diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te index f37f8b3..0beb2c7 100644 --- a/refpolicy/policy/modules/admin/acct.te +++ b/refpolicy/policy/modules/admin/acct.te @@ -49,7 +49,7 @@ corecmd_search_sbin(acct_t) corecmd_exec_bin(acct_t) corecmd_exec_shell(acct_t) -domain_use_wide_inherit_fd(acct_t) +domain_use_interactive_fds(acct_t) files_read_etc_files(acct_t) files_read_etc_runtime_files(acct_t) @@ -69,7 +69,7 @@ logging_send_syslog_msg(acct_t) miscfiles_read_localization(acct_t) userdom_dontaudit_search_sysadm_home_dir(acct_t) -userdom_dontaudit_use_unpriv_user_fd(acct_t) +userdom_dontaudit_use_unpriv_user_fds(acct_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(acct_t) diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te index df244b7..671397b 100644 --- a/refpolicy/policy/modules/admin/amanda.te +++ b/refpolicy/policy/modules/admin/amanda.te @@ -234,7 +234,7 @@ corenet_tcp_connect_amanda_port(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) -domain_use_wide_inherit_fd(amanda_recover_t) +domain_use_interactive_fds(amanda_recover_t) files_read_etc_files(amanda_recover_t) files_read_etc_runtime_files(amanda_recover_t) diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te index 2c68fb7..e17e6df 100644 --- a/refpolicy/policy/modules/admin/consoletype.te +++ b/refpolicy/policy/modules/admin/consoletype.te @@ -48,10 +48,10 @@ term_use_unallocated_ttys(consoletype_t) init_use_fd(consoletype_t) init_use_script_ptys(consoletype_t) -init_use_script_fd(consoletype_t) +init_use_script_fds(consoletype_t) init_write_script_pipes(consoletype_t) -domain_use_wide_inherit_fd(consoletype_t) +domain_use_interactive_fds(consoletype_t) files_dontaudit_read_root_files(consoletype_t) files_list_usr(consoletype_t) 
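Review bot: In the consoletype.te hunk at `@@ -48,10`, `init_use_fd(consoletype_t)` keeps the singular suffix two lines above the renamed `init_use_script_fds(consoletype_t)`, so the new `_fds` convention is applied unevenly. The same leftover appears in context lines of later hunks: `init_dontaudit_use_fd($1_su_t)` in su.if, and `init_use_fd(groupadd_t)` and `userdom_use_unpriv_users_fd(passwd_t)` in usermanage.te. If these are renamed in a part of the change not shown here, nothing is needed; otherwise rename them too (for example `init_use_fds`) or state in the commit message that they are deferred. Mixed suffixes make it easy to miss some descriptor-use grants when searching the policy during an audit.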
@@ -60,7 +60,7 @@ libs_use_ld_so(consoletype_t) libs_use_shared_libs(consoletype_t) userdom_use_sysadm_terms(consoletype_t) -userdom_use_sysadm_fd(consoletype_t) +userdom_use_sysadm_fds(consoletype_t) userdom_rw_sysadm_pipes(consoletype_t) ifdef(`distro_redhat',` @@ -78,7 +78,7 @@ optional_policy(`authlogin', ` optional_policy(`cron',` cron_read_pipes(consoletype_t) - cron_use_system_job_fd(consoletype_t) + cron_use_system_job_fds(consoletype_t) ') optional_policy(`firstboot',` diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te index b941142..c050341 100644 --- a/refpolicy/policy/modules/admin/ddcprobe.te +++ b/refpolicy/policy/modules/admin/ddcprobe.te @@ -49,7 +49,7 @@ miscfiles_read_localization(ddcprobe_t) modutils_read_module_deps(ddcprobe_t) -userdom_use_all_users_fd(ddcprobe_t) +userdom_use_all_users_fds(ddcprobe_t) #reh why? this does not seem even necessary to function properly kudzu_getattr_exec_files(ddcprobe_t) diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 8c7d894..5c068a7 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -44,7 +44,7 @@ ifdef(`strict_policy',` term_dontaudit_use_console(dmesg_t) - domain_use_wide_inherit_fd(dmesg_t) + domain_use_interactive_fds(dmesg_t) files_list_etc(dmesg_t) # for when /usr is not mounted: @@ -62,7 +62,7 @@ ifdef(`strict_policy',` miscfiles_read_localization(dmesg_t) userdom_use_sysadm_terms(dmesg_t) - userdom_dontaudit_use_unpriv_user_fd(dmesg_t) + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) optional_policy(`selinuxutil',` seutil_sigchld_newrole(dmesg_t) diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te index a970980..75cf926 100644 --- a/refpolicy/policy/modules/admin/kudzu.te +++ b/refpolicy/policy/modules/admin/kudzu.te 
@@ -84,7 +84,7 @@ corecmd_exec_sbin(kudzu_t) corecmd_exec_bin(kudzu_t) domain_exec_all_entry_files(kudzu_t) -domain_use_wide_inherit_fd(kudzu_t) +domain_use_interactive_fds(kudzu_t) files_search_var(kudzu_t) files_search_locks(kudzu_t) @@ -120,7 +120,7 @@ modutils_domtrans_insmod(kudzu_t) sysnet_read_config(kudzu_t) userdom_search_sysadm_home_dir(kudzu_t) -userdom_dontaudit_use_unpriv_user_fd(kudzu_t) +userdom_dontaudit_use_unpriv_user_fds(kudzu_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(kudzu_t) diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index 2f4b613..b2395f0 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -88,7 +88,7 @@ corecmd_exec_shell(logrotate_t) corecmd_exec_ls(logrotate_t) domain_signal_all_domains(logrotate_t) -domain_use_wide_inherit_fd(logrotate_t) +domain_use_interactive_fds(logrotate_t) domain_getattr_all_entry_files(logrotate_t) # Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te index 798fa6a..8badd19 100644 --- a/refpolicy/policy/modules/admin/mrtg.te +++ b/refpolicy/policy/modules/admin/mrtg.te @@ -81,7 +81,7 @@ corenet_tcp_connect_all_ports(mrtg_t) dev_read_sysfs(mrtg_t) dev_read_urand(mrtg_t) -domain_use_wide_inherit_fd(mrtg_t) +domain_use_interactive_fds(mrtg_t) files_read_usr_files(mrtg_t) files_search_var(mrtg_t) @@ -116,7 +116,7 @@ selinux_dontaudit_getattr_dir(mrtg_t) # Use the network. sysnet_read_config(mrtg_t) -userdom_dontaudit_use_unpriv_user_fd(mrtg_t) +userdom_dontaudit_use_unpriv_user_fds(mrtg_t) userdom_use_sysadm_terms(mrtg_t) ifdef(`distro_redhat',` diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index d978364..003a6a5 100644 --- a/refpolicy/policy/modules/admin/netutils.te 
+++ b/refpolicy/policy/modules/admin/netutils.te @@ -58,7 +58,7 @@ corenet_tcp_connect_all_ports(netutils_t) fs_getattr_xattr_fs(netutils_t) -domain_use_wide_inherit_fd(netutils_t) +domain_use_interactive_fds(netutils_t) files_read_etc_files(netutils_t) # for nscd @@ -76,7 +76,7 @@ miscfiles_read_localization(netutils_t) sysnet_read_config(netutils_t) -userdom_use_all_users_fd(netutils_t) +userdom_use_all_users_fds(netutils_t) ifdef(`targeted_policy',` term_use_generic_ptys(netutils_t) @@ -117,7 +117,7 @@ corenet_tcp_bind_all_nodes(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) -domain_use_wide_inherit_fd(ping_t) +domain_use_interactive_fds(ping_t) files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) @@ -155,7 +155,7 @@ optional_policy(`nscd',` ') optional_policy(`pcmcia',` - pcmcia_use_cardmgr_fd(ping_t) + pcmcia_use_cardmgr_fds(ping_t) ') optional_policy(`hotplug',` @@ -199,7 +199,7 @@ corenet_tcp_connect_all_ports(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t) -domain_use_wide_inherit_fd(traceroute_t) +domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) files_dontaudit_search_var(traceroute_t) diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if index 3499865..279fd5b 100644 --- a/refpolicy/policy/modules/admin/portage.if +++ b/refpolicy/policy/modules/admin/portage.if @@ -170,7 +170,7 @@ template(`portage_compile_domain_template',` dev_read_urand($1_t) domain_exec_all_entry_files($1_t) - domain_use_wide_inherit_fd($1_t) + domain_use_interactive_fds($1_t) files_exec_etc_files($1_t) files_exec_usr_src_files($1_t) diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te index 4f887e1..4ab7df3 100644 --- a/refpolicy/policy/modules/admin/portage.te +++ b/refpolicy/policy/modules/admin/portage.te 
@@ -149,7 +149,7 @@ corenet_tcp_connect_generic_port(portage_fetch_t) dev_dontaudit_read_rand(portage_fetch_t) -domain_use_wide_inherit_fd(portage_fetch_t) +domain_use_interactive_fds(portage_fetch_t) files_read_etc_files(portage_fetch_t) files_read_etc_runtime_files(portage_fetch_t) diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te index a646312..0c740a3 100644 --- a/refpolicy/policy/modules/admin/quota.te +++ b/refpolicy/policy/modules/admin/quota.te @@ -41,7 +41,7 @@ storage_raw_read_fixed_disk(quota_t) term_dontaudit_use_console(quota_t) -domain_use_wide_inherit_fd(quota_t) +domain_use_interactive_fds(quota_t) files_list_all(quota_t) files_read_all_files(quota_t) @@ -59,7 +59,7 @@ libs_use_shared_libs(quota_t) logging_send_syslog_msg(quota_t) -userdom_dontaudit_use_unpriv_user_fd(quota_t) +userdom_dontaudit_use_unpriv_user_fds(quota_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(quota_t) diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te index f7deda6..095c168 100644 --- a/refpolicy/policy/modules/admin/readahead.te +++ b/refpolicy/policy/modules/admin/readahead.te @@ -37,7 +37,7 @@ dev_getattr_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t) dev_dontaudit_getattr_memory_dev(readahead_t) -domain_use_wide_inherit_fd(readahead_t) +domain_use_interactive_fds(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) files_list_non_security(readahead_t) @@ -67,7 +67,7 @@ logging_send_syslog_msg(readahead_t) miscfiles_read_localization(readahead_t) -userdom_dontaudit_use_unpriv_user_fd(readahead_t) +userdom_dontaudit_use_unpriv_user_fds(readahead_t) userdom_dontaudit_search_sysadm_home_dir(readahead_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 5141d03..aef9391 100644 --- a/refpolicy/policy/modules/admin/rpm.if 
+++ b/refpolicy/policy/modules/admin/rpm.if @@ -164,7 +164,7 @@ interface(`rpm_manage_log',` ## ## # -interface(`rpm_use_script_fd',` +interface(`rpm_use_script_fds',` gen_require(` type rpm_script_t; ') diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 1a22159..c9ebd15 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -12,7 +12,7 @@ init_system_domain(rpm_t,rpm_exec_t) domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) -domain_wide_inherit_fd(rpm_t) +domain_interactive_fd(rpm_t) role system_r types rpm_t; type rpm_file_t; @@ -38,7 +38,7 @@ domain_system_change_exemption(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t,rpm_script_exec_t) -domain_wide_inherit_fd(rpm_script_t) +domain_interactive_fd(rpm_script_t) role system_r types rpm_script_t; type rpm_script_tmp_t; @@ -144,7 +144,7 @@ domain_exec_all_entry_files(rpm_t) domain_read_all_domains_state(rpm_t) domain_getattr_all_domains(rpm_t) domain_dontaudit_ptrace_all_domains(rpm_t) -domain_use_wide_inherit_fd(rpm_t) +domain_use_interactive_fds(rpm_t) domain_dontaudit_getattr_all_pipes(rpm_t) domain_dontaudit_getattr_all_tcp_sockets(rpm_t) domain_dontaudit_getattr_all_udp_sockets(rpm_t) @@ -300,7 +300,7 @@ corecmd_exec_sbin(rpm_script_t) domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) domain_dontaudit_ptrace_all_domains(rpm_script_t) -domain_use_wide_inherit_fd(rpm_script_t) +domain_use_interactive_fds(rpm_script_t) domain_exec_all_entry_files(rpm_script_t) domain_signal_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t) 
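Review bot: The rpm.if hunk at `@@ -164,7` replaces `rpm_use_script_fd` with `rpm_use_script_fds` and leaves nothing under the old name, and no caller of either name is visible in this part of the diff. A module that still calls the old interface, in-tree or local, would no longer have it expanded; presumably that surfaces as a build error rather than a silently missing rule, but this is worth confirming. Consider keeping the old name for a transition period as a thin wrapper whose body is just `rpm_use_script_fds($1)`, with a comment marking it deprecated. The same applies to the four interfaces renamed in the domain.if hunks further down. The interface body continues past the end of this hunk.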
@@ -327,7 +327,7 @@ modutils_domtrans_insmod(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_restorecon(rpm_script_t) -userdom_use_all_users_fd(rpm_script_t) +userdom_use_all_users_fds(rpm_script_t) ifdef(`distro_redhat',` unconfined_domain(rpm_script_t) diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index a5f9bba..6a02a2e 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -8,7 +8,7 @@ template(`su_restricted_domain_template', ` type $1_su_t; domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) - domain_wide_inherit_fd($1_su_t) + domain_interactive_fd($1_su_t) role $3 types $1_su_t; allow $2 $1_su_t:process signal; @@ -47,7 +47,7 @@ template(`su_restricted_domain_template', ` auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) - domain_use_wide_inherit_fd($1_su_t) + domain_use_interactive_fds($1_su_t) init_dontaudit_use_fd($1_su_t) init_dontaudit_use_script_ptys($1_su_t) @@ -121,7 +121,7 @@ template(`su_per_userdomain_template',` type $1_su_t; domain_entry_file($1_su_t,su_exec_t) domain_type($1_su_t) - domain_wide_inherit_fd($1_su_t) + domain_interactive_fd($1_su_t) role $3 types $1_su_t; allow $2 $1_su_t:process signal; @@ -161,7 +161,7 @@ template(`su_per_userdomain_template',` corecmd_search_bin($1_su_t) corecmd_search_sbin($1_su_t) - domain_use_wide_inherit_fd($1_su_t) + domain_use_interactive_fds($1_su_t) files_read_etc_files($1_su_t) files_read_etc_runtime_files($1_su_t) @@ -196,8 +196,8 @@ template(`su_per_userdomain_template',` allow $1_su_t self:process sigstop; corecmd_exec_bin($1_su_t) - userdom_manage_all_user_files($1_su_t) - userdom_manage_all_user_symlinks($1_su_t) + userdom_manage_all_users_home_files($1_su_t) + userdom_manage_all_users_home_symlinks($1_su_t) ') tunable_policy(`use_nfs_home_dirs',` diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if index d69cacb..95b96e9 100644 
--- a/refpolicy/policy/modules/admin/sudo.if +++ b/refpolicy/policy/modules/admin/sudo.if @@ -48,7 +48,7 @@ template(`sudo_per_userdomain_template',` type $1_sudo_t; domain_type($1_sudo_t) domain_entry_file($1_sudo_t,sudo_exec_t) - domain_wide_inherit_fd($1_sudo_t) + domain_interactive_fd($1_sudo_t) role $3 types $1_sudo_t; ############################## @@ -100,8 +100,8 @@ template(`sudo_per_userdomain_template',` corecmd_read_sbin_symlinks($1_sudo_t) corecmd_getattr_sbin_files($1_sudo_t) - domain_use_wide_inherit_fd($1_sudo_t) - domain_sigchld_wide_inherit_fd($1_sudo_t) + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) domain_getattr_all_entry_files($1_sudo_t) files_read_etc_files($1_sudo_t) diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te index 8832659..7991c6a 100644 --- a/refpolicy/policy/modules/admin/updfstab.te +++ b/refpolicy/policy/modules/admin/updfstab.te @@ -56,7 +56,7 @@ corecmd_exec_bin(updfstab_t) corecmd_exec_sbin(updfstab_t) corecmd_exec_ls(updfstab_t) -domain_use_wide_inherit_fd(updfstab_t) +domain_use_interactive_fds(updfstab_t) files_manage_mnt_files(updfstab_t) files_manage_mnt_dirs(updfstab_t) @@ -83,7 +83,7 @@ seutil_read_file_contexts(updfstab_t) userdom_use_sysadm_ttys(updfstab_t) userdom_dontaudit_search_all_users_home(updfstab_t) -userdom_dontaudit_use_unpriv_user_fd(updfstab_t) +userdom_dontaudit_use_unpriv_user_fds(updfstab_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(updfstab_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 4b9339b..4f7f300 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te 
@@ -107,7 +107,7 @@ corecmd_search_sbin(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -domain_use_wide_inherit_fd(chfn_t) +domain_use_interactive_fds(chfn_t) files_manage_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) @@ -221,7 +221,7 @@ init_use_fd(groupadd_t) init_read_utmp(groupadd_t) init_dontaudit_write_utmp(groupadd_t) -domain_use_wide_inherit_fd(groupadd_t) +domain_use_interactive_fds(groupadd_t) files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) @@ -312,7 +312,7 @@ auth_relabel_shadow(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) -domain_use_wide_inherit_fd(passwd_t) +domain_use_interactive_fds(passwd_t) files_read_etc_runtime_files(passwd_t) files_manage_etc_files(passwd_t) @@ -335,7 +335,7 @@ seutil_dontaudit_search_config(passwd_t) userdom_use_unpriv_users_fd(passwd_t) # make sure that getcon succeeds -userdom_getattr_all_userdomains(passwd_t) +userdom_getattr_all_users(passwd_t) userdom_read_all_users_state(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir @@ -406,7 +406,7 @@ corecmd_exec_bin(sysadm_passwd_t) corecmd_exec_shell(sysadm_passwd_t) files_read_usr_files(sysadm_passwd_t) -domain_use_wide_inherit_fd(sysadm_passwd_t) +domain_use_interactive_fds(sysadm_passwd_t) files_manage_etc_files(sysadm_passwd_t) files_relabel_etc_files(sysadm_passwd_t) @@ -482,7 +482,7 @@ corecmd_exec_shell(useradd_t) corecmd_exec_bin(useradd_t) corecmd_exec_sbin(useradd_t) -domain_use_wide_inherit_fd(useradd_t) +domain_use_interactive_fds(useradd_t) files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te index 60e0330..05fd317 100644 --- a/refpolicy/policy/modules/admin/vpn.te +++ b/refpolicy/policy/modules/admin/vpn.te 
@@ -101,7 +101,7 @@ sysnet_exec_ifconfig(vpnc_t) sysnet_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) -userdom_use_all_users_fd(vpnc_t) +userdom_use_all_users_fds(vpnc_t) userdom_dontaudit_search_all_users_home(vpnc_t) optional_policy(`dbus',` diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if index a52302e..b532521 100644 --- a/refpolicy/policy/modules/apps/cdrecord.if +++ b/refpolicy/policy/modules/apps/cdrecord.if @@ -82,8 +82,8 @@ template(`cdrecord_per_userdomain_template', ` # allow searching for cdrom-drive dev_list_all_dev_nodes($1_cdrecord_t) - domain_wide_inherit_fd($1_cdrecord_t) - domain_use_wide_inherit_fd($1_cdrecord_t) + domain_interactive_fd($1_cdrecord_t) + domain_use_interactive_fds($1_cdrecord_t) files_read_etc_files($1_cdrecord_t) diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index d3733ec..f45a3e5 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -59,7 +59,7 @@ template(`gpg_per_userdomain_template',` files_tmp_file($1_gpg_agent_tmp_t) type $1_gpg_secret_t; - userdom_home_file($1,$1_gpg_secret_t) + userdom_user_home_file($1,$1_gpg_secret_t) type $1_gpg_helper_t; domain_type($1_gpg_helper_t) @@ -114,7 +114,7 @@ template(`gpg_per_userdomain_template',` fs_getattr_xattr_fs($1_gpg_t) - domain_use_wide_inherit_fd($1_gpg_t) + domain_use_interactive_fds($1_gpg_t) files_read_etc_files($1_gpg_t) files_read_usr_files($1_gpg_t) @@ -250,7 +250,7 @@ template(`gpg_per_userdomain_template',` # Transition from the user domain to the derived domain. domain_auto_trans($2, gpg_agent_exec_t, $1_gpg_agent_t) - domain_use_wide_inherit_fd($1_gpg_agent_t) + domain_use_interactive_fds($1_gpg_agent_t) libs_use_ld_so($1_gpg_agent_t) libs_use_shared_libs($1_gpg_agent_t) diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if index 87a6dcd..3f01ad3 100644 --- a/refpolicy/policy/modules/apps/irc.if 
+++ b/refpolicy/policy/modules/apps/irc.if @@ -48,14 +48,14 @@ template(`irc_per_userdomain_template',` role $3 types $1_irc_t; type $1_irc_exec_t; - userdom_home_file($1,$1_irc_exec_t) + userdom_user_home_file($1,$1_irc_exec_t) domain_entry_file($1_irc_t,$1_irc_exec_t) type $1_irc_home_t; - userdom_home_file($1,$1_irc_home_t) + userdom_user_home_file($1,$1_irc_home_t) type $1_irc_tmp_t; - userdom_home_file($1,$1_irc_tmp_t) + userdom_user_home_file($1,$1_irc_tmp_t) ######################################## # @@ -118,7 +118,7 @@ template(`irc_per_userdomain_template',` # cjp: this seems excessive: corenet_tcp_connect_all_ports($1_irc_t) - domain_use_wide_inherit_fd($1_irc_t) + domain_use_interactive_fds($1_irc_t) files_dontaudit_search_pids($1_irc_t) files_search_var($1_irc_t) @@ -141,7 +141,7 @@ template(`irc_per_userdomain_template',` miscfiles_read_localization($1_irc_t) # Inherit and use descriptors from newrole. - seutil_use_newrole_fd($1_irc_t) + seutil_use_newrole_fds($1_irc_t) sysnet_read_config($1_irc_t) diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if index ff18fe9..e443859 100644 --- a/refpolicy/policy/modules/apps/screen.if +++ b/refpolicy/policy/modules/apps/screen.if @@ -45,7 +45,7 @@ template(`screen_per_userdomain_template',` type $1_screen_t; domain_type($1_screen_t) domain_entry_file($1_screen_t,screen_exec_t) - domain_wide_inherit_fd($1_screen_t) + domain_interactive_fd($1_screen_t) role $3 types $1_screen_t; type $1_screen_tmp_t; @@ -133,7 +133,7 @@ template(`screen_per_userdomain_template',` # for SSP dev_read_urand($1_screen_t) - domain_use_wide_inherit_fd($1_screen_t) + domain_use_interactive_fds($1_screen_t) files_search_tmp($1_screen_t) files_search_home($1_screen_t) 
@@ -164,7 +164,7 @@ template(`screen_per_userdomain_template',` userdom_use_user_terminals($1,$1_screen_t) userdom_create_user_pty($1,$1_screen_t) userdom_user_home_domtrans($1,$1_screen_t,$2) - userdom_setattr_user_pty($1,$1_screen_t) + userdom_setattr_user_ptys($1,$1_screen_t) tunable_policy(`read_default_t',` files_list_default($1_screen_t) diff --git a/refpolicy/policy/modules/apps/tvtime.if b/refpolicy/policy/modules/apps/tvtime.if index 7281785..49f02e5 100644 --- a/refpolicy/policy/modules/apps/tvtime.if +++ b/refpolicy/policy/modules/apps/tvtime.if @@ -45,7 +45,7 @@ template(`tvtime_per_userdomain_template',` role $3 types $1_tvtime_t; type $1_tvtime_home_t alias $1_tvtime_rw_t; - userdom_home_file($1,$1_tvtime_home_t) + userdom_user_home_file($1,$1_tvtime_home_t) files_poly_member($1_tvtime_home_t) type $1_tvtime_tmp_t; diff --git a/refpolicy/policy/modules/apps/uml.if b/refpolicy/policy/modules/apps/uml.if index c6d9e62..54ea479 100644 --- a/refpolicy/policy/modules/apps/uml.if +++ b/refpolicy/policy/modules/apps/uml.if @@ -161,7 +161,7 @@ template(`uml_per_userdomain_template',` corenet_tcp_connect_all_ports($1_uml_t) corenet_rw_tun_tap_dev($1_uml_t) - domain_use_wide_inherit_fd($1_uml_t) + domain_use_interactive_fds($1_uml_t) # for xterm files_read_etc_files($1_uml_t) @@ -180,7 +180,7 @@ template(`uml_per_userdomain_template',` libs_exec_lib_files($1_uml_t) # Inherit and use descriptors from newrole. - seutil_use_newrole_fd($1_uml_t) + seutil_use_newrole_fds($1_uml_t) # Use the network. sysnet_read_config($1_uml_t) diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te index 576c1e8..3f54226 100644 --- a/refpolicy/policy/modules/apps/uml.te +++ b/refpolicy/policy/modules/apps/uml.te 
@@ -40,7 +40,7 @@ kernel_read_proc_symlinks(uml_switch_t) dev_read_sysfs(uml_switch_t) -domain_use_wide_inherit_fd(uml_switch_t) +domain_use_interactive_fds(uml_switch_t) fs_getattr_all_fs(uml_switch_t) fs_search_auto_mountpoints(uml_switch_t) @@ -57,7 +57,7 @@ logging_send_syslog_msg(uml_switch_t) miscfiles_read_localization(uml_switch_t) -userdom_dontaudit_use_unpriv_user_fd(uml_switch_t) +userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) userdom_dontaudit_search_sysadm_home_dir(uml_switch_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if index 4f0bbb8..0a1b067 100644 --- a/refpolicy/policy/modules/apps/userhelper.if +++ b/refpolicy/policy/modules/apps/userhelper.if @@ -46,7 +46,7 @@ template(`userhelper_per_userdomain_template',` domain_entry_file($1_userhelper_t,userhelper_exec_t) domain_role_change_exemption($1_userhelper_t) domain_obj_id_change_exemption($1_userhelper_t) - domain_wide_inherit_fd($1_userhelper_t) + domain_interactive_fd($1_userhelper_t) domain_subj_id_change_exemption($1_userhelper_t) role system_r types $1_userhelper_t; @@ -95,9 +95,9 @@ template(`userhelper_per_userdomain_template',` corecmd_sbin_domtrans($1_userhelper_t,$2) # Inherit descriptors from the current session. - domain_use_wide_inherit_fd($1_userhelper_t) + domain_use_interactive_fds($1_userhelper_t) # for when the user types "exec userhelper" at the command line - domain_sigchld_wide_inherit_fd($1_userhelper_t) + domain_sigchld_interactive_fds($1_userhelper_t) dev_read_urand($1_userhelper_t) # Read /dev directories and any symbolic links. diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te index 4bb7741..6eb5ad7 100644 --- a/refpolicy/policy/modules/apps/usernetctl.te +++ b/refpolicy/policy/modules/apps/usernetctl.te 
@@ -10,7 +10,7 @@ type usernetctl_t; type usernetctl_exec_t; domain_type(usernetctl_t) domain_entry_file(usernetctl_t,usernetctl_exec_t) -domain_wide_inherit_fd(usernetctl_t) +domain_interactive_fd(usernetctl_t) ######################################## # diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 5da7b89..a432466 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -125,7 +125,7 @@ corecmd_exec_sbin(bootloader_t) corecmd_exec_shell(bootloader_t) domain_exec_all_entry_files(bootloader_t) -domain_use_wide_inherit_fd(bootloader_t) +domain_use_interactive_fds(bootloader_t) files_read_etc_files(bootloader_t) files_exec_etc_files(bootloader_t) @@ -138,7 +138,7 @@ files_dontaudit_search_pids(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) -init_use_script_fd(bootloader_t) +init_use_script_fds(bootloader_t) init_rw_script_pipes(bootloader_t) libs_use_ld_so(bootloader_t) diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 510a0dd..5d84f07 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -133,9 +133,9 @@ interface(`domain_entry_file',` ######################################## # -# domain_wide_inherit_fd(domain) +# domain_interactive_fd(domain) # -interface(`domain_wide_inherit_fd',` +interface(`domain_interactive_fd',` gen_require(` attribute privfd; ') @@ -339,9 +339,9 @@ interface(`domain_cron_exemption_target',` ######################################## # -# domain_use_wide_inherit_fd(domain) +# domain_use_interactive_fds(domain) # -interface(`domain_use_wide_inherit_fd',` +interface(`domain_use_interactive_fds',` gen_require(` attribute privfd; ') 
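Review bot: The interfaces renamed in domain.if (`@@ -133,9` and `@@ -339,9` here, `@@ -351,9` after them) are documented only by a banner comment repeating the name, and the new name no longer signals how broad the grant is. Each requires `attribute privfd`, so they presumably either place a domain in that attribute or grant use of descriptors from every domain in it; the bodies lie outside the hunks, so confirm before documenting. Because this commit has daemons such as `httpd_t` and `named_t` calling `domain_use_interactive_fds`, a summary would help auditors, for example `## <summary>Inherit and use file descriptors from all domains with the privfd attribute.</summary>`, with a matching one on `domain_interactive_fd`. The singular `domain_interactive_fd` also sits oddly next to the plural `_fds` names introduced alongside it; a one-line comment explaining the distinction would prevent confusion.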
@@ -351,9 +351,9 @@ interface(`domain_use_wide_inherit_fd',` ######################################## # -# domain_dontaudit_use_wide_inherit_fd(domain) +# domain_dontaudit_use_interactive_fds(domain) # -interface(`domain_dontaudit_use_wide_inherit_fd',` +interface(`domain_dontaudit_use_interactive_fds',` gen_require(` attribute privfd; ') @@ -373,7 +373,7 @@ interface(`domain_dontaudit_use_wide_inherit_fd',` ## # # cjp: this was added because of newrole -interface(`domain_sigchld_wide_inherit_fd',` +interface(`domain_sigchld_interactive_fds',` gen_require(` attribute privfd; ') diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if index 2280a15..c5a1a7b 100644 --- a/refpolicy/policy/modules/services/apache.if +++ b/refpolicy/policy/modules/services/apache.if @@ -274,7 +274,7 @@ template(`apache_per_userdomain_template', ` apache_content_template($1) typeattribute httpd_$1_content_t httpd_script_domains; - userdom_home_file($1,httpd_$1_content_t) + userdom_user_home_file($1,httpd_$1_content_t) role $3 types httpd_$1_script_t; diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te index 67ef22b..9704b48 100644 --- a/refpolicy/policy/modules/services/apache.te +++ b/refpolicy/policy/modules/services/apache.te @@ -247,7 +247,7 @@ auth_use_nsswitch(httpd_t) corecmd_exec_bin(httpd_t) corecmd_exec_sbin(httpd_t) -domain_use_wide_inherit_fd(httpd_t) +domain_use_interactive_fds(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te index 0e2ba7f..79c914b 100644 --- a/refpolicy/policy/modules/services/apm.te +++ b/refpolicy/policy/modules/services/apm.te @@ -50,7 +50,7 @@ fs_getattr_xattr_fs(apm_t) term_use_all_terms(apm_t) -domain_use_wide_inherit_fd(apm_t) +domain_use_interactive_fds(apm_t) libs_use_ld_so(apm_t) libs_use_shared_libs(apm_t) 
@@ -112,7 +112,7 @@ corecmd_exec_ls(apmd_t) domain_exec_all_entry_files(apmd_t) domain_read_all_domains_state(apmd_t) -domain_use_wide_inherit_fd(apmd_t) +domain_use_interactive_fds(apmd_t) domain_dontaudit_getattr_all_sockets(apmd_t) domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? domain_dontaudit_list_all_domains_state(apmd_t) # Excessive? @@ -145,7 +145,7 @@ modutils_read_module_config(apmd_t) seutil_dontaudit_read_config(apmd_t) -userdom_dontaudit_use_unpriv_user_fd(apmd_t) +userdom_dontaudit_use_unpriv_user_fds(apmd_t) userdom_dontaudit_search_sysadm_home_dir(apmd_t) userdom_dontaudit_search_all_users_home(apmd_t) # Excessive? diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te index bd3a651..871afbd 100644 --- a/refpolicy/policy/modules/services/arpwatch.te +++ b/refpolicy/policy/modules/services/arpwatch.te @@ -70,7 +70,7 @@ term_dontaudit_use_console(arpwatch_t) corecmd_read_sbin_symlinks(arpwatch_t) -domain_use_wide_inherit_fd(arpwatch_t) +domain_use_interactive_fds(arpwatch_t) files_read_etc_files(arpwatch_t) files_read_usr_files(arpwatch_t) @@ -88,7 +88,7 @@ miscfiles_read_localization(arpwatch_t) sysnet_read_config(arpwatch_t) -userdom_dontaudit_use_unpriv_user_fd(arpwatch_t) +userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) userdom_dontaudit_search_sysadm_home_dir(arpwatch_t) mta_send_mail(arpwatch_t) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index ecc8e84..ff2d8f6 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -88,7 +88,7 @@ dev_read_sysfs(automount_t) # for SSP dev_read_urand(automount_t) -domain_use_wide_inherit_fd(automount_t) +domain_use_interactive_fds(automount_t) files_dontaudit_write_var_dirs(automount_t) files_search_var_lib(automount_t) 
@@ -128,7 +128,7 @@ sysnet_dns_name_resolve(automount_t) sysnet_use_ldap(automount_t) sysnet_read_config(automount_t) -userdom_dontaudit_use_unpriv_user_fd(automount_t) +userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_sysadm_home_dir(automount_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te index 7065f36..9dcfe25 100644 --- a/refpolicy/policy/modules/services/avahi.te +++ b/refpolicy/policy/modules/services/avahi.te @@ -60,7 +60,7 @@ fs_search_auto_mountpoints(avahi_t) term_dontaudit_use_console(avahi_t) -domain_use_wide_inherit_fd(avahi_t) +domain_use_interactive_fds(avahi_t) files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) @@ -79,7 +79,7 @@ miscfiles_read_localization(avahi_t) sysnet_read_config(avahi_t) -userdom_dontaudit_use_unpriv_user_fd(avahi_t) +userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_sysadm_home_dir(avahi_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te index 286760e..db63aa8 100644 --- a/refpolicy/policy/modules/services/bind.te +++ b/refpolicy/policy/modules/services/bind.te @@ -125,7 +125,7 @@ term_dontaudit_use_console(named_t) corecmd_search_sbin(named_t) -domain_use_wide_inherit_fd(named_t) +domain_use_interactive_fds(named_t) files_read_etc_files(named_t) files_read_etc_runtime_files(named_t) @@ -142,7 +142,7 @@ miscfiles_read_localization(named_t) sysnet_read_config(named_t) -userdom_dontaudit_use_unpriv_user_fd(named_t) +userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_sysadm_home_dir(named_t) ifdef(`targeted_policy',` @@ -250,7 +250,7 @@ corenet_tcp_connect_rndc_port(ndc_t) fs_getattr_xattr_fs(ndc_t) -domain_use_wide_inherit_fd(ndc_t) +domain_use_interactive_fds(ndc_t) files_read_etc_files(ndc_t) files_search_pids(ndc_t) 
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index 706f5d3..3a2d2e6 100644 --- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -114,7 +114,7 @@ term_use_unallocated_ttys(bluetooth_t) corecmd_exec_bin(bluetooth_t) corecmd_exec_shell(bluetooth_t) -domain_use_wide_inherit_fd(bluetooth_t) +domain_use_interactive_fds(bluetooth_t) files_read_etc_files(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -133,7 +133,7 @@ miscfiles_read_fonts(bluetooth_t) sysnet_read_config(bluetooth_t) -userdom_dontaudit_use_unpriv_user_fd(bluetooth_t) +userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_sysadm_ptys(bluetooth_t) userdom_dontaudit_search_sysadm_home_dir(bluetooth_t) diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te index 57843e8..92f4304 100644 --- a/refpolicy/policy/modules/services/canna.te +++ b/refpolicy/policy/modules/services/canna.te @@ -64,7 +64,7 @@ fs_search_auto_mountpoints(canna_t) term_dontaudit_use_console(canna_t) -domain_use_wide_inherit_fd(canna_t) +domain_use_interactive_fds(canna_t) files_read_etc_files(canna_t) files_read_etc_runtime_files(canna_t) @@ -84,7 +84,7 @@ miscfiles_read_localization(canna_t) sysnet_read_config(canna_t) -userdom_dontaudit_use_unpriv_user_fd(canna_t) +userdom_dontaudit_use_unpriv_user_fds(canna_t) userdom_dontaudit_search_sysadm_home_dir(canna_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te index fc3a485..92cbb0b 100644 --- a/refpolicy/policy/modules/services/cpucontrol.te +++ b/refpolicy/policy/modules/services/cpucontrol.te @@ -41,7 +41,7 @@ fs_search_auto_mountpoints(cpucontrol_t) term_dontaudit_use_console(cpucontrol_t) -domain_use_wide_inherit_fd(cpucontrol_t) +domain_use_interactive_fds(cpucontrol_t) files_list_usr(cpucontrol_t) 
@@ -53,7 +53,7 @@ libs_use_shared_libs(cpucontrol_t) logging_send_syslog_msg(cpucontrol_t) -userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t) +userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(cpucontrol_t) @@ -91,7 +91,7 @@ fs_search_auto_mountpoints(cpuspeed_t) term_dontaudit_use_console(cpuspeed_t) -domain_use_wide_inherit_fd(cpuspeed_t) +domain_use_interactive_fds(cpuspeed_t) files_read_etc_files(cpuspeed_t) files_read_etc_runtime_files(cpuspeed_t) @@ -107,7 +107,7 @@ logging_send_syslog_msg(cpuspeed_t) miscfiles_read_localization(cpuspeed_t) -userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t) +userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(cpuspeed_t) diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index ea8d9e8..12318aa 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if @@ -223,7 +223,7 @@ template(`cron_per_userdomain_template',` corecmd_sbin_domtrans($1_crontab_t,$2) corecmd_shell_domtrans($1_crontab_t,$2) - domain_use_wide_inherit_fd($1_crontab_t) + domain_use_interactive_fds($1_crontab_t) files_read_etc_files($1_crontab_t) files_dontaudit_search_pids($1_crontab_t) @@ -503,7 +503,7 @@ interface(`cron_anacron_domtrans_system_job',` ## ## # -interface(`cron_use_system_job_fd',` +interface(`cron_use_system_job_fds',` gen_require(` type system_crond_t; ') diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index c80201c..5dea9e5 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -24,7 +24,7 @@ gen_require(` type crond_exec_t; ') init_daemon_domain(crond_t,crond_exec_t) -domain_wide_inherit_fd(crond_t) +domain_interactive_fd(crond_t) domain_cron_exemption_source(crond_t) type crond_tmp_t; 
@@ -110,7 +110,7 @@ corecmd_exec_shell(crond_t) corecmd_list_sbin(crond_t) corecmd_read_sbin_symlinks(crond_t) -domain_use_wide_inherit_fd(crond_t) +domain_use_interactive_fds(crond_t) files_read_etc_files(crond_t) files_read_generic_spool(crond_t) @@ -315,7 +315,7 @@ ifdef(`targeted_policy',` files_manage_generic_spool(system_crond_t) init_use_fd(system_crond_t) - init_use_script_fd(system_crond_t) + init_use_script_fds(system_crond_t) init_use_script_ptys(system_crond_t) init_read_utmp(system_crond_t) init_dontaudit_rw_utmp(system_crond_t) diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te index 9d7fc4a..7c30ba5 100644 --- a/refpolicy/policy/modules/services/cups.te +++ b/refpolicy/policy/modules/services/cups.te @@ -158,7 +158,7 @@ corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) corecmd_exec_sbin(cupsd_t) -domain_use_wide_inherit_fd(cupsd_t) +domain_use_interactive_fds(cupsd_t) files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -189,7 +189,7 @@ seutil_dontaudit_read_config(cupsd_t) sysnet_read_config(cupsd_t) -userdom_dontaudit_use_unpriv_user_fd(cupsd_t) +userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home(cupsd_t) # Write to /var/spool/cups. @@ -327,7 +327,7 @@ fs_search_auto_mountpoints(ptal_t) term_dontaudit_use_console(ptal_t) -domain_use_wide_inherit_fd(ptal_t) +domain_use_interactive_fds(ptal_t) files_read_etc_files(ptal_t) files_read_etc_runtime_files(ptal_t) @@ -344,7 +344,7 @@ miscfiles_read_localization(ptal_t) sysnet_read_config(ptal_t) -userdom_dontaudit_use_unpriv_user_fd(ptal_t) +userdom_dontaudit_use_unpriv_user_fds(ptal_t) userdom_dontaudit_search_all_users_home(ptal_t) ifdef(`targeted_policy', ` 
@@ -423,7 +423,7 @@ term_dontaudit_use_console(hplip_t) corecmd_exec_bin(hplip_t) corecmd_search_sbin(hplip_t) -domain_use_wide_inherit_fd(hplip_t) +domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) @@ -441,7 +441,7 @@ miscfiles_read_localization(hplip_t) sysnet_read_config(hplip_t) -userdom_dontaudit_use_unpriv_user_fd(hplip_t) +userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_sysadm_home_dir(hplip_t) lpd_read_config(cupsd_t) @@ -540,7 +540,7 @@ corecmd_exec_bin(cupsd_config_t) corecmd_exec_sbin(cupsd_config_t) corecmd_exec_shell(cupsd_config_t) -domain_use_wide_inherit_fd(cupsd_config_t) +domain_use_interactive_fds(cupsd_config_t) # killall causes the following domain_dontaudit_search_all_domains_state(cupsd_config_t) @@ -562,7 +562,7 @@ seutil_dontaudit_search_config(cupsd_config_t) sysnet_read_config(cupsd_config_t) -userdom_dontaudit_use_unpriv_user_fd(cupsd_config_t) +userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_sysadm_home_dir(cupsd_config_t) ifdef(`distro_redhat',` diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te index 5478fa9..7ca391f 100644 --- a/refpolicy/policy/modules/services/cyrus.te +++ b/refpolicy/policy/modules/services/cyrus.te @@ -85,7 +85,7 @@ term_dontaudit_use_console(cyrus_t) corecmd_exec_bin(cyrus_t) -domain_use_wide_inherit_fd(cyrus_t) +domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) files_read_etc_files(cyrus_t) @@ -105,7 +105,7 @@ miscfiles_read_certs(cyrus_t) sysnet_read_config(cyrus_t) -userdom_dontaudit_use_unpriv_user_fd(cyrus_t) +userdom_dontaudit_use_unpriv_user_fds(cyrus_t) userdom_dontaudit_search_sysadm_home_dir(cyrus_t) userdom_use_unpriv_users_fd(cyrus_t) userdom_use_sysadm_ptys(cyrus_t) diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te index b1ac037..6e80243 100644 
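Review bot: In the cyrus.te hunk at -105,7, the renamed `userdom_dontaudit_use_unpriv_user_fds(cyrus_t)` sits two lines above an unchanged `userdom_use_unpriv_users_fd(cyrus_t)`. Assuming both interfaces cover the same descriptor types, cyrus_t is both granted use of unprivileged users' descriptors and told not to audit denials of it, so one of the two lines is presumably redundant. The allow line also keeps the old `_fd` spelling while every other descriptor interface in this commit moves to `_fds`; whether that interface was renamed is not visible here, so check that the call still resolves. If the grant is not required, remove it and keep only the dontaudit; if it is, drop the dontaudit and mark the allow with `# TODO: confirm cyrus_t needs unprivileged users' fds`. The surrounding policy block starts and ends outside the hunk.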
--- a/refpolicy/policy/modules/services/dbus.te +++ b/refpolicy/policy/modules/services/dbus.te @@ -87,7 +87,7 @@ corecmd_read_sbin_pipes(system_dbusd_t) corecmd_read_sbin_sockets(system_dbusd_t) corecmd_exec_sbin(system_dbusd_t) -domain_use_wide_inherit_fd(system_dbusd_t) +domain_use_interactive_fds(system_dbusd_t) files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) @@ -107,7 +107,7 @@ seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) seutil_sigchld_newrole(system_dbusd_t) -userdom_dontaudit_use_unpriv_user_fd(system_dbusd_t) +userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_sysadm_home_dir(system_dbusd_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te index 18a570f..6f12f4c 100644 --- a/refpolicy/policy/modules/services/dhcp.te +++ b/refpolicy/policy/modules/services/dhcp.te @@ -82,7 +82,7 @@ term_dontaudit_use_console(dhcpd_t) corecmd_exec_bin(dhcpd_t) corecmd_exec_sbin(dhcpd_t) -domain_use_wide_inherit_fd(dhcpd_t) +domain_use_interactive_fds(dhcpd_t) files_read_etc_files(dhcpd_t) files_read_usr_files(dhcpd_t) @@ -102,7 +102,7 @@ miscfiles_read_localization(dhcpd_t) sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) -userdom_dontaudit_use_unpriv_user_fd(dhcpd_t) +userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_sysadm_home_dir(dhcpd_t) ifdef(`distro_gentoo',` diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te index 0095f29..d79bf4f 100644 --- a/refpolicy/policy/modules/services/dictd.te +++ b/refpolicy/policy/modules/services/dictd.te @@ -58,7 +58,7 @@ fs_search_auto_mountpoints(dictd_t) term_dontaudit_use_console(dictd_t) -domain_use_wide_inherit_fd(dictd_t) +domain_use_interactive_fds(dictd_t) files_read_etc_files(dictd_t) files_read_etc_runtime_files(dictd_t) 
@@ -79,7 +79,7 @@ miscfiles_read_localization(dictd_t) sysnet_read_config(dictd_t) -userdom_dontaudit_use_unpriv_user_fd(dictd_t) +userdom_dontaudit_use_unpriv_user_fds(dictd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(dictd_t) diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te index ed88675..b4abd00 100644 --- a/refpolicy/policy/modules/services/distcc.te +++ b/refpolicy/policy/modules/services/distcc.te @@ -68,7 +68,7 @@ term_dontaudit_use_console(distccd_t) corecmd_exec_bin(distccd_t) corecmd_read_sbin_symlinks(distccd_t) -domain_use_wide_inherit_fd(distccd_t) +domain_use_interactive_fds(distccd_t) files_read_etc_files(distccd_t) files_read_etc_runtime_files(distccd_t) @@ -86,7 +86,7 @@ miscfiles_read_localization(distccd_t) sysnet_read_config(distccd_t) -userdom_dontaudit_use_unpriv_user_fd(distccd_t) +userdom_dontaudit_use_unpriv_user_fds(distccd_t) userdom_dontaudit_search_sysadm_home_dir(distccd_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index 6dd4f3d..d1d8add 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -90,7 +90,7 @@ term_dontaudit_use_console(dovecot_t) corecmd_exec_bin(dovecot_t) -domain_use_wide_inherit_fd(dovecot_t) +domain_use_interactive_fds(dovecot_t) files_read_etc_files(dovecot_t) files_search_spool(dovecot_t) @@ -112,7 +112,7 @@ miscfiles_read_localization(dovecot_t) sysnet_read_config(dovecot_t) sysnet_use_ldap(dovecot_auth_t) -userdom_dontaudit_use_unpriv_user_fd(dovecot_t) +userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dir(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te index bd72615..07fc423 100644 --- a/refpolicy/policy/modules/services/fetchmail.te 
+++ b/refpolicy/policy/modules/services/fetchmail.te @@ -74,7 +74,7 @@ fs_search_auto_mountpoints(fetchmail_t) term_dontaudit_use_console(fetchmail_t) -domain_use_wide_inherit_fd(fetchmail_t) +domain_use_interactive_fds(fetchmail_t) init_use_fd(fetchmail_t) init_use_script_ptys(fetchmail_t) @@ -89,7 +89,7 @@ miscfiles_read_certs(fetchmail_t) sysnet_read_config(fetchmail_t) -userdom_dontaudit_use_unpriv_user_fd(fetchmail_t) +userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) userdom_dontaudit_search_sysadm_home_dir(fetchmail_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te index 4f65524..0764b3f 100644 --- a/refpolicy/policy/modules/services/finger.te +++ b/refpolicy/policy/modules/services/finger.te @@ -75,7 +75,7 @@ corecmd_exec_bin(fingerd_t) corecmd_exec_sbin(fingerd_t) corecmd_exec_shell(fingerd_t) -domain_use_wide_inherit_fd(fingerd_t) +domain_use_interactive_fds(fingerd_t) files_search_home(fingerd_t) files_read_etc_files(fingerd_t) @@ -97,12 +97,12 @@ sysnet_read_config(fingerd_t) miscfiles_read_localization(fingerd_t) -userdom_read_unpriv_user_home_files(fingerd_t) -userdom_dontaudit_use_unpriv_user_fd(fingerd_t) +userdom_read_unpriv_users_home_files(fingerd_t) +userdom_dontaudit_use_unpriv_user_fds(fingerd_t) userdom_dontaudit_search_sysadm_home_dir(fingerd_t) # stop it accessing sub-directories, prevents checking a Maildir for new mail, # have to change this when we create a type for Maildir -userdom_dontaudit_search_user_home_dirs(fingerd_t) +userdom_dontaudit_search_generic_user_home_dirs(fingerd_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(fingerd_t) diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te index 54001cc..bb23ecb 100644 --- a/refpolicy/policy/modules/services/ftp.te +++ b/refpolicy/policy/modules/services/ftp.te 
@@ -92,7 +92,7 @@ corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_generic_port(ftpd_t) corenet_tcp_connect_all_ports(ftpd_t) -domain_use_wide_inherit_fd(ftpd_t) +domain_use_interactive_fds(ftpd_t) files_search_etc(ftpd_t) files_read_etc_files(ftpd_t) @@ -127,7 +127,7 @@ seutil_dontaudit_search_config(ftpd_t) sysnet_read_config(ftpd_t) userdom_dontaudit_search_sysadm_home_dir(ftpd_t) -userdom_dontaudit_use_unpriv_user_fd(ftpd_t) +userdom_dontaudit_use_unpriv_user_fds(ftpd_t) ifdef(`targeted_policy',` files_dontaudit_read_root_files(ftpd_t) @@ -153,10 +153,10 @@ tunable_policy(`allow_ftpd_anon_write',` tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) - userdom_read_all_user_files(ftpd_t) - userdom_manage_all_user_dirs(ftpd_t) - userdom_manage_all_user_files(ftpd_t) - userdom_manage_all_user_symlinks(ftpd_t) + userdom_read_all_users_home_files(ftpd_t) + userdom_manage_all_users_home_dirs(ftpd_t) + userdom_manage_all_users_home_files(ftpd_t) + userdom_manage_all_users_home_symlinks(ftpd_t) ifdef(`targeted_policy',` userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file }) diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te index 8000c4e..a485568 100644 --- a/refpolicy/policy/modules/services/gpm.te +++ b/refpolicy/policy/modules/services/gpm.te @@ -63,7 +63,7 @@ fs_search_auto_mountpoints(gpm_t) term_use_unallocated_ttys(gpm_t) term_dontaudit_use_console(gpm_t) -domain_use_wide_inherit_fd(gpm_t) +domain_use_interactive_fds(gpm_t) init_use_fd(gpm_t) init_use_script_ptys(gpm_t) @@ -75,7 +75,7 @@ logging_send_syslog_msg(gpm_t) miscfiles_read_localization(gpm_t) -userdom_dontaudit_use_unpriv_user_fd(gpm_t) +userdom_dontaudit_use_unpriv_user_fds(gpm_t) userdom_dontaudit_search_sysadm_home_dir(gpm_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te index a060299..29ba45d 100644 
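Review bot: In the ftp.te hunk at -153,10, the comment `# allow access to /home` understates what the renamed calls grant. With `ftp_home_dir` enabled, ftpd_t gets the `userdom_manage_all_users_home_dirs`, `_files` and `_symlinks` interfaces, which by their names cover every user's home content rather than only the logged-in user's. I would replace the comment with `# ftp_home_dir: ftpd_t may read and manage dirs, files and symlinks in all users' home directories`. The `userdom_read_all_users_home_files(ftpd_t)` call is probably already covered by the manage interface and could be dropped after checking the interface definitions, which are not in this hunk. The `tunable_policy` block continues past the end of the hunk.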
--- a/refpolicy/policy/modules/services/hal.te +++ b/refpolicy/policy/modules/services/hal.te @@ -78,7 +78,7 @@ dev_manage_generic_chr_files(hald_t) # hal is now execing pm-suspend dev_rw_sysfs(hald_t) -domain_use_wide_inherit_fd(hald_t) +domain_use_interactive_fds(hald_t) domain_exec_all_entry_files(hald_t) files_exec_etc_files(hald_t) @@ -140,7 +140,7 @@ seutil_read_default_contexts(hald_t) sysnet_read_config(hald_t) -userdom_dontaudit_use_unpriv_user_fd(hald_t) +userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_sysadm_home_dir(hald_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te index 8f7e2e4..fb388d1 100644 --- a/refpolicy/policy/modules/services/howl.te +++ b/refpolicy/policy/modules/services/howl.te @@ -56,7 +56,7 @@ fs_search_auto_mountpoints(howl_t) term_dontaudit_use_console(howl_t) -domain_use_wide_inherit_fd(howl_t) +domain_use_interactive_fds(howl_t) files_read_etc_files(howl_t) @@ -73,7 +73,7 @@ miscfiles_read_localization(howl_t) sysnet_read_config(howl_t) -userdom_dontaudit_use_unpriv_user_fd(howl_t) +userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_search_sysadm_home_dir(howl_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te index 200b14e..d279f8f 100644 --- a/refpolicy/policy/modules/services/i18n_input.te +++ b/refpolicy/policy/modules/services/i18n_input.te @@ -63,7 +63,7 @@ corecmd_search_sbin(i18n_input_t) corecmd_search_bin(i18n_input_t) corecmd_exec_bin(i18n_input_t) -domain_use_wide_inherit_fd(i18n_input_t) +domain_use_interactive_fds(i18n_input_t) files_read_etc_files(i18n_input_t) files_read_etc_runtime_files(i18n_input_t) 
@@ -82,9 +82,9 @@ miscfiles_read_localization(i18n_input_t) sysnet_read_config(i18n_input_t) -userdom_dontaudit_use_unpriv_user_fd(i18n_input_t) +userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) userdom_dontaudit_search_sysadm_home_dir(i18n_input_t) -userdom_read_unpriv_user_home_files(i18n_input_t) +userdom_read_unpriv_users_home_files(i18n_input_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys(i18n_input_t) diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 883e913..3bfecd8 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -102,7 +102,7 @@ term_dontaudit_use_console(inetd_t) corecmd_search_bin(inetd_t) corecmd_read_sbin_symlinks(inetd_t) -domain_use_wide_inherit_fd(inetd_t) +domain_use_interactive_fds(inetd_t) files_read_etc_files(inetd_t) @@ -118,7 +118,7 @@ miscfiles_read_localization(inetd_t) sysnet_read_config(inetd_t) -userdom_dontaudit_use_unpriv_user_fd(inetd_t) +userdom_dontaudit_use_unpriv_user_fds(inetd_t) userdom_dontaudit_search_sysadm_home_dir(inetd_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te index c857d67..5a65b0d 100644 --- a/refpolicy/policy/modules/services/inn.te +++ b/refpolicy/policy/modules/services/inn.te @@ -90,7 +90,7 @@ corecmd_exec_shell(innd_t) corecmd_search_sbin(innd_t) corecmd_read_sbin_symlinks(innd_t) -domain_use_wide_inherit_fd(innd_t) +domain_use_interactive_fds(innd_t) files_list_spool(innd_t) files_read_etc_files(innd_t) @@ -111,7 +111,7 @@ seutil_dontaudit_search_config(innd_t) sysnet_read_config(innd_t) -userdom_dontaudit_use_unpriv_user_fd(innd_t) +userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_sysadm_home_dir(innd_t) mta_send_mail(innd_t) diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te index 5bd6bb8..9273682 100644 
--- a/refpolicy/policy/modules/services/irqbalance.te +++ b/refpolicy/policy/modules/services/irqbalance.te @@ -39,7 +39,7 @@ fs_search_auto_mountpoints(irqbalance_t) term_dontaudit_use_console(irqbalance_t) -domain_use_wide_inherit_fd(irqbalance_t) +domain_use_interactive_fds(irqbalance_t) init_use_fd(irqbalance_t) init_use_script_ptys(irqbalance_t) @@ -51,7 +51,7 @@ logging_send_syslog_msg(irqbalance_t) miscfiles_read_localization(irqbalance_t) -userdom_dontaudit_use_unpriv_user_fd(irqbalance_t) +userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_sysadm_home_dir(irqbalance_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te index 21e2f0c..482827d 100644 --- a/refpolicy/policy/modules/services/kerberos.te +++ b/refpolicy/policy/modules/services/kerberos.te @@ -112,7 +112,7 @@ fs_search_auto_mountpoints(kadmind_t) term_dontaudit_use_console(kadmind_t) -domain_use_wide_inherit_fd(kadmind_t) +domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -128,7 +128,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) -userdom_dontaudit_use_unpriv_user_fd(kadmind_t) +userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dir(kadmind_t) ifdef(`targeted_policy', ` @@ -212,7 +212,7 @@ fs_search_auto_mountpoints(krb5kdc_t) term_dontaudit_use_console(krb5kdc_t) -domain_use_wide_inherit_fd(krb5kdc_t) +domain_use_interactive_fds(krb5kdc_t) files_read_etc_files(krb5kdc_t) @@ -228,7 +228,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) -userdom_dontaudit_use_unpriv_user_fd(krb5kdc_t) +userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dir(krb5kdc_t) ifdef(`targeted_policy', ` diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te index b8e97f7..6c4ddfc 100644 
--- a/refpolicy/policy/modules/services/ldap.te +++ b/refpolicy/policy/modules/services/ldap.te @@ -100,7 +100,7 @@ fs_search_auto_mountpoints(slapd_t) term_dontaudit_use_console(slapd_t) -domain_use_wide_inherit_fd(slapd_t) +domain_use_interactive_fds(slapd_t) files_read_etc_files(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -120,7 +120,7 @@ miscfiles_read_localization(slapd_t) sysnet_read_config(slapd_t) -userdom_dontaudit_use_unpriv_user_fd(slapd_t) +userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_sysadm_home_dir(slapd_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/lpd.if b/refpolicy/policy/modules/services/lpd.if index 7dbb55d..7f22955 100644 --- a/refpolicy/policy/modules/services/lpd.if +++ b/refpolicy/policy/modules/services/lpd.if @@ -125,7 +125,7 @@ template(`lpd_per_userdomain_template',` # for /dev/null dev_list_all_dev_nodes($1_lpr_t) - domain_use_wide_inherit_fd($1_lpr_t) + domain_use_interactive_fds($1_lpr_t) files_search_spool($1_lpr_t) # for lpd config files (should have a new type) @@ -234,7 +234,7 @@ template(`lpr_admin_template',` type $1_lpr_t; ') - userdom_read_all_user_files($1_lpr_t) + userdom_read_all_users_home_files($1_lpr_t) # Allow per user lpr domain read acces for specific user. tunable_policy(`read_untrusted_content',` diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te index 856bbd5..265095c 100644 --- a/refpolicy/policy/modules/services/lpd.te +++ b/refpolicy/policy/modules/services/lpd.te @@ -85,7 +85,7 @@ corecmd_exec_shell(checkpc_t) corecmd_exec_bin(checkpc_t) corecmd_search_sbin(checkpc_t) -domain_use_wide_inherit_fd(checkpc_t) +domain_use_interactive_fds(checkpc_t) files_read_etc_files(checkpc_t) files_read_etc_runtime_files(checkpc_t) 
@@ -187,7 +187,7 @@ corecmd_exec_bin(lpd_t) corecmd_exec_sbin(lpd_t) corecmd_exec_shell(lpd_t) -domain_use_wide_inherit_fd(lpd_t) +domain_use_interactive_fds(lpd_t) files_read_etc_runtime_files(lpd_t) files_read_usr_files(lpd_t) @@ -214,7 +214,7 @@ miscfiles_read_localization(lpd_t) sysnet_read_config(lpd_t) -userdom_dontaudit_use_unpriv_user_fd(lpd_t) +userdom_dontaudit_use_unpriv_user_fds(lpd_t) userdom_dontaudit_search_sysadm_home_dir(lpd_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index ced22de..6b60171 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -208,7 +208,7 @@ template(`mta_per_userdomain_template',` allow $2 mailserver_domain:tcp_socket { connectto recvfrom }; allow mailserver_domain $2:tcp_socket { acceptfrom recvfrom }; - domain_use_wide_inherit_fd($1_mail_t) + domain_use_interactive_fds($1_mail_t) userdom_use_user_terminals($1,$1_mail_t) # Write to the user domain tty. cjp: why? @@ -279,7 +279,7 @@ template(`mta_admin_template',` ifdef(`strict_policy',` # allow the sysadmin to do "mail someone < /home/user/whatever" - userdom_read_unpriv_user_home_files($1_mail_t) + userdom_read_unpriv_users_home_files($1_mail_t) ') optional_policy(`postfix',` diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 7312d55..b7f2cf1 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -142,7 +142,7 @@ optional_policy(`postfix',` allow system_mail_t etc_aliases_t:fifo_file create_file_perms; files_filetrans_etc(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) - domain_use_wide_inherit_fd(system_mail_t) + domain_use_interactive_fds(system_mail_t) # postfix needs this for newaliases files_getattr_tmp_dirs(system_mail_t) 
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te index 49ef70f..aa6dc58 100644 --- a/refpolicy/policy/modules/services/mysql.te +++ b/refpolicy/policy/modules/services/mysql.te @@ -86,7 +86,7 @@ fs_search_auto_mountpoints(mysqld_t) term_dontaudit_use_console(mysqld_t) -domain_use_wide_inherit_fd(mysqld_t) +domain_use_interactive_fds(mysqld_t) files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) @@ -106,7 +106,7 @@ miscfiles_read_localization(mysqld_t) sysnet_read_config(mysqld_t) -userdom_dontaudit_use_unpriv_user_fd(mysqld_t) +userdom_dontaudit_use_unpriv_user_fds(mysqld_t) # for /root/.my.cnf - should not be needed: userdom_read_sysadm_home_files(mysqld_t) diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te index 6613400..189b266 100644 --- a/refpolicy/policy/modules/services/networkmanager.te +++ b/refpolicy/policy/modules/services/networkmanager.te @@ -72,7 +72,7 @@ corecmd_exec_bin(NetworkManager_t) corecmd_exec_sbin(NetworkManager_t) corecmd_exec_ls(NetworkManager_t) -domain_use_wide_inherit_fd(NetworkManager_t) +domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) files_read_etc_files(NetworkManager_t) @@ -105,7 +105,7 @@ sysnet_search_dhcp_state(NetworkManager_t) sysnet_manage_config(NetworkManager_t) sysnet_filetrans_config(NetworkManager_t) -userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t) +userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 8492ba4..590597a 100644 --- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te 
@@ -94,7 +94,7 @@ fs_search_auto_mountpoints(ypbind_t) term_dontaudit_use_console(ypbind_t) -domain_use_wide_inherit_fd(ypbind_t) +domain_use_interactive_fds(ypbind_t) files_read_etc_files(ypbind_t) files_list_var(ypbind_t) @@ -112,7 +112,7 @@ miscfiles_read_localization(ypbind_t) sysnet_read_config(ypbind_t) -userdom_dontaudit_use_unpriv_user_fd(ypbind_t) +userdom_dontaudit_use_unpriv_user_fds(ypbind_t) userdom_dontaudit_search_sysadm_home_dir(ypbind_t) portmap_udp_send(ypbind_t) @@ -194,7 +194,7 @@ corecmd_exec_bin(yppasswdd_t) corecmd_exec_shell(yppasswdd_t) corecmd_search_sbin(yppasswdd_t) -domain_use_wide_inherit_fd(yppasswdd_t) +domain_use_interactive_fds(yppasswdd_t) files_read_etc_files(yppasswdd_t) files_read_etc_runtime_files(yppasswdd_t) @@ -213,7 +213,7 @@ miscfiles_read_localization(yppasswdd_t) sysnet_read_config(yppasswdd_t) -userdom_dontaudit_use_unpriv_user_fd(yppasswdd_t) +userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) userdom_dontaudit_search_sysadm_home_dir(yppasswdd_t) portmap_udp_send(yppasswdd_t) @@ -291,7 +291,7 @@ term_dontaudit_use_console(ypserv_t) corecmd_exec_bin(ypserv_t) -domain_use_wide_inherit_fd(ypserv_t) +domain_use_interactive_fds(ypserv_t) files_read_var_files(ypserv_t) @@ -308,7 +308,7 @@ miscfiles_read_localization(ypserv_t) sysnet_read_config(ypserv_t) -userdom_dontaudit_use_unpriv_user_fd(ypserv_t) +userdom_dontaudit_use_unpriv_user_fds(ypserv_t) userdom_dontaudit_search_sysadm_home_dir(ypserv_t) portmap_udp_send(ypserv_t) diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te index 557259c..1fbb726 100644 --- a/refpolicy/policy/modules/services/nscd.te +++ b/refpolicy/policy/modules/services/nscd.te 
@@ -88,7 +88,7 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) -domain_use_wide_inherit_fd(nscd_t) +domain_use_interactive_fds(nscd_t) files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) @@ -110,7 +110,7 @@ seutil_sigchld_newrole(nscd_t) sysnet_read_config(nscd_t) -userdom_dontaudit_use_unpriv_user_fd(nscd_t) +userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_sysadm_home_dir(nscd_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te index 4b8bcb3..990ff20 100644 --- a/refpolicy/policy/modules/services/ntp.te +++ b/refpolicy/policy/modules/services/ntp.te @@ -91,7 +91,7 @@ corecmd_exec_sbin(ntpd_t) corecmd_exec_ls(ntpd_t) corecmd_exec_shell(ntpd_t) -domain_use_wide_inherit_fd(ntpd_t) +domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_files(ntpd_t) @@ -112,7 +112,7 @@ miscfiles_read_localization(ntpd_t) sysnet_read_config(ntpd_t) -userdom_dontaudit_use_unpriv_user_fd(ntpd_t) +userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_sysadm_home_dir(ntpd_t) userdom_dontaudit_list_sysadm_home_dir(ntpd_t) diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te index 6e87759..3c10585 100644 --- a/refpolicy/policy/modules/services/openct.te +++ b/refpolicy/policy/modules/services/openct.te @@ -33,7 +33,7 @@ dev_read_sysfs(openct_t) # openct asks for this dev_rw_usbfs(openct_t) -domain_use_wide_inherit_fd(openct_t) +domain_use_interactive_fds(openct_t) # openct asks for this files_read_etc_files(openct_t) 
@@ -53,7 +53,7 @@ logging_send_syslog_msg(openct_t)
 miscfiles_read_localization(openct_t)
-userdom_dontaudit_use_unpriv_user_fd(openct_t)
+userdom_dontaudit_use_unpriv_user_fds(openct_t)
 userdom_dontaudit_search_sysadm_home_dir(openct_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index a98889b..a7805de 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -89,7 +89,7 @@ term_dontaudit_use_console(pegasus_t)
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
-domain_use_wide_inherit_fd(pegasus_t)
+domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 files_read_etc_files(pegasus_t)
@@ -108,7 +108,7 @@ miscfiles_read_localization(pegasus_t)
 sysnet_read_config(pegasus_t)
-userdom_dontaudit_use_unpriv_user_fd(pegasus_t)
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dir(pegasus_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index db41eac..aca993b 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -76,7 +76,7 @@ fs_search_auto_mountpoints(portmap_t)
 term_dontaudit_use_console(portmap_t)
-domain_use_wide_inherit_fd(portmap_t)
+domain_use_interactive_fds(portmap_t)
 files_read_etc_files(portmap_t)
@@ -94,7 +94,7 @@ miscfiles_read_localization(portmap_t)
 sysnet_read_config(portmap_t)
-userdom_dontaudit_use_unpriv_user_fd(portmap_t)
+userdom_dontaudit_use_unpriv_user_fds(portmap_t)
 userdom_dontaudit_search_sysadm_home_dir(portmap_t)
 ifdef(`targeted_policy', `
@@ -181,7 +181,7 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
 corenet_tcp_connect_all_ports(portmap_helper_t)
-domain_dontaudit_use_wide_inherit_fd(portmap_helper_t)
+domain_dontaudit_use_interactive_fds(portmap_helper_t)
 files_read_etc_files(portmap_helper_t)
 files_rw_generic_pids(portmap_helper_t)
@@ -195,7 +195,7 @@ logging_send_syslog_msg(portmap_helper_t)
 sysnet_read_config(portmap_helper_t)
-userdom_dontaudit_use_all_user_fd(portmap_helper_t)
+userdom_dontaudit_use_all_users_fds(portmap_helper_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 446282e..d3c86c2 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -83,7 +83,7 @@ template(`postfix_domain_template',`
 miscfiles_read_localization(postfix_$1_t)
 miscfiles_read_certs(postfix_$1_t)
- userdom_dontaudit_use_unpriv_user_fd(postfix_$1_t)
+ userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(postfix_$1_t)
@@ -151,7 +151,7 @@ template(`postfix_user_domain_template',`
 allow postfix_$1_t postfix_user_domtrans:fifo_file rw_file_perms;
 allow postfix_$1_t postfix_user_domtrans:process sigchld;
- domain_use_wide_inherit_fd(postfix_$1_t)
+ domain_use_interactive_fds(postfix_$1_t)
 ')
 template(`postfix_per_userdomain_template',`
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index b323e6d..31794c4 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -157,7 +157,7 @@ corecmd_exec_sbin(postfix_master_t)
 corecmd_exec_shell(postfix_master_t)
 corecmd_exec_bin(postfix_master_t)
-domain_use_wide_inherit_fd(postfix_master_t)
+domain_use_interactive_fds(postfix_master_t)
 files_read_usr_files(postfix_master_t)
@@ -440,7 +440,7 @@ ifdef(`targeted_policy', `
 optional_policy(`crond',`
 cron_use_fd(postfix_postdrop_t)
 cron_rw_pipes(postfix_postdrop_t)
- cron_use_system_job_fd(postfix_postdrop_t)
+ cron_use_system_job_fds(postfix_postdrop_t)
 cron_rw_system_job_pipes(postfix_postdrop_t)
 ')
@@ -482,7 +482,7 @@ term_use_all_user_ptys(postfix_postqueue_t)
 term_use_all_user_ttys(postfix_postqueue_t)
 init_sigchld_script(postfix_postqueue_t)
-init_use_script_fd(postfix_postqueue_t)
+init_use_script_fds(postfix_postqueue_t)
 sysnet_dontaudit_read_config(postfix_postqueue_t)
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 06769c8..477b642 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -113,7 +113,7 @@ corecmd_exec_sbin(postgresql_t)
 corecmd_exec_shell(postgresql_t)
 domain_dontaudit_list_all_domains_state(postgresql_t)
-domain_use_wide_inherit_fd(postgresql_t)
+domain_use_interactive_fds(postgresql_t)
 files_dontaudit_search_home(postgresql_t)
 files_manage_etc_files(postgresql_t)
@@ -138,7 +138,7 @@ sysnet_read_config(postgresql_t)
 userdom_dontaudit_search_sysadm_home_dir(postgresql_t)
 userdom_dontaudit_use_sysadm_ttys(postgresql_t)
-userdom_dontaudit_use_unpriv_user_fd(postgresql_t)
+userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 mta_getattr_spool(postgresql_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 93ebf4d..941f901 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -146,7 +146,7 @@ corecmd_exec_bin(pppd_t)
 corecmd_exec_sbin(pppd_t)
 corecmd_exec_shell(pppd_t)
-domain_use_wide_inherit_fd(pppd_t)
+domain_use_interactive_fds(pppd_t)
 files_exec_etc_files(pppd_t)
 files_read_etc_runtime_files(pppd_t)
@@ -169,12 +169,12 @@ sysnet_read_config(pppd_t)
 sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
-userdom_dontaudit_use_unpriv_user_fd(pppd_t)
+userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 userdom_dontaudit_search_sysadm_home_dir(pppd_t)
 # for ~/.ppprc - if it actually exists then you need some policy to read it
 #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
 userdom_search_sysadm_home_dir(pppd_t)
-userdom_search_unpriv_user_home_dirs(pppd_t)
+userdom_search_unpriv_users_home_dirs(pppd_t)
 ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_ttys(pppd_t)
@@ -279,7 +279,7 @@ term_ioctl_generic_ptys(pptp_t)
 term_search_ptys(pptp_t)
 term_use_ptmx(pptp_t)
-domain_use_wide_inherit_fd(pptp_t)
+domain_use_interactive_fds(pptp_t)
 init_use_fd(pptp_t)
 init_use_script_ptys(pptp_t)
@@ -293,7 +293,7 @@ miscfiles_read_localization(pptp_t)
 sysnet_read_config(pptp_t)
-userdom_dontaudit_use_unpriv_user_fd(pptp_t)
+userdom_dontaudit_use_unpriv_user_fds(pptp_t)
 userdom_dontaudit_search_sysadm_home_dir(pptp_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index c007c93..00d5514 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -59,7 +59,7 @@ fs_search_auto_mountpoints(privoxy_t)
 term_dontaudit_use_console(privoxy_t)
-domain_use_wide_inherit_fd(privoxy_t)
+domain_use_interactive_fds(privoxy_t)
 files_read_etc_files(privoxy_t)
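Review bot: The two names introduced in the pppd_t hunk at -169,12 disagree on number: `userdom_dontaudit_use_unpriv_user_fds(pppd_t)` keeps the singular `unpriv_user`, while `userdom_search_unpriv_users_home_dirs(pppd_t)` further down switches to `unpriv_users`. The same split runs through the rest of the commit (`userdom_setattr_unpriv_users_ptys`, `userdom_read_unpriv_users_tmp_files` against every `userdom_dontaudit_use_unpriv_user_fds`). Since the purpose of the change is a uniform naming scheme, I would use `unpriv_users` for the fd interface too, i.e. `userdom_dontaudit_use_unpriv_users_fds(pppd_t)`, with the interface definition (not part of this section of the diff) renamed to match.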
@@ -75,7 +75,7 @@ miscfiles_read_localization(privoxy_t)
 sysnet_dns_name_resolve(privoxy_t)
-userdom_dontaudit_use_unpriv_user_fd(privoxy_t)
+userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
 userdom_dontaudit_search_sysadm_home_dir(privoxy_t)
 # cjp: this should really not be needed
 userdom_use_sysadm_terms(privoxy_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index e116279..6ee1d51 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -80,7 +80,7 @@ corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
 corecmd_search_sbin(radiusd_t)
-domain_use_wide_inherit_fd(radiusd_t)
+domain_use_interactive_fds(radiusd_t)
 files_read_usr_files(radiusd_t)
 files_read_etc_files(radiusd_t)
@@ -99,7 +99,7 @@ miscfiles_read_localization(radiusd_t)
 sysnet_read_config(radiusd_t)
-userdom_dontaudit_use_unpriv_user_fd(radiusd_t)
+userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 userdom_dontaudit_search_sysadm_home_dir(radiusd_t)
 userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index f97dfe7..7a6fb7c 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -58,7 +58,7 @@ fs_search_auto_mountpoints(radvd_t)
 term_dontaudit_use_console(radvd_t)
-domain_use_wide_inherit_fd(radvd_t)
+domain_use_interactive_fds(radvd_t)
 files_read_etc_files(radvd_t)
 files_list_usr(radvd_t)
@@ -75,7 +75,7 @@ miscfiles_read_localization(radvd_t)
 sysnet_read_config(radvd_t)
-userdom_dontaudit_use_unpriv_user_fd(radvd_t)
+userdom_dontaudit_use_unpriv_user_fds(radvd_t)
 userdom_dontaudit_search_sysadm_home_dir(radvd_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index c24f18b..913ad87 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -40,7 +40,7 @@ fs_search_auto_mountpoints(rdisc_t)
 term_dontaudit_use_console(rdisc_t)
-domain_use_wide_inherit_fd(rdisc_t)
+domain_use_interactive_fds(rdisc_t)
 files_read_etc_files(rdisc_t)
@@ -54,7 +54,7 @@ logging_send_syslog_msg(rdisc_t)
 sysnet_read_config(rdisc_t)
-userdom_dontaudit_use_unpriv_user_fd(rdisc_t)
+userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(rdisc_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 8aa512e..675e8f5 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -11,7 +11,7 @@ domain_obj_id_change_exemption(remote_login_t)
 domain_subj_id_change_exemption(remote_login_t)
 domain_role_change_exemption(remote_login_t)
 domain_type(remote_login_t)
-domain_wide_inherit_fd(remote_login_t)
+domain_interactive_fd(remote_login_t)
 auth_login_entry_type(remote_login_t)
 role system_r types remote_login_t;
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index fe539fc..31655e7 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -88,9 +88,9 @@ seutil_dontaudit_search_config(rlogind_t)
 sysnet_read_config(rlogind_t)
-userdom_setattr_unpriv_user_pty(rlogind_t)
+userdom_setattr_unpriv_users_ptys(rlogind_t)
 # cjp: this is egregious
-userdom_read_all_user_files(rlogind_t)
+userdom_read_all_users_home_files(rlogind_t)
 remotelogin_domtrans(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index 2cbbba7..1a04c2e 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
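Review bot: In the rlogin.te hunk the comment `# cjp: this is egregious` sits above `userdom_read_all_users_home_files(rlogind_t)`, and neither the comment nor the new name says which files rlogind actually has to read. By its name the interface lets a network-facing login daemon read every user's home files, so the comment should record the reason and the intended narrowing, for example `# cjp: this is egregious; rlogind presumably only needs the per-user rhosts files - TODO restrict once a narrower interface exists`. The rhosts assumption is inferred rather than visible in the hunk and should be confirmed before it is written down.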
@@ -62,7 +62,7 @@ corenet_tcp_connect_smtp_port(roundup_t)
 # /usr/share/mysql/charsets/Index.xml
 dev_read_urand(roundup_t)
-domain_use_wide_inherit_fd(roundup_t)
+domain_use_interactive_fds(roundup_t)
 # /usr/share/mysql/charsets/Index.xml
 files_read_usr_files(roundup_t)
@@ -85,7 +85,7 @@ miscfiles_read_localization(roundup_t)
 sysnet_read_config(roundup_t)
-userdom_dontaudit_use_unpriv_user_fd(roundup_t)
+userdom_dontaudit_use_unpriv_user_fds(roundup_t)
 userdom_dontaudit_search_sysadm_home_dir(roundup_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 5aa7fb8..7beabd4 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -25,7 +25,7 @@ template(`rpc_domain_template', `
 type $1_t;
 type $1_exec_t;
 init_daemon_domain($1_t,$1_exec_t)
- domain_use_wide_inherit_fd($1_t)
+ domain_use_interactive_fds($1_t)
 ####################################
 #
@@ -93,7 +93,7 @@ template(`rpc_domain_template', `
 sysnet_read_config($1_t)
- userdom_dontaudit_use_unpriv_user_fd($1_t)
+ userdom_dontaudit_use_unpriv_user_fds($1_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys($1_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index cf3114b..2611e71 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -143,9 +143,9 @@ files_read_generic_tmp_files(gssd_t)
 files_read_generic_tmp_symlinks(gssd_t)
 tunable_policy(`allow_gssd_read_tmp',`
- userdom_list_unpriv_user_tmp(gssd_t)
- userdom_read_unpriv_user_tmp_files(gssd_t)
- userdom_read_unpriv_user_tmp_symlinks(gssd_t)
+ userdom_list_unpriv_users_tmp(gssd_t)
+ userdom_read_unpriv_users_tmp_files(gssd_t)
+ userdom_read_unpriv_users_tmp_symlinks(gssd_t)
 ')
 optional_policy(`kerberos',`
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 070be06..25dc988 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -126,7 +126,7 @@ corenet_tcp_connect_smbd_port(samba_net_t)
 dev_read_urand(samba_net_t)
-domain_use_wide_inherit_fd(samba_net_t)
+domain_use_interactive_fds(samba_net_t)
 files_read_etc_files(samba_net_t)
@@ -258,7 +258,7 @@ term_dontaudit_use_console(smbd_t)
 auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
-domain_use_wide_inherit_fd(smbd_t)
+domain_use_interactive_fds(smbd_t)
 files_list_var_lib(smbd_t)
 files_read_etc_files(smbd_t)
@@ -285,7 +285,7 @@ mount_send_nfs_client_request(smbd_t)
 sysnet_read_config(smbd_t)
 userdom_dontaudit_search_sysadm_home_dir(smbd_t)
-userdom_dontaudit_use_unpriv_user_fd(smbd_t)
+userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fd(smbd_t)
 ifdef(`targeted_policy', `
@@ -397,7 +397,7 @@ fs_search_auto_mountpoints(nmbd_t)
 term_dontaudit_use_console(nmbd_t)
-domain_use_wide_inherit_fd(nmbd_t)
+domain_use_interactive_fds(nmbd_t)
 files_read_usr_files(nmbd_t)
 files_read_etc_files(nmbd_t)
@@ -416,7 +416,7 @@ miscfiles_read_localization(nmbd_t)
 sysnet_read_config(nmbd_t)
 userdom_dontaudit_search_sysadm_home_dir(nmbd_t)
-userdom_dontaudit_use_unpriv_user_fd(nmbd_t)
+userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
 userdom_use_unpriv_users_fd(nmbd_t)
 ifdef(`targeted_policy', `
@@ -512,7 +512,7 @@ logging_search_logs(smbmount_t)
 sysnet_read_config(smbmount_t)
-userdom_use_all_users_fd(smbmount_t)
+userdom_use_all_users_fds(smbmount_t)
 userdom_use_sysadm_ttys(smbmount_t)
 optional_policy(`nis',`
@@ -690,7 +690,7 @@ term_dontaudit_use_console(winbind_t)
 auth_domtrans_chk_passwd(winbind_t)
-domain_use_wide_inherit_fd(winbind_t)
+domain_use_interactive_fds(winbind_t)
 files_read_etc_files(winbind_t)
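Review bot: In the smbd_t hunk at -285,7 the renamed `userdom_dontaudit_use_unpriv_user_fds(smbd_t)` is followed directly by `userdom_use_unpriv_users_fd(smbd_t)`, which by its name grants the access the first line only silences; the nmbd_t hunk at -416,7 has the same pair, and the squid.te hunk at -132,7 has it for squid_t. If both interfaces cover the same fd permission for the same set of domains (their definitions are not in this part of the diff), the dontaudit line has no effect and obscures which of the two is intended. I would drop the dontaudit line where the allow is meant, or mark the pair with `# TODO: allow and dontaudit for the same fds - decide which one applies`. The allow interface also still ends in `_fd`, so it appears not to be covered by the `_fds` rename.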
@@ -707,7 +707,7 @@ miscfiles_read_localization(winbind_t)
 sysnet_read_config(winbind_t)
 sysnet_dns_name_resolve(winbind_t)
-userdom_dontaudit_use_unpriv_user_fd(winbind_t)
+userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dir(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
@@ -757,7 +757,7 @@ allow winbind_helper_t winbind_t:unix_stream_socket connectto;
 term_list_ptys(winbind_helper_t)
-domain_use_wide_inherit_fd(winbind_helper_t)
+domain_use_interactive_fds(winbind_helper_t)
 libs_use_ld_so(winbind_helper_t)
 libs_use_shared_libs(winbind_helper_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 56fc9de..c3fe9f6 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -54,7 +54,7 @@ term_dontaudit_use_console(saslauthd_t)
 auth_domtrans_chk_passwd(saslauthd_t)
 auth_use_nsswitch(saslauthd_t)
-domain_use_wide_inherit_fd(saslauthd_t)
+domain_use_interactive_fds(saslauthd_t)
 files_read_etc_files(saslauthd_t)
 files_dontaudit_read_etc_runtime_files(saslauthd_t)
@@ -78,7 +78,7 @@ seutil_dontaudit_read_config(saslauthd_t)
 sysnet_read_config(saslauthd_t)
-userdom_dontaudit_use_unpriv_user_fd(saslauthd_t)
+userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
 userdom_dontaudit_search_sysadm_home_dir(saslauthd_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 1aa7495..c47c717 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -67,7 +67,7 @@ term_dontaudit_use_console(sendmail_t)
 corecmd_exec_shell(sendmail_t)
 corecmd_search_sbin(sendmail_t)
-domain_use_wide_inherit_fd(sendmail_t)
+domain_use_interactive_fds(sendmail_t)
 files_read_etc_files(sendmail_t)
 files_search_spool(sendmail_t)
@@ -91,7 +91,7 @@ miscfiles_read_localization(sendmail_t)
 sysnet_read_config(sendmail_t)
-userdom_dontaudit_use_unpriv_user_fd(sendmail_t)
+userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dir(sendmail_t)
 mta_read_config(sendmail_t)
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index 4cdda12..1c5679e 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -46,7 +46,7 @@ kernel_read_proc_symlinks(slrnpull_t)
 dev_read_sysfs(slrnpull_t)
-domain_use_wide_inherit_fd(slrnpull_t)
+domain_use_interactive_fds(slrnpull_t)
 files_read_etc_files(slrnpull_t)
@@ -65,7 +65,7 @@ logging_send_syslog_msg(slrnpull_t)
 miscfiles_read_localization(slrnpull_t)
-userdom_dontaudit_use_unpriv_user_fd(slrnpull_t)
+userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
 userdom_dontaudit_search_sysadm_home_dir(slrnpull_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 9a3a1cc..dffd659 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -55,7 +55,7 @@ corenet_udp_bind_all_nodes(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
 domain_exec_all_entry_files(fsdaemon_t)
-domain_use_wide_inherit_fd(fsdaemon_t)
+domain_use_interactive_fds(fsdaemon_t)
 files_exec_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
@@ -85,7 +85,7 @@ miscfiles_read_localization(fsdaemon_t)
 sysnet_read_config(fsdaemon_t)
-userdom_dontaudit_use_unpriv_user_fd(fsdaemon_t)
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
 userdom_dontaudit_search_sysadm_home_dir(fsdaemon_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 50c3343..8da42d7 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -79,7 +79,7 @@ dev_read_sysfs(snmpd_t)
 dev_read_urand(snmpd_t)
 dev_read_rand(snmpd_t)
-domain_use_wide_inherit_fd(snmpd_t)
+domain_use_interactive_fds(snmpd_t)
 domain_signull_all_domains(snmpd_t)
 domain_read_all_domains_state(snmpd_t)
@@ -113,7 +113,7 @@ seutil_dontaudit_search_config(snmpd_t)
 sysnet_read_config(snmpd_t)
-userdom_dontaudit_use_unpriv_user_fd(snmpd_t)
+userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
 userdom_dontaudit_search_sysadm_home_dir(snmpd_t)
 ifdef(`distro_redhat', `
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 00564f5..f041eb6 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -54,7 +54,7 @@ template(`spamassassin_per_userdomain_template',`
 role $3 types $1_spamassassin_t;
 type $1_spamassassin_home_t alias $1_spamassassin_rw_t;
- userdom_home_file($1,$1_spamassassin_home_t)
+ userdom_user_home_file($1,$1_spamassassin_home_t)
 files_poly_member($1_spamassassin_home_t)
 type $1_spamassassin_tmp_t;
@@ -126,7 +126,7 @@ template(`spamassassin_per_userdomain_template',`
 corecmd_read_sbin_pipes($1_spamc_t)
 corecmd_read_sbin_sockets($1_spamc_t)
- domain_use_wide_inherit_fd($1_spamc_t)
+ domain_use_interactive_fds($1_spamc_t)
 files_read_etc_files($1_spamc_t)
 files_read_etc_runtime_files($1_spamc_t)
@@ -242,7 +242,7 @@ template(`spamassassin_per_userdomain_template',`
 corecmd_read_sbin_pipes($1_spamassassin_t)
 corecmd_read_sbin_sockets($1_spamassassin_t)
- domain_use_wide_inherit_fd($1_spamassassin_t)
+ domain_use_interactive_fds($1_spamassassin_t)
 files_read_etc_files($1_spamassassin_t)
 files_read_etc_runtime_files($1_spamassassin_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index b5f6f5e..eed5758 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -93,7 +93,7 @@ auth_dontaudit_read_shadow(spamd_t)
 corecmd_exec_bin(spamd_t)
 corecmd_search_sbin(spamd_t)
-domain_use_wide_inherit_fd(spamd_t)
+domain_use_interactive_fds(spamd_t)
 files_read_usr_files(spamd_t)
 files_read_etc_files(spamd_t)
@@ -116,7 +116,7 @@ sysnet_read_config(spamd_t)
 sysnet_use_ldap(spamd_t)
 userdom_use_unpriv_users_fd(spamd_t)
-userdom_search_unpriv_user_home_dirs(spamd_t)
+userdom_search_unpriv_users_home_dirs(spamd_t)
 userdom_dontaudit_search_sysadm_home_dir(spamd_t)
 ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 95cafc0..f11e92a 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -107,7 +107,7 @@ corecmd_exec_bin(squid_t)
 corecmd_exec_sbin(squid_t)
 corecmd_exec_shell(squid_t)
-domain_use_wide_inherit_fd(squid_t)
+domain_use_interactive_fds(squid_t)
 files_read_etc_files(squid_t)
 files_read_etc_runtime_files(squid_t)
@@ -132,7 +132,7 @@ miscfiles_read_localization(squid_t)
 sysnet_read_config(squid_t)
 userdom_use_unpriv_users_fd(squid_t)
-userdom_dontaudit_use_unpriv_user_fd(squid_t)
+userdom_dontaudit_use_unpriv_user_fds(squid_t)
 userdom_dontaudit_search_sysadm_home_dir(squid_t)
 ifdef(`targeted_policy', `
@@ -148,7 +148,7 @@ tunable_policy(`squid_connect_any',`
 optional_policy(`logrotate',`
 allow squid_t self:capability kill;
 cron_use_fd(squid_t)
- cron_use_system_job_fd(squid_t)
+ cron_use_system_job_fds(squid_t)
 cron_rw_pipes(squid_t)
 cron_write_system_job_pipes(squid_t)
 ')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index c12cc52..337db11 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -47,7 +47,7 @@ template(`ssh_per_userdomain_template',`
 # type $1_home_ssh_t;
- userdom_home_file($1,$1_home_ssh_t)
+ userdom_user_home_file($1,$1_home_ssh_t)
 role $3 types $1_ssh_t;
 type $1_ssh_t;
@@ -160,7 +160,7 @@ template(`ssh_per_userdomain_template',`
 corecmd_read_sbin_pipes($1_ssh_t)
 corecmd_read_sbin_sockets($1_ssh_t)
- domain_use_wide_inherit_fd($1_ssh_t)
+ domain_use_interactive_fds($1_ssh_t)
 files_list_home($1_ssh_t)
 files_read_usr_files($1_ssh_t)
@@ -313,7 +313,7 @@ template(`ssh_per_userdomain_template',`
 corecmd_shell_domtrans($1_ssh_agent_t,$1_t)
 corecmd_bin_domtrans($1_ssh_agent_t, $1_t)
- domain_use_wide_inherit_fd($1_ssh_agent_t)
+ domain_use_interactive_fds($1_ssh_agent_t)
 files_read_etc_files($1_ssh_agent_t)
 files_read_etc_runtime_files($1_ssh_agent_t)
@@ -484,7 +484,7 @@ template(`ssh_server_template', `
 # for sshd subsystems, such as sftp-server.
 corecmd_getattr_bin_files($1_t)
- domain_wide_inherit_fd($1_t)
+ domain_interactive_fd($1_t)
 domain_subj_id_change_exemption($1_t)
 domain_role_change_exemption($1_t)
 domain_obj_id_change_exemption($1_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 0253278..a52fc49 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -112,8 +112,8 @@ ifdef(`targeted_policy',`',`
 userdom_spec_domtrans_unpriv_users(sshd_t)
 userdom_signal_unpriv_users(sshd_t)
- userdom_setattr_unpriv_user_pty(sshd_t)
- userdom_relabelto_unpriv_user_pty(sshd_t)
+ userdom_setattr_unpriv_users_ptys(sshd_t)
+ userdom_relabelto_unpriv_users_ptys(sshd_t)
 userdom_use_unpriv_users_ptys(sshd_t)
 ')
@@ -122,7 +122,7 @@ ifdef(`targeted_policy',`',`
 ')
 optional_policy(`rpm',`
- rpm_use_script_fd(sshd_t)
+ rpm_use_script_fds(sshd_t)
 ')
 ifdef(`TODO',`
@@ -228,7 +228,7 @@ ifdef(`targeted_policy',`',`
 term_dontaudit_use_console(ssh_keygen_t)
- domain_use_wide_inherit_fd(ssh_keygen_t)
+ domain_use_interactive_fds(ssh_keygen_t)
 files_read_etc_files(ssh_keygen_t)
@@ -244,7 +244,7 @@ ifdef(`targeted_policy',`',`
 allow ssh_keygen_t proc_t:lnk_file read;
 userdom_use_sysadm_ttys(ssh_keygen_t)
- userdom_dontaudit_use_unpriv_user_fd(ssh_keygen_t)
+ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 # cjp: with the old daemon_(base_)domain being broken up into
 # a daemon and system interface, this probably is not needed:
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index e851f18..6bf3ecc 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -89,12 +89,12 @@ ifdef(`distro_gentoo', `
 term_dontaudit_use_console(stunnel_t)
- domain_use_wide_inherit_fd(stunnel_t)
+ domain_use_interactive_fds(stunnel_t)
 init_use_fd(stunnel_t)
 init_use_script_ptys(stunnel_t)
- userdom_dontaudit_use_unpriv_user_fd(stunnel_t)
+ userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
 userdom_dontaudit_search_sysadm_home_dir(stunnel_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 0cb4f6b..829137b 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -61,7 +61,7 @@ fs_search_auto_mountpoints(tftpd_t)
 term_dontaudit_use_console(tftpd_t)
-domain_use_wide_inherit_fd(tftpd_t)
+domain_use_interactive_fds(tftpd_t)
 files_read_etc_files(tftpd_t);
 files_read_var_files(tftpd_t)
@@ -80,7 +80,7 @@ miscfiles_read_localization(tftpd_t)
 sysnet_read_config(tftpd_t)
-userdom_dontaudit_use_unpriv_user_fd(tftpd_t)
+userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
 userdom_dontaudit_use_sysadm_ttys(tftpd_t)
 userdom_dontaudit_search_sysadm_home_dir(tftpd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index e89ff56..945716e 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -59,7 +59,7 @@ fs_search_auto_mountpoints(timidity_t)
 term_dontaudit_use_console(timidity_t)
-domain_use_wide_inherit_fd(timidity_t)
+domain_use_interactive_fds(timidity_t)
 files_search_tmp(timidity_t)
 # read /usr/share/alsa/alsa.conf
@@ -79,7 +79,7 @@ logging_send_syslog_msg(timidity_t)
 sysnet_read_config(timidity_t)
-userdom_dontaudit_use_unpriv_user_fd(timidity_t)
+userdom_dontaudit_use_unpriv_user_fds(timidity_t)
 # stupid timidity won't start if it can't search its current directory.
 # allow this so /etc/init.d/alsasound start works from /root
 # cjp: this should be fixed if possible so this rule can be removed.
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 6e1e30a..0e76f13 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -49,7 +49,7 @@ fs_search_auto_mountpoints(xfs_t)
 term_dontaudit_use_console(xfs_t)
-domain_use_wide_inherit_fd(xfs_t)
+domain_use_interactive_fds(xfs_t)
 files_read_etc_files(xfs_t)
 files_read_etc_runtime_files(xfs_t)
@@ -65,7 +65,7 @@ logging_send_syslog_msg(xfs_t)
 miscfiles_read_localization(xfs_t)
 miscfiles_read_fonts(xfs_t)
-userdom_dontaudit_use_unpriv_user_fd(xfs_t)
+userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_sysadm_home_dir(xfs_t)
 ifdef(`distro_debian',`
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 0c92946..5b4b838 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -235,7 +235,7 @@ template(`xserver_per_userdomain_template',`
 type $1_iceauth_home_t alias $1_iceauth_rw_t;
 files_poly_member($1_iceauth_home_t)
- userdom_home_file($1,$1_iceauth_home_t)
+ userdom_user_home_file($1,$1_iceauth_home_t)
 type $1_xauth_t;
 domain_type($1_xauth_t)
@@ -243,7 +243,7 @@ template(`xserver_per_userdomain_template',`
 type $1_xauth_home_t alias $1_xauth_rw_t;
 files_poly_member($1_xauth_home_t)
- userdom_home_file($1,$1_xauth_home_t)
+ userdom_user_home_file($1,$1_xauth_home_t)
 type $1_xauth_tmp_t;
 files_tmp_file($1_xauth_tmp_t)
@@ -284,8 +284,8 @@ template(`xserver_per_userdomain_template',`
 locallogin_use_fd($1_xserver_t)
 userdom_search_user_home($1,$1_xserver_t)
- userdom_use_user_tty($1,$1_xserver_t)
- userdom_setattr_user_tty($1,$1_xserver_t)
+ userdom_use_user_ttys($1,$1_xserver_t)
+ userdom_setattr_user_ttys($1,$1_xserver_t)
 userdom_rw_user_tmpfs_files($1,$1_xserver_t)
 optional_policy(`userhelper',`
@@ -344,7 +344,7 @@ template(`xserver_per_userdomain_template',`
 allow xdm_t $1_xauth_home_t:file manage_file_perms;
 userdom_filetrans_user_home_dir($1,xdm_t,$1_xauth_home_t,file)
- domain_use_wide_inherit_fd($1_xauth_t)
+ domain_use_interactive_fds($1_xauth_t)
 files_read_etc_files($1_xauth_t)
 files_search_pids($1_xauth_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index a7998e9..06423fc 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -137,7 +137,7 @@ dev_setattr_sound_dev(xdm_t)
 dev_getattr_power_mgmt_dev(xdm_t)
 dev_setattr_power_mgmt_dev(xdm_t)
-domain_use_wide_inherit_fd(xdm_t)
+domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
 domain_dontaudit_read_all_domains_state(xdm_t)
@@ -201,10 +201,10 @@ seutil_read_default_contexts(xdm_t)
 sysnet_read_config(xdm_t)
-userdom_dontaudit_use_unpriv_user_fd(xdm_t)
+userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_dontaudit_search_sysadm_home_dir(xdm_t)
 # for .dmrc
-userdom_read_unpriv_user_home_files(xdm_t)
+userdom_read_unpriv_users_home_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@@ -412,7 +412,7 @@ ifdef(`strict_policy',`
 # xdm_xserver_t may no longer have any reason
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
- userdom_read_unpriv_user_home_files(xdm_xserver_t)
+ userdom_read_unpriv_users_home_files(xdm_xserver_t)
 ifdef(`TODO',`
 # Read all global and per user fonts
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 117d11d..f23c3d9 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -86,7 +86,7 @@ fs_search_auto_mountpoints(zebra_t)
 term_dontaudit_use_console(zebra_t)
 term_list_ptys(zebra_t)
-domain_use_wide_inherit_fd(zebra_t)
+domain_use_interactive_fds(zebra_t)
 files_search_etc(zebra_t)
 files_read_etc_files(zebra_t)
@@ -104,7 +104,7 @@ miscfiles_read_localization(zebra_t)
 sysnet_read_config(zebra_t)
-userdom_dontaudit_use_unpriv_user_fd(zebra_t)
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
 userdom_dontaudit_search_sysadm_home_dir(zebra_t)
 ifdef(`targeted_policy', `
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 02b692c..34ba8a2 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -131,9 +131,9 @@ template(`authlogin_per_userdomain_template',`
 allow $1_chkpwd_t $2:fifo_file rw_file_perms;
 allow $1_chkpwd_t $2:process sigchld;
- domain_use_wide_inherit_fd($1_chkpwd_t)
+ domain_use_interactive_fds($1_chkpwd_t)
- seutil_use_newrole_fd($1_chkpwd_t)
+ seutil_use_newrole_fds($1_chkpwd_t)
 # Write to the user domain tty.
 userdom_use_user_terminals($1,$1_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 0581c91..5f5fa7b 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -186,7 +186,7 @@ term_setattr_unallocated_ttys(pam_console_t) auth_use_nsswitch(pam_console_t) -domain_use_wide_inherit_fd(pam_console_t) +domain_use_interactive_fds(pam_console_t) files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) @@ -207,7 +207,7 @@ mls_file_write_down(pam_console_t) seutil_read_file_contexts(pam_console_t) -userdom_dontaudit_use_unpriv_user_fd(pam_console_t) +userdom_dontaudit_use_unpriv_user_fds(pam_console_t) # cjp: with the old daemon_(base_)domain being broken up into # a daemon and system interface, this probably is not needed: @@ -260,7 +260,7 @@ allow system_chkpwd_t shadow_t:file { getattr read }; corecmd_search_sbin(system_chkpwd_t) -domain_dontaudit_use_wide_inherit_fd(system_chkpwd_t) +domain_dontaudit_use_interactive_fds(system_chkpwd_t) term_dontaudit_use_unallocated_ttys(system_chkpwd_t) term_dontaudit_use_generic_ptys(system_chkpwd_t) @@ -289,7 +289,7 @@ init_rw_utmp(utempter_t) files_read_etc_files(utempter_t) -domain_use_wide_inherit_fd(utempter_t) +domain_use_interactive_fds(utempter_t) libs_use_ld_so(utempter_t) libs_use_shared_libs(utempter_t) @@ -297,7 +297,7 @@ libs_use_shared_libs(utempter_t) logging_search_logs(utempter_t) # Allow utemper to write to /tmp/.xses-* -userdom_write_unpriv_user_tmp(utempter_t) +userdom_write_unpriv_users_tmp_files(utempter_t) optional_policy(`nscd',` nscd_socket_use(utempter_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index 25bd938..845dc05 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -45,7 +45,7 @@ term_use_unallocated_ttys(hwclock_t) term_use_all_user_ttys(hwclock_t) term_use_all_user_ptys(hwclock_t) -domain_use_wide_inherit_fd(hwclock_t) +domain_use_interactive_fds(hwclock_t) init_use_fd(hwclock_t) init_use_script_ptys(hwclock_t) 
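Review bot: In the authlogin.te hunk at -297, the comment above `userdom_write_unpriv_users_tmp_files(utempter_t)` names only `/tmp/.xses-*`, while the renamed interface requires `attribute user_tmpfile` and so presumably grants write on every unprivileged user's temporary files. The new name makes that breadth visible, and the comment should match it, e.g. `# Allow utempter to write to /tmp/.xses-*; this covers all user_tmpfile types, narrow it if a dedicated type exists`. The interface body lies outside the visible hunks, so the exact permission set should be confirmed in userdomain.if.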
@@ -85,5 +85,5 @@ optional_policy(`udev',` ') optional_policy(`userdomain',` - userdom_dontaudit_use_unpriv_user_fd(hwclock_t) + userdom_dontaudit_use_unpriv_user_fds(hwclock_t) ') diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te index a933e78..73c32d0 100644 --- a/refpolicy/policy/modules/system/daemontools.te +++ b/refpolicy/policy/modules/system/daemontools.te @@ -81,7 +81,7 @@ files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) files_search_var_lib(svc_run_t) -init_use_script_fd(svc_run_t) +init_use_script_fds(svc_run_t) init_use_fd(svc_run_t) libs_use_ld_so(svc_run_t) diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 7edd190..89c2d44 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -108,7 +108,7 @@ corecmd_read_sbin_files(fsadm_t) corecmd_read_sbin_pipes(fsadm_t) corecmd_read_sbin_sockets(fsadm_t) -domain_use_wide_inherit_fd(fsadm_t) +domain_use_interactive_fds(fsadm_t) files_list_home(fsadm_t) files_read_usr_files(fsadm_t) diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index f58810f..3afcb6a 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -13,7 +13,7 @@ gen_require(` ') type getty_exec_t; init_domain(getty_t,getty_exec_t) -domain_wide_inherit_fd(getty_t) +domain_interactive_fd(getty_t) type getty_etc_t; typealias getty_etc_t alias etc_getty_t; diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 59eb546..2f7b48a 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te 
@@ -36,10 +36,10 @@ term_use_all_user_ttys(hostname_t) term_use_all_user_ptys(hostname_t) init_use_fd(hostname_t) -init_use_script_fd(hostname_t) +init_use_script_fds(hostname_t) init_use_script_ptys(hostname_t) -domain_use_wide_inherit_fd(hostname_t) +domain_use_interactive_fds(hostname_t) files_read_etc_files(hostname_t) files_dontaudit_search_var(hostname_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 31d008f..481ebf3 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -84,7 +84,7 @@ corecmd_exec_shell(hotplug_t) corecmd_exec_sbin(hotplug_t) corecmd_exec_ls(hotplug_t) -domain_use_wide_inherit_fd(hotplug_t) +domain_use_interactive_fds(hotplug_t) # for ps domain_dontaudit_read_all_domains_state(hotplug_t) domain_dontaudit_getattr_all_domains(hotplug_t) @@ -122,7 +122,7 @@ seutil_dontaudit_search_config(hotplug_t) sysnet_read_config(hotplug_t) -userdom_dontaudit_use_unpriv_user_fd(hotplug_t) +userdom_dontaudit_use_unpriv_user_fds(hotplug_t) userdom_dontaudit_search_sysadm_home_dir(hotplug_t) ifdef(`distro_redhat', ` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index cf400b4..e04bdb8 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -473,9 +473,9 @@ interface(`init_read_script_state',` ######################################## # -# init_use_script_fd(domain) +# init_use_script_fds(domain) # -interface(`init_use_script_fd',` +interface(`init_use_script_fds',` gen_require(` type initrc_t; ') @@ -485,9 +485,9 @@ interface(`init_use_script_fd',` ######################################## # -# init_dontaudit_use_script_fd(domain) +# init_dontaudit_use_script_fds(domain) # -interface(`init_dontaudit_use_script_fd',` +interface(`init_dontaudit_use_script_fds',` gen_require(` type initrc_t; ') 
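Review bot: The headers of `init_use_script_fds` and `init_dontaudit_use_script_fds` in init.if are still bare `# name(domain)` comments, so the renamed interfaces have no summary or parameter description. The same holds for `seutil_use_newrole_fds` and `seutil_use_runinit_fds` in selinuxutil.if. Since the commit rewrites these comment lines anyway, each could become a `## <summary>` block stating what the interface grants on the required type (`initrc_t`, `newrole_t`, `run_init_t`), plus a `## <param name="domain">` entry. The interface bodies continue outside the hunks, so the wording should be checked against the actual allow or dontaudit rule.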
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index ed05cac..9cf5c54 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -318,7 +318,7 @@ domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) domain_dontaudit_ptrace_all_domains(initrc_t) domain_getsession_all_domains(initrc_t) -domain_use_wide_inherit_fd(initrc_t) +domain_use_interactive_fds(initrc_t) domain_exec_all_entry_files(initrc_t) # for lsof which is used by alsa shutdown: domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -382,7 +382,7 @@ sysnet_read_config(initrc_t) udev_rw_db(initrc_t) -userdom_read_all_user_files(initrc_t) +userdom_read_all_users_home_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te index e028185..06a1537 100644 --- a/refpolicy/policy/modules/system/ipsec.te +++ b/refpolicy/policy/modules/system/ipsec.te @@ -105,7 +105,7 @@ term_dontaudit_use_all_user_ttys(ipsec_t) corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) -domain_use_wide_inherit_fd(ipsec_t) +domain_use_interactive_fds(ipsec_t) files_read_etc_files(ipsec_t) @@ -121,7 +121,7 @@ miscfiles_read_localization(ipsec_t) sysnet_read_config(ipsec_t) -userdom_dontaudit_use_unpriv_user_fd(ipsec_t) +userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_sysadm_home_dir(ipsec_t) ifdef(`targeted_policy', ` 
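Review bot: In the init.te hunk at -382, `userdom_read_all_users_home_files(initrc_t)` has no comment saying why init scripts need it. The new name shows how wide the grant is, because the interface requires `attribute home_type` and so presumably reaches every user's home content. The setfiles_t call to the same interface is annotated (`# for config files in a home directory`), and initrc_t should get the same, e.g. `# TODO: name the init script that reads user home files, or drop this grant`. The comment that follows in the hunk describes the sysadm TTY rule below it, not this line.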
@@ -225,7 +225,7 @@ corecmd_exec_sbin(ipsec_mgmt_t) # it in its own domain?) corecmd_exec_bin(ipsec_mgmt_t) -domain_use_wide_inherit_fd(ipsec_mgmt_t) +domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_list_all_domains_state(ipsec_mgmt_t) # suppress audit messages about unnecessary socket access diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 919d173..437c2e9 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -52,7 +52,7 @@ mls_file_read_up(iptables_t) term_dontaudit_use_console(iptables_t) -domain_use_wide_inherit_fd(iptables_t) +domain_use_interactive_fds(iptables_t) files_read_etc_files(iptables_t) @@ -73,7 +73,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) -userdom_use_all_users_fd(iptables_t) +userdom_use_all_users_fds(iptables_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 30052b2..2307e0b 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -66,7 +66,7 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) -domain_use_wide_inherit_fd(ldconfig_t) +domain_use_interactive_fds(ldconfig_t) files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) @@ -79,7 +79,7 @@ init_use_script_ptys(ldconfig_t) logging_send_syslog_msg(ldconfig_t) -userdom_use_all_users_fd(ldconfig_t) +userdom_use_all_users_fds(ldconfig_t) ifdef(`hide_broken_symptoms',` optional_policy(`unconfined',` diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index fce565b..4d838db 100644 --- a/refpolicy/policy/modules/system/locallogin.te 
+++ b/refpolicy/policy/modules/system/locallogin.te @@ -12,7 +12,7 @@ domain_type(local_login_t) domain_obj_id_change_exemption(local_login_t) domain_subj_id_change_exemption(local_login_t) domain_role_change_exemption(local_login_t) -domain_wide_inherit_fd(local_login_t) +domain_interactive_fd(local_login_t) role system_r types local_login_t; type local_login_lock_t; @@ -26,7 +26,7 @@ type sulogin_exec_t; domain_obj_id_change_exemption(sulogin_t) domain_subj_id_change_exemption(sulogin_t) domain_role_change_exemption(sulogin_t) -domain_wide_inherit_fd(sulogin_t) +domain_interactive_fd(sulogin_t) init_domain(sulogin_t,sulogin_exec_t) init_system_domain(sulogin_t,sulogin_exec_t) role system_r types sulogin_t; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 6e039f8..4b14048 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -76,7 +76,7 @@ kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) domain_read_all_domains_state(auditctl_t) -domain_use_wide_inherit_fd(auditctl_t) +domain_use_interactive_fds(auditctl_t) mls_file_read_up(auditctl_t) @@ -147,7 +147,7 @@ term_dontaudit_use_console(auditd_t) # cjp: why? corecmd_exec_sbin(auditd_t) -domain_use_wide_inherit_fd(auditd_t) +domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) files_list_usr(auditd_t) @@ -169,7 +169,7 @@ mls_rangetrans_target(auditd_t) seutil_dontaudit_read_config(auditd_t) -userdom_dontaudit_use_unpriv_user_fd(auditd_t) +userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_sysadm_home_dir(auditd_t) # cjp: this is questionable userdom_use_sysadm_ttys(auditd_t) @@ -222,7 +222,7 @@ fs_search_auto_mountpoints(klogd_t) term_dontaudit_use_console(klogd_t) -domain_use_wide_inherit_fd(klogd_t) +domain_use_interactive_fds(klogd_t) files_read_etc_runtime_files(klogd_t) # read /etc/nsswitch.conf 
@@ -332,7 +332,7 @@ fs_getattr_all_fs(syslogd_t) init_use_fd(syslogd_t) init_use_script_ptys(syslogd_t) -domain_use_wide_inherit_fd(syslogd_t) +domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) @@ -349,7 +349,7 @@ sysnet_read_config(syslogd_t) miscfiles_read_localization(syslogd_t) -userdom_dontaudit_use_unpriv_user_fd(syslogd_t) +userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_sysadm_home_dir(syslogd_t) ifdef(`distro_suse',` diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index c06d05f..feb536f 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te @@ -82,7 +82,7 @@ fs_search_auto_mountpoints(clvmd_t) term_dontaudit_use_console(clvmd_t) -domain_use_wide_inherit_fd(clvmd_t) +domain_use_interactive_fds(clvmd_t) files_list_usr(clvmd_t) @@ -101,7 +101,7 @@ seutil_sigchld_newrole(clvmd_t) sysnet_read_config(clvmd_t) -userdom_dontaudit_use_unpriv_user_fd(clvmd_t) +userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dir(clvmd_t) ifdef(`targeted_policy', ` @@ -220,7 +220,7 @@ term_dontaudit_getattr_pty_dirs(lvm_t) corecmd_search_sbin(lvm_t) corecmd_dontaudit_getattr_sbin_files(lvm_t) -domain_use_wide_inherit_fd(lvm_t) +domain_use_interactive_fds(lvm_t) files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index 94a1b59..0b77d31 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -89,7 +89,7 @@ corecmd_exec_sbin(insmod_t) corecmd_exec_shell(insmod_t) domain_signal_all_domains(insmod_t) -domain_use_wide_inherit_fd(insmod_t) +domain_use_interactive_fds(insmod_t) files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) 
@@ -102,7 +102,7 @@ files_dontaudit_search_isid_type_dirs(insmod_t) init_rw_initctl(insmod_t) init_use_fd(insmod_t) -init_use_script_fd(insmod_t) +init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) libs_use_ld_so(insmod_t) @@ -180,10 +180,10 @@ term_use_console(depmod_t) corecmd_search_bin(depmod_t) corecmd_search_sbin(depmod_t) -domain_use_wide_inherit_fd(depmod_t) +domain_use_interactive_fds(depmod_t) init_use_fd(depmod_t) -init_use_script_fd(depmod_t) +init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) files_read_etc_runtime_files(depmod_t) @@ -252,10 +252,10 @@ fs_getattr_xattr_fs(update_modules_t) term_use_console(update_modules_t) init_use_fd(update_modules_t) -init_use_script_fd(update_modules_t) +init_use_script_fds(update_modules_t) init_use_script_ptys(update_modules_t) -domain_use_wide_inherit_fd(update_modules_t) +domain_use_interactive_fds(update_modules_t) files_read_etc_runtime_files(update_modules_t) files_read_etc_files(update_modules_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 7ff39ff..f71f77d 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -56,7 +56,7 @@ term_use_all_terms(mount_t) corecmd_exec_sbin(mount_t) corecmd_exec_bin(mount_t) -domain_use_wide_inherit_fd(mount_t) +domain_use_interactive_fds(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) @@ -86,7 +86,7 @@ mls_file_write_down(mount_t) sysnet_use_portmap(mount_t) -userdom_use_all_users_fd(mount_t) +userdom_use_all_users_fds(mount_t) ifdef(`distro_redhat',` optional_policy(`authlogin',` diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if index 5492a2b..15155f4 100644 --- a/refpolicy/policy/modules/system/pcmcia.if +++ b/refpolicy/policy/modules/system/pcmcia.if 
@@ -49,7 +49,7 @@ interface(`pcmcia_domtrans_cardmgr',` ## ## # -interface(`pcmcia_use_cardmgr_fd',` +interface(`pcmcia_use_cardmgr_fds',` gen_require(` type cardmgr_t; ') diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te index 4fb62a2..6f95942 100644 --- a/refpolicy/policy/modules/system/pcmcia.te +++ b/refpolicy/policy/modules/system/pcmcia.te @@ -74,7 +74,7 @@ corecmd_exec_bin(cardmgr_t) corecmd_exec_sbin(cardmgr_t) corecmd_exec_ls(cardmgr_t) -domain_use_wide_inherit_fd(cardmgr_t) +domain_use_interactive_fds(cardmgr_t) domain_exec_all_entry_files(cardmgr_t) # Read /proc/PID directories for all domains (for fuser). domain_read_confined_domains_state(cardmgr_t) @@ -117,7 +117,7 @@ sysnet_domtrans_ifconfig(cardmgr_t) sysnet_filetrans_config(cardmgr_t) sysnet_manage_config(cardmgr_t) -userdom_dontaudit_use_unpriv_user_fd(cardmgr_t) +userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) userdom_dontaudit_search_sysadm_home_dir(cardmgr_t) ifdef(`targeted_policy',` diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te index 2620d8c..d1149f0 100644 --- a/refpolicy/policy/modules/system/raid.te +++ b/refpolicy/policy/modules/system/raid.te @@ -48,7 +48,7 @@ term_dontaudit_list_ptys(mdadm_t) corecmd_exec_bin(mdadm_t) corecmd_exec_sbin(mdadm_t) -domain_use_wide_inherit_fd(mdadm_t) +domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) @@ -64,7 +64,7 @@ logging_send_syslog_msg(mdadm_t) miscfiles_read_localization(mdadm_t) -userdom_dontaudit_use_unpriv_user_fd(mdadm_t) +userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_use_sysadm_ttys(mdadm_t) mta_send_mail(mdadm_t) diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 70792e9..357c888 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if 
@@ -258,9 +258,9 @@ interface(`seutil_sigchld_newrole',` ####################################### # -# seutil_use_newrole_fd(domain) +# seutil_use_newrole_fds(domain) # -interface(`seutil_use_newrole_fd',` +interface(`seutil_use_newrole_fds',` gen_require(` type newrole_t; ') @@ -398,9 +398,9 @@ interface(`seutil_run_runinit',` ######################################## # -# seutil_use_runinit_fd(domain) +# seutil_use_runinit_fds(domain) # -interface(`seutil_use_runinit_fd',` +interface(`seutil_use_runinit_fds',` gen_require(` type run_init_t; ') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 02db437..7e54792 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -55,7 +55,7 @@ type newrole_t; domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_type(newrole_t) -domain_wide_inherit_fd(newrole_t) +domain_interactive_fd(newrole_t) type newrole_exec_t; domain_entry_file(newrole_t,newrole_exec_t) @@ -126,7 +126,7 @@ fs_getattr_xattr_fs(checkpolicy_t) term_use_console(checkpolicy_t) -domain_use_wide_inherit_fd(checkpolicy_t) +domain_use_interactive_fds(checkpolicy_t) files_list_usr(checkpolicy_t) # directory search permissions for path to source and binary policy files @@ -138,7 +138,7 @@ init_use_script_ptys(checkpolicy_t) libs_use_ld_so(checkpolicy_t) libs_use_shared_libs(checkpolicy_t) -userdom_use_all_users_fd(checkpolicy_t) +userdom_use_all_users_fds(checkpolicy_t) ifdef(`targeted_policy',` term_use_generic_ptys(checkpolicy_t) @@ -171,10 +171,10 @@ selinux