`
- gen_require(`
- type var_t, var_lib_t;
- class dir search;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_lib_t:dir search;
-')
-
-########################################
-## <summary>
-## Get the attributes of the /var/lib directory.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_getattr_var_lib_dir',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir getattr;
-')
-
-########################################
-## <summary>
-## Search the /var/lib directory.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_search_var_lib',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## List the contents of the /var/lib directory.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_list_var_lib',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir r_dir_perms;
-')
-
-########################################
-## <summary>
-## Create objects in the /var/lib directory
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-## <param name="file_type">
-## The type of the object to be created
-## </param>
-## <param name="object_class" optional="true">
-## The object class. If not specified, file is used.
-## </param>
-#
-interface(`files_create_var_lib',`
- gen_require(`
- type var_t, var_lib_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_lib_t:file $2;
- ',`
- type_transition $1 var_lib_t:$3 $2;
- ')
-')
-
-########################################
-## <summary>
-## Read generic files in /var/lib.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_var_lib_files',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
- allow $1 var_lib_t:file r_file_perms;
-')
-
-########################################
-## <summary>
-## Read generic symbolic links in /var/lib
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_read_var_lib_symlinks',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 { var_t var_lib_t }:dir search_dir_perms;
- allow $1 var_lib_t:lnk_file { getattr read };
-')
-
-# cjp: the next two interfaces really need to be fixed
-# in some way. They really neeed their own types.
-
-########################################
-#
-# files_manage_urandom_seed(domain)
-#
-interface(`files_manage_urandom_seed',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
- allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-## <summary>
-## Allow domain to manage mount tables
-## necessary for rpcd, nfsd, etc.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_manage_mounttab',`
- gen_require(`
- type var_t, var_lib_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lib_t:dir rw_dir_perms;
- allow $1 var_lib_t:file manage_file_perms;
-')
-
-########################################
-#
-# files_search_locks(domain)
-#
-interface(`files_search_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search the
-## locks directory (/var/lock).
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_locks',`
- gen_require(`
- type var_lock_t;
- ')
-
- dontaudit $1 var_lock_t:dir search;
-')
-
-########################################
-## <summary>
-## Add and remove entries in the /var/lock
-## directories.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_rw_locks_dir',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:dir rw_dir_perms;
-')
-
-########################################
-#
-# files_getattr_generic_locks(domain)
-#
-interface(`files_getattr_generic_locks',`
- gen_require(`
- type var_t, var_lock_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:dir r_dir_perms;
- allow $1 var_lock_t:file getattr;
-')
-
-########################################
-#
-# files_manage_generic_locks(domain)
-#
-interface(`files_manage_generic_locks',`
- gen_require(`
- type var_lock_t;
- ')
-
- allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
- allow $1 var_lock_t:file { getattr create read write setattr unlink };
-')
-
-########################################
-#
-# files_delete_all_locks(domain)
-#
-interface(`files_delete_all_locks',`
- gen_require(`
- attribute lockfile;
- class dir rw_dir_perms;
- class file { getattr unlink };
- ')
-
- allow $1 lockfile:dir rw_dir_perms;
- allow $1 lockfile:file { getattr unlink };
-')
-
-########################################
-#
-# files_create_lock(domain,private_type,[object class(es)])
-#
-interface(`files_create_lock',`
- gen_require(`
- type var_t, var_lock_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_lock_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_lock_t:file $2;
- ',`
- type_transition $1 var_lock_t:$3 $2;
- ')
-')
-
-########################################
-## <summary>
-## Do not audit attempts to get the attributes
-## of the /var/run directory.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_getattr_pid_dir',`
- gen_require(`
- type var_run_t;
- class dir getattr;
- ')
-
- dontaudit $1 var_run_t:dir getattr;
-')
-
-########################################
-#
-# files_search_pids(domain)
-#
-interface(`files_search_pids',`
- gen_require(`
- type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to search
-## the /var/run directory.
-## </summary>
-## <param name="domain">
-## Domain to not audit.
