diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 0beb2c7..4697a9a 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -68,7 +68,7 @@ logging_send_syslog_msg(acct_t)
 miscfiles_read_localization(acct_t)
-userdom_dontaudit_search_sysadm_home_dir(acct_t)
+userdom_dontaudit_search_sysadm_home_dirs(acct_t)
 userdom_dontaudit_use_unpriv_user_fds(acct_t)
 ifdef(`targeted_policy',`
@@ -80,7 +80,7 @@ ifdef(`targeted_policy',`
 optional_policy(`cron',`
 optional_policy(`authlogin',`
 # for monthly cron job
- auth_filetrans_login_records(acct_t)
+ auth_log_filetrans_login_records(acct_t)
 auth_manage_login_records(acct_t)
 ')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 671397b..75bb440 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -116,11 +116,11 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
 allow amanda_t amanda_log_t:file create_file_perms;
 allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(amanda_t,amanda_log_t,{ file dir })
+logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
 allow amanda_t amanda_tmp_t:dir create_dir_perms;
 allow amanda_t amanda_tmp_t:file create_file_perms;
-files_filetrans_tmp(amanda_t, amanda_tmp_t, { file dir })
+files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
 kernel_read_system_state(amanda_t)
 kernel_read_kernel_sysctls(amanda_t)
@@ -206,14 +206,14 @@ allow amanda_recover_t amanda_recover_dir_t:file create_file_perms;
 allow amanda_recover_t amanda_recover_dir_t:lnk_file create_lnk_perms;
 allow amanda_recover_t amanda_recover_dir_t:sock_file create_file_perms;
 allow amanda_recover_t amanda_recover_dir_t:fifo_file create_file_perms;
-userdom_filetrans_sysadm_home_dir(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
+userdom_sysadm_home_dir_filetrans(amanda_recover_t,amanda_recover_dir_t,{ dir file lnk_file sock_file fifo_file })
 allow amanda_recover_t amanda_tmp_t:dir create_dir_perms;
 allow amanda_recover_t amanda_tmp_t:file create_file_perms;
 allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
 allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
 allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
-files_filetrans_tmp(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
+files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
@@ -252,7 +252,7 @@ miscfiles_read_localization(amanda_recover_t)
 sysnet_read_config(amanda_recover_t)
-userdom_search_sysadm_home_subdirs(amanda_recover_t)
+userdom_search_sysadm_home_content_dirs(amanda_recover_t)
 optional_policy(`mount',`
 mount_send_nfs_client_request(amanda_recover_t)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index e17e6df..8d9cf0d 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -105,7 +105,7 @@ optional_policy(`rpm',`
 ')
 optional_policy(`userdomain',`
- userdom_use_unpriv_users_fd(consoletype_t)
+ userdom_use_unpriv_users_fds(consoletype_t)
 ')
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 07a9e16..5ca6a16 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -40,7 +40,7 @@ allow firstboot_t firstboot_etc_t:file { getattr read };
 allow firstboot_t firstboot_rw_t:dir create_dir_perms;
 allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
+files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
 # The big hammer
 unconfined_domain(firstboot_t)
@@ -99,13 +99,13 @@ modutils_read_module_config(firstboot_t)
 modutils_read_module_deps(firstboot_t)
 # Add/remove user home directories
-userdom_manage_generic_user_home_dirs(firstboot_t)
-userdom_manage_generic_user_home_files(firstboot_t)
-userdom_manage_generic_user_home_symlinks(firstboot_t)
-userdom_manage_generic_user_home_pipes(firstboot_t)
-userdom_manage_generic_user_home_sockets(firstboot_t)
-userdom_filetrans_generic_user_home_dir(firstboot_t)
-userdom_filetrans_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_generic_user_home_content_dirs(firstboot_t)
+userdom_manage_generic_user_home_content_files(firstboot_t)
+userdom_manage_generic_user_home_content_symlinks(firstboot_t)
+userdom_manage_generic_user_home_content_pipes(firstboot_t)
+userdom_manage_generic_user_home_content_sockets(firstboot_t)
+userdom_home_filetrans_generic_user_home_dir(firstboot_t)
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(firstboot_t,{ dir file lnk_file fifo_file sock_file })
 ifdef(`targeted_policy',`
 unconfined_domtrans(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 75cf926..8425e54 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -31,11 +31,11 @@ allow kudzu_t self:udp_socket { create ioctl };
 allow kudzu_t kudzu_tmp_t:dir create_file_perms;
 allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
-files_filetrans_tmp(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
 allow kudzu_t kudzu_var_run_t:file create_file_perms;
 allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
-files_filetrans_pid(kudzu_t,kudzu_var_run_t)
+files_pid_filetrans(kudzu_t,kudzu_var_run_t)
 kernel_change_ring_buffer_level(kudzu_t)
 kernel_list_proc(kudzu_t)
@@ -119,7 +119,7 @@ modutils_domtrans_insmod(kudzu_t)
 sysnet_read_config(kudzu_t)
-userdom_search_sysadm_home_dir(kudzu_t)
+userdom_search_sysadm_home_dirs(kudzu_t)
 userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index b2395f0..52b2926 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -51,18 +51,18 @@ allow logrotate_t self:msgq create_msgq_perms;
 allow logrotate_t self:msg { send receive };
 allow logrotate_t logrotate_lock_t:file create_file_perms;
-files_filetrans_lock(logrotate_t,logrotate_lock_t)
+files_lock_filetrans(logrotate_t,logrotate_lock_t)
 can_exec(logrotate_t, logrotate_tmp_t)
 allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
 allow logrotate_t logrotate_tmp_t:file create_file_perms;
-files_filetrans_tmp(logrotate_t, logrotate_tmp_t, { file dir })
+files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
 # for /var/lib/logrotate.status and /var/lib/logcheck
 allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
 allow logrotate_t logrotate_var_lib_t:file create_file_perms;
-files_filetrans_var_lib(logrotate_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t)
 kernel_read_system_state(logrotate_t)
 kernel_read_kernel_sysctls(logrotate_t)
@@ -118,7 +118,7 @@ seutil_dontaudit_read_config(logrotate_t)
 sysnet_read_config(logrotate_t)
-userdom_use_unpriv_users_fd(logrotate_t)
+userdom_use_unpriv_users_fds(logrotate_t)
 cron_system_entry(logrotate_t, logrotate_exec_t)
 cron_search_spool(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index d0bcbb9..913ad19 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -32,7 +32,7 @@ allow logwatch_t logwatch_cache_t:file create_file_perms;
 allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
 allow logwatch_t logwatch_tmp_t:file create_file_perms;
-files_filetrans_tmp(logwatch_t, logwatch_tmp_t, { file dir })
+files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
@@ -71,7 +71,7 @@ miscfiles_read_localization(logwatch_t)
 selinux_dontaudit_getattr_dir(logwatch_t)
-userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
+userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
 mta_send_mail(logwatch_t)
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
index 8badd19..1389d4c 100644
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ b/refpolicy/policy/modules/admin/mrtg.te
@@ -46,7 +46,7 @@ allow mrtg_t mrtg_lock_t:lnk_file create_lnk_perms;
 allow mrtg_t mrtg_log_t:file create_file_perms;
 allow mrtg_t mrtg_log_t:dir rw_dir_perms;
-logging_filetrans_log(mrtg_t,mrtg_log_t,{ file dir })
+logging_log_filetrans(mrtg_t,mrtg_log_t,{ file dir })
 allow mrtg_t mrtg_var_lib_t:dir rw_dir_perms;
 allow mrtg_t mrtg_var_lib_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 003a6a5..e707217 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -39,7 +39,7 @@ allow netutils_t self:tcp_socket create_stream_socket_perms;
 allow netutils_t netutils_tmp_t:dir create_dir_perms;
 allow netutils_t netutils_tmp_t:file create_file_perms;
-files_filetrans_tmp(netutils_t, netutils_tmp_t, { file dir })
+files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 kernel_search_proc(netutils_t)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 279fd5b..7b4229f 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -129,14 +129,14 @@ template(`portage_compile_domain_template',`
 allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
 allow $1_t $1_tmp_t:fifo_file manage_file_perms;
 allow $1_t $1_tmp_t:sock_file manage_file_perms;
- files_filetrans_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
+ files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
 allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
 allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_filetrans_tmpfs($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # write merge logs
 allow $1_t portage_log_t:dir setattr;
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index 4ab7df3..2d33bf9 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms;
 allow portage_fetch_t portage_t:process sigchld;
 allow portage_t portage_log_t:file create_file_perms;
-logging_filetrans_log(portage_t,portage_log_t)
+logging_log_filetrans(portage_t,portage_log_t)
 # transition to sandbox for compiling
 domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
@@ -126,7 +126,7 @@ allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
 allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
 allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
-files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
 # portage makes home dir the portage tmp dir, so
 # wget looks for .wgetrc there
@@ -166,7 +166,7 @@ miscfiles_read_localization(portage_fetch_t)
 sysnet_read_config(portage_fetch_t)
 sysnet_dns_name_resolve(portage_fetch_t)
-userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
+userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t)
 ifdef(`hide_broken_symptoms',`
 dontaudit portage_fetch_t portage_cache_t:file read;
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 0c30116..cff2919 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -27,13 +27,13 @@ allow prelink_t self:process { execheap execmem execstack };
 allow prelink_t self:fifo_file rw_file_perms;
 allow prelink_t prelink_cache_t:file manage_file_perms;
-files_filetrans_etc(prelink_t, prelink_cache_t, file)
-files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
+files_etc_filetrans(prelink_t, prelink_cache_t, file)
+files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
 allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
 allow prelink_t prelink_log_t:file { create ra_file_perms };
 allow prelink_t prelink_log_t:lnk_file read;
-logging_filetrans_log(prelink_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t)
 # prelink misc objects that are not system
 # libraries or entrypoints
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 095c168..8db168f 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
 allow readahead_t readahead_var_run_t:file create_file_perms;
 allow readahead_t readahead_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(readahead_t,readahead_var_run_t)
+files_pid_filetrans(readahead_t,readahead_var_run_t)
 kernel_read_kernel_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
@@ -68,7 +68,7 @@ logging_send_syslog_msg(readahead_t)
 miscfiles_read_localization(readahead_t)
 userdom_dontaudit_use_unpriv_user_fds(readahead_t)
-userdom_dontaudit_search_sysadm_home_dir(readahead_t)
+userdom_dontaudit_search_sysadm_home_dirs(readahead_t)
 ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(readahead_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index c9ebd15..16570df 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -73,19 +73,19 @@ allow rpm_t self:file rw_file_perms;;
 allow rpm_t rpm_tmp_t:dir create_dir_perms;
 allow rpm_t rpm_tmp_t:file create_file_perms;
-files_filetrans_tmp(rpm_t, rpm_tmp_t, { file dir })
+files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
 allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
 allow rpm_t rpm_tmpfs_t:file create_file_perms;
 allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
 allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
 allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
-fs_filetrans_tmpfs(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Access /var/lib/rpm files
 allow rpm_t rpm_var_lib_t:file create_file_perms;
 allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
-files_filetrans_var_lib(rpm_t,rpm_var_lib_t,dir)
+files_var_lib_filetrans(rpm_t,rpm_var_lib_t,dir)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
@@ -171,7 +171,7 @@ seutil_manage_bin_policy(rpm_t)
 sysnet_read_config(rpm_t)
-userdom_use_unpriv_users_fd(rpm_t)
+userdom_use_unpriv_users_fds(rpm_t)
 ifdef(`distro_redhat',`
 unconfined_domain(rpm_t)
@@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
 # conflicts since rpm_t is an alias of
 # unconfined in the targeted policy
 allow rpm_t rpm_log_t:file create_file_perms;
- logging_filetrans_log(rpm_t,rpm_log_t)
+ logging_log_filetrans(rpm_t,rpm_log_t)
 ')
 optional_policy(`cron',`
@@ -240,14 +240,14 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
 allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
 allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
-files_filetrans_tmp(rpm_script_t, rpm_script_tmp_t, { file dir })
+files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
 allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
 allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
 allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
 allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
 allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
-fs_filetrans_tmpfs(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow rpm_t rpm_script_t:fd use;
 allow rpm_script_t rpm_t:fd use;
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 6a02a2e..b73cdf5 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -180,7 +180,7 @@ template(`su_per_userdomain_template',`
 miscfiles_read_localization($1_su_t)
 userdom_use_user_terminals($1,$1_su_t)
- userdom_search_user_home($1,$1_su_t)
+ userdom_search_user_home_dirs($1,$1_su_t)
 ifdef(`enable_polyinstantiation',`
 fs_mount_xattr_fs($1_su_t)
@@ -196,8 +196,8 @@ template(`su_per_userdomain_template',`
 allow $1_su_t self:process sigstop;
 corecmd_exec_bin($1_su_t)
- userdom_manage_all_users_home_files($1_su_t)
- userdom_manage_all_users_home_symlinks($1_su_t)
+ userdom_manage_all_users_home_content_files($1_su_t)
+ userdom_manage_all_users_home_content_symlinks($1_su_t)
 ')
 tunable_policy(`use_nfs_home_dirs',`
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 95b96e9..73fa50e 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -120,14 +120,14 @@ template(`sudo_per_userdomain_template',`
 miscfiles_read_localization($1_sudo_t)
- userdom_manage_user_home_files($1,$1_sudo_t)
- userdom_manage_user_home_symlinks($1,$1_sudo_t)
+ userdom_manage_user_home_content_files($1,$1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
 userdom_manage_user_tmp_files($1,$1_sudo_t)
 userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
 userdom_use_user_terminals($1,$1_sudo_t)
- userdom_use_unpriv_users_fd($1_sudo_t)
+ userdom_use_unpriv_users_fds($1_sudo_t)
 # for some PAM modules and for cwd
- userdom_dontaudit_search_all_users_home($1_sudo_t)
+ userdom_dontaudit_search_all_users_home_content($1_sudo_t)
 optional_policy(`nis',`
 nis_use_ypbind($1_sudo_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index 7991c6a..c3e32d1 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -82,7 +82,7 @@ seutil_read_default_contexts(updfstab_t)
 seutil_read_file_contexts(updfstab_t)
 userdom_use_sysadm_ttys(updfstab_t)
-userdom_dontaudit_search_all_users_home(updfstab_t)
+userdom_dontaudit_search_all_users_home_content(updfstab_t)
 userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 4f7f300..f2efebf 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
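Review bot: `userdom_dontaudit_search_all_users_home($1_sudo_t)` is mapped to `userdom_dontaudit_search_all_users_home_content($1_sudo_t)`, but the comment directly above it says the dontaudit exists for the cwd case, which is a search on the home directory itself rather than on the files beneath it. Elsewhere in this commit the naming scheme separates `_home_dirs` from `_home_content` (e.g. `userdom_search_user_home_dirs` in su.if), so if the new interface only covers content types the cwd search would start appearing in the audit log again; the interface definition is not in this diff, so this needs confirming against it. The same mapping is applied in updfstab.te and in usermanage.te (chfn_t, passwd_t, sysadm_passwd_t) and vpn.te, where the accompanying comments likewise talk about the home dir. The enclosing template starts outside the hunk.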
@@ -127,10 +127,10 @@ logging_send_syslog_msg(chfn_t)
 # uses unix_chkpwd for checking passwords
 seutil_dontaudit_search_config(chfn_t)
-userdom_use_unpriv_users_fd(chfn_t)
+userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home(chfn_t)
+userdom_dontaudit_search_all_users_home_content(chfn_t)
 optional_policy(`nis',`
 nis_use_ypbind(chfn_t)
@@ -155,7 +155,7 @@ files_search_var(crack_t)
 allow crack_t crack_tmp_t:dir create_dir_perms;
 allow crack_t crack_tmp_t:file create_file_perms;
-files_filetrans_tmp(crack_t, crack_tmp_t, { file dir })
+files_tmp_filetrans(crack_t, crack_tmp_t, { file dir })
 kernel_read_system_state(crack_t)
@@ -176,7 +176,7 @@ libs_use_shared_libs(crack_t)
 logging_send_syslog_msg(crack_t)
-userdom_dontaudit_search_sysadm_home_dir(crack_t)
+userdom_dontaudit_search_sysadm_home_dirs(crack_t)
 optional_policy(`cron',`
 cron_system_entry(crack_t,crack_exec_t)
@@ -244,9 +244,9 @@ auth_use_nsswitch(groupadd_t)
 seutil_read_config(groupadd_t)
-userdom_use_unpriv_users_fd(groupadd_t)
+userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
+userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
 optional_policy(`nis',`
 nis_use_ypbind(groupadd_t)
@@ -333,13 +333,13 @@ miscfiles_read_localization(passwd_t)
 seutil_dontaudit_search_config(passwd_t)
-userdom_use_unpriv_users_fd(passwd_t)
+userdom_use_unpriv_users_fds(passwd_t)
 # make sure that getcon succeeds
 userdom_getattr_all_users(passwd_t)
 userdom_read_all_users_state(passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home(passwd_t)
+userdom_dontaudit_search_all_users_home_content(passwd_t)
 optional_policy(`nis',`
 nis_use_ypbind(passwd_t)
@@ -372,7 +372,7 @@ allow sysadm_passwd_t self:msg { send receive };
 # allow vipw to create temporary files under /var/tmp/vi.recover
 allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
 allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
-files_filetrans_tmp(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
 files_search_var(sysadm_passwd_t)
 kernel_read_kernel_sysctls(sysadm_passwd_t)
@@ -427,10 +427,10 @@ logging_send_syslog_msg(sysadm_passwd_t)
 seutil_dontaudit_search_config(sysadm_passwd_t)
-userdom_use_unpriv_users_fd(sysadm_passwd_t)
+userdom_use_unpriv_users_fds(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
-userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
+userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
 optional_policy(`nis',`
 nis_use_ypbind(sysadm_passwd_t)
@@ -501,13 +501,13 @@ miscfiles_read_localization(useradd_t)
 seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
-userdom_use_unpriv_users_fd(useradd_t)
+userdom_use_unpriv_users_fds(useradd_t)
 # for when /root is the cwd
-userdom_dontaudit_search_sysadm_home_dir(useradd_t)
+userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
 # Add/remove user home directories
-userdom_filetrans_generic_user_home_dir(useradd_t)
-userdom_manage_generic_user_home_dirs(useradd_t)
-userdom_filetrans_generic_user_home(useradd_t,notdevfile_class_set)
+userdom_home_filetrans_generic_user_home_dir(useradd_t)
+userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 mta_manage_spool(useradd_t)
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 05fd317..0c5ee06 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
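Review bot: Under `# Add/remove user home directories` in the useradd_t hunk at line 501, `userdom_manage_generic_user_home_dirs(useradd_t)` becomes `userdom_manage_generic_user_home_content_dirs(useradd_t)`, a content-level interface, while the home directory itself is only mentioned by the `userdom_home_filetrans_generic_user_home_dir(useradd_t)` transition. If the content interface does not grant create/rmdir on the home-directory type, useradd and userdel could lose the ability to create or remove the user's top-level home directory after this rename; the interface bodies are outside this diff, so this is a point to confirm rather than a certain regression. firstboot.te receives the same mapping but is `unconfined_domain`, so it would not be affected in practice.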
@@ -38,11 +38,11 @@ allow vpnc_t self:socket create_socket_perms;
 allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
 allow vpnc_t vpnc_tmp_t:file create_file_perms;
-files_filetrans_tmp(vpnc_t, vpnc_tmp_t, { file dir })
+files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
 allow vpnc_t vpnc_var_run_t:file create_file_perms;
 allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(vpnc_t,vpnc_var_run_t)
+files_pid_filetrans(vpnc_t,vpnc_var_run_t)
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
@@ -98,11 +98,11 @@ miscfiles_read_localization(vpnc_t)
 seutil_dontaudit_search_config(vpnc_t)
 sysnet_exec_ifconfig(vpnc_t)
-sysnet_filetrans_config(vpnc_t)
+sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 userdom_use_all_users_fds(vpnc_t)
-userdom_dontaudit_search_all_users_home(vpnc_t)
+userdom_dontaudit_search_all_users_home_content(vpnc_t)
 optional_policy(`dbus',`
 dbus_system_bus_client_template(vpnc,vpnc_t)
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index b532521..41bb205 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -105,7 +105,7 @@ template(`cdrecord_per_userdomain_template', `
 userdom_use_user_terminals($1,$1_cdrecord_t)
 userdom_use_user_terminals($1,$2)
- userdom_read_user_home_files($1,$1_cdrecord_t)
+ userdom_read_user_home_content_files($1,$1_cdrecord_t)
 # Handle nfs home dirs
 tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
@@ -138,9 +138,9 @@ template(`cdrecord_per_userdomain_template', `
 userdom_list_user_tmp($1,$1_cdrecord_t)
 userdom_read_user_tmp_files($1,$1_cdrecord_t)
 userdom_read_user_tmp_symlinks($1,$1_cdrecord_t)
- userdom_search_user_home($1,$1_cdrecord_t)
- userdom_read_user_home_files($1,$1_cdrecord_t)
- userdom_read_user_home_symlinks($1,$1_cdrecord_t)
+ userdom_search_user_home_dirs($1,$1_cdrecord_t)
+ userdom_read_user_home_content_files($1,$1_cdrecord_t)
+ userdom_read_user_home_content_symlinks($1,$1_cdrecord_t)
 ifdef(`enable_mls',`
 ',`
@@ -155,8 +155,8 @@ template(`cdrecord_per_userdomain_template', `
 fs_donaudit_read_removable_files($1_cdrecord_t)
 userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
 userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
- userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
- userdom_dontaudit_read_user_home_files($1,$1_cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
+ userdom_dontaudit_read_user_home_content_files($1,$1_cdrecord_t)
 ')
 # Handle default_t content
@@ -173,7 +173,7 @@ template(`cdrecord_per_userdomain_template', `
 tunable_policy(`cdrecord_read_content && read_untrusted_content',`
 files_list_tmp($1_cdrecord_t)
 files_list_home($1_cdrecord_t)
- userdom_search_user_home($1,$1_cdrecord_t)
+ userdom_search_user_home_dirs($1,$1_cdrecord_t)
 userdom_list_user_untrusted_content($1,$1_cdrecord_t)
 userdom_read_user_untrusted_content_files($1,$1_cdrecord_t)
@@ -184,7 +184,7 @@ template(`cdrecord_per_userdomain_template', `
 ',`
 files_dontaudit_list_tmp($1_cdrecord_t)
 files_dontaudit_list_home($1_cdrecord_t)
- userdom_dontaudit_list_user_home_dir($1,$1_cdrecord_t)
+ userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
 userdom_dontaudit_list_user_untrusted_content($1,$1_cdrecord_t)
 userdom_dontaudit_read_user_untrusted_content_files($1,$1_cdrecord_t)
 userdom_dontaudit_list_user_tmp_untrusted_content($1,$1_cdrecord_t)
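Review bot: `fs_donaudit_read_removable_files($1_cdrecord_t)`, the first context line of the cdrecord.if hunk at line 155, looks misspelled (`donaudit` for `dontaudit`); if no interface by that name exists, m4 leaves the call unexpanded and the stray text reaches the policy compiler, or, if the build happens to tolerate it, the intended dontaudit silently never applies and those denials keep landing in the audit log. Since this commit already rewrites the two lines directly below it, the correction belongs in the same sweep, presumably `fs_dontaudit_read_removable_files($1_cdrecord_t)`. The enclosing tunable_policy block starts outside the hunk.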
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index f45a3e5..ebe004f 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -59,7 +59,7 @@ template(`gpg_per_userdomain_template',`
 files_tmp_file($1_gpg_agent_tmp_t)
 type $1_gpg_secret_t;
- userdom_user_home_file($1,$1_gpg_secret_t)
+ userdom_user_home_content($1,$1_gpg_secret_t)
 type $1_gpg_helper_t;
 domain_type($1_gpg_helper_t)
@@ -243,7 +243,7 @@ template(`gpg_per_userdomain_template',`
 allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
 allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
 allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
- files_filetrans_tmp($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+ files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 corecmd_search_bin($1_gpg_agent_t)
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 3f01ad3..6dda6fd 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -48,14 +48,14 @@ template(`irc_per_userdomain_template',`
 role $3 types $1_irc_t;
 type $1_irc_exec_t;
- userdom_user_home_file($1,$1_irc_exec_t)
+ userdom_user_home_content($1,$1_irc_exec_t)
 domain_entry_file($1_irc_t,$1_irc_exec_t)
 type $1_irc_home_t;
- userdom_user_home_file($1,$1_irc_home_t)
+ userdom_user_home_content($1,$1_irc_home_t)
 type $1_irc_tmp_t;
- userdom_user_home_file($1,$1_irc_tmp_t)
+ userdom_user_home_content($1,$1_irc_tmp_t)
 ########################################
 #
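Review bot: `userdom_user_home_content($1,$1_irc_tmp_t)` in the irc.if hunk at line 48 keeps `$1_irc_tmp_t` declared as home-directory content, yet the same template uses it as the /tmp transition target (`files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,…)` in the hunk at line 79). A temporary-file type declared this way presumably lacks the attribute the generic tmp interfaces are keyed on, and picks up home-content access it does not need, so `files_tmp_file($1_irc_tmp_t)`, the declaration gpg.if uses for its agent tmp type in the hunk above, looks like what was intended. This is a pre-existing mismatch the rename carries forward rather than introduces, so it may be deliberate to keep the sweep mechanical; a follow-up would still be worthwhile. The enclosing template starts outside the hunk.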
@@ -71,7 +71,7 @@ template(`irc_per_userdomain_template',`
 allow $1_irc_t $1_irc_home_t:dir create_dir_perms;
 allow $1_irc_t $1_irc_home_t:file create_file_perms;
 allow $1_irc_t $1_irc_home_t:lnk_file create_lnk_perms;
- userdom_filetrans_user_home_dir($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
+ userdom_user_home_dir_filetrans($1,$1_irc_t,$1_irc_home_t,{ dir file lnk_file })
 # access files under /tmp
 allow $1_irc_t $1_irc_tmp_t:dir create_dir_perms;
@@ -79,7 +79,7 @@ template(`irc_per_userdomain_template',`
 allow $1_irc_t $1_irc_tmp_t:lnk_file create_lnk_perms;
 allow $1_irc_t $1_irc_tmp_t:sock_file create_file_perms;
 allow $1_irc_t $1_irc_tmp_t:fifo_file create_file_perms;
- files_filetrans_tmp($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
+ files_tmp_filetrans($1_irc_t,$1_irc_tmp_t,{ file dir lnk_file sock_file fifo_file })
 # Transition from the user domain to the derived domain.
 domain_auto_trans($2,irc_exec_t,$1_irc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 930d7a6..949ac27 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -68,14 +68,14 @@ template(`java_per_userdomain_template',`
 allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
 allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
+ files_tmp_filetrans($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
 allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
 allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_tmpfs_filetrans($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # cjp: rw_dir_perms here doesnt make sense
 allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
@@ -140,14 +140,14 @@ template(`java_per_userdomain_template',` sysnet_read_config($1_javaplugin_t) userdom_dontaudit_use_user_terminals($1,$1_javaplugin_t) - userdom_dontaudit_setattr_user_home_files($1,$1_javaplugin_t) - userdom_dontaudit_exec_user_home_files($1,$1_javaplugin_t) - userdom_manage_user_home_subdirs($1,$1_javaplugin_t) - userdom_manage_user_home_files($1,$1_javaplugin_t) - userdom_manage_user_home_symlinks($1,$1_javaplugin_t) - userdom_manage_user_home_pipes($1,$1_javaplugin_t) - userdom_manage_user_home_sockets($1,$1_javaplugin_t) - userdom_filetrans_user_home($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) + userdom_dontaudit_setattr_user_home_content_files($1,$1_javaplugin_t) + userdom_dontaudit_exec_user_home_content_files($1,$1_javaplugin_t) + userdom_manage_user_home_content_dirs($1,$1_javaplugin_t) + userdom_manage_user_home_content_files($1,$1_javaplugin_t) + userdom_manage_user_home_content_symlinks($1,$1_javaplugin_t) + userdom_manage_user_home_content_pipes($1,$1_javaplugin_t) + userdom_manage_user_home_content_sockets($1,$1_javaplugin_t) + userdom_user_home_dir_filetrans_user_home_content($1,$1_javaplugin_t,{ file lnk_file sock_file fifo_file }) # libdeploy.so legacy tunable_policy(`allow_execmem',` diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if index 6b94b13..f2c078d 100644 --- a/refpolicy/policy/modules/apps/lockdev.if +++ b/refpolicy/policy/modules/apps/lockdev.if @@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',` allow $1_lockdev_t $2:process sigchld; allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms; - files_filetrans_lock($1_lockdev_t,$1_lockdev_lock_t) + files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t) files_read_all_locks($1_lockdev_t) diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if index e443859..4478c4d 100644 --- a/refpolicy/policy/modules/apps/screen.if 
+++ b/refpolicy/policy/modules/apps/screen.if @@ -74,14 +74,14 @@ template(`screen_per_userdomain_template',` allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms; allow $1_screen_t $1_screen_tmp_t:file create_file_perms; allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms; - files_filetrans_tmp($1_screen_t, $1_screen_tmp_t, { file dir }) + files_tmp_filetrans($1_screen_t, $1_screen_tmp_t, { file dir }) # Create fifo allow $1_screen_t screen_dir_t:dir rw_dir_perms; allow $1_screen_t screen_dir_t:dir create_dir_perms; allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms; type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t; - files_filetrans_pid($1_screen_t,screen_dir_t,dir) + files_pid_filetrans($1_screen_t,screen_dir_t,dir) allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms; allow $1_screen_t $1_screen_ro_home_t:file r_file_perms; diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if index 49f02e5..1bf5022 100644 --- a/refpolicy/policy/modules/apps/tvtime.if +++ b/refpolicy/policy/modules/apps/tvtime.if @@ -45,7 +45,7 @@ template(`tvtime_per_userdomain_template',` role $3 types $1_tvtime_t; type $1_tvtime_home_t alias $1_tvtime_rw_t; - userdom_user_home_file($1,$1_tvtime_home_t) + userdom_user_home_content($1,$1_tvtime_home_t) files_poly_member($1_tvtime_home_t) type $1_tvtime_tmp_t; 
@@ -69,18 +69,18 @@ template(`tvtime_per_userdomain_template',` allow $1_tvtime_t $1_tvtime_home_t:file manage_file_perms; allow $1_tvtime_t $1_tvtime_home_t:lnk_file create_lnk_perms; type_transition $1_tvtime_t $1_home_dir_t:dir $1_tvtime_home_t; - userdom_filetrans_user_home_dir($1,$1_tvtime_t,$1_tvtime_home_t,dir) + userdom_user_home_dir_filetrans($1,$1_tvtime_t,$1_tvtime_home_t,dir) allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms; allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms; - files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file }) + files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file }) allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + fs_tmpfs_filetrans($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # Type transition domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t) @@ -128,7 +128,7 @@ template(`tvtime_per_userdomain_template',` miscfiles_read_fonts($1_tvtime_t) userdom_use_user_terminals($1,$1_tvtime_t) - userdom_read_user_home_files($1,$1_tvtime_t) + userdom_read_user_home_content_files($1,$1_tvtime_t) # X access, Home files tunable_policy(`use_nfs_home_dirs',` diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if index 54ea479..3e2fbc1 100644 --- a/refpolicy/policy/modules/apps/uml.if +++ b/refpolicy/policy/modules/apps/uml.if 
@@ -81,7 +81,7 @@ template(`uml_per_userdomain_template',` allow $1_uml_t $1_uml_tmp_t:dir create_dir_perms; allow $1_uml_t $1_uml_tmp_t:file create_file_perms; - files_filetrans_tmp($1_uml_t, $1_uml_tmp_t, { file dir }) + files_tmp_filetrans($1_uml_t, $1_uml_tmp_t, { file dir }) can_exec($1_uml_t, $1_uml_tmp_t) allow $1_uml_t $1_uml_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; @@ -89,7 +89,7 @@ template(`uml_per_userdomain_template',` allow $1_uml_t $1_uml_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow $1_uml_t $1_uml_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_uml_t $1_uml_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_filetrans_tmpfs($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + fs_tmpfs_filetrans($1_uml_t,$1_uml_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) can_exec($1_uml_t, $1_uml_tmpfs_t) # access config files @@ -102,7 +102,7 @@ template(`uml_per_userdomain_template',` allow $1_uml_t $1_uml_rw_t:lnk_file create_lnk_perms; allow $1_uml_t $1_uml_rw_t:sock_file create_file_perms; allow $1_uml_t $1_uml_rw_t:fifo_file create_file_perms; - userdom_filetrans_user_home_dir($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file }) + userdom_user_home_dir_filetrans($1,$1_uml_t,$1_uml_rw_t,{ file lnk_file sock_file fifo_file }) allow $2 uml_ro_t:dir r_dir_perms; allow $2 uml_ro_t:file r_file_perms; diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te index 3f54226..db58cf3 100644 --- a/refpolicy/policy/modules/apps/uml.te +++ b/refpolicy/policy/modules/apps/uml.te 
@@ -32,7 +32,7 @@ allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms; allow uml_switch_t uml_switch_var_run_t:file create_file_perms; allow uml_switch_t uml_switch_var_run_t:dir rw_dir_perms; -files_filetrans_pid(uml_switch_t,uml_switch_var_run_t,file) +files_pid_filetrans(uml_switch_t,uml_switch_var_run_t,file) kernel_read_kernel_sysctls(uml_switch_t) kernel_list_proc(uml_switch_t) @@ -58,7 +58,7 @@ logging_send_syslog_msg(uml_switch_t) miscfiles_read_localization(uml_switch_t) userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) -userdom_dontaudit_search_sysadm_home_dir(uml_switch_t) +userdom_dontaudit_search_sysadm_home_dirs(uml_switch_t) ifdef(`targeted_policy',` files_dontaudit_read_root_files(uml_switch_t) diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if index 0a1b067..ac9f205 100644 --- a/refpolicy/policy/modules/apps/userhelper.if +++ b/refpolicy/policy/modules/apps/userhelper.if @@ -105,7 +105,7 @@ template(`userhelper_per_userdomain_template',` files_list_var_lib($1_userhelper_t) # Write to utmp. - files_filetrans_pid($1_userhelper_t,initrc_var_run_t) + files_pid_filetrans($1_userhelper_t,initrc_var_run_t) # Read the /etc/security/default_type file files_read_etc_files($1_userhelper_t) # Read /var. @@ -153,7 +153,7 @@ template(`userhelper_per_userdomain_template',` seutil_read_config($1_userhelper_t) seutil_read_default_contexts($1_userhelper_t) - userdom_use_unpriv_users_fd($1_userhelper_t) + userdom_use_unpriv_users_fds($1_userhelper_t) # Allow $1_userhelper_t to transition to user domains. userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t) diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te index 04a815e..6200fae 100644 --- a/refpolicy/policy/modules/apps/webalizer.te 
+++ b/refpolicy/policy/modules/apps/webalizer.te @@ -50,11 +50,11 @@ allow webalizer_t webalizer_etc_t:file { getattr read }; allow webalizer_t webalizer_tmp_t:dir create_dir_perms; allow webalizer_t webalizer_tmp_t:file create_file_perms; -files_filetrans_tmp(webalizer_t, webalizer_tmp_t, { file dir }) +files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) allow webalizer_t webalizer_var_lib_t:file create_file_perms; allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms; -files_filetrans_var_lib(webalizer_t,webalizer_var_lib_t) +files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) @@ -86,8 +86,8 @@ miscfiles_read_localization(webalizer_t) sysnet_read_config(webalizer_t) -userdom_use_unpriv_users_fd(webalizer_t) -userdom_dontaudit_search_all_users_home(webalizer_t) +userdom_use_unpriv_users_fds(webalizer_t) +userdom_dontaudit_search_all_users_home_content(webalizer_t) apache_read_log(webalizer_t) apache_manage_sys_content(webalizer_t) diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if index 8242530..9927a33 100644 --- a/refpolicy/policy/modules/kernel/bootloader.if +++ b/refpolicy/policy/modules/kernel/bootloader.if @@ -447,9 +447,9 @@ interface(`bootloader_manage_kernel_modules',` ######################################## # -# bootloader_filetrans_modules(domain,privatetype,[class(es)]) +# bootloader_modules_filetrans(domain,privatetype,[class(es)]) # -interface(`bootloader_filetrans_modules',` +interface(`bootloader_modules_filetrans',` gen_require(` type modules_object_t; ') diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index a432466..3a510c1 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te 
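Review bot: The renamed interface definition in the bootloader.if hunk (`bootloader_filetrans_modules` to `bootloader_modules_filetrans`), and likewise `dev_filetrans_dev` in devices.if and the `files_*_filetrans` / `fs_tmpfs_filetrans` definitions in files.if and filesystem.if, drop the old names outright, so any policy module outside this tree that still calls an old name will presumably break at build time as an unexpanded m4 macro turning into a checkpolicy syntax error rather than a clear deprecation message. If out-of-tree callers are expected, keep each old name as a thin wrapper that forwards its arguments, e.g. `interface(`bootloader_filetrans_modules',` bootloader_modules_filetrans($1,$2,$3) ')`, and drop it in a later release. Each interface body continues past the `gen_require` block shown, and the `## ##` doc headers above the renamed `dev_filetrans` and `files_*_filetrans` definitions are outside these hunks, so whether they were updated to the new names cannot be checked here.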
@@ -80,16 +80,16 @@ allow bootloader_t boot_t:lnk_file create_lnk_perms; allow bootloader_t bootloader_etc_t:file r_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; -#files_filetrans_etc(bootloader_t,bootloader_etc_t) +#files_etc_filetrans(bootloader_t,bootloader_etc_t) allow bootloader_t bootloader_tmp_t:dir create_dir_perms; allow bootloader_t bootloader_tmp_t:file create_file_perms; allow bootloader_t bootloader_tmp_t:chr_file create_file_perms; allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; -files_filetrans_tmp(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) +files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) # for tune2fs (cjp: ?) -files_filetrans_root(bootloader_t,bootloader_tmp_t) +files_root_filetrans(bootloader_t,bootloader_tmp_t) allow bootloader_t modules_object_t:dir r_dir_perms; allow bootloader_t modules_object_t:file r_file_perms; @@ -228,8 +228,8 @@ optional_policy(`rpm',` ') optional_policy(`userdomain',` - userdom_dontaudit_search_staff_home_dir(bootloader_t) - userdom_dontaudit_search_sysadm_home_dir(bootloader_t) + userdom_dontaudit_search_staff_home_dirs(bootloader_t) + userdom_dontaudit_search_sysadm_home_dirs(bootloader_t) ') ifdef(`TODO',` diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index d037910..45a9d27 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if @@ -559,7 +559,7 @@ interface(`dev_manage_generic_chr_files',` ## ## # -interface(`dev_filetrans_dev',` +interface(`dev_filetrans',` gen_require(` type device_t; ') diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 73e5560..126f85d 100644 
--- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -968,7 +968,7 @@ interface(`files_list_root',` ## ## # -interface(`files_filetrans_root',` +interface(`files_root_filetrans',` gen_require(` type root_t; ') @@ -1500,9 +1500,9 @@ interface(`files_manage_etc_runtime_files',` ######################################## # -# files_filetrans_etc(domain,privatetype,[class(es)]) +# files_etc_filetrans(domain,privatetype,[class(es)]) # -interface(`files_filetrans_etc',` +interface(`files_etc_filetrans',` gen_require(` type etc_t; ') @@ -1883,7 +1883,7 @@ interface(`files_list_home',` ## ## # -interface(`files_filetrans_home',` +interface(`files_home_filetrans',` gen_require(` type home_root_t; ') @@ -2297,9 +2297,9 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## # -# files_filetrans_tmp(domain,private_type,[object class(es)]) +# files_tmp_filetrans(domain,private_type,[object class(es)]) # -interface(`files_filetrans_tmp',` +interface(`files_tmp_filetrans',` gen_require(` type tmp_t; ') @@ -2467,7 +2467,7 @@ interface(`files_read_usr_symlinks',` ## ## # -interface(`files_filetrans_usr',` +interface(`files_usr_filetrans',` gen_require(` type usr_t; ') @@ -2717,7 +2717,7 @@ interface(`files_manage_var_symlinks',` ## ## # -interface(`files_filetrans_var',` +interface(`files_var_filetrans',` gen_require(` type var_t; ') @@ -2807,7 +2807,7 @@ interface(`files_list_var_lib',` ## ## # -interface(`files_filetrans_var_lib',` +interface(`files_var_lib_filetrans',` gen_require(` type var_t, var_lib_t; ') @@ -3019,9 +3019,9 @@ interface(`files_read_all_locks',` ######################################## # -# files_filetrans_lock(domain,private_type,[object class(es)]) +# files_lock_filetrans(domain,private_type,[object class(es)]) # -interface(`files_filetrans_lock',` +interface(`files_lock_filetrans',` gen_require(` type var_t, var_lock_t; ') 
@@ -3102,9 +3102,9 @@ interface(`files_list_pids',` ######################################## # -# files_filetrans_pid(domain,pidfile,[object class(es)]) +# files_pid_filetrans(domain,pidfile,[object class(es)]) # -interface(`files_filetrans_pid',` +interface(`files_pid_filetrans',` gen_require(` type var_t, var_run_t; ') diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 0702509..c1d5981 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -2425,9 +2425,9 @@ interface(`fs_manage_tmpfs_dirs',` ######################################## # -# fs_filetrans_tmpfs(domain,derivedtype,[class]) +# fs_tmpfs_filetrans(domain,derivedtype,[class]) # -interface(`fs_filetrans_tmpfs',` +interface(`fs_tmpfs_filetrans',` gen_require(` type tmpfs_t; ') diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index 020b6cc..81152e9 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -183,7 +183,7 @@ interface(`storage_create_fixed_disk',` ') allow $1 fixed_disk_device_t:blk_file create_file_perms; - dev_filetrans_dev($1,fixed_disk_device_t,blk_file) + dev_filetrans($1,fixed_disk_device_t,blk_file) typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') @@ -225,7 +225,7 @@ interface(`storage_create_fixed_disk_tmpfs',` ') allow $1 fixed_disk_device_t:blk_file create_file_perms; - fs_filetrans_tmpfs($1,fixed_disk_device_t,blk_file) + fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file) typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index c5a1a7b..a4d9ca5 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if 
@@ -84,7 +84,7 @@ template(`apache_content_template',` allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms; allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms; allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms; - files_filetrans_tmp(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) + files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) @@ -274,7 +274,7 @@ template(`apache_per_userdomain_template', ` apache_content_template($1) typeattribute httpd_$1_content_t httpd_script_domains; - userdom_user_home_file($1,httpd_$1_content_t) + userdom_user_home_content($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; @@ -323,9 +323,9 @@ template(`apache_per_userdomain_template', ` # allow accessing files/dirs below the users home dir tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home($1,httpd_t) - userdom_search_user_home($1,httpd_suexec_t) - userdom_search_user_home($1,httpd_$1_script_t) + userdom_search_user_home_dirs($1,httpd_t) + userdom_search_user_home_dirs($1,httpd_suexec_t) + userdom_search_user_home_dirs($1,httpd_$1_script_t) ') ') diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 9704b48..39f988a 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te 
@@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read }; can_exec(httpd_t, httpd_exec_t) allow httpd_t httpd_lock_t:file create_file_perms; -files_filetrans_lock(httpd_t,httpd_lock_t) +files_lock_filetrans(httpd_t,httpd_lock_t) allow httpd_t httpd_log_t:dir { setattr rw_dir_perms }; allow httpd_t httpd_log_t:file { create ra_file_perms }; allow httpd_t httpd_log_t:lnk_file read; # cjp: need to refine create interfaces to # cut this back to add_name only -logging_filetrans_log(httpd_t,httpd_log_t) +logging_log_filetrans(httpd_t,httpd_log_t) allow httpd_t httpd_modules_t:file rx_file_perms; allow httpd_t httpd_modules_t:dir r_dir_perms; 
@@ -190,23 +190,23 @@ allow httpd_t httpd_sys_content_t:file r_file_perms; allow httpd_t httpd_tmp_t:dir create_dir_perms; allow httpd_t httpd_tmp_t:file create_file_perms; -files_filetrans_tmp(httpd_t, httpd_tmp_t, { file dir }) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir }) allow httpd_t httpd_tmpfs_t:dir create_dir_perms; allow httpd_t httpd_tmpfs_t:file create_file_perms; allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms; allow httpd_t httpd_tmpfs_t:sock_file create_file_perms; allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms; -fs_filetrans_tmpfs(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) allow httpd_t httpd_var_lib_t:file create_file_perms; allow httpd_t httpd_var_lib_t:dir rw_dir_perms; -files_filetrans_var_lib(httpd_t,httpd_var_lib_t) +files_var_lib_filetrans(httpd_t,httpd_var_lib_t) allow httpd_t httpd_var_run_t:file create_file_perms; allow httpd_t httpd_var_run_t:sock_file create_file_perms; allow httpd_t httpd_var_run_t:dir rw_dir_perms; -files_filetrans_pid(httpd_t,httpd_var_run_t, { file sock_file }) +files_pid_filetrans(httpd_t,httpd_var_run_t, { file sock_file }) allow httpd_t squirrelmail_spool_t:dir create_dir_perms; allow httpd_t squirrelmail_spool_t:file create_file_perms; @@ -281,8 +281,8 @@ seutil_dontaudit_search_config(httpd_t) sysnet_use_ldap(httpd_t) sysnet_read_config(httpd_t) -userdom_use_unpriv_users_fd(httpd_t) -userdom_dontaudit_search_sysadm_home_dir(httpd_t) +userdom_use_unpriv_users_fds(httpd_t) +userdom_dontaudit_search_sysadm_home_dirs(httpd_t) mta_send_mail(httpd_t) @@ -292,7 +292,7 @@ ifdef(`targeted_policy',` files_dontaudit_read_root_files(httpd_t) tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dir(httpd_t) + userdom_search_generic_user_home_dirs(httpd_t) ') ') 
@@ -494,7 +494,7 @@ allow httpd_php_t httpd_log_t:file ra_file_perms; allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms; allow httpd_php_t httpd_php_tmp_t:file create_file_perms; -files_filetrans_tmp(httpd_php_t, httpd_php_tmp_t, { file dir }) +files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) fs_search_auto_mountpoints(httpd_php_t) @@ -502,7 +502,7 @@ libs_exec_lib_files(httpd_php_t) libs_use_ld_so(httpd_php_t) libs_use_shared_libs(httpd_php_t) -userdom_use_unpriv_users_fd(httpd_php_t) +userdom_use_unpriv_users_fds(httpd_php_t) optional_policy(`mysql',` mysql_stream_connect(httpd_php_t) @@ -539,7 +539,7 @@ allow httpd_suexec_t httpd_t:fifo_file getattr; allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms; allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms; -files_filetrans_tmp(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) +files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) @@ -568,7 +568,7 @@ miscfiles_read_localization(httpd_suexec_t) ifdef(`targeted_policy',` tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dir(httpd_suexec_t) + userdom_search_generic_user_home_dirs(httpd_suexec_t) ') ') @@ -678,7 +678,7 @@ ifdef(`distro_redhat',` ifdef(`targeted_policy',` tunable_policy(`httpd_enable_homedirs',` - userdom_search_generic_user_home_dir(httpd_sys_script_t) + userdom_search_generic_user_home_dirs(httpd_sys_script_t) ') ') diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 79c914b..f0c11c0 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te 
@@ -72,16 +72,16 @@ allow apmd_t self:unix_dgram_socket create_socket_perms; allow apmd_t self:unix_stream_socket create_stream_socket_perms; allow apmd_t apmd_log_t:file create_file_perms; -logging_filetrans_log(apmd_t,apmd_log_t) +logging_log_filetrans(apmd_t,apmd_log_t) allow apmd_t apmd_tmp_t:dir create_dir_perms; allow apmd_t apmd_tmp_t:file create_file_perms; -files_filetrans_tmp(apmd_t, apmd_tmp_t, { file dir }) +files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) allow apmd_t apmd_var_run_t:dir rw_dir_perms; allow apmd_t apmd_var_run_t:file create_file_perms; allow apmd_t apmd_var_run_t:sock_file create_file_perms; -files_filetrans_pid(apmd_t, apmd_var_run_t, { file sock_file }) +files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(apmd_t) kernel_rw_all_sysctls(apmd_t) @@ -146,12 +146,12 @@ modutils_read_module_config(apmd_t) seutil_dontaudit_read_config(apmd_t) userdom_dontaudit_use_unpriv_user_fds(apmd_t) -userdom_dontaudit_search_sysadm_home_dir(apmd_t) -userdom_dontaudit_search_all_users_home(apmd_t) # Excessive? +userdom_dontaudit_search_sysadm_home_dirs(apmd_t) +userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive? ifdef(`distro_redhat',` allow apmd_t apmd_lock_t:file create_file_perms; - files_filetrans_lock(apmd_t,apmd_lock_t) + files_lock_filetrans(apmd_t,apmd_lock_t) can_exec(apmd_t, apmd_var_run_t) @@ -176,7 +176,7 @@ ifdef(`distro_redhat',` ifdef(`distro_suse',` allow apmd_t apmd_var_lib_t:file create_file_perms; allow apmd_t apmd_var_lib_t:dir create_dir_perms; - files_filetrans_var_lib(apmd_t,apmd_var_lib_t) + files_var_lib_filetrans(apmd_t,apmd_var_lib_t) ') ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index 871afbd..c8c9209 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te 
@@ -39,11 +39,11 @@ allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms; allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms; allow arpwatch_t arpwatch_tmp_t:file create_file_perms; -files_filetrans_tmp(arpwatch_t, arpwatch_tmp_t, { file dir }) +files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) allow arpwatch_t arpwatch_var_run_t:file create_file_perms; allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms; -files_filetrans_pid(arpwatch_t,arpwatch_var_run_t) +files_pid_filetrans(arpwatch_t,arpwatch_var_run_t) kernel_read_kernel_sysctls(arpwatch_t) kernel_list_proc(arpwatch_t) @@ -89,7 +89,7 @@ miscfiles_read_localization(arpwatch_t) sysnet_read_config(arpwatch_t) userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) -userdom_dontaudit_search_sysadm_home_dir(arpwatch_t) +userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t) mta_send_mail(arpwatch_t) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index ff2d8f6..d2d1202 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te 
@@ -42,20 +42,20 @@ allow automount_t automount_etc_t:file { getattr read }; can_exec(automount_t, automount_etc_t) allow automount_t automount_lock_t:file create_file_perms; -files_filetrans_lock(automount_t,automount_lock_t) +files_lock_filetrans(automount_t,automount_lock_t) allow automount_t automount_tmp_t:dir create_dir_perms; allow automount_t automount_tmp_t:file create_file_perms; -files_filetrans_tmp(automount_t, automount_tmp_t, { file dir }) +files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) # Allow automount to create and delete directories in / and /home allow automount_t automount_tmp_t:dir create_dir_perms; -files_filetrans_home(automount_t,automount_tmp_t) -files_filetrans_root(automount_t,automount_tmp_t,dir) +files_home_filetrans(automount_t,automount_tmp_t) +files_root_filetrans(automount_t,automount_tmp_t,dir) allow automount_t automount_var_run_t:file create_file_perms; allow automount_t automount_var_run_t:dir rw_dir_perms; -files_filetrans_pid(automount_t,automount_var_run_t) +files_pid_filetrans(automount_t,automount_var_run_t) kernel_read_kernel_sysctls(automount_t) kernel_read_fs_sysctls(automount_t) @@ -129,7 +129,7 @@ sysnet_use_ldap(automount_t) sysnet_read_config(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) -userdom_dontaudit_search_sysadm_home_dir(automount_t) +userdom_dontaudit_search_sysadm_home_dirs(automount_t) ifdef(`targeted_policy', ` files_dontaudit_read_root_files(automount_t) diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index 9dcfe25..1ebdfcb 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te 
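Review bot: In the automount.te hunk, `files_home_filetrans(automount_t,automount_tmp_t)` passes no object class while the sibling `files_root_filetrans(automount_t,automount_tmp_t,dir)` passes `dir`, yet the comment above both says they exist so automount can create and delete directories in / and /home. Unless `files_home_filetrans` defaults its class to `dir` (its body is in files.if, where this diff shows only the renamed header), directories created under /home would not receive the automount_tmp_t transition. Passing the class explicitly, `files_home_filetrans(automount_t,automount_tmp_t,dir)`, makes the two lines consistent and the stated intent checkable.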
@@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms; allow avahi_t avahi_var_run_t:sock_file create_file_perms; allow avahi_t avahi_var_run_t:file create_file_perms; allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr }; -files_filetrans_pid(avahi_t,avahi_var_run_t) +files_pid_filetrans(avahi_t,avahi_var_run_t) kernel_read_kernel_sysctls(avahi_t) kernel_list_proc(avahi_t) @@ -80,7 +80,7 @@ miscfiles_read_localization(avahi_t) sysnet_read_config(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) -userdom_dontaudit_search_sysadm_home_dir(avahi_t) +userdom_dontaudit_search_sysadm_home_dirs(avahi_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(avahi_t) diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index db63aa8..f79ebe7 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -76,16 +76,16 @@ can_exec(named_t, named_exec_t) allow named_t named_log_t:file create_file_perms; allow named_t named_log_t:dir rw_dir_perms; -logging_filetrans_log(named_t,named_log_t,{ file dir }) +logging_log_filetrans(named_t,named_log_t,{ file dir }) allow named_t named_tmp_t:dir create_dir_perms; allow named_t named_tmp_t:file create_file_perms; -files_filetrans_tmp(named_t, named_tmp_t, { file dir }) +files_tmp_filetrans(named_t, named_tmp_t, { file dir }) allow named_t named_var_run_t:dir rw_dir_perms; allow named_t named_var_run_t:file create_file_perms; allow named_t named_var_run_t:sock_file create_file_perms; -files_filetrans_pid(named_t,named_var_run_t,{ file sock_file }) +files_pid_filetrans(named_t,named_var_run_t,{ file sock_file }) # read zone files allow named_t named_zone_t:dir r_dir_perms; 
@@ -143,7 +143,7 @@ miscfiles_read_localization(named_t) sysnet_read_config(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) -userdom_dontaudit_search_sysadm_home_dir(named_t) +userdom_dontaudit_search_sysadm_home_dirs(named_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(named_t) diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 3a2d2e6..4215207 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -69,20 +69,20 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms; allow bluetooth_helper_t bluetooth_t:process sigchld; allow bluetooth_t bluetooth_lock_t:file create_file_perms; -files_filetrans_lock(bluetooth_t,bluetooth_lock_t) +files_lock_filetrans(bluetooth_t,bluetooth_lock_t) allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms; allow bluetooth_t bluetooth_tmp_t:file create_file_perms; -files_filetrans_tmp(bluetooth_t, bluetooth_tmp_t, { file dir }) +files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) allow bluetooth_t bluetooth_var_lib_t:file create_file_perms; allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms; -files_filetrans_var_lib(bluetooth_t,bluetooth_var_lib_t) +files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t) allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms; allow bluetooth_t bluetooth_var_run_t:file create_file_perms; allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms; -files_filetrans_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(bluetooth_t) kernel_read_system_state(bluetooth_t) 
@@ -135,7 +135,7 @@ sysnet_read_config(bluetooth_t) userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_sysadm_ptys(bluetooth_t) -userdom_dontaudit_search_sysadm_home_dir(bluetooth_t) +userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(bluetooth_t) @@ -175,7 +175,7 @@ allow bluetooth_helper_t bluetooth_t:socket { read write }; allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms; allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms; -files_filetrans_tmp(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir }) +files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir }) kernel_read_system_state(bluetooth_helper_t) kernel_read_kernel_sysctls(bluetooth_helper_t) @@ -202,7 +202,7 @@ logging_send_syslog_msg(bluetooth_helper_t) miscfiles_read_localization(bluetooth_helper_t) miscfiles_read_fonts(bluetooth_helper_t) -userdom_search_all_users_home(bluetooth_helper_t) +userdom_search_all_users_home_content(bluetooth_helper_t) optional_policy(`nscd',` nscd_socket_use(bluetooth_helper_t) diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index 92f4304..e8dd2f8 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te 
@@ -33,17 +33,17 @@ allow canna_t self:tcp_socket create_stream_socket_perms;
 allow canna_t canna_log_t:file create_file_perms;
 allow canna_t canna_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(canna_t,canna_log_t,{ file dir })
+logging_log_filetrans(canna_t,canna_log_t,{ file dir })
 allow canna_t canna_var_lib_t:dir create_dir_perms;
 allow canna_t canna_var_lib_t:file create_file_perms;
 allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
-files_filetrans_var_lib(canna_t,canna_var_lib_t)
+files_var_lib_filetrans(canna_t,canna_var_lib_t)
 allow canna_t canna_var_run_t:dir rw_dir_perms;
 allow canna_t canna_var_run_t:file create_file_perms;
 allow canna_t canna_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(canna_t, canna_var_run_t, { file sock_file })
+files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
@@ -85,7 +85,7 @@ miscfiles_read_localization(canna_t)
 sysnet_read_config(canna_t)
 userdom_dontaudit_use_unpriv_user_fds(canna_t)
-userdom_dontaudit_search_sysadm_home_dir(canna_t)
+userdom_dontaudit_search_sysadm_home_dirs(canna_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(canna_t)
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 0686a4b..5728688 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -33,11 +33,11 @@ allow comsat_t self:udp_socket create_socket_perms;
 allow comsat_t comsat_tmp_t:dir create_dir_perms;
 allow comsat_t comsat_tmp_t:file create_file_perms;
-files_filetrans_tmp(comsat_t, comsat_tmp_t, { file dir })
+files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
 allow comsat_t comsat_var_run_t:file create_file_perms;
 allow comsat_t comsat_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(comsat_t,comsat_var_run_t)
+files_pid_filetrans(comsat_t,comsat_var_run_t)
 kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 12318aa..ccaf8b9 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -141,14 +141,14 @@ template(`cron_per_userdomain_template',`
 userdom_manage_user_tmp_pipes($1,$1_crond_t)
 userdom_manage_user_tmp_sockets($1,$1_crond_t)
 # Run scripts in user home directory and access shared libs.
- userdom_exec_user_home_files($1,$1_crond_t)
+ userdom_exec_user_home_content_files($1,$1_crond_t)
 # Access user files and dirs.
 # userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
- userdom_manage_user_home_files($1,$1_crond_t)
- userdom_manage_user_home_symlinks($1,$1_crond_t)
- userdom_manage_user_home_pipes($1,$1_crond_t)
- userdom_manage_user_home_sockets($1,$1_crond_t)
-# userdom_filetrans_user_home($1,$1_crond_t,notdevfile_class_set)
+ userdom_manage_user_home_content_files($1,$1_crond_t)
+ userdom_manage_user_home_content_symlinks($1,$1_crond_t)
+ userdom_manage_user_home_content_pipes($1,$1_crond_t)
+ userdom_manage_user_home_content_sockets($1,$1_crond_t)
+# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
 tunable_policy(`fcron_crond', `
 allow crond_t $1_cron_spool_t:file create_file_perms;
@@ -242,7 +242,7 @@ template(`cron_per_userdomain_template',`
 # Access terminals.
 userdom_use_user_terminals($1,$1_crontab_t)
 # Read user crontabs
- userdom_read_user_home_files($1,$1_crontab_t)
+ userdom_read_user_home_content_files($1,$1_crontab_t)
 tunable_policy(`fcron_crond', `
 # fcron wants an instant update of a crontab change for the administrator
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 5dea9e5..b1ebb3d 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
 allow crond_t self:msg { send receive };
 allow crond_t crond_var_run_t:file create_file_perms;
-files_filetrans_pid(crond_t,crond_var_run_t)
+files_pid_filetrans(crond_t,crond_var_run_t)
 allow crond_t cron_spool_t:dir rw_dir_perms;
 allow crond_t cron_spool_t:file r_file_perms;
@@ -134,9 +134,9 @@ seutil_sigchld_newrole(crond_t)
 miscfiles_read_localization(crond_t)
-userdom_use_unpriv_users_fd(crond_t)
+userdom_use_unpriv_users_fds(crond_t)
 # Not sure why this is needed
-userdom_list_all_users_home_dir(crond_t)
+userdom_list_all_users_home_dirs(crond_t)
 ifdef(`distro_redhat', `
 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -152,24 +152,24 @@ ifdef(`targeted_policy',`
 allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
 allow crond_t system_crond_tmp_t:sock_file create_file_perms;
 allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
- files_filetrans_tmp(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+ files_tmp_filetrans(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
 unconfined_domain(crond_t)
 # cjp: fix this to generic_user interfaces
- userdom_manage_user_home_subdirs(user,crond_t)
- userdom_manage_generic_user_home_files(crond_t)
- userdom_manage_generic_user_home_symlinks(crond_t)
- userdom_manage_generic_user_home_sockets(crond_t)
- userdom_manage_generic_user_home_pipes(crond_t)
- userdom_filetrans_generic_user_home(crond_t,{ dir file lnk_file fifo_file sock_file })
+ userdom_manage_user_home_content_dirs(user,crond_t)
+ userdom_manage_generic_user_home_content_files(crond_t)
+ userdom_manage_generic_user_home_content_symlinks(crond_t)
+ userdom_manage_generic_user_home_content_sockets(crond_t)
+ userdom_manage_generic_user_home_content_pipes(crond_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(crond_t,{ dir file lnk_file fifo_file sock_file })
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t initrc_t:dbus send_msg;
 ',`
 allow crond_t crond_tmp_t:dir create_dir_perms;
 allow crond_t crond_tmp_t:file create_file_perms;
- files_filetrans_tmp(crond_t, crond_tmp_t, { file dir })
+ files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
 mta_send_mail(crond_t)
 ')
@@ -247,11 +247,11 @@ ifdef(`targeted_policy',`
 # Write /var/lock/makewhatis.lock.
 allow system_crond_t system_crond_lock_t:file create_file_perms;
- files_filetrans_lock(system_crond_t,system_crond_lock_t)
+ files_lock_filetrans(system_crond_t,system_crond_lock_t)
 # write temporary files
 allow system_crond_t system_crond_tmp_t:file create_file_perms;
- files_filetrans_tmp(system_crond_t,system_crond_tmp_t)
+ files_tmp_filetrans(system_crond_t,system_crond_tmp_t)
 # write temporary files in crond tmp dir:
 allow system_crond_t crond_tmp_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 7c30ba5..327f202 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -92,7 +92,7 @@ files_search_etc(cupsd_t)
 allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
 type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
-files_filetrans_var(cupsd_t,cupsd_rw_etc_t,{ dir file })
+files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file })
 # allow cups to execute its backend scripts
 can_exec(cupsd_t, cupsd_exec_t)
@@ -101,16 +101,16 @@ allow cupsd_t cupsd_exec_t:lnk_file read;
 allow cupsd_t cupsd_log_t:file create_file_perms;
 allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
-logging_filetrans_log(cupsd_t,cupsd_log_t,{ file dir })
+logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir })
 allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
 allow cupsd_t cupsd_tmp_t:file create_file_perms;
 allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
-files_filetrans_tmp(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
 allow cupsd_t cupsd_var_run_t:file create_file_perms;
 allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(cupsd_t,cupsd_var_run_t)
+files_pid_filetrans(cupsd_t,cupsd_var_run_t)
 allow cupsd_t hplip_var_run_t:file { read getattr };
@@ -190,7 +190,7 @@ seutil_dontaudit_read_config(cupsd_t)
 sysnet_read_config(cupsd_t)
 userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
-userdom_dontaudit_search_all_users_home(cupsd_t)
+userdom_dontaudit_search_all_users_home_content(cupsd_t)
 # Write to /var/spool/cups.
 lpd_manage_spool(cupsd_t)
@@ -299,11 +299,11 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
 allow ptal_t ptal_var_run_t:sock_file create_file_perms;
 allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_filetrans_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
+files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
 allow ptal_t ptal_var_run_t:file create_file_perms;
 allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(ptal_t,ptal_var_run_t)
+files_pid_filetrans(ptal_t,ptal_var_run_t)
 kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
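Review bot: In the ptal_t block of the `@@ -299` hunk, the renamed two-argument `files_pid_filetrans(ptal_t,ptal_var_run_t)` is fully subsumed by the `files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })` call three lines above it, since the two-argument form presumably covers only the default (file) class, and the `allow ptal_t ptal_var_run_t:file create_file_perms;` rule is likewise stated twice in the same hunk. The rename is mechanically correct, but this sweep is the natural moment to drop the redundant second `files_pid_filetrans(ptal_t,ptal_var_run_t)` and the duplicate allow rule so that the resulting policy has a single, obvious transition for ptal's /var/run content. A similar doubled pid filetrans appears in the cyrus.te hunk later in this diff.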
@@ -345,7 +345,7 @@ miscfiles_read_localization(ptal_t)
 sysnet_read_config(ptal_t)
 userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_all_users_home(ptal_t)
+userdom_dontaudit_search_all_users_home_content(ptal_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(ptal_t)
@@ -390,7 +390,7 @@ files_search_etc(hplip_t)
 allow hplip_t hplip_var_run_t:file create_file_perms;
 allow hplip_t hplip_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(hplip_t,hplip_var_run_t)
+files_pid_filetrans(hplip_t,hplip_var_run_t)
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
@@ -442,7 +442,7 @@ miscfiles_read_localization(hplip_t)
 sysnet_read_config(hplip_t)
 userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_sysadm_home_dir(hplip_t)
+userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 lpd_read_config(cupsd_t)
@@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
 allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
 allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(cupsd_config_t,cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t)
 can_exec(cupsd_config_t, cupsd_config_exec_t)
@@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
 allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
 allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_filetrans_var(cupsd_config_t,cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t)
 allow cupsd_config_t cupsd_var_run_t:file { getattr read };
@@ -563,7 +563,7 @@ seutil_dontaudit_search_config(cupsd_config_t)
 sysnet_read_config(cupsd_config_t)
 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
-userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t)
+userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
 ifdef(`distro_redhat',`
 init_getattr_script_files(cupsd_config_t)
@@ -678,11 +678,11 @@ allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
 allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
 allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
 allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
 allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t)
 allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index c4e324d..f2a985e 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -38,11 +38,11 @@ allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
 allow cvs_t cvs_tmp_t:dir create_dir_perms;
 allow cvs_t cvs_tmp_t:file create_file_perms;
-files_filetrans_tmp(cvs_t, cvs_tmp_t, { file dir })
+files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
 allow cvs_t cvs_var_run_t:file create_file_perms;
 allow cvs_t cvs_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(cvs_t,cvs_var_run_t)
+files_pid_filetrans(cvs_t,cvs_var_run_t)
 kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 7ca391f..7462a07 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -44,16 +44,16 @@ allow cyrus_t self:udp_socket create_socket_perms;
 allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
 allow cyrus_t cyrus_tmp_t:file create_file_perms;
-files_filetrans_tmp(cyrus_t, cyrus_tmp_t, { file dir })
+files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-files_filetrans_pid(cyrus_t,cyrus_var_run_t)
+files_pid_filetrans(cyrus_t,cyrus_var_run_t)
 allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
 allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
 allow cyrus_t cyrus_var_run_t:file create_file_perms;
-files_filetrans_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
+files_pid_filetrans(cyrus_t,cyrus_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
@@ -106,8 +106,8 @@ miscfiles_read_certs(cyrus_t)
 sysnet_read_config(cyrus_t)
 userdom_dontaudit_use_unpriv_user_fds(cyrus_t)
-userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
-userdom_use_unpriv_users_fd(cyrus_t)
+userdom_dontaudit_search_sysadm_home_dirs(cyrus_t)
+userdom_use_unpriv_users_fds(cyrus_t)
 userdom_use_sysadm_ptys(cyrus_t)
 mta_manage_spool(cyrus_t)
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index f3494c6..de7dffa 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -39,11 +39,11 @@ optional_policy(`kerberos',`
 allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
 allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
-files_filetrans_tmp(dbskkd_t, dbskkd_tmp_t, { file dir })
+files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
 allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
 allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(dbskkd_t,dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t,dbskkd_var_run_t)
 kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
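Review bot: In the `@@ -44` hunk of cyrus.te, the first `files_pid_filetrans(cyrus_t,cyrus_var_run_t)` sits directly under the `cyrus_var_lib_t` allow rules and is then restated, with `{ file sock_file }`, under the `cyrus_var_run_t` rules, so the first call reads as a copy-paste remnant that was meant to be the var_lib transition; as written, nothing here appears to label files cyrus_t creates under /var/lib as cyrus_var_lib_t, so they would presumably inherit the parent directory's type. The rename itself is mechanically correct, but since this commit introduces the `files_var_lib_filetrans` name and already uses it in canna.te and inn.te, I would change the first call to `files_var_lib_filetrans(cyrus_t,cyrus_var_lib_t)` rather than carry the duplicate forward. If the duplicate is intentional, a one-line comment saying why would stop the next reader from asking the same question.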
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 6c5f397..b96f17f 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -97,7 +97,7 @@ template(`dbus_per_userdomain_template',`
 allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
 allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+ files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
 domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
 allow $2 $1_dbusd_t:fd use;
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 6e80243..817e0b8 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -47,12 +47,12 @@ allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
 allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
 allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
-files_filetrans_tmp(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
 allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
 allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
 allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(system_dbusd_t,system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t)
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
@@ -108,7 +108,7 @@ seutil_read_default_contexts(system_dbusd_t)
 seutil_sigchld_newrole(system_dbusd_t)
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
-userdom_dontaudit_search_sysadm_home_dir(system_dbusd_t)
+userdom_dontaudit_search_sysadm_home_dirs(system_dbusd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 6f12f4c..501a064 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -41,15 +41,15 @@ can_exec(dhcpd_t,dhcpd_exec_t)
 allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
 allow dhcpd_t dhcpd_state_t:file create_file_perms;
-sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t)
 allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
 allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir })
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
 allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
 allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t,dhcpd_var_run_t)
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
@@ -103,7 +103,7 @@ sysnet_read_config(dhcpd_t)
 sysnet_read_dhcp_config(dhcpd_t)
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-userdom_dontaudit_search_sysadm_home_dir(dhcpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(dhcpd_t)
 ifdef(`distro_gentoo',`
 allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index b4abd00..5ba39e2 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -32,15 +32,15 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
 allow distccd_t self:udp_socket create_socket_perms;
 allow distccd_t distccd_log_t:file create_file_perms;
-logging_filetrans_log(distccd_t,distccd_log_t)
+logging_log_filetrans(distccd_t,distccd_log_t)
 allow distccd_t distccd_tmp_t:dir create_dir_perms;
 allow distccd_t distccd_tmp_t:file create_file_perms;
-files_filetrans_tmp(distccd_t, distccd_tmp_t, { file dir })
+files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
 allow distccd_t distccd_var_run_t:file create_file_perms;
 allow distccd_t distccd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(distccd_t,distccd_var_run_t)
+files_pid_filetrans(distccd_t,distccd_var_run_t)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
@@ -87,7 +87,7 @@ miscfiles_read_localization(distccd_t)
 sysnet_read_config(distccd_t)
 userdom_dontaudit_use_unpriv_user_fds(distccd_t)
-userdom_dontaudit_search_sysadm_home_dir(distccd_t)
+userdom_dontaudit_search_sysadm_home_dirs(distccd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(distccd_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index d1d8add..f1703b4 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
 allow dovecot_t dovecot_var_run_t:file create_file_perms;
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(dovecot_t,dovecot_var_run_t)
+files_pid_filetrans(dovecot_t,dovecot_var_run_t)
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
@@ -113,7 +113,7 @@ sysnet_read_config(dovecot_t)
 sysnet_use_ldap(dovecot_auth_t)
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
-userdom_dontaudit_search_sysadm_home_dir(dovecot_t)
+userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
 userdom_priveleged_home_dir_manager(dovecot_t)
 mta_manage_spool(dovecot_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index 07fc423..bda2585 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
 allow fetchmail_t fetchmail_etc_t:file r_file_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
-mta_filetrans_spool(fetchmail_t,fetchmail_uidl_cache_t)
+mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t)
 allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
 allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(fetchmail_t,fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t,fetchmail_var_run_t)
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
@@ -90,7 +90,7 @@ miscfiles_read_certs(fetchmail_t)
 sysnet_read_config(fetchmail_t)
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_sysadm_home_dir(fetchmail_t)
+userdom_dontaudit_search_sysadm_home_dirs(fetchmail_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 0764b3f..c6bae03 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
 allow fingerd_t fingerd_var_run_t:file create_file_perms;
 allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(fingerd_t,fingerd_var_run_t)
+files_pid_filetrans(fingerd_t,fingerd_var_run_t)
 allow fingerd_t fingerd_etc_t:file r_file_perms;
 allow fingerd_t fingerd_etc_t:dir r_dir_perms;
 allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
 allow fingerd_t fingerd_log_t:file create_file_perms;
-logging_filetrans_log(fingerd_t,fingerd_log_t)
+logging_log_filetrans(fingerd_t,fingerd_log_t)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
@@ -97,9 +97,9 @@ sysnet_read_config(fingerd_t)
 miscfiles_read_localization(fingerd_t)
-userdom_read_unpriv_users_home_files(fingerd_t)
+userdom_read_unpriv_users_home_content_files(fingerd_t)
 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
-userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
+userdom_dontaudit_search_sysadm_home_dirs(fingerd_t)
 # stop it accessing sub-directories, prevents checking a Maildir for new mail,
 # have to change this when we create a type for Maildir
 userdom_dontaudit_search_generic_user_home_dirs(fingerd_t)
diff --git a/refpolicy/policy/modules/services/ftp.if b/refpolicy/policy/modules/services/ftp.if
index 7e3738a..9b89315 100644
--- a/refpolicy/policy/modules/services/ftp.if
+++ b/refpolicy/policy/modules/services/ftp.if
@@ -25,11 +25,11 @@
 #
 template(`ftp_per_userdomain_template',`
 tunable_policy(`ftpd_is_daemon',`
- userdom_manage_user_home_files($1,ftpd_t)
- userdom_manage_user_home_symlinks($1,ftpd_t)
- userdom_manage_user_home_sockets($1,ftpd_t)
- userdom_manage_user_home_pipes($1,ftpd_t)
- userdom_filetrans_user_home($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content_files($1,ftpd_t)
+ userdom_manage_user_home_content_symlinks($1,ftpd_t)
+ userdom_manage_user_home_content_sockets($1,ftpd_t)
+ userdom_manage_user_home_content_pipes($1,ftpd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file })
 ')
 ')
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index bb23ecb..eccdf54 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -48,22 +48,22 @@ allow ftpd_t ftpd_etc_t:file r_file_perms;
 allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
 allow ftpd_t ftpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(ftpd_t, ftpd_tmp_t, { file dir })
+files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir })
 allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
 allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
 allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
 allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
 allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
-fs_filetrans_tmpfs(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow ftpd_t ftpd_var_run_t:file create_file_perms;
 allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(ftpd_t,ftpd_var_run_t)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t)
 # Create and modify /var/log/xferlog.
 allow ftpd_t xferlog_t:file create_file_perms;
-logging_filetrans_log(ftpd_t,xferlog_t)
+logging_log_filetrans(ftpd_t,xferlog_t)
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
@@ -126,7 +126,7 @@ seutil_dontaudit_search_config(ftpd_t)
 sysnet_read_config(ftpd_t)
-userdom_dontaudit_search_sysadm_home_dir(ftpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 ifdef(`targeted_policy',`
@@ -137,11 +137,11 @@ ifdef(`targeted_policy',`
 optional_policy(`ftp',`
 tunable_policy(`ftpd_is_daemon',`
- userdom_manage_generic_user_home_files(ftpd_t)
- userdom_manage_generic_user_home_symlinks(ftpd_t)
- userdom_manage_generic_user_home_sockets(ftpd_t)
- userdom_manage_generic_user_home_pipes(ftpd_t)
- userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_manage_generic_user_home_content_files(ftpd_t)
+ userdom_manage_generic_user_home_content_symlinks(ftpd_t)
+ userdom_manage_generic_user_home_content_sockets(ftpd_t)
+ userdom_manage_generic_user_home_content_pipes(ftpd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
 ')
 ')
 ')
@@ -153,19 +153,19 @@ tunable_policy(`allow_ftpd_anon_write',`
 tunable_policy(`ftp_home_dir',`
 # allow access to /home
 files_list_home(ftpd_t)
- userdom_read_all_users_home_files(ftpd_t)
- userdom_manage_all_users_home_dirs(ftpd_t)
- userdom_manage_all_users_home_files(ftpd_t)
- userdom_manage_all_users_home_symlinks(ftpd_t)
+ userdom_read_all_users_home_content_files(ftpd_t)
+ userdom_manage_all_users_home_content_dirs(ftpd_t)
+ userdom_manage_all_users_home_content_files(ftpd_t)
+ userdom_manage_all_users_home_content_symlinks(ftpd_t)
 ifdef(`targeted_policy',`
- userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
 ')
 ')
 tunable_policy(`ftpd_is_daemon',`
 allow ftpd_t ftpd_lock_t:file create_file_perms;
- files_filetrans_lock(ftpd_t,ftpd_lock_t)
+ files_lock_filetrans(ftpd_t,ftpd_lock_t)
 corenet_tcp_bind_ftp_port(ftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index a485568..37fa597 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -36,14 +36,14 @@ allow gpm_t gpm_conf_t:lnk_file { getattr read };
 allow gpm_t gpm_tmp_t:dir create_dir_perms;
 allow gpm_t gpm_tmp_t:file create_file_perms;
-files_filetrans_tmp(gpm_t, gpm_tmp_t, { file dir })
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
 allow gpm_t gpm_var_run_t:file create_file_perms;
-files_filetrans_pid(gpm_t,gpm_var_run_t)
+files_pid_filetrans(gpm_t,gpm_var_run_t)
 allow gpm_t gpmctl_t:sock_file create_file_perms;
 allow gpm_t gpmctl_t:fifo_file create_file_perms;
-dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
+dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file })
 # cjp: this has no effect
 allow gpm_t gpmctl_t:unix_stream_socket name_bind;
@@ -76,7 +76,7 @@ logging_send_syslog_msg(gpm_t)
 miscfiles_read_localization(gpm_t)
 userdom_dontaudit_use_unpriv_user_fds(gpm_t)
-userdom_dontaudit_search_sysadm_home_dir(gpm_t)
+userdom_dontaudit_search_sysadm_home_dirs(gpm_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(gpm_t)
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 29ba45d..2a40ace 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -38,11 +38,11 @@ allow hald_t self:netlink_socket create_socket_perms;
 allow hald_t hald_tmp_t:dir create_dir_perms;
 allow hald_t hald_tmp_t:file create_file_perms;
-files_filetrans_tmp(hald_t, hald_tmp_t, { file dir })
+files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
 allow hald_t hald_var_run_t:file create_file_perms;
 allow hald_t hald_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(hald_t,hald_var_run_t)
+files_pid_filetrans(hald_t,hald_var_run_t)
 kernel_read_system_state(hald_t)
 kernel_read_network_state(hald_t)
@@ -141,7 +141,7 @@ seutil_read_default_contexts(hald_t)
 sysnet_read_config(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
-userdom_dontaudit_search_sysadm_home_dir(hald_t)
+userdom_dontaudit_search_sysadm_home_dirs(hald_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(hald_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index fb388d1..d49c0be 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
 allow howl_t howl_var_run_t:file create_file_perms;
 allow howl_t howl_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(howl_t,howl_var_run_t)
+files_pid_filetrans(howl_t,howl_var_run_t)
 kernel_read_network_state(howl_t)
 kernel_read_kernel_sysctls(howl_t)
@@ -74,7 +74,7 @@ miscfiles_read_localization(howl_t)
 sysnet_read_config(howl_t)
 userdom_dontaudit_use_unpriv_user_fds(howl_t)
-userdom_dontaudit_search_sysadm_home_dir(howl_t)
+userdom_dontaudit_search_sysadm_home_dirs(howl_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(howl_t)
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index d279f8f..8e7904a 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
 allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
 allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
 allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(i18n_input_t,i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t,i18n_input_var_run_t)
 can_exec(i18n_input_t, i18n_input_exec_t)
@@ -83,8 +83,8 @@ miscfiles_read_localization(i18n_input_t)
 sysnet_read_config(i18n_input_t)
 userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
-userdom_dontaudit_search_sysadm_home_dir(i18n_input_t)
-userdom_read_unpriv_users_home_files(i18n_input_t)
+userdom_dontaudit_search_sysadm_home_dirs(i18n_input_t)
+userdom_read_unpriv_users_home_content_files(i18n_input_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(i18n_input_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 3bfecd8..767e5df 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
 allow inetd_t self:udp_socket { connect connected_socket_perms };
 allow inetd_t inetd_log_t:file create_file_perms;
-logging_filetrans_log(inetd_t,inetd_log_t)
+logging_log_filetrans(inetd_t,inetd_log_t)
 allow inetd_t inetd_tmp_t:dir create_dir_perms;
 allow inetd_t inetd_tmp_t:file create_file_perms;
-files_filetrans_tmp(inetd_t, inetd_tmp_t, { file dir })
+files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
 allow inetd_t inetd_var_run_t:file create_file_perms;
-files_filetrans_pid(inetd_t,inetd_var_run_t)
+files_pid_filetrans(inetd_t,inetd_var_run_t)
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
@@ -119,7 +119,7 @@ miscfiles_read_localization(inetd_t)
 sysnet_read_config(inetd_t)
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
-userdom_dontaudit_search_sysadm_home_dir(inetd_t)
+userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(inetd_t)
@@ -175,11 +175,11 @@ files_search_home(inetd_child_t)
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
-files_filetrans_tmp(inetd_child_t, inetd_child_tmp_t, { file dir })
+files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(inetd_child_t,inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t,inetd_child_var_run_t)
kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_system_state(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 5a65b0d..af05b80 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
allow innd_t innd_log_t:file manage_file_perms;
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
-logging_filetrans_log(innd_t,innd_log_t)
+logging_log_filetrans(innd_t,innd_log_t)
allow innd_t innd_var_lib_t:dir create_dir_perms;
allow innd_t innd_var_lib_t:file create_file_perms;
-files_filetrans_var_lib(innd_t,innd_var_lib_t)
+files_var_lib_filetrans(innd_t,innd_var_lib_t)
allow innd_t innd_var_run_t:dir create_dir_perms;
allow innd_t innd_var_run_t:file create_file_perms;
allow innd_t innd_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(innd_t,innd_var_run_t)
+files_pid_filetrans(innd_t,innd_var_run_t)
allow innd_t news_spool_t:dir create_dir_perms;
allow innd_t news_spool_t:file create_file_perms;
@@ -112,7 +112,7 @@ seutil_dontaudit_search_config(innd_t)
sysnet_read_config(innd_t)
userdom_dontaudit_use_unpriv_user_fds(innd_t)
-userdom_dontaudit_search_sysadm_home_dir(innd_t)
+userdom_dontaudit_search_sysadm_home_dirs(innd_t)
mta_send_mail(innd_t)
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index 9273682..477dcd9 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(irqbalance_t,irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t,irqbalance_var_run_t)
kernel_read_system_state(irqbalance_t)
kernel_read_kernel_sysctls(irqbalance_t)
@@ -52,7 +52,7 @@ logging_send_syslog_msg(irqbalance_t)
miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
-userdom_dontaudit_search_sysadm_home_dir(irqbalance_t)
+userdom_dontaudit_search_sysadm_home_dirs(irqbalance_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(irqbalance_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 482827d..3a22cbf 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
allow kadmind_t kadmind_log_t:file create_file_perms;
-logging_filetrans_log(kadmind_t,kadmind_log_t)
+logging_log_filetrans(kadmind_t,kadmind_log_t)
allow kadmind_t krb5_conf_t:file r_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -77,11 +77,11 @@ can_exec(kadmind_t, kadmind_exec_t)
allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
allow kadmind_t kadmind_tmp_t:file create_file_perms;
-files_filetrans_tmp(kadmind_t, kadmind_tmp_t, { file dir })
+files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
allow kadmind_t kadmind_var_run_t:file create_file_perms;
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(kadmind_t,kadmind_var_run_t)
+files_pid_filetrans(kadmind_t,kadmind_var_run_t)
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
@@ -129,7 +129,7 @@ miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-userdom_dontaudit_search_sysadm_home_dir(kadmind_t)
+userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(kadmind_t)
@@ -172,18 +172,18 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
-logging_filetrans_log(krb5kdc_t,krb5kdc_log_t)
+logging_log_filetrans(krb5kdc_t,krb5kdc_log_t)
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
-files_filetrans_tmp(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(krb5kdc_t,krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
@@ -229,7 +229,7 @@ miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t)
+userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 284c1c3..7e2ee1a 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -40,11 +40,11 @@ optional_policy(`kerberos',`
allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
-files_filetrans_tmp(ktalkd_t, ktalkd_tmp_t, { file dir })
+files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(ktalkd_t,ktalkd_var_run_t)
+files_pid_filetrans(ktalkd_t,ktalkd_var_run_t)
kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 6c4ddfc..ac2a356 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
allow slapd_t slapd_etc_t:file { getattr read };
allow slapd_t slapd_lock_t:file create_file_perms;
-files_filetrans_lock(slapd_t,slapd_lock_t)
+files_lock_filetrans(slapd_t,slapd_lock_t)
# Allow access to write the replication log (should tighten this)
allow slapd_t slapd_replog_t:dir create_dir_perms;
@@ -68,11 +68,11 @@ allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
allow slapd_t slapd_tmp_t:dir create_dir_perms;
allow slapd_t slapd_tmp_t:file create_file_perms;
-files_filetrans_tmp(slapd_t, slapd_tmp_t, { file dir })
+files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
allow slapd_t slapd_var_run_t:file create_file_perms;
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(slapd_t,slapd_var_run_t)
+files_pid_filetrans(slapd_t,slapd_var_run_t)
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@@ -121,17 +121,17 @@ miscfiles_read_localization(slapd_t)
sysnet_read_config(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
-userdom_dontaudit_search_sysadm_home_dir(slapd_t)
+userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
ifdef(`targeted_policy',`
#reh slapcat will want to talk to the terminal
term_use_generic_ptys(slapd_t)
term_use_unallocated_ttys(slapd_t)
- userdom_search_generic_user_home_dir(slapd_t)
+ userdom_search_generic_user_home_dirs(slapd_t)
#need to be able to read ldif files created by root
# cjp: fix to not use templated interface:
- userdom_read_user_home_files(user,slapd_t)
+ userdom_read_user_home_content_files(user,slapd_t)
term_dontaudit_use_unallocated_ttys(slapd_t)
term_dontaudit_use_generic_ptys(slapd_t)
diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if
index 7f22955..da7e607 100644
--- a/refpolicy/policy/modules/services/lpd.if
+++ b/refpolicy/policy/modules/services/lpd.if
@@ -81,7 +81,7 @@ template(`lpd_per_userdomain_template',`
allow $1_lpr_t $1_lpr_tmp_t:dir create_dir_perms;
allow $1_lpr_t $1_lpr_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_lpr_t, $1_lpr_tmp_t, { file dir })
+ files_tmp_filetrans($1_lpr_t, $1_lpr_tmp_t, { file dir })
allow $1_lpr_t $1_print_spool_t:file create_file_perms;
allow $1_lpr_t print_spool_t:dir rw_dir_perms;
@@ -162,7 +162,7 @@ template(`lpd_per_userdomain_template',`
tunable_policy(`read_untrusted_content',`
#list and read user specific untrusted content
files_list_home($1_lpr_t)
- userdom_list_user_home($1,$1_lpr_t)
+ userdom_list_user_home_dirs($1,$1_lpr_t)
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
#list and read user specific temporary untrusted content
@@ -234,7 +234,7 @@ template(`lpr_admin_template',`
type $1_lpr_t;
')
- userdom_read_all_users_home_files($1_lpr_t)
+ userdom_read_all_users_home_content_files($1_lpr_t)
# Allow per user lpr domain read acces for specific user.
tunable_policy(`read_untrusted_content',`
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 265095c..ef2913c 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms };
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t checkpc_log_t:file create_file_perms;
-logging_filetrans_log(checkpc_t,checkpc_log_t)
+logging_log_filetrans(checkpc_t,checkpc_log_t)
allow checkpc_t lpd_var_run_t:dir { search getattr };
files_search_pids(checkpc_t)
@@ -130,12 +130,12 @@ allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t lpd_tmp_t:dir create_dir_perms;
allow lpd_t lpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(lpd_t, lpd_tmp_t, { file dir })
+files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
allow lpd_t lpd_var_run_t:dir rw_dir_perms;
allow lpd_t lpd_var_run_t:file create_file_perms;
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(lpd_t,lpd_var_run_t)
+files_pid_filetrans(lpd_t,lpd_var_run_t)
# Write to /var/spool/lpd.
allow lpd_t print_spool_t:dir rw_dir_perms;
@@ -149,7 +149,7 @@ can_exec(lpd_t, printconf_t)
# Create and bind to /dev/printer.
allow lpd_t printer_t:lnk_file create_lnk_perms;
-dev_filetrans_dev(lpd_t,printer_t,lnk_file)
+dev_filetrans(lpd_t,printer_t,lnk_file)
# cjp: I believe these have no effect:
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
@@ -215,7 +215,7 @@ miscfiles_read_localization(lpd_t)
sysnet_read_config(lpd_t)
userdom_dontaudit_use_unpriv_user_fds(lpd_t)
-userdom_dontaudit_search_sysadm_home_dir(lpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(lpd_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(lpd_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index 38f683a..b63b610 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -37,15 +37,15 @@ template(`mailman_domain_template', `
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t mailman_lock_t:file create_file_perms;
- files_filetrans_lock(mailman_$1_t,mailman_lock_t)
+ files_lock_filetrans(mailman_$1_t,mailman_lock_t)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
allow mailman_$1_t mailman_log_t:file create_file_perms;
- logging_filetrans_log(mailman_$1_t,mailman_log_t)
+ logging_log_filetrans(mailman_$1_t,mailman_log_t)
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
- files_filetrans_tmp(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+ files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
kernel_read_kernel_sysctls(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index 1f6880b..de1c248 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -98,8 +98,8 @@ seutil_dontaudit_search_config(mailman_queue_t)
# some of the following could probably be changed to dontaudit, someone who
# knows mailman well should test this out and send the changes
-userdom_search_sysadm_home_dir(mailman_queue_t)
-userdom_getattr_sysadm_home_dir(mailman_queue_t)
+userdom_search_sysadm_home_dirs(mailman_queue_t)
+userdom_getattr_sysadm_home_dirs(mailman_queue_t)
mta_tcp_connect_all_mailservers(mailman_queue_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 6b60171..3888dce 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -118,7 +118,7 @@ template(`mta_base_mail_template',`
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_mail_t, $1_mail_tmp_t, { file dir })
+ files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
@@ -214,16 +214,16 @@ template(`mta_per_userdomain_template',`
# Write to the user domain tty. cjp: why?
userdom_use_user_terminals($1,mta_user_agent)
# Create dead.letter in user home directories.
- userdom_manage_user_home_files($1,$1_mail_t)
- userdom_filetrans_user_home($1,$1_mail_t,file)
+ userdom_manage_user_home_content_files($1,$1_mail_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,$1_mail_t,file)
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
- userdom_manage_user_home_subdirs($1,mailserver_delivery)
- userdom_manage_user_home_files($1,mailserver_delivery)
- userdom_manage_user_home_symlinks($1,mailserver_delivery)
- userdom_manage_user_home_pipes($1,mailserver_delivery)
- userdom_manage_user_home_sockets($1,mailserver_delivery)
- userdom_filetrans_user_home($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
+ userdom_manage_user_home_content_dirs($1,mailserver_delivery)
+ userdom_manage_user_home_content_files($1,mailserver_delivery)
+ userdom_manage_user_home_content_symlinks($1,mailserver_delivery)
+ userdom_manage_user_home_content_pipes($1,mailserver_delivery)
+ userdom_manage_user_home_content_sockets($1,mailserver_delivery)
+ userdom_user_home_dir_filetrans_user_home_content($1,mailserver_delivery,{ dir file lnk_file fifo_file sock_file })
# Read user temporary files.
userdom_read_user_tmp_files($1,$1_mail_t)
userdom_dontaudit_append_user_tmp_files($1,$1_mail_t)
@@ -279,7 +279,7 @@ template(`mta_admin_template',`
ifdef(`strict_policy',`
# allow the sysadmin to do "mail someone < /home/user/whatever"
- userdom_read_unpriv_users_home_files($1_mail_t)
+ userdom_read_unpriv_users_home_content_files($1_mail_t)
')
optional_policy(`postfix',`
@@ -295,7 +295,7 @@ template(`mta_admin_template',`
allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
- files_filetrans_etc($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+ files_etc_filetrans($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
# postfix needs this for newaliases
files_getattr_tmp_dirs($1_mail_t)
@@ -304,7 +304,7 @@ template(`mta_admin_template',`
ifdef(`distro_redhat',`
# compatability for old default main.cf
- postfix_filetrans_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ postfix_config_filetrans($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
')
')
@@ -534,12 +534,12 @@ interface(`mta_read_aliases',`
##
##
#
-interface(`mta_filetrans_aliases',`
+interface(`mta_etc_filetrans_aliases',`
gen_require(`
type etc_aliases_t;
')
- files_filetrans_etc($1,etc_aliases_t, file)
+ files_etc_filetrans($1,etc_aliases_t, file)
')
#######################################
@@ -661,7 +661,7 @@ interface(`mta_dontaudit_getattr_spool_files',`
##
##
#
-interface(`mta_filetrans_spool',`
+interface(`mta_spool_filetrans',`
gen_require(`
type mail_spool_t;
')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index b7f2cf1..df81f21 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -77,12 +77,12 @@ ifdef(`targeted_policy',`
# for reading .forward - maybe we need a new type for it?
# also for delivering mail to maildir
# cjp: fix this to generic_user interfaces
- userdom_manage_user_home_subdirs(user,mailserver_delivery)
- userdom_manage_generic_user_home_files(mailserver_delivery)
- userdom_manage_generic_user_home_symlinks(mailserver_delivery)
- userdom_manage_generic_user_home_sockets(mailserver_delivery)
- userdom_manage_generic_user_home_pipes(mailserver_delivery)
- userdom_filetrans_generic_user_home(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content_dirs(user,mailserver_delivery)
+ userdom_manage_generic_user_home_content_files(mailserver_delivery)
+ userdom_manage_generic_user_home_content_symlinks(mailserver_delivery)
+ userdom_manage_generic_user_home_content_sockets(mailserver_delivery)
+ userdom_manage_generic_user_home_content_pipes(mailserver_delivery)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(mailserver_delivery,{ dir file lnk_file sock_file fifo_file })
# cjp: another require-in-else to resolve
# optional_policy(`postfix',`',`
@@ -140,7 +140,7 @@ optional_policy(`postfix',`
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
allow system_mail_t etc_aliases_t:sock_file create_file_perms;
allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
- files_filetrans_etc(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+ files_etc_filetrans(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -153,7 +153,7 @@ optional_policy(`postfix',`
ifdef(`distro_redhat',`
# compatability for old default main.cf
- postfix_filetrans_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index aa6dc58..0e3f1cd 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -42,23 +42,23 @@ allow mysqld_t self:udp_socket create_socket_perms;
allow mysqld_t mysqld_db_t:dir create_dir_perms;
allow mysqld_t mysqld_db_t:file create_file_perms;
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
-files_filetrans_var_lib(mysqld_t,mysqld_db_t,{ dir file })
+files_var_lib_filetrans(mysqld_t,mysqld_db_t,{ dir file })
allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file create_file_perms;
-logging_filetrans_log(mysqld_t,mysqld_log_t)
+logging_log_filetrans(mysqld_t,mysqld_log_t)
allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
allow mysqld_t mysqld_tmp_t:file create_file_perms;
-files_filetrans_tmp(mysqld_t, mysqld_tmp_t, { file dir })
+files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
allow mysqld_t mysqld_var_run_t:file create_file_perms;
-files_filetrans_pid(mysqld_t,mysqld_var_run_t)
+files_pid_filetrans(mysqld_t,mysqld_var_run_t)
kernel_list_proc(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
@@ -108,7 +108,7 @@ sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
# for /root/.my.cnf - should not be needed:
-userdom_read_sysadm_home_files(mysqld_t)
+userdom_read_sysadm_home_content_files(mysqld_t)
ifdef(`distro_redhat',`
# because Fedora has the sock_file in the database directory
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 189b266..7529c39 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -32,7 +32,7 @@ allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
allow NetworkManager_t NetworkManager_var_run_t:dir create_dir_perms;
allow NetworkManager_t NetworkManager_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
+files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
@@ -103,10 +103,10 @@ sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
-sysnet_filetrans_config(NetworkManager_t)
+sysnet_etc_filetrans_config(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
-userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
+userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t)
userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 590597a..f2a9f22 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -54,11 +54,11 @@ allow ypbind_t self:udp_socket create_socket_perms;
allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
allow ypbind_t ypbind_tmp_t:file create_file_perms;
-files_filetrans_tmp(ypbind_t, ypbind_tmp_t, { file dir })
+files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
allow ypbind_t ypbind_var_run_t:file manage_file_perms;
allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(ypbind_t,ypbind_var_run_t)
+files_pid_filetrans(ypbind_t,ypbind_var_run_t)
allow ypbind_t var_yp_t:dir rw_dir_perms;
allow ypbind_t var_yp_t:file create_file_perms;
@@ -113,7 +113,7 @@ miscfiles_read_localization(ypbind_t)
sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
-userdom_dontaudit_search_sysadm_home_dir(ypbind_t)
+userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
portmap_udp_send(ypbind_t)
@@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(yppasswdd_t,yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t)
allow yppasswdd_t var_yp_t:dir rw_dir_perms;
allow yppasswdd_t var_yp_t:file create_file_perms;
@@ -214,7 +214,7 @@ miscfiles_read_localization(yppasswdd_t)
sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
-userdom_dontaudit_search_sysadm_home_dir(yppasswdd_t)
+userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
portmap_udp_send(yppasswdd_t)
@@ -256,11 +256,11 @@ allow ypserv_t ypserv_conf_t:file { getattr read };
allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
allow ypserv_t ypserv_tmp_t:file create_file_perms;
-files_filetrans_tmp(ypserv_t, ypserv_tmp_t, { file dir })
+files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
-files_filetrans_pid(ypserv_t,ypserv_var_run_t)
+files_pid_filetrans(ypserv_t,ypserv_var_run_t)
kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
@@ -309,7 +309,7 @@ miscfiles_read_localization(ypserv_t)
sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
-userdom_dontaudit_search_sysadm_home_dir(ypserv_t)
+userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
portmap_udp_send(ypserv_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 1fbb726..9604862 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -45,12 +45,12 @@ allow nscd_t self:udp_socket create_socket_perms;
allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file create_file_perms;
-logging_filetrans_log(nscd_t,nscd_log_t)
+logging_log_filetrans(nscd_t,nscd_log_t)
allow nscd_t nscd_var_run_t:file create_file_perms;
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
allow nscd_t nscd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(nscd_t,nscd_var_run_t,{ file sock_file })
+files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
@@ -111,7 +111,7 @@ seutil_sigchld_newrole(nscd_t)
sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-userdom_dontaudit_search_sysadm_home_dir(nscd_t)
+userdom_dontaudit_search_sysadm_home_dirs(nscd_t)
ifdef(`targeted_policy',`
term_use_unallocated_ttys(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 990ff20..1bc5d90 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -49,16 +49,16 @@ can_exec(ntpd_t,ntpd_exec_t)
allow ntpd_t ntpd_log_t:file create_file_perms;
allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(ntpd_t,ntpd_log_t,{ file dir })
+logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
# for some reason it creates a file in /tmp
allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
allow ntpd_t ntpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(ntpd_t, ntpd_tmp_t, { file dir })
+files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
allow ntpd_t ntpd_var_run_t:file create_file_perms;
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(ntpd_t,ntpd_var_run_t)
+files_pid_filetrans(ntpd_t,ntpd_var_run_t)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
@@ -113,8 +113,8 @@ miscfiles_read_localization(ntpd_t)
sysnet_read_config(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
-userdom_list_sysadm_home_dir(ntpd_t)
-userdom_dontaudit_list_sysadm_home_dir(ntpd_t)
+userdom_list_sysadm_home_dirs(ntpd_t)
+userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(ntpd_t)
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index 3c10585..57bf22b 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
allow openct_t openct_var_run_t:file create_file_perms;
allow openct_t openct_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(openct_t,openct_var_run_t)
+files_pid_filetrans(openct_t,openct_var_run_t)
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
@@ -54,7 +54,7 @@ logging_send_syslog_msg(openct_t)
miscfiles_read_localization(openct_t)
userdom_dontaudit_use_unpriv_user_fds(openct_t)
-userdom_dontaudit_search_sysadm_home_dir(openct_t)
+userdom_dontaudit_search_sysadm_home_dirs(openct_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(openct_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index a7805de..e1eb171 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
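Review bot: `userdom_list_sysadm_home_dirs(ntpd_t)` and `userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)` are kept as a pair in the ntp.te hunk, but a dontaudit rule has no effect on an access that is already allowed, so one of the two lines is dead. Most other daemons touched by this patch carry only the dontaudit form for the sysadm home directory and nothing here explains why a time daemon needs to list it, so dropping the allow and keeping `userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)` looks like the least-privilege resolution; if the listing is genuinely required, the dontaudit line is the one to remove. ppp.te (`@@ -170`) has the same allow/dontaudit overlap with `userdom_dontaudit_search_sysadm_home_dirs(pppd_t)` followed a few lines later by `userdom_search_sysadm_home_dirs(pppd_t)`; there the ~/.ppprc comment suggests the allow is the intended one and the dontaudit is the redundant line.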
@@ -54,12 +54,12 @@ allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
allow pegasus_t pegasus_tmp_t:file create_file_perms;
-files_filetrans_tmp(pegasus_t, pegasus_tmp_t, { file dir })
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
allow pegasus_t pegasus_var_run_t:file create_file_perms;
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(pegasus_t,pegasus_var_run_t)
+files_pid_filetrans(pegasus_t,pegasus_var_run_t)
kernel_read_kernel_sysctls(pegasus_t)
kernel_read_fs_sysctls(pegasus_t)
@@ -109,7 +109,7 @@ miscfiles_read_localization(pegasus_t)
sysnet_read_config(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
-userdom_dontaudit_search_sysadm_home_dir(pegasus_t)
+userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(pegasus_t)
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index aca993b..46bddd5 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -36,11 +36,11 @@ allow portmap_t self:udp_socket create_socket_perms;
allow portmap_t portmap_tmp_t:dir create_dir_perms;
allow portmap_t portmap_tmp_t:file create_file_perms;
-files_filetrans_tmp(portmap_t, portmap_tmp_t, { file dir })
+files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
allow portmap_t portmap_var_run_t:file create_file_perms;
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(portmap_t,portmap_var_run_t)
+files_pid_filetrans(portmap_t,portmap_var_run_t)
kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
@@ -95,7 +95,7 @@ miscfiles_read_localization(portmap_t)
sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
-userdom_dontaudit_search_sysadm_home_dir(portmap_t)
+userdom_dontaudit_search_sysadm_home_dirs(portmap_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(portmap_t)
@@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
-files_filetrans_pid(portmap_helper_t,portmap_var_run_t)
+files_pid_filetrans(portmap_helper_t,portmap_var_run_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index d3c86c2..fe36911 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -45,7 +45,7 @@ template(`postfix_domain_template',`
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
- files_filetrans_pid(postfix_$1_t,postfix_var_run_t)
+ files_pid_filetrans(postfix_$1_t,postfix_var_run_t)
kernel_read_system_state(postfix_$1_t)
kernel_read_network_state(postfix_$1_t)
@@ -216,7 +216,7 @@ interface(`postfix_read_config',`
##
##
#
-interface(`postfix_filetrans_config',`
+interface(`postfix_config_filetrans',`
gen_require(`
type postfix_etc_t;
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 31794c4..b38aeee 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -257,7 +257,7 @@ allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
-files_filetrans_tmp(postfix_local_t, postfix_local_tmp_t, { file dir })
+files_tmp_filetrans(postfix_local_t, postfix_local_tmp_t, { file dir })
# connect to master process
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
@@ -301,7 +301,7 @@ allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
-files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
+files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 477b642..4a9ca6e 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -48,7 +48,7 @@ allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
allow postgresql_t postgresql_db_t:file create_file_perms;
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
-files_filetrans_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
allow postgresql_t postgresql_etc_t:dir r_dir_perms;
allow postgresql_t postgresql_etc_t:file r_file_perms;
@@ -58,24 +58,24 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 can_exec(postgresql_t, postgresql_exec_t )
 allow postgresql_t postgresql_lock_t:file create_file_perms;
-files_filetrans_lock(postgresql_t,postgresql_lock_t)
+files_lock_filetrans(postgresql_t,postgresql_lock_t)
 allow postgresql_t postgresql_log_t:dir rw_dir_perms;
 allow postgresql_t postgresql_log_t:file create_file_perms;
-logging_filetrans_log(postgresql_t,postgresql_log_t,{ file dir })
+logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
 allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
 allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
 allow postgresql_t postgresql_tmp_t:file create_file_perms;
 allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
 allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
-files_filetrans_tmp(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_filetrans_tmpfs(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
 allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
 allow postgresql_t postgresql_var_run_t:file create_file_perms;
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(postgresql_t,postgresql_var_run_t)
+files_pid_filetrans(postgresql_t,postgresql_var_run_t)
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
@@ -136,7 +136,7 @@ seutil_dontaudit_search_config(postgresql_t)
 sysnet_read_config(postgresql_t)
-userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
+userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
 userdom_dontaudit_use_sysadm_ttys(postgresql_t)
 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 941f901..864bdc3 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -80,23 +80,23 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
 allow pppd_t pppd_etc_t:dir rw_dir_perms;
 allow pppd_t pppd_etc_t:file r_file_perms;
 allow pppd_t pppd_etc_t:lnk_file { getattr read };
-files_filetrans_etc(pppd_t,pppd_etc_t)
+files_etc_filetrans(pppd_t,pppd_etc_t)
 allow pppd_t pppd_etc_rw_t:file create_file_perms;
 allow pppd_t pppd_lock_t:file create_file_perms;
-files_filetrans_lock(pppd_t,pppd_lock_t)
+files_lock_filetrans(pppd_t,pppd_lock_t)
 allow pppd_t pppd_log_t:file create_file_perms;
-logging_filetrans_log(pppd_t,pppd_log_t)
+logging_log_filetrans(pppd_t,pppd_log_t)
 allow pppd_t pppd_tmp_t:dir create_dir_perms;
 allow pppd_t pppd_tmp_t:file create_file_perms;
-files_filetrans_tmp(pppd_t, pppd_tmp_t, { file dir })
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
 allow pppd_t pppd_var_run_t:dir rw_dir_perms;
 allow pppd_t pppd_var_run_t:file create_file_perms;
-files_filetrans_pid(pppd_t,pppd_var_run_t)
+files_pid_filetrans(pppd_t,pppd_var_run_t)
 allow pppd_t pptp_t:process signal;
@@ -170,10 +170,10 @@ sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
-userdom_dontaudit_search_sysadm_home_dir(pppd_t)
+userdom_dontaudit_search_sysadm_home_dirs(pppd_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-userdom_search_sysadm_home_dir(pppd_t)
+userdom_search_sysadm_home_dirs(pppd_t)
 userdom_search_unpriv_users_home_dirs(pppd_t)
 ifdef(`targeted_policy', `
@@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
 allow pptp_t pppd_log_t:file append;
 allow pptp_t pptp_log_t:file create_file_perms;
-logging_filetrans_log(pptp_t,pptp_log_t)
+logging_log_filetrans(pptp_t,pptp_log_t)
 allow pptp_t pptp_var_run_t:file create_file_perms;
 allow pptp_t pptp_var_run_t:dir rw_dir_perms;
 allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(pptp_t,pptp_var_run_t)
+files_pid_filetrans(pptp_t,pptp_var_run_t)
 kernel_list_proc(pptp_t)
 kernel_read_kernel_sysctls(pptp_t)
@@ -294,7 +294,7 @@ miscfiles_read_localization(pptp_t)
 sysnet_read_config(pptp_t)
 userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-userdom_dontaudit_search_sysadm_home_dir(pptp_t)
+userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(pptp_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index 00d5514..df6d6e4 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
 allow privoxy_t privoxy_log_t:file create_file_perms;
 allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_filetrans_log(privoxy_t,privoxy_log_t)
+logging_log_filetrans(privoxy_t,privoxy_log_t)
 allow privoxy_t privoxy_var_run_t:file create_file_perms;
 allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(privoxy_t,privoxy_var_run_t)
+files_pid_filetrans(privoxy_t,privoxy_var_run_t)
 kernel_read_kernel_sysctls(privoxy_t)
 kernel_list_proc(privoxy_t)
@@ -76,7 +76,7 @@ miscfiles_read_localization(privoxy_t)
 sysnet_dns_name_resolve(privoxy_t)
 userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
-userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
+userdom_dontaudit_search_sysadm_home_dirs(privoxy_t)
 # cjp: this should really not be needed
 userdom_use_sysadm_terms(privoxy_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index 7e38643..a5fd87c 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -65,8 +65,8 @@ miscfiles_read_localization(procmail_t)
 # only works until we define a different type for maildir
 userdom_priveleged_home_dir_manager(procmail_t)
 # Do not audit attempts to access /root.
-userdom_dontaudit_search_sysadm_home_dir(procmail_t)
-userdom_dontaudit_search_staff_home_dir(procmail_t)
+userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
+userdom_dontaudit_search_staff_home_dirs(procmail_t)
 mta_manage_spool(procmail_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 6ee1d51..01ebb54 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -41,11 +41,11 @@ files_search_etc(radiusd_t)
 allow radiusd_t radiusd_log_t:file create_file_perms;
 allow radiusd_t radiusd_log_t:dir create_dir_perms;
-logging_filetrans_log(radiusd_t,radiusd_log_t,{ file dir })
+logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
 allow radiusd_t radiusd_var_run_t:file create_file_perms;
 allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(radiusd_t,radiusd_var_run_t)
+files_pid_filetrans(radiusd_t,radiusd_var_run_t)
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
@@ -100,7 +100,7 @@ miscfiles_read_localization(radiusd_t)
 sysnet_read_config(radiusd_t)
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
-userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
+userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index 7a6fb7c..c80d3bf 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
 allow radvd_t radvd_var_run_t:file create_file_perms;
 allow radvd_t radvd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(radvd_t,radvd_var_run_t)
+files_pid_filetrans(radvd_t,radvd_var_run_t)
 kernel_read_kernel_sysctls(radvd_t)
 kernel_read_net_sysctls(radvd_t)
@@ -76,7 +76,7 @@ miscfiles_read_localization(radvd_t)
 sysnet_read_config(radvd_t)
 userdom_dontaudit_use_unpriv_user_fds(radvd_t)
-userdom_dontaudit_search_sysadm_home_dir(radvd_t)
+userdom_dontaudit_search_sysadm_home_dirs(radvd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(radvd_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 675e8f5..838748f 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -40,7 +40,7 @@ allow remote_login_t self:msg { send receive };
 allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
 allow remote_login_t remote_login_tmp_t:file create_file_perms;
-files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
+files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
 kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctls(remote_login_t)
@@ -120,8 +120,8 @@ sysnet_dns_name_resolve(remote_login_t)
 miscfiles_read_localization(remote_login_t)
-userdom_use_unpriv_users_fd(remote_login_t)
-userdom_search_all_users_home(remote_login_t)
+userdom_use_unpriv_users_fds(remote_login_t)
+userdom_search_all_users_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
 # since very weak authentication is used.
 userdom_signal_unpriv_users(remote_login_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 31655e7..3ad6d0c 100644
--- a/refpolicy/policy/modules/services/rlogin.te
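Review bot: The replacement `userdom_search_all_users_home_content(remote_login_t)` names a wider scope than the removed `userdom_search_all_users_home`, since this same diff keeps `_home_dirs` and `_home_content` apart elsewhere (for example `userdom_search_user_home_dirs` in ssh.if); if the userdom interface was widened rather than merely renamed, a daemon the existing comment says relies on very weak authentication gains search over everything beneath users' home directories rather than the directories alone. The same substitution lands in rshd.te and in `ssh_server_template` in ssh.if, and the parallel `userdom_read_all_users_home_content_files(rlogind_t)` in rlogin.te sits under the existing `# cjp: this is egregious` comment. The interface bodies are outside this diff, so the thing to confirm is that the new name grants exactly the old access; a comment such as `# search of the home directory itself is all login needs; confirm home_content does not widen this` would record the intended scope next to the call. The ssh.if occurrences are inside a template whose start and end lie outside their hunks.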
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -41,11 +41,11 @@ can_exec(rlogind_t, rlogind_exec_t)
 allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
 allow rlogind_t rlogind_tmp_t:file create_file_perms;
-files_filetrans_tmp(rlogind_t, rlogind_tmp_t, { file dir })
+files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
 allow rlogind_t rlogind_var_run_t:file create_file_perms;
 allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(rlogind_t,rlogind_var_run_t)
+files_pid_filetrans(rlogind_t,rlogind_var_run_t)
 kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
@@ -90,7 +90,7 @@ sysnet_read_config(rlogind_t)
 userdom_setattr_unpriv_users_ptys(rlogind_t)
 # cjp: this is egregious
-userdom_read_all_users_home_files(rlogind_t)
+userdom_read_all_users_home_content_files(rlogind_t)
 remotelogin_domtrans(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index 1a04c2e..50168fb 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -30,11 +30,11 @@ allow roundup_t self:udp_socket create_socket_perms;
 allow roundup_t roundup_var_run_t:file create_file_perms;
 allow roundup_t roundup_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(roundup_t,roundup_var_run_t)
+files_pid_filetrans(roundup_t,roundup_var_run_t)
 allow roundup_t roundup_var_lib_t:file create_file_perms;
 allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
-files_filetrans_var_lib(roundup_t,roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t,roundup_var_lib_t)
 kernel_read_kernel_sysctls(roundup_t)
 kernel_list_proc(roundup_t)
@@ -86,7 +86,7 @@ miscfiles_read_localization(roundup_t)
 sysnet_read_config(roundup_t)
 userdom_dontaudit_use_unpriv_user_fds(roundup_t)
-userdom_dontaudit_search_sysadm_home_dir(roundup_t)
+userdom_dontaudit_search_sysadm_home_dirs(roundup_t)
 ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(roundup_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 2611e71..741c612 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -43,7 +43,7 @@ allow rpcd_t self:file { getattr read };
 allow rpcd_t rpcd_var_run_t:file manage_file_perms;
 allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
-files_filetrans_pid(rpcd_t,rpcd_var_run_t)
+files_pid_filetrans(rpcd_t,rpcd_var_run_t)
 kernel_search_network_state(rpcd_t)
 # for rpc.rquotad
@@ -124,7 +124,7 @@ allow gssd_t self:fifo_file { read write };
 allow gssd_t gssd_tmp_t:dir create_dir_perms;
 allow gssd_t gssd_tmp_t:file create_file_perms;
-files_filetrans_tmp(gssd_t, gssd_tmp_t, { file dir })
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 6069c54..0d78310 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -65,7 +65,7 @@ seutil_read_default_contexts(rshd_t)
 sysnet_read_config(rshd_t)
-userdom_search_all_users_home(rshd_t)
+userdom_search_all_users_home_content(rshd_t)
 ifdef(`targeted_policy',`
 unconfined_domain(rshd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 5b4b55e..2939b65 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -44,11 +44,11 @@ allow rsync_t rsync_data_t:lnk_file r_file_perms;
 allow rsync_t rsync_tmp_t:dir create_dir_perms;
 allow rsync_t rsync_tmp_t:file create_file_perms;
-files_filetrans_tmp(rsync_t, rsync_tmp_t, { file dir })
+files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
 allow rsync_t rsync_var_run_t:file create_file_perms;
 allow rsync_t rsync_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(rsync_t,rsync_var_run_t)
+files_pid_filetrans(rsync_t,rsync_var_run_t)
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 3e5a308..a38a6ea 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -33,11 +33,11 @@ template(`samba_per_userdomain_template',`
 ')
 tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_files($1,smbd_t)
- userdom_manage_user_home_symlinks($1,smbd_t)
- userdom_manage_user_home_sockets($1,smbd_t)
- userdom_manage_user_home_pipes($1,smbd_t)
- userdom_filetrans_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content_files($1,smbd_t)
+ userdom_manage_user_home_content_symlinks($1,smbd_t)
+ userdom_manage_user_home_content_sockets($1,smbd_t)
+ userdom_manage_user_home_content_pipes($1,smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
 ')
 ')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 25dc988..9d72348 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -103,7 +103,7 @@ type_transition samba_net_t samba_etc_t:file samba_secrets_t;
 allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
 allow samba_net_t samba_net_tmp_t:file create_file_perms;
-files_filetrans_tmp(samba_net_t, samba_net_tmp_t, { file dir })
+files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 allow samba_net_t samba_var_t:dir rw_dir_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
@@ -139,7 +139,7 @@ miscfiles_read_localization(samba_net_t)
 sysnet_read_config(samba_net_t)
-userdom_dontaudit_search_sysadm_home_dir(samba_net_t)
+userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
 ifdef(`targeted_policy',`
 term_use_generic_ptys(samba_net_t)
@@ -212,14 +212,14 @@ allow smbd_t samba_var_t:sock_file create_file_perms;
 allow smbd_t smbd_tmp_t:dir create_dir_perms;
 allow smbd_t smbd_tmp_t:file create_file_perms;
-files_filetrans_tmp(smbd_t, smbd_tmp_t, { file dir })
+files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 allow smbd_t nmbd_var_run_t:file rw_file_perms;
 allow smbd_t smbd_var_run_t:dir create_dir_perms;
 allow smbd_t smbd_var_run_t:file create_file_perms;
 allow smbd_t smbd_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(smbd_t,smbd_var_run_t)
+files_pid_filetrans(smbd_t,smbd_var_run_t)
 allow smbd_t winbind_var_run_t:sock_file { read write getattr };
@@ -284,9 +284,9 @@ mount_send_nfs_client_request(smbd_t)
 sysnet_read_config(smbd_t)
-userdom_dontaudit_search_sysadm_home_dir(smbd_t)
+userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
-userdom_use_unpriv_users_fd(smbd_t)
+userdom_use_unpriv_users_fds(smbd_t)
 ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(smbd_t)
@@ -356,7 +356,7 @@ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow nmbd_t nmbd_var_run_t:file create_file_perms;
 allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(nmbd_t,nmbd_var_run_t)
+files_pid_filetrans(nmbd_t,nmbd_var_run_t)
 allow nmbd_t samba_etc_t:dir { search getattr };
 allow nmbd_t samba_etc_t:file { getattr read };
@@ -415,9 +415,9 @@ miscfiles_read_localization(nmbd_t)
 sysnet_read_config(nmbd_t)
-userdom_dontaudit_search_sysadm_home_dir(nmbd_t)
+userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
 userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
-userdom_use_unpriv_users_fd(nmbd_t)
+userdom_use_unpriv_users_fds(nmbd_t)
 ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(nmbd_t)
@@ -559,11 +559,11 @@ allow swat_t smbd_var_run_t:file read;
 allow swat_t swat_tmp_t:dir create_dir_perms;
 allow swat_t swat_tmp_t:file create_file_perms;
-files_filetrans_tmp(swat_t, swat_tmp_t, { file dir })
+files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 allow swat_t swat_var_run_t:file create_file_perms;
 allow swat_t swat_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(swat_t,swat_var_run_t)
+files_pid_filetrans(swat_t,swat_var_run_t)
 allow swat_t winbind_exec_t:file execute;
@@ -652,16 +652,16 @@ allow winbind_t samba_var_t:file create_file_perms;
 allow winbind_t samba_var_t:lnk_file create_lnk_perms;
 allow winbind_t winbind_log_t:file create_file_perms;
-logging_filetrans_log(winbind_t,winbind_log_t)
+logging_log_filetrans(winbind_t,winbind_log_t)
 allow winbind_t winbind_tmp_t:dir create_dir_perms;
 allow winbind_t winbind_tmp_t:file create_file_perms;
-files_filetrans_tmp(winbind_t, winbind_tmp_t, { file dir })
+files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
 allow winbind_t winbind_var_run_t:file create_file_perms;
 allow winbind_t winbind_var_run_t:sock_file create_file_perms;
 allow winbind_t winbind_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(winbind_t,winbind_var_run_t)
+files_pid_filetrans(winbind_t,winbind_var_run_t)
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
@@ -708,7 +708,7 @@ sysnet_read_config(winbind_t)
 sysnet_dns_name_resolve(winbind_t)
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_dontaudit_search_sysadm_home_dir(winbind_t)
+userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index c3fe9f6..f45f555 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -29,7 +29,7 @@ allow saslauthd_t self:tcp_socket create_socket_perms;
 allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
 allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
 allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(saslauthd_t,saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t,saslauthd_var_run_t)
 kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
@@ -79,7 +79,7 @@ seutil_dontaudit_read_config(saslauthd_t)
 sysnet_read_config(saslauthd_t)
 userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
-userdom_dontaudit_search_sysadm_home_dir(saslauthd_t)
+userdom_dontaudit_search_sysadm_home_dirs(saslauthd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 28872b0..6af71b9 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -110,5 +110,5 @@ interface(`sendmail_create_log',`
 type sendmail_log_t;
 ')
- logging_filetrans_log($1,sendmail_log_t,file)
+ logging_log_filetrans($1,sendmail_log_t,file)
 ')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index c47c717..a03daf5 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -35,7 +35,7 @@ allow sendmail_t self:udp_socket create_socket_perms;
 allow sendmail_t sendmail_log_t:file create_file_perms;
 allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(sendmail_t,sendmail_log_t,{ file dir })
+logging_log_filetrans(sendmail_t,sendmail_log_t,{ file dir })
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
@@ -92,10 +92,10 @@ miscfiles_read_localization(sendmail_t)
 sysnet_read_config(sendmail_t)
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
-userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
+userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
 mta_read_config(sendmail_t)
-mta_filetrans_aliases(sendmail_t)
+mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
 mta_rw_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
@@ -110,10 +110,10 @@ ifdef(`targeted_policy',`
 ',`
 allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
 allow sendmail_t sendmail_tmp_t:file create_file_perms;
- files_filetrans_tmp(sendmail_t, sendmail_tmp_t, { file dir })
+ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
 allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
- files_filetrans_pid(sendmail_t,sendmail_var_run_t)
+ files_pid_filetrans(sendmail_t,sendmail_var_run_t)
 ')
 optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index 1c5679e..da215c1 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -28,7 +28,7 @@ dontaudit slrnpull_t self:capability sys_tty_config;
 allow slrnpull_t self:process signal_perms;
 allow slrnpull_t slrnpull_log_t:file create_file_perms;
-logging_filetrans_log(slrnpull_t,slrnpull_log_t)
+logging_log_filetrans(slrnpull_t,slrnpull_log_t)
 allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
 allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
@@ -38,7 +38,7 @@ files_search_spool(slrnpull_t)
 allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
 allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(slrnpull_t,slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t,slrnpull_var_run_t)
 kernel_list_proc(slrnpull_t)
 kernel_read_kernel_sysctls(slrnpull_t)
@@ -66,7 +66,7 @@ logging_send_syslog_msg(slrnpull_t)
 miscfiles_read_localization(slrnpull_t)
 userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
-userdom_dontaudit_search_sysadm_home_dir(slrnpull_t)
+userdom_dontaudit_search_sysadm_home_dirs(slrnpull_t)
 ifdef(`targeted_policy',`
 files_dontaudit_read_root_files(slrnpull_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index dffd659..d0b84a1 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -31,11 +31,11 @@ allow fsdaemon_t self:udp_socket create_socket_perms;
 allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms;
 allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms;
-files_filetrans_tmp(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
 allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
 allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(fsdaemon_t,fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t)
 kernel_read_kernel_sysctls(fsdaemon_t)
 kernel_read_software_raid_state(fsdaemon_t)
@@ -86,7 +86,7 @@ miscfiles_read_localization(fsdaemon_t)
 sysnet_read_config(fsdaemon_t)
 userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
-userdom_dontaudit_search_sysadm_home_dir(fsdaemon_t)
+userdom_dontaudit_search_sysadm_home_dirs(fsdaemon_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 8da42d7..db1fd25 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -36,18 +36,18 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms;
 allow snmpd_t snmpd_etc_t:file { getattr read };
 allow snmpd_t snmpd_log_t:file create_file_perms;
-logging_filetrans_log(snmpd_t,snmpd_log_t)
+logging_log_filetrans(snmpd_t,snmpd_log_t)
 allow snmpd_t snmpd_var_lib_t:file create_file_perms;
 allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
 allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
-files_filetrans_usr(snmpd_t,snmpd_var_lib_t)
-files_filetrans_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
-files_filetrans_var_lib(snmpd_t,snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t,snmpd_var_lib_t)
+files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t)
 allow snmpd_t snmpd_var_run_t:file create_file_perms;
 allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(snmpd_t,snmpd_var_run_t)
+files_pid_filetrans(snmpd_t,snmpd_var_run_t)
 kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
@@ -114,7 +114,7 @@ seutil_dontaudit_search_config(snmpd_t)
 sysnet_read_config(snmpd_t)
 userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
-userdom_dontaudit_search_sysadm_home_dir(snmpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(snmpd_t)
 ifdef(`distro_redhat', `
 optional_policy(`rpm',`
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index f041eb6..00f5e90 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -54,7 +54,7 @@ template(`spamassassin_per_userdomain_template',`
 role $3 types $1_spamassassin_t;
 type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
- userdom_user_home_file($1,$1_spamassassin_home_t)
+ userdom_user_home_content($1,$1_spamassassin_home_t)
 files_poly_member($1_spamassassin_home_t)
 type $1_spamassassin_tmp_t;
@@ -82,7 +82,7 @@ template(`spamassassin_per_userdomain_template',`
 allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms;
 allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_spamc_t, $1_spamc_tmp_t, { file dir })
+ files_tmp_filetrans($1_spamc_t, $1_spamc_tmp_t, { file dir })
 # Allow connecting to a local spamd
 allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
@@ -147,7 +147,7 @@ template(`spamassassin_per_userdomain_template',`
 sysnet_read_config($1_spamc_t)
- userdom_use_unpriv_users_fd($1_spamc_t)
+ userdom_use_unpriv_users_fds($1_spamc_t)
 # cjp: this really should just be the
 # terminal specific to the role
 userdom_use_unpriv_users_ptys($1_spamc_t)
@@ -201,11 +201,11 @@ template(`spamassassin_per_userdomain_template',`
 allow $1_spamassassin_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 allow $1_spamassassin_t $1_spamassassin_home_t:sock_file create_file_perms;
 allow $1_spamassassin_t $1_spamassassin_home_t:fifo_file create_file_perms;
- userdom_filetrans_user_home_dir($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_user_home_dir_filetrans($1,$1_spamassassin_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
 allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
+ files_tmp_filetrans($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
 allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto };
 allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto };
@@ -222,7 +222,7 @@ template(`spamassassin_per_userdomain_template',`
 allow spamd_t $1_spamassassin_home_t:lnk_file create_lnk_perms;
 allow spamd_t $1_spamassassin_home_t:sock_file create_file_perms;
 allow spamd_t $1_spamassassin_home_t:fifo_file create_file_perms;
- userdom_filetrans_user_home_dir($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_user_home_dir_filetrans($1,spamd_t,$1_spamassassin_home_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_kernel_sysctls($1_spamassassin_t)
@@ -262,8 +262,8 @@ template(`spamassassin_per_userdomain_template',`
 sysnet_dns_name_resolve($1_spamassassin_t)
- userdom_use_unpriv_users_fd($1_spamassassin_t)
- userdom_search_user_home($1,$1_spamassassin_t)
+ userdom_use_unpriv_users_fds($1_spamassassin_t)
+ userdom_search_user_home_dirs($1,$1_spamassassin_t)
 # cjp: this really should just be the
 # terminal specific to the role
 userdom_use_unpriv_users_ptys($1_spamassassin_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index eed5758..11f974f 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -51,11 +51,11 @@ allow spamd_t self:udp_socket create_socket_perms;
 allow spamd_t spamd_tmp_t:dir create_dir_perms;
 allow spamd_t spamd_tmp_t:file create_file_perms;
-files_filetrans_tmp(spamd_t, spamd_tmp_t, { file dir })
+files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 allow spamd_t spamd_var_run_t:file create_file_perms;
 allow spamd_t spamd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(spamd_t,spamd_var_run_t)
+files_pid_filetrans(spamd_t,spamd_var_run_t)
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
@@ -115,18 +115,18 @@ miscfiles_read_localization(spamd_t)
 sysnet_read_config(spamd_t)
 sysnet_use_ldap(spamd_t)
-userdom_use_unpriv_users_fd(spamd_t)
+userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)
-userdom_dontaudit_search_sysadm_home_dir(spamd_t)
+userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(spamd_t)
 term_dontaudit_use_generic_ptys(spamd_t)
 files_dontaudit_read_root_files(spamd_t)
 tunable_policy(`spamd_enable_home_dirs',`
- userdom_manage_generic_user_home_dirs(spamd_t)
- userdom_manage_generic_user_home_files(spamd_t)
- userdom_manage_generic_user_home_symlinks(spamd_t)
+ userdom_manage_generic_user_home_content_dirs(spamd_t)
+ userdom_manage_generic_user_home_content_files(spamd_t)
+ userdom_manage_generic_user_home_content_symlinks(spamd_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index f11e92a..07f819d 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -58,11 +58,11 @@ can_exec(squid_t,squid_exec_t)
 allow squid_t squid_log_t:file create_file_perms;
 allow squid_t squid_log_t:dir rw_dir_perms;
-logging_filetrans_log(squid_t,squid_log_t,{ file dir })
+logging_log_filetrans(squid_t,squid_log_t,{ file dir })
 allow squid_t squid_var_run_t:file create_file_perms;
 allow squid_t squid_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(squid_t,squid_var_run_t)
+files_pid_filetrans(squid_t,squid_var_run_t)
 kernel_read_kernel_sysctls(squid_t)
 kernel_read_system_state(squid_t)
@@ -131,9 +131,9 @@ miscfiles_read_localization(squid_t)
 sysnet_read_config(squid_t)
-userdom_use_unpriv_users_fd(squid_t)
+userdom_use_unpriv_users_fds(squid_t)
 userdom_dontaudit_use_unpriv_user_fds(squid_t)
-userdom_dontaudit_search_sysadm_home_dir(squid_t)
+userdom_dontaudit_search_sysadm_home_dirs(squid_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(squid_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 337db11..085171e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -47,7 +47,7 @@ template(`ssh_per_userdomain_template',`
 #
 type $1_home_ssh_t;
- userdom_user_home_file($1,$1_home_ssh_t)
+ userdom_user_home_content($1,$1_home_ssh_t)
 role $3 types $1_ssh_t;
 type $1_ssh_t;
@@ -90,7 +90,7 @@ template(`ssh_per_userdomain_template',`
 allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
 allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
 allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
- fs_filetrans_tmpfs($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_tmpfs_filetrans($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 # Transition from the user domain to the derived domain.
 domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
@@ -105,7 +105,7 @@ template(`ssh_per_userdomain_template',`
 # Access the ssh temporary files.
 allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
 allow $1_ssh_t sshd_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_ssh_t, sshd_tmp_t, { file dir })
+ files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })
 # for rsync
 allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
@@ -124,7 +124,7 @@ template(`ssh_per_userdomain_template',`
 allow $2 sshd_t:unix_stream_socket rw_stream_socket_perms;
 # ssh client can manage the keys and config
- userdom_search_user_home($1,$1_ssh_t)
+ userdom_search_user_home_dirs($1,$1_ssh_t)
 allow $1_ssh_t $1_home_ssh_t:dir r_dir_perms;
 allow $1_ssh_t $1_home_ssh_t:file create_file_perms;
 allow $1_ssh_t $1_home_ssh_t:lnk_file { getattr read };
@@ -181,7 +181,7 @@ template(`ssh_per_userdomain_template',`
 sysnet_read_config($1_ssh_t)
 sysnet_dns_name_resolve($1_ssh_t)
- userdom_use_unpriv_users_fd($1_ssh_t)
+ userdom_use_unpriv_users_fds($1_ssh_t)
 # Write to the user domain tty.
 userdom_use_user_terminals($1,$1_ssh_t)
@@ -440,7 +440,7 @@ template(`ssh_server_template', `
 term_create_pty($1_t,$1_devpts_t)
 allow $1_t $1_var_run_t:file create_file_perms;
- files_filetrans_pid($1_t,$1_var_run_t,file)
+ files_pid_filetrans($1_t,$1_var_run_t,file)
 can_exec($1_t, sshd_exec_t)
@@ -513,7 +513,7 @@ template(`ssh_server_template', `
 sysnet_read_config($1_t)
 userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
- userdom_search_all_users_home($1_t)
+ userdom_search_all_users_home_content($1_t)
 # Allow checking users mail at login
 mta_getattr_spool($1_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index a52fc49..9828be8 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -82,7 +82,7 @@ ifdef(`targeted_policy',`',`
 allow sshd_t sshd_tmp_t:dir create_dir_perms;
 allow sshd_t sshd_tmp_t:file create_file_perms;
 allow sshd_t sshd_tmp_t:sock_file create_file_perms;
- files_filetrans_tmp(sshd_t, sshd_tmp_t, { dir file sock_file })
+ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 # for X forwarding
 corenet_tcp_bind_xserver_port(sshd_t)
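Review bot: In the ssh.if `@@ -513,7` hunk, `userdom_search_all_users_home($1_t)` is replaced by `userdom_search_all_users_home_content($1_t)`, while the per-user call in the `@@ -124,7` hunk of the same file goes from `userdom_search_user_home` to `userdom_search_user_home_dirs`; the new naming scheme distinguishes the home directory type from its content types, so the two replacements select different scopes. If `_home_content` grants search over every home-content type rather than only the home directories, the sshd server domain's reach after this rename is wider than the old name read, and the same mapping is applied to local_login_t in the locallogin.te hunk. The old interface bodies are not in this diff, so this should be confirmed against userdomain.if, or the call changed to `userdom_search_all_users_home_dirs($1_t)` if that is the intended scope and such an interface exists. Both `ssh_server_template` and `ssh_per_userdomain_template` continue outside the hunks.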
@@ -217,7 +217,7 @@ ifdef(`targeted_policy',`',`
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sshd_key_t:file create_file_perms;
- files_filetrans_etc(ssh_keygen_t,sshd_key_t,file)
+ files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
 kernel_read_kernel_sysctls(ssh_keygen_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 6bf3ecc..47a194b 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -45,11 +45,11 @@ allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
 allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
 allow stunnel_t stunnel_tmp_t:file create_file_perms;
-files_filetrans_tmp(stunnel_t, stunnel_tmp_t, { file dir })
+files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
 allow stunnel_t stunnel_var_run_t:file create_file_perms;
 allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(stunnel_t,stunnel_var_run_t)
+files_pid_filetrans(stunnel_t,stunnel_var_run_t)
 kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)
@@ -95,7 +95,7 @@ ifdef(`distro_gentoo', `
 init_use_script_ptys(stunnel_t)
 userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
- userdom_dontaudit_search_sysadm_home_dir(stunnel_t)
+ userdom_dontaudit_search_sysadm_home_dirs(stunnel_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(stunnel_t)
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index f0a84f2..a3b3844 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -27,7 +27,7 @@ can_exec(sysstat_t, sysstat_exec_t)
 allow sysstat_t sysstat_log_t:file create_file_perms;
 allow sysstat_t sysstat_log_t:dir rw_dir_perms;
-logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })
+logging_log_filetrans(sysstat_t,sysstat_log_t,{ file dir })
 # get info from /proc
 kernel_read_system_state(sysstat_t)
@@ -59,7 +59,7 @@ libs_use_shared_libs(sysstat_t)
 miscfiles_read_localization(sysstat_t)
-userdom_dontaudit_list_sysadm_home_dir(sysstat_t)
+userdom_dontaudit_list_sysadm_home_dirs(sysstat_t)
 optional_policy(`cron',`
 cron_system_entry(sysstat_t,sysstat_exec_t)
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 447c3e2..dc6ec20 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -21,7 +21,7 @@ allow tcpd_t self:tcp_socket create_stream_socket_perms;
 allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
 allow tcpd_t tcpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(tcpd_t, tcpd_tmp_t, { file dir })
+files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 corenet_raw_sendrecv_all_if(tcpd_t)
 corenet_tcp_sendrecv_all_if(tcpd_t)
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index e707da1..e682d0d 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -39,11 +39,11 @@ term_create_pty(telnetd_t,telnetd_devpts_t)
 allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
 allow telnetd_t telnetd_tmp_t:file create_file_perms;
-files_filetrans_tmp(telnetd_t, telnetd_tmp_t, { file dir })
+files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
 allow telnetd_t telnetd_var_run_t:file create_file_perms;
 allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(telnetd_t,telnetd_var_run_t)
+files_pid_filetrans(telnetd_t,telnetd_var_run_t)
 kernel_read_kernel_sysctls(telnetd_t)
 kernel_read_system_state(telnetd_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 829137b..33c0b16 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -35,7 +35,7 @@ allow tftpd_t tftpdir_t:lnk_file { getattr read };
 allow tftpd_t tftpd_var_run_t:file create_file_perms;
 allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(tftpd_t,tftpd_var_run_t)
+files_pid_filetrans(tftpd_t,tftpd_var_run_t)
 kernel_read_kernel_sysctls(tftpd_t)
 kernel_list_proc(tftpd_t)
@@ -82,7 +82,7 @@ sysnet_read_config(tftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-userdom_dontaudit_search_sysadm_home_dir(tftpd_t)
+userdom_dontaudit_search_sysadm_home_dirs(tftpd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(tftpd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index 945716e..45d5f26 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -33,7 +33,7 @@ allow timidity_t timidity_tmpfs_t:file create_file_perms;
 allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
 allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
 allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
-fs_filetrans_tmpfs(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 kernel_read_kernel_sysctls(timidity_t)
 # read /proc/cpuinfo
@@ -83,7 +83,7 @@ userdom_dontaudit_use_unpriv_user_fds(timidity_t)
 # stupid timidity won't start if it can't search its current directory.
 # allow this so /etc/init.d/alsasound start works from /root
 # cjp: this should be fixed if possible so this rule can be removed.
-userdom_search_sysadm_home_dir(timidity_t)
+userdom_search_sysadm_home_dirs(timidity_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(timidity_t)
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 75c1bee..73dc366 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -41,7 +41,7 @@ allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow uucpd_t uucpd_log_t:file create_file_perms;
 allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(uucpd_t,uucpd_log_t,{ file dir })
+logging_log_filetrans(uucpd_t,uucpd_log_t,{ file dir })
 allow uucpd_t uucpd_ro_t:dir r_dir_perms;
 allow uucpd_t uucpd_ro_t:file r_file_perms;
@@ -57,11 +57,11 @@ allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms;
 allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
 allow uucpd_t uucpd_tmp_t:file create_file_perms;
-files_filetrans_tmp(uucpd_t, uucpd_tmp_t, { file dir })
+files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
 allow uucpd_t uucpd_var_run_t:file create_file_perms;
 allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(uucpd_t,uucpd_var_run_t)
+files_pid_filetrans(uucpd_t,uucpd_var_run_t)
 kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 0e76f13..916d0a5 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -29,11 +29,11 @@ allow xfs_t self:unix_dgram_socket create_socket_perms;
 allow xfs_t xfs_tmp_t:dir create_dir_perms;
 allow xfs_t xfs_tmp_t:sock_file create_file_perms;
-files_filetrans_tmp(xfs_t, xfs_tmp_t, { sock_file dir })
+files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
 allow xfs_t xfs_var_run_t:file create_file_perms;
 allow xfs_t xfs_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(xfs_t,xfs_var_run_t)
+files_pid_filetrans(xfs_t,xfs_var_run_t)
 # Bind to /tmp/.font-unix/fs-1.
 # cjp: I do not believe this has an effect.
@@ -66,11 +66,11 @@ miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
-userdom_dontaudit_search_sysadm_home_dir(xfs_t)
+userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
 ifdef(`distro_debian',`
 # for /tmp/.font-unix/fs7100
- init_filetrans_script_tmp(xfs_t,xfs_tmp_t,sock_file)
+ init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
 ')
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 5b4b838..9572d18 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -61,7 +61,7 @@ template(`xserver_common_domain_template',`
 allow $1_xserver_t $1_xserver_tmp_t:dir manage_dir_perms;
 allow $1_xserver_t $1_xserver_tmp_t:file manage_file_perms;
 allow $1_xserver_t $1_xserver_tmp_t:sock_file manage_file_perms;
- files_filetrans_tmp($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
+ files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
 allow $1_xserver_t xdm_xserver_tmp_t:dir rw_dir_perms;
 type_transition $1_xserver_t xdm_xserver_tmp_t:sock_file $1_xserver_tmp_t;
@@ -71,7 +71,7 @@ template(`xserver_common_domain_template',`
 allow $1_xserver_t $1_xserver_tmpfs_t:lnk_file create_lnk_perms;
 allow $1_xserver_t $1_xserver_tmpfs_t:sock_file manage_file_perms;
 allow $1_xserver_t $1_xserver_tmpfs_t:fifo_file manage_file_perms;
- fs_filetrans_tmpfs($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_tmpfs_filetrans($1_xserver_t,$1_xserver_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow $1_xserver_t xkb_var_lib_t:dir rw_dir_perms;
 allow $1_xserver_t xkb_var_lib_t:file manage_file_perms;
@@ -81,7 +81,7 @@ template(`xserver_common_domain_template',`
 # Create files in /var/log with the xserver_log_t type.
 allow $1_xserver_t xserver_log_t:file manage_file_perms;
 allow $1_xserver_t xserver_log_t:dir r_dir_perms;
- logging_filetrans_log($1_xserver_t,xserver_log_t,file)
+ logging_log_filetrans($1_xserver_t,xserver_log_t,file)
 kernel_read_system_state($1_xserver_t)
 kernel_read_device_sysctls($1_xserver_t)
@@ -235,7 +235,7 @@ template(`xserver_per_userdomain_template',`
 type $1_iceauth_home_t alias $1_iceauth_rw_t;
 files_poly_member($1_iceauth_home_t)
- userdom_user_home_file($1,$1_iceauth_home_t)
+ userdom_user_home_content($1,$1_iceauth_home_t)
 type $1_xauth_t;
 domain_type($1_xauth_t)
@@ -243,7 +243,7 @@ template(`xserver_per_userdomain_template',`
 type $1_xauth_home_t alias $1_xauth_rw_t;
 files_poly_member($1_xauth_home_t)
- userdom_user_home_file($1,$1_xauth_home_t)
+ userdom_user_home_content($1,$1_xauth_home_t)
 type $1_xauth_tmp_t;
 files_tmp_file($1_xauth_tmp_t)
@@ -283,7 +283,7 @@ template(`xserver_per_userdomain_template',`
 locallogin_use_fd($1_xserver_t)
- userdom_search_user_home($1,$1_xserver_t)
+ userdom_search_user_home_dirs($1,$1_xserver_t)
 userdom_use_user_ttys($1,$1_xserver_t)
 userdom_setattr_user_ttys($1,$1_xserver_t)
 userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -314,11 +314,11 @@ template(`xserver_per_userdomain_template',`
 allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
- userdom_filetrans_user_home_dir($1,$1_xauth_t,$1_xauth_home_t,file)
+ userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
 allow $1_xauth_t $1_xauth_tmp_t:dir create_dir_perms;
 allow $1_xauth_t $1_xauth_tmp_t:file create_file_perms;
- files_filetrans_tmp($1_xauth_t, $1_xauth_tmp_t, { file dir })
+ files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
 domain_auto_trans($2, xauth_exec_t, $1_xauth_t)
 allow $2 $1_xauth_t:fd use;
@@ -342,7 +342,7 @@ template(`xserver_per_userdomain_template',`
 allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
 allow xdm_t $1_xauth_home_t:file manage_file_perms;
- userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file)
+ userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
 domain_use_interactive_fds($1_xauth_t)
@@ -393,7 +393,7 @@ template(`xserver_per_userdomain_template',`
 allow $1_iceauth_t $2:process sigchld;
 allow $1_iceauth_t $1_iceauth_home_t:file manage_file_perms;
- userdom_filetrans_user_home_dir($1,$1_iceauth_t,$1_iceauth_home_t,file)
+ userdom_user_home_dir_filetrans($1,$1_iceauth_t,$1_iceauth_home_t,file)
 # allow ps to show iceauth
 allow $2 $1_iceauth_t:dir { search getattr read };
@@ -553,9 +553,9 @@ template(`xserver_user_client_template',`
 miscfiles_read_fonts($2)
- userdom_search_user_home($1,$2)
+ userdom_search_user_home_dirs($1,$2)
 # for .xsession-errors
- userdom_dontaudit_write_user_home_files($1,$2)
+ userdom_dontaudit_write_user_home_content_files($1,$2)
 xserver_ro_session_template(xdm,$2,$3)
 xserver_rw_session_template($1,$2,$3)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 06423fc..21a978c 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -202,9 +202,9 @@ seutil_read_default_contexts(xdm_t)
 sysnet_read_config(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
-userdom_dontaudit_search_sysadm_home_dir(xdm_t)
+userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
 # for .dmrc
-userdom_read_unpriv_users_home_files(xdm_t)
+userdom_read_unpriv_users_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@@ -216,27 +216,27 @@ ifdef(`enable_polyinstantiation',`
 ifdef(`strict_policy',`
 allow xdm_t xdm_lock_t:file create_file_perms;
- files_filetrans_lock(xdm_t,xdm_lock_t)
+ files_lock_filetrans(xdm_t,xdm_lock_t)
 allow xdm_t xdm_tmp_t:dir create_dir_perms;
 allow xdm_t xdm_tmp_t:file create_file_perms;
 allow xdm_t xdm_tmp_t:file create_file_perms;
- files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
+ files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
 allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
 allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
 allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 allow xdm_t xdm_var_lib_t:file create_file_perms;
 allow xdm_t xdm_var_lib_t:dir create_dir_perms;
- files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
+ files_var_lib_filetrans(xdm_t,xdm_var_lib_t)
 allow xdm_t xdm_var_run_t:dir manage_dir_perms;
 allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
- files_filetrans_pid(xdm_t,xdm_var_run_t,{ dir fifo_file })
+ files_pid_filetrans(xdm_t,xdm_var_run_t,{ dir fifo_file })
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -267,7 +267,7 @@ ifdef(`strict_policy',`
 allow xdm_t xserver_log_t:dir { rw_dir_perms setattr };
 allow xdm_t xserver_log_t:file manage_file_perms;
 allow xdm_t xserver_log_t:fifo_file manage_file_perms;
- logging_filetrans_log(xdm_t,xserver_log_t,file)
+ logging_log_filetrans(xdm_t,xserver_log_t,file)
 domain_subj_id_change_exemption(xdm_t)
 domain_role_change_exemption(xdm_t)
@@ -412,7 +412,7 @@ ifdef(`strict_policy',`
 # xdm_xserver_t may no longer have any reason
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
- userdom_read_unpriv_users_home_files(xdm_xserver_t)
+ userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
 ifdef(`TODO',`
 # Read all global and per user fonts
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index f23c3d9..b606499 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -45,16 +45,16 @@ allow zebra_t zebra_conf_t:lnk_file { getattr read };
 allow zebra_t zebra_log_t:file create_file_perms;
 allow zebra_t zebra_log_t:sock_file create_file_perms;
 allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
-logging_filetrans_log(zebra_t,zebra_log_t,{ sock_file file dir })
+logging_log_filetrans(zebra_t,zebra_log_t,{ sock_file file dir })
 # /tmp/.bgpd is such a bad idea!
 allow zebra_t zebra_tmp_t:sock_file create_file_perms;
-files_filetrans_tmp(zebra_t,zebra_tmp_t,sock_file)
+files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file)
 allow zebra_t zebra_var_run_t:file manage_file_perms;
 allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
 allow zebra_t zebra_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(zebra_t,zebra_var_run_t, { file sock_file })
+files_pid_filetrans(zebra_t,zebra_var_run_t, { file sock_file })
 kernel_read_system_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
@@ -105,7 +105,7 @@ miscfiles_read_localization(zebra_t)
 sysnet_read_config(zebra_t)
 userdom_dontaudit_use_unpriv_user_fds(zebra_t)
-userdom_dontaudit_search_sysadm_home_dir(zebra_t)
+userdom_dontaudit_search_sysadm_home_dirs(zebra_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(zebra_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 34ba8a2..9e864a3 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -413,7 +413,7 @@ interface(`auth_manage_shadow',`
 ')
 allow $1 shadow_t:file create_file_perms;
- files_filetrans_etc($1,shadow_t,file)
+ files_etc_filetrans($1,shadow_t,file)
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -1109,14 +1109,14 @@ interface(`auth_rw_login_records',`
 #######################################
 #
-# auth_filetrans_login_records(domain)
+# auth_log_filetrans_login_records(domain)
 #
-interface(`auth_filetrans_login_records',`
+interface(`auth_log_filetrans_login_records',`
 gen_require(`
 type wtmp_t;
 ')
- logging_filetrans_log($1,wtmp_t,file)
+ logging_log_filetrans($1,wtmp_t,file)
 ')
 #######################################
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 5f5fa7b..defb023 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -96,7 +96,7 @@ allow pam_t pam_var_run_t:file { getattr read unlink };
 allow pam_t pam_tmp_t:dir create_dir_perms;
 allow pam_t pam_tmp_t:file create_file_perms;
-files_filetrans_tmp(pam_t, pam_tmp_t, { file dir })
+files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })
 kernel_read_system_state(pam_t)
@@ -115,7 +115,7 @@ libs_use_shared_libs(pam_t)
 logging_send_syslog_msg(pam_t)
-userdom_use_unpriv_users_fd(pam_t)
+userdom_use_unpriv_users_fds(pam_t)
 optional_policy(`locallogin',`
 locallogin_use_fd(pam_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 89c2d44..6283ca0 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -42,7 +42,7 @@ can_exec(fsadm_t, fsadm_exec_t)
 allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
 allow fsadm_t fsadm_tmp_t:file create_file_perms;
-files_filetrans_tmp(fsadm_t, fsadm_tmp_t, { file dir })
+files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 # Enable swapping to files
 allow fsadm_t swapfile_t:file { getattr swapon };
@@ -139,7 +139,7 @@ modutils_read_module_config(fsadm_t)
 seutil_read_config(fsadm_t)
-userdom_use_unpriv_users_fd(fsadm_t)
+userdom_use_unpriv_users_fds(fsadm_t)
 ifdef(`targeted_policy',`
 term_use_unallocated_ttys(fsadm_t)
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 3afcb6a..bebab10 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -44,21 +44,21 @@ allow getty_t self:process { getpgid getsession signal_perms };
 allow getty_t getty_etc_t:dir r_dir_perms;
 allow getty_t getty_etc_t:file r_file_perms;
 allow getty_t getty_etc_t:lnk_file { getattr read };
-files_filetrans_etc(getty_t,getty_etc_t,{ file dir })
+files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
 allow getty_t getty_lock_t:file create_file_perms;
-files_filetrans_lock(getty_t,getty_lock_t)
+files_lock_filetrans(getty_t,getty_lock_t)
 allow getty_t getty_log_t:file create_file_perms;
-logging_filetrans_log(getty_t,getty_log_t)
+logging_log_filetrans(getty_t,getty_log_t)
 allow getty_t getty_tmp_t:file create_file_perms;
 allow getty_t getty_tmp_t:dir create_dir_perms;
-files_filetrans_tmp(getty_t,getty_tmp_t,{ file dir })
+files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
 allow getty_t getty_var_run_t:file create_file_perms;
 allow getty_t getty_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(getty_t,getty_var_run_t)
+files_pid_filetrans(getty_t,getty_var_run_t)
 kernel_list_proc(getty_t)
 kernel_read_proc_symlinks(getty_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 481ebf3..723bd71 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -42,7 +42,7 @@ can_exec(hotplug_t,hotplug_exec_t)
 allow hotplug_t hotplug_var_run_t:file manage_file_perms;
 allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(hotplug_t,hotplug_var_run_t)
+files_pid_filetrans(hotplug_t,hotplug_var_run_t)
 kernel_sigchld(hotplug_t)
 kernel_setpgid(hotplug_t)
@@ -123,7 +123,7 @@ seutil_dontaudit_search_config(hotplug_t)
 sysnet_read_config(hotplug_t)
 userdom_dontaudit_use_unpriv_user_fds(hotplug_t)
-userdom_dontaudit_search_sysadm_home_dir(hotplug_t)
+userdom_dontaudit_search_sysadm_home_dirs(hotplug_t)
 ifdef(`distro_redhat', `
 optional_policy(`netutils',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 11109a2..1da9f70 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -816,7 +816,7 @@ interface(`init_rw_script_tmp_files',`
 ##
 ##
 #
-interface(`init_filetrans_script_tmp',`
+interface(`init_script_tmp_filetrans',`
 gen_require(`
 type initrc_tmp_t;
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9cf5c54..d83d909 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -104,11 +104,11 @@ allow init_t initrc_t:unix_stream_socket connectto;
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_filetrans_pid(init_t,init_var_run_t)
+files_pid_filetrans(init_t,init_var_run_t)
 allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
 fs_associate_tmpfs(initctl_t)
-dev_filetrans_dev(init_t,initctl_t,fifo_file)
+dev_filetrans(init_t,initctl_t,fifo_file)
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -167,7 +167,7 @@ miscfiles_read_localization(init_t)
 ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(init_t)
- fs_filetrans_tmpfs(init_t,initctl_t,fifo_file)
+ fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
 ')
 ifdef(`targeted_policy',`
@@ -224,12 +224,12 @@ allow initrc_t initrc_state_t:file create_file_perms;
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
 allow initrc_t initrc_var_run_t:file create_file_perms;
-files_filetrans_pid(initrc_t,initrc_var_run_t)
+files_pid_filetrans(initrc_t,initrc_var_run_t)
 can_exec(initrc_t,initrc_tmp_t)
 allow initrc_t initrc_tmp_t:file create_file_perms;
 allow initrc_t initrc_tmp_t:dir create_dir_perms;
-files_filetrans_tmp(initrc_t,initrc_tmp_t, { file dir })
+files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir })
 init_write_initctl(initrc_t)
@@ -382,7 +382,7 @@ sysnet_read_config(initrc_t)
 udev_rw_db(initrc_t)
-userdom_read_all_users_home_files(initrc_t)
+userdom_read_all_users_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
@@ -391,7 +391,7 @@ userdom_use_sysadm_terms(initrc_t)
 ifdef(`distro_debian',`
 dev_setattr_generic_dirs(initrc_t)
- fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
+ fs_tmpfs_filetrans(initrc_t,initrc_var_run_t,dir)
 # for storing state under /dev/shm
 fs_setattr_tmpfs_dirs(initrc_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 06a1537..9010cfe 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -57,7 +57,7 @@ allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
 allow ipsec_t ipsec_var_run_t:file create_file_perms;
 allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(ipsec_t,ipsec_var_run_t,{ file sock_file })
+files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
 can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -122,7 +122,7 @@ miscfiles_read_localization(ipsec_t)
 sysnet_read_config(ipsec_t)
 userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
-userdom_dontaudit_search_sysadm_home_dir(ipsec_t)
+userdom_dontaudit_search_sysadm_home_dirs(ipsec_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(ipsec_t)
@@ -156,17 +156,17 @@ allow ipsec_mgmt_t self:key_socket { create setopt };
 allow ipsec_mgmt_t self:fifo_file rw_file_perms;
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
-files_filetrans_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
+files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t)
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
-files_filetrans_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
+files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
 allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
 allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
 allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
-files_filetrans_pid(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+files_pid_filetrans(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
 # _realsetup needs to be able to cat /var/run/pluto.pid,
 # run ps on that pid, and delete the file
@@ -182,7 +182,7 @@ allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
 allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
 # cjp: combo of file_type_auto_trans and rw_dir_create_file
 allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
-files_filetrans_etc(ipsec_mgmt_t,ipsec_key_file_t)
+files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t)
 # whack needs to connect to pluto
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 437c2e9..c48dee8 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(iptables_t,iptables_var_run_t)
+files_pid_filetrans(iptables_t,iptables_var_run_t)
 can_exec(iptables_t,iptables_exec_t)
 allow iptables_t iptables_tmp_t:dir create_dir_perms;
 allow iptables_t iptables_tmp_t:file create_file_perms;
-files_filetrans_tmp(iptables_t, iptables_tmp_t, { file dir })
+files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 allow iptables_t self:rawip_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 2307e0b..18bbd24 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -52,7 +52,7 @@ init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
 allow ldconfig_t ld_so_cache_t:file create_file_perms;
-files_filetrans_etc(ldconfig_t,ld_so_cache_t,file)
+files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
 allow ldconfig_t lib_t:dir rw_dir_perms;
 allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 4d838db..5c99514 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -52,11 +52,11 @@ allow local_login_t self:msgq create_msgq_perms;
 allow local_login_t self:msg { send receive };
 allow local_login_t local_login_lock_t:file create_file_perms;
-files_filetrans_lock(local_login_t,local_login_lock_t)
+files_lock_filetrans(local_login_t,local_login_lock_t)
 allow local_login_t local_login_tmp_t:dir create_dir_perms;
 allow local_login_t local_login_tmp_t:file create_file_perms;
-files_filetrans_tmp(local_login_t, local_login_tmp_t, { file dir })
+files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
@@ -165,8 +165,8 @@ seutil_read_default_contexts(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
-userdom_search_all_users_home(local_login_t)
-userdom_use_unpriv_users_fd(local_login_t)
+userdom_search_all_users_home_content(local_login_t)
+userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 # Search for mail spool file.
@@ -255,10 +255,10 @@ seutil_read_default_contexts(sulogin_t)
 auth_read_shadow(sulogin_t)
 userdom_shell_domtrans_sysadm(sulogin_t)
-userdom_use_unpriv_users_fd(sulogin_t)
+userdom_use_unpriv_users_fds(sulogin_t)
 userdom_use_sysadm_ptys(sulogin_t)
-userdom_search_staff_home_dir(sulogin_t)
-userdom_search_sysadm_home_dir(sulogin_t)
+userdom_search_staff_home_dirs(sulogin_t)
+userdom_search_sysadm_home_dirs(sulogin_t)
 # suse and debian do not use pam with sulogin...
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index dc93191..163ada1 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -91,9 +91,9 @@ interface(`logging_domtrans_syslog',`
 ########################################
 #
-# logging_filetrans_log(domain,privatetype,[class(es)])
+# logging_log_filetrans(domain,privatetype,[class(es)])
 #
-interface(`logging_filetrans_log',`
+interface(`logging_log_filetrans',`
 gen_require(`
 type var_log_t;
 ')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4b14048..c8cebad 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -131,7 +131,7 @@ allow auditd_t var_log_t:dir search;
 allow auditd_t auditd_var_run_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(auditd_t,auditd_var_run_t)
+files_pid_filetrans(auditd_t,auditd_var_run_t)
 kernel_read_kernel_sysctls(auditd_t)
 kernel_list_proc(auditd_t)
@@ -170,7 +170,7 @@ mls_rangetrans_target(auditd_t)
 seutil_dontaudit_read_config(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
-userdom_dontaudit_search_sysadm_home_dir(auditd_t)
+userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_ttys(auditd_t)
@@ -199,11 +199,11 @@ allow klogd_t self:process signal_perms;
 allow klogd_t klogd_tmp_t:file create_file_perms;
 allow klogd_t klogd_tmp_t:dir create_dir_perms;
-files_filetrans_tmp(klogd_t,klogd_tmp_t,{ file dir })
+files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
 allow klogd_t klogd_var_run_t:file create_file_perms;
 allow klogd_t klogd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(klogd_t,klogd_var_run_t)
+files_pid_filetrans(klogd_t,klogd_var_run_t)
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
@@ -240,7 +240,7 @@ miscfiles_read_localization(klogd_t)
 mls_file_read_up(klogd_t)
-userdom_dontaudit_search_sysadm_home_dir(klogd_t)
+userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
 optional_policy(`udev',`
 udev_read_db(klogd_t)
@@ -275,7 +275,7 @@ allow syslogd_t self:udp_socket { connected_socket_perms connect };
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file create_file_perms;
-files_filetrans_pid(syslogd_t,devlog_t,sock_file)
+files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -286,15 +286,15 @@ allow syslogd_t var_log_t:dir { create setattr };
 # manage temporary files
 allow syslogd_t syslogd_tmp_t:file create_file_perms;
 allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
-files_filetrans_tmp(syslogd_t,syslogd_tmp_t,{ dir file })
+files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_filetrans_pid(syslogd_t,syslogd_var_run_t,file)
+files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(syslogd_t,syslogd_var_run_t)
+files_pid_filetrans(syslogd_t,syslogd_var_run_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
@@ -303,7 +303,7 @@ kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
-dev_filetrans_dev(syslogd_t,devlog_t,sock_file)
+dev_filetrans(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@@ -350,11 +350,11 @@ sysnet_read_config(syslogd_t)
 miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
+userdom_dontaudit_search_sysadm_home_dirs(syslogd_t)
 ifdef(`distro_suse',`
 # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- files_filetrans_var_lib(syslogd_t,devlog_t,sock_file)
+ files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
 ')
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index feb536f..282f004 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -55,7 +55,7 @@ allow clvmd_t self:udp_socket create_socket_perms;
 allow clvmd_t clvmd_var_run_t:file create_file_perms;
 allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(clvmd_t,clvmd_var_run_t)
+files_pid_filetrans(clvmd_t,clvmd_var_run_t)
 kernel_read_kernel_sysctls(clvmd_t)
 kernel_list_proc(clvmd_t)
@@ -102,7 +102,7 @@ seutil_sigchld_newrole(clvmd_t)
 sysnet_read_config(clvmd_t)
 userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
-userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
+userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(clvmd_t)
@@ -139,7 +139,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t lvm_tmp_t:dir create_dir_perms;
 allow lvm_t lvm_tmp_t:file create_file_perms;
-files_filetrans_tmp(lvm_t, lvm_tmp_t, { file dir })
+files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
 # /lib/lvm- holds the actual LVM binaries (and symlinks)
 allow lvm_t lvm_exec_t:dir search;
@@ -151,11 +151,11 @@ can_exec(lvm_t, lvm_exec_t)
 # Creating lock files
 allow lvm_t lvm_lock_t:dir rw_dir_perms;
 allow lvm_t lvm_lock_t:file create_file_perms;
-files_filetrans_lock(lvm_t,lvm_lock_t)
+files_lock_filetrans(lvm_t,lvm_lock_t)
 allow lvm_t lvm_var_run_t:file create_file_perms;
 allow lvm_t lvm_var_run_t:dir create_dir_perms;
-files_filetrans_pid(lvm_t,lvm_var_run_t)
+files_pid_filetrans(lvm_t,lvm_var_run_t)
 allow lvm_t lvm_etc_t:file r_file_perms;
 allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -164,7 +164,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
 allow lvm_t lvm_metadata_t:file create_file_perms;
 allow lvm_t lvm_metadata_t:dir rw_dir_perms;
 type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
-files_filetrans_etc(lvm_t,lvm_metadata_t,file)
+files_etc_filetrans(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
 kernel_read_kernel_sysctls(lvm_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 0b77d31..c50a9c2 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -166,7 +166,7 @@ can_exec(depmod_t, depmod_exec_t)
 allow depmod_t modules_conf_t:file r_file_perms;
 allow depmod_t modules_dep_t:file create_file_perms;
-bootloader_filetrans_modules(depmod_t,modules_dep_t)
+bootloader_modules_filetrans(depmod_t,modules_dep_t)
 kernel_read_system_state(depmod_t)
@@ -196,8 +196,8 @@ libs_use_shared_libs(depmod_t)
 # Read System.map from home directories.
 files_list_home(depmod_t)
-userdom_read_staff_home_files(depmod_t)
-userdom_read_sysadm_home_files(depmod_t)
+userdom_read_staff_home_content_files(depmod_t)
+userdom_read_sysadm_home_content_files(depmod_t)
 ifdef(`targeted_policy', `
 term_use_unallocated_ttys(depmod_t)
@@ -228,8 +228,8 @@ can_exec(update_modules_t, update_modules_exec_t)
 # manage module loading configuration
 allow update_modules_t modules_conf_t:file create_file_perms;
-bootloader_filetrans_modules(update_modules_t,modules_conf_t)
-files_filetrans_etc(update_modules_t,modules_conf_t)
+bootloader_modules_filetrans(update_modules_t,modules_conf_t)
+files_etc_filetrans(update_modules_t,modules_conf_t)
 # transition to depmod domain
 domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
@@ -240,7 +240,7 @@ allow depmod_t update_modules_t:process sigchld;
 allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
 allow update_modules_t update_modules_tmp_t:file create_file_perms;
-files_filetrans_tmp(update_modules_t, update_modules_tmp_t, { file dir })
+files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
 kernel_read_kernel_sysctls(update_modules_t)
 kernel_read_system_state(update_modules_t)
@@ -272,7 +272,7 @@ logging_send_syslog_msg(update_modules_t)
 miscfiles_read_localization(update_modules_t)
-userdom_dontaudit_search_sysadm_home_dir(update_modules_t)
+userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
 ifdef(`targeted_policy',`
 term_use_generic_ptys(update_modules_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index f71f77d..cde1b95 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -23,7 +23,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
 allow mount_t mount_tmp_t:file create_file_perms;
 allow mount_t mount_tmp_t:dir create_dir_perms;
-files_filetrans_tmp(mount_t,mount_tmp_t,{ file dir })
+files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 kernel_read_system_state(mount_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 6f95942..6b57cf5 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -38,15 +38,15 @@ allow cardmgr_t self:unix_dgram_socket create_socket_perms;
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
 allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
-dev_filetrans_dev(cardmgr_t,cardmgr_lnk_t,lnk_file)
+dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
 # Create stab file
 allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
 allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
-files_filetrans_var_lib(cardmgr_t,cardmgr_var_lib_t)
+files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t)
 allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
-files_filetrans_pid(cardmgr_t,cardmgr_var_run_t)
+files_pid_filetrans(cardmgr_t,cardmgr_var_run_t)
 kernel_read_system_state(cardmgr_t)
 kernel_read_kernel_sysctls(cardmgr_t)
@@ -114,11 +114,11 @@ modutils_domtrans_insmod(cardmgr_t)
 sysnet_domtrans_ifconfig(cardmgr_t)
 # for /etc/resolv.conf
-sysnet_filetrans_config(cardmgr_t)
+sysnet_etc_filetrans_config(cardmgr_t)
 sysnet_manage_config(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
-userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
+userdom_dontaudit_search_sysadm_home_dirs(cardmgr_t)
 ifdef(`targeted_policy',`
 term_use_unallocated_ttys(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index d1149f0..ace3f78 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -24,7 +24,7 @@ dontaudit mdadm_t self:capability sys_tty_config;
 allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
 allow mdadm_t mdadm_var_run_t:file create_file_perms;
-files_filetrans_pid(mdadm_t,mdadm_var_run_t)
+files_pid_filetrans(mdadm_t,mdadm_var_run_t)
 kernel_read_system_state(mdadm_t)
 kernel_read_kernel_sysctls(mdadm_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 3e18e2a..aeb7218 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -274,9 +274,9 @@ logging_send_syslog_msg(newrole_t)
 miscfiles_read_localization(newrole_t)
-userdom_use_unpriv_users_fd(newrole_t)
+userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
-userdom_dontaudit_search_all_users_home(newrole_t)
+userdom_dontaudit_search_all_users_home_content(newrole_t)
 ifdef(`targeted_policy',`
 # newrole does not make any sense in
@@ -527,7 +527,7 @@ miscfiles_read_localization(setfiles_t)
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
-userdom_read_all_users_home_files(setfiles_t)
+userdom_read_all_users_home_content_files(setfiles_t)
 ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 0d5a065..ebf653c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -251,12 +251,12 @@ interface(`sysnet_dontaudit_read_config',`
 ##
 ##
 #
-interface(`sysnet_filetrans_config',`
+interface(`sysnet_etc_filetrans_config',`
 gen_require(`
 type net_conf_t;
 ')
- files_filetrans_etc($1,net_conf_t,file)
+ files_etc_filetrans($1,net_conf_t,file)
 ')
 #######################################
@@ -459,7 +459,7 @@ interface(`sysnet_search_dhcp_state',`
 ##
 ##
 #
-interface(`sysnet_filetrans_dhcp_state',`
+interface(`sysnet_dhcp_state_filetrans',`
 gen_require(`
 type dhcp_state_t;
 ')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 04c2767..1568eb6 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -65,17 +65,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
 # create pid file
 allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
 allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(dhcpc_t,dhcpc_var_run_t)
+files_pid_filetrans(dhcpc_t,dhcpc_var_run_t)
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
 allow dhcpc_t net_conf_t:file create_file_perms;
-files_filetrans_etc(dhcpc_t,net_conf_t,file)
+files_etc_filetrans(dhcpc_t,net_conf_t,file)
 # create temp files
 allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
 allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
-files_filetrans_tmp(dhcpc_t, dhcpc_tmp_t, { file dir })
+files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })
 can_exec(dhcpc_t, dhcpc_exec_t)
@@ -144,7 +144,7 @@ miscfiles_read_localization(dhcpc_t)
 modutils_domtrans_insmod(dhcpc_t)
-userdom_dontaudit_search_staff_home_dir(dhcpc_t)
+userdom_dontaudit_search_staff_home_dirs(dhcpc_t)
 ifdef(`distro_redhat', `
 files_exec_etc_files(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 2adc630..329b2da 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -66,11 +66,11 @@ allow udev_t udev_etc_t:file r_file_perms;
 # create udev database in /dev/.udevdb
 allow udev_t udev_tbl_t:file create_file_perms;
-dev_filetrans_dev(udev_t,udev_tbl_t,file)
+dev_filetrans(udev_t,udev_tbl_t,file)
 allow udev_t udev_var_run_t:file create_file_perms;
 allow udev_t udev_var_run_t:dir rw_dir_perms;
-files_filetrans_pid(udev_t,udev_var_run_t)
+files_pid_filetrans(udev_t,udev_var_run_t)
 kernel_read_system_state(udev_t)
 kernel_getattr_core_if(udev_t)
@@ -143,7 +143,7 @@ seutil_domtrans_restorecon(udev_t)
 sysnet_domtrans_ifconfig(udev_t)
 userdom_use_sysadm_ttys(udev_t)
-userdom_dontaudit_search_all_users_home(udev_t)
+userdom_dontaudit_search_all_users_home_content(udev_t)
 ifdef(`distro_redhat',`
 fs_manage_tmpfs_dirs(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 2a768ca..9cb8e88 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -123,7 +123,7 @@ template(`base_user_template',`
 allow $1_t $1_tmp_t:dir create_dir_perms;
 allow $1_t $1_tmp_t:sock_file create_file_perms;
 allow $1_t $1_tmp_t:fifo_file create_file_perms;
- files_filetrans_tmp($1_t, $1_tmp_t, { dir notdevfile_class_set })
+ files_tmp_filetrans($1_t, $1_tmp_t, { dir notdevfile_class_set })
 # Bind to a Unix domain socket in /tmp.
 # cjp: this is combination is not checked and should be removed
@@ -134,7 +134,7 @@ template(`base_user_template',`
 allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
 allow $1_t $1_tmpfs_t:sock_file create_file_perms;
 allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
- fs_filetrans_tmpfs($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+ fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
 allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
@@ -1001,7 +1001,7 @@ template(`admin_user_template',`
 ##
 ##
 #
-template(`userdom_user_home_file',`
+template(`userdom_user_home_content',`
 gen_require(`
 attribute $1_file_type;
 ')
@@ -1105,7 +1105,7 @@ template(`userdom_create_user_pty',`
 ##
 ##
 #
-template(`userdom_search_user_home',`
+template(`userdom_search_user_home_dirs',`
 gen_require(`
 type $1_home_dir_t;
 ')
@@ -1139,7 +1139,7 @@ template(`userdom_search_user_home',`
 ##
 ##
 #
-template(`userdom_list_user_home',`
+template(`userdom_list_user_home_dirs',`
 gen_require(`
 type $1_home_dir_t;
 ')
@@ -1222,7 +1222,7 @@ template(`userdom_user_home_domtrans',`
 ##
 ##
 #
-template(`userdom_dontaudit_list_user_home_dir',`
+template(`userdom_dontaudit_list_user_home_dirs',`
 gen_require(`
 type $1_home_dir_t;
 ')
@@ -1257,7 +1257,7 @@ template(`userdom_dontaudit_list_user_home_dir',`
 ##
 ##
 #
-template(`userdom_manage_user_home_subdirs',`
+template(`userdom_manage_user_home_content_dirs',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1294,7 +1294,7 @@ template(`userdom_manage_user_home_subdirs',`
 ##
 ##
 #
-template(`userdom_dontaudit_setattr_user_home_files',`
+template(`userdom_dontaudit_setattr_user_home_content_files',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1327,7 +1327,7 @@ template(`userdom_dontaudit_setattr_user_home_files',`
 ##
 ##
 #
-template(`userdom_read_user_home_files',`
+template(`userdom_read_user_home_content_files',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1363,7 +1363,7 @@ template(`userdom_read_user_home_files',`
 ##
 ##
 #
-template(`userdom_dontaudit_read_user_home_files',`
+template(`userdom_dontaudit_read_user_home_content_files',`
 gen_require(`
 type $1_home_t;
 ')
@@ -1397,7 +1397,7 @@ template(`userdom_dontaudit_read_user_home_files',`
 ##
 ##
 #
-template(`userdom_dontaudit_write_user_home_files',`
+template(`userdom_dontaudit_write_user_home_content_files',`
 gen_require(`
 type $1_home_t;
 ')
@@ -1430,7 +1430,7 @@ template(`userdom_dontaudit_write_user_home_files',`
 ##
 ##
 #
-template(`userdom_read_user_home_symlinks',`
+template(`userdom_read_user_home_content_symlinks',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1466,7 +1466,7 @@ template(`userdom_read_user_home_symlinks',`
 ##
 ##
 #
-template(`userdom_exec_user_home_files',`
+template(`userdom_exec_user_home_content_files',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1502,7 +1502,7 @@ template(`userdom_exec_user_home_files',`
 ##
 ##
 #
-template(`userdom_dontaudit_exec_user_home_files',`
+template(`userdom_dontaudit_exec_user_home_content_files',`
 gen_require(`
 type $1_home_t;
 ')
@@ -1537,7 +1537,7 @@ template(`userdom_dontaudit_exec_user_home_files',`
 ##
 ##
 #
-template(`userdom_manage_user_home_files',`
+template(`userdom_manage_user_home_content_files',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1575,7 +1575,7 @@ template(`userdom_manage_user_home_files',`
 ##
 ##
 #
-template(`userdom_manage_user_home_symlinks',`
+template(`userdom_manage_user_home_content_symlinks',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1613,7 +1613,7 @@ template(`userdom_manage_user_home_symlinks',`
 ##
 ##
 #
-template(`userdom_manage_user_home_pipes',`
+template(`userdom_manage_user_home_content_pipes',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1651,7 +1651,7 @@ template(`userdom_manage_user_home_pipes',`
 ##
 ##
 #
-template(`userdom_manage_user_home_sockets',`
+template(`userdom_manage_user_home_content_sockets',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -1702,7 +1702,7 @@ template(`userdom_manage_user_home_sockets',`
 ##
 ##
 #
-template(`userdom_filetrans_user_home_dir',`
+template(`userdom_user_home_dir_filetrans',`
 gen_require(`
 type $1_home_dir_t;
 ')
@@ -1747,7 +1747,7 @@ template(`userdom_filetrans_user_home_dir',`
 ##
 ##
 #
-template(`userdom_filetrans_user_home',`
+template(`userdom_user_home_dir_filetrans_user_home_content',`
 gen_require(`
 type $1_home_dir_t, $1_home_t;
 ')
@@ -3104,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
 ##
 ##
 #
-interface(`userdom_search_staff_home_dir',`
+interface(`userdom_search_staff_home_dirs',`
 gen_require(`
 type staff_home_dir_t;
 ')
@@ -3124,7 +3124,7 @@ interface(`userdom_search_staff_home_dir',`
 ##
 ##
 #
-interface(`userdom_dontaudit_search_staff_home_dir',`
+interface(`userdom_dontaudit_search_staff_home_dirs',`
 gen_require(`
 type staff_home_dir_t;
 ')
@@ -3143,7 +3143,7 @@ interface(`userdom_dontaudit_search_staff_home_dir',`
 ##
 ##
 #
-interface(`userdom_dontaudit_append_staff_home_files',`
+interface(`userdom_dontaudit_append_staff_home_content_files',`
 gen_require(`
 type staff_home_t;
 ')
@@ -3161,7 +3161,7 @@ interface(`userdom_dontaudit_append_staff_home_files',`
 ##
 ##
 #
-interface(`userdom_read_staff_home_files',`
+interface(`userdom_read_staff_home_content_files',`
 gen_require(`
 type staff_home_dir_t, staff_home_t;
 ')
@@ -3402,7 +3402,7 @@ interface(`userdom_rw_sysadm_pipes',`
 ##
 ##
 #
-interface(`userdom_getattr_sysadm_home_dir',`
+interface(`userdom_getattr_sysadm_home_dirs',`
 gen_require(`
 type sysadm_home_dir_t;
 ')
@@ -3448,7 +3448,7 @@ interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
 ##
 ##
 #
-interface(`userdom_search_sysadm_home_dir',`
+interface(`userdom_search_sysadm_home_dirs',`
 gen_require(`
 type sysadm_home_dir_t;
 ')
@@ -3467,7 +3467,7 @@ interface(`userdom_search_sysadm_home_dir',`
 ##
 ##
 #
-interface(`userdom_dontaudit_search_sysadm_home_dir',`
+interface(`userdom_dontaudit_search_sysadm_home_dirs',`
 ifdef(`targeted_policy',`
 gen_require(`
 type user_home_dir_t;
@@ -3493,7 +3493,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 ##
 ##
 #
-interface(`userdom_list_sysadm_home_dir',`
+interface(`userdom_list_sysadm_home_dirs',`
 gen_require(`
 type sysadm_home_dir_t;
 ')
@@ -3512,7 +3512,7 @@ interface(`userdom_list_sysadm_home_dir',`
 ##
 ##
 #
-interface(`userdom_dontaudit_list_sysadm_home_dir',`
+interface(`userdom_dontaudit_list_sysadm_home_dirs',`
 gen_require(`
 type sysadm_home_dir_t;
 ')
@@ -3531,7 +3531,7 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
 ##
 ##
 #
-interface(`userdom_dontaudit_read_sysadm_home_files',`
+interface(`userdom_dontaudit_read_sysadm_home_content_files',`
 ifdef(`targeted_policy',`
 gen_require(`
 type user_home_dir_t, user_home_t;
@@ -3571,7 +3571,7 @@ interface(`userdom_dontaudit_read_sysadm_home_files',`
 ##
 ##
 #
-interface(`userdom_filetrans_sysadm_home_dir',`
+interface(`userdom_sysadm_home_dir_filetrans',`
 gen_require(`
 type sysadm_home_dir_t;
 ')
@@ -3590,7 +3590,7 @@ interface(`userdom_filetrans_sysadm_home_dir',`
 ##
 ##
 #
-interface(`userdom_search_sysadm_home_subdirs',`
+interface(`userdom_search_sysadm_home_content_dirs',`
 gen_require(`
 type sysadm_home_dir_t, sysadm_home_t;
 ')
@@ -3608,7 +3608,7 @@ interface(`userdom_search_sysadm_home_subdirs',`
 ##
 ##
 #
-interface(`userdom_read_sysadm_home_files',`
+interface(`userdom_read_sysadm_home_content_files',`
 gen_require(`
 type sysadm_home_dir_t, sysadm_home_t;
 ')
@@ -3628,7 +3628,7 @@ interface(`userdom_read_sysadm_home_files',`
 ##
 ##
 #
-interface(`userdom_list_all_users_home_dir',`
+interface(`userdom_list_all_users_home_dirs',`
 gen_require(`
 attribute home_dir_type;
 ')
@@ -3647,7 +3647,7 @@ interface(`userdom_list_all_users_home_dir',`
 ##
 ##
 #
-interface(`userdom_search_all_users_home',`
+interface(`userdom_search_all_users_home_content',`
 gen_require(`
 attribute home_dir_type, home_type;
 ')
@@ -3666,7 +3666,7 @@ interface(`userdom_search_all_users_home',`
 ##
 ##
 #
-interface(`userdom_dontaudit_search_all_users_home',`
+interface(`userdom_dontaudit_search_all_users_home_content',`
 gen_require(`
 attribute home_dir_type, home_type;
 ')
@@ -3684,7 +3684,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
 ##
 ##
 #
-interface(`userdom_read_all_users_home_files',`
+interface(`userdom_read_all_users_home_content_files',`
 gen_require(`
 attribute home_type;
 ')
@@ -3705,7 +3705,7 @@ interface(`userdom_read_all_users_home_files',`
 ##
 ##
 #
-interface(`userdom_manage_all_users_home_dirs',`
+interface(`userdom_manage_all_users_home_content_dirs',`
 gen_require(`
 attribute home_type;
 ')
@@ -3725,7 +3725,7 @@ interface(`userdom_manage_all_users_home_dirs',`
 ##
 ##
 #
-interface(`userdom_manage_all_users_home_files',`
+interface(`userdom_manage_all_users_home_content_files',`
 gen_require(`
 attribute home_type;
 ')
@@ -3746,7 +3746,7 @@ interface(`userdom_manage_all_users_home_files',`
 ##
 ##
 #
-interface(`userdom_manage_all_users_home_symlinks',`
+interface(`userdom_manage_all_users_home_content_symlinks',`
 gen_require(`
 attribute home_type;
 ')
@@ -3813,7 +3813,7 @@ interface(`userdom_signal_unpriv_users',`
 ##
 ##
 #
-interface(`userdom_use_unpriv_users_fd',`
+interface(`userdom_use_unpriv_users_fds',`
 gen_require(`
 attribute unpriv_userdomain;
 ')
@@ -3851,12 +3851,12 @@ interface(`userdom_dontaudit_use_unpriv_user_fds',`
 ##
 ##
 #
-interface(`userdom_filetrans_generic_user_home_dir',`
+interface(`userdom_home_filetrans_generic_user_home_dir',`
 gen_require(`
 type user_home_dir_t;
 ')
- files_filetrans_home($1,user_home_dir_t)
+ files_home_filetrans($1,user_home_dir_t)
 ')
 ########################################
@@ -3869,7 +3869,7 @@ interface(`userdom_filetrans_generic_user_home_dir',`
 ##
 ##
 #
-interface(`userdom_search_generic_user_home_dir',`
+interface(`userdom_search_generic_user_home_dirs',`
 gen_require(`
 type user_home_dir_t;
 ')
@@ -3894,7 +3894,7 @@ interface(`userdom_search_generic_user_home_dir',`
 ##
 ##
 #
-interface(`userdom_filetrans_generic_user_home',`
+interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
 gen_require(`
 type user_home_dir_t, user_home_t;
 ')
@@ -3939,7 +3939,7 @@ interface(`userdom_dontaudit_search_generic_user_home_dirs',`
 ##
 ##
 #
-interface(`userdom_manage_generic_user_home_dirs',`
+interface(`userdom_manage_generic_user_home_content_dirs',`
 gen_require(`
 type user_home_t;
 ')
@@ -3958,7 +3958,7 @@ interface(`userdom_manage_generic_user_home_dirs',`
 ##
 ##
 #
-interface(`userdom_manage_generic_user_home_files',`
+interface(`userdom_manage_generic_user_home_content_files',`
 gen_require(`
 type user_home_t;
 ')
@@ -3978,7 +3978,7 @@ interface(`userdom_manage_generic_user_home_files',`
 ##
 ##
 #
-interface(`userdom_manage_generic_user_home_symlinks',`
+interface(`userdom_manage_generic_user_home_content_symlinks',`
 gen_require(`
 type user_home_t;
 ')
@@ -3998,7 +3998,7 @@ interface(`userdom_manage_generic_user_home_symlinks',`
 ##
 ##
 #
-interface(`userdom_manage_generic_user_home_pipes',`
+interface(`userdom_manage_generic_user_home_content_pipes',`
 gen_require(`
 type user_home_t;
 ')
@@ -4018,7 +4018,7 @@ interface(`userdom_manage_generic_user_home_pipes',`
 ##
 ##
 #
-interface(`userdom_manage_generic_user_home_sockets',`
+interface(`userdom_manage_generic_user_home_content_sockets',`
 gen_require(`
 type user_home_t;
 ')
@@ -4057,7 +4057,7 @@ interface(`userdom_search_unpriv_users_home_dirs',`
 ##
 ##
 #
-interface(`userdom_read_unpriv_users_home_files',`
+interface(`userdom_read_unpriv_users_home_content_files',`
 gen_require(`
 attribute user_home_dir_type, user_home_type;
 ')
@@ -4423,5 +4423,5 @@ interface(`userdom_unconfined',`
 ')
 allow $1 user_home_dir_t:dir create_dir_perms;
- files_filetrans_home($1,user_home_dir_t)
+ files_home_filetrans($1,user_home_dir_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 61b0826..6f8a6e2 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -150,7 +150,7 @@ ifdef(`targeted_policy',`
 # Add/remove user home directories
 allow sysadm_t user_home_dir_t:dir create_dir_perms;
- files_filetrans_home(sysadm_t,user_home_dir_t)
+ files_home_filetrans(sysadm_t,user_home_dir_t)
 corecmd_exec_shell(sysadm_t)
@@ -178,7 +178,7 @@ ifdef(`targeted_policy',`
 mls_file_downgrade(secadm_t)
 logging_read_audit_log(secadm_t)
 logging_domtrans_auditctl(secadm_t)
- userdom_dontaudit_append_staff_home_files(secadm_t)
+ userdom_dontaudit_append_staff_home_content_files(secadm_t)
 ', `
 logging_domtrans_auditctl(sysadm_t)
 logging_read_audit_log(sysadm_t)