-## </param>
-#
-interface(`files_dontaudit_search_pids',`
- gen_require(`
- type var_run_t;
- ')
-
- dontaudit $1 var_run_t:dir search;
-')
-
-########################################
-#
-# files_list_pids(domain)
-#
-interface(`files_list_pids',`
- gen_require(`
- type var_t, var_run_t;
- class dir r_dir_perms;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_create_pid(domain,pidfile,[object class(es)])
-#
-interface(`files_create_pid',`
- gen_require(`
- type var_t, var_run_t;
- class dir rw_dir_perms;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_run_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_run_t:file $2;
- ',`
- type_transition $1 var_run_t:$3 $2;
- ')
-')
-
-########################################
-#
-# files_rw_generic_pids(domain)
-#
-interface(`files_rw_generic_pids',`
- gen_require(`
- type var_t, var_run_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_run_t:dir r_dir_perms;
- allow $1 var_run_t:file rw_file_perms;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to write to daemon runtime data files.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_write_all_pids',`
- gen_require(`
- attribute pidfile;
- ')
-
- dontaudit $1 pidfile:file write;
-')
-
-########################################
-## <summary>
-## Do not audit attempts to ioctl daemon runtime data files.
-## </summary>
-## <param name="domain">
-## The type of the process performing this action.
-## </param>
-#
-interface(`files_dontaudit_ioctl_all_pids',`
- gen_require(`
- attribute pidfile;
- ')
-
- dontaudit $1 pidfile:file ioctl;
-')
-
-########################################
-#
-# files_read_all_pids(domain)
-#
-interface(`files_read_all_pids',`
- gen_require(`
- attribute pidfile;
- type var_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 pidfile:dir r_dir_perms;
- allow $1 pidfile:file r_file_perms;
-')
-
-########################################
-#
-# files_delete_all_pids(domain)
-#
-interface(`files_delete_all_pids',`
- gen_require(`
- attribute pidfile;
- type var_t, var_run_t;
- class dir rw_dir_perms;
- class file { getattr unlink };
- class lnk_file { getattr unlink };
- class sock_file { getattr unlink };
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
- allow $1 var_run_t:dir rmdir;
- allow $1 pidfile:dir rw_dir_perms;
- allow $1 pidfile:file { getattr unlink };
- allow $1 pidfile:sock_file { getattr unlink };
-')
-
-########################################
-#
-# files_delete_all_pid_dirs(domain)
-#
-interface(`files_delete_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
- type var_t;
- ')
-
- allow $1 var_t:dir search;
- allow $1 pidfile:dir { rw_dir_perms rmdir };
-')
-
-########################################
-#
-# files_search_spool(domain)
-#
-interface(`files_search_spool',`
- gen_require(`
- type var_t, var_spool_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_spool_t:dir search_dir_perms;
-')
-
-########################################
-#
-# files_list_spool(domain)
-#
-interface(`files_list_spool',`
- gen_require(`
- type var_t, var_spool_t;
- class dir r_dir_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir r_dir_perms;
-')
-
-########################################
-#
-# files_manage_generic_spool_dirs(domain)
-#
-interface(`files_manage_generic_spool_dirs',`
- gen_require(`
- type var_t, var_spool_t;
- class dir create_dir_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir create_dir_perms;
-')
-
-########################################
-#
-# files_read_generic_spools(domain)
-#
-interface(`files_read_generic_spools',`
- gen_require(`
- type var_t, var_spool_t;
- class dir r_dir_perms;
- class file r_file_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir r_dir_perms;
- allow $1 var_spool_t:file r_file_perms;
-')
-
-########################################
-#
-# files_manage_generic_spools(domain)
-#
-interface(`files_manage_generic_spools',`
- gen_require(`
- type var_t, var_spool_t;
- class dir rw_dir_perms;
- class file create_file_perms;
- ')
-
- allow $1 var_t:dir search;
- allow $1 var_spool_t:dir rw_dir_perms;
- allow $1 var_spool_t:file create_file_perms;
-')
-
-########################################
-## <summary>
-## Unconfined access to files.
-## </summary>
-## <param name="domain">
-## Domain allowed access.
-## </param>
-#
-interface(`files_unconfined',`
- gen_require(`
- attribute file_type;
- ')
-
- # Create/access any file in a labeled filesystem;
- allow $1 file_type:{ file chr_file } ~execmod;
- allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-
- # Mount/unmount any filesystem with the context= option.
- allow $1 file_type:filesystem *;
-
- # Bind to any network address.
- # cjp: need to check this, I dont think this has any effect.
- allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
- ifdef(`targeted_policy',`
- tunable_policy(`allow_execmod',`
- allow $1 file_type:file execmod;
- ')
- ')
-')
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
deleted file mode 100644
index 46260eb..0000000
--- a/refpolicy/policy/modules/system/files.te
+++ /dev/null
@@ -1,169 +0,0 @@
-
-policy_module(files,1.0)
-
-########################################
-#
-# Declarations
-#
-
-attribute file_type;
-
-# cjp: should handle this different
-allow file_type self:filesystem associate;
-
-attribute lockfile;
-attribute mountpoint;
-attribute pidfile;
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# this is a hack and should be changed
-attribute usercanread;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
-# sensitive security files whose accesses should
-# not be dontaudited for uses
-attribute security_file_type;
-
-attribute tmpfile;
-attribute tmpfsfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mountpoint;
-fs_associate(default_t)
-fs_associate_noxattr(default_t)
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type;
-fs_associate(etc_t)
-fs_associate_noxattr(etc_t)
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type;
-fs_associate(etc_runtime_t)
-fs_associate_noxattr(etc_runtime_t)
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mountpoint;
-fs_associate(file_t)
-fs_associate_noxattr(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mountpoint; #, polyparent
-fs_associate(home_root_t)
-fs_associate_noxattr(home_root_t)
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type;
-fs_associate(lost_found_t)
-fs_associate_noxattr(lost_found_t)
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-#
-type mnt_t, file_type, mountpoint;
-fs_associate(mnt_t)
-fs_associate_noxattr(mnt_t)
-
-type no_access_t, file_type;
-fs_associate(no_access_t)
-fs_associate_noxattr(no_access_t)
-
-type poly_t, file_type;
-fs_associate(poly_t)
-fs_associate_noxattr(poly_t)
-
-type readable_t, file_type;
-fs_associate(readable_t)
-fs_associate_noxattr(readable_t)
-
-#
-# root_t is the type for rootfs and the root directory.
-#
-type root_t, file_type, mountpoint; #, polyparent
-fs_associate(root_t)
-fs_associate_noxattr(root_t)
-kernel_rootfs_mountpoint(root_t)
-genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mountpoint;
-fs_associate(src_t)
-fs_associate_noxattr(src_t)
-
-#
-# tmp_t is the type of the temporary directories
-#
-type tmp_t, mountpoint; #, polydir
-files_tmp_file(tmp_t)
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mountpoint;
-fs_associate(usr_t)
-fs_associate_noxattr(usr_t)
-
-#
-# var_t is the type of /var
-#
-type var_t, file_type, mountpoint;
-fs_associate(var_t)
-fs_associate_noxattr(var_t)
-
-#
-# var_lib_t is the type of /var/lib
-#
-type var_lib_t, file_type, mountpoint;
-fs_associate(var_lib_t)
-fs_associate_noxattr(var_lib_t)
-
-#
-# var_lock_t is tye type of /var/lock
-#
-type var_lock_t, file_type, lockfile;
-fs_associate(var_lock_t)
-fs_associate_noxattr(var_lock_t)
-
-#
-# var_run_t is the type of /var/run, usually
-# used for pid and other runtime files.
-#
-type var_run_t, file_type, pidfile;
-fs_associate(var_run_t)
-fs_associate_noxattr(var_run_t)
-
-#
-# var_spool_t is the type of /var/spool
-#
-type var_spool_t;
-files_tmp_file(var_spool_t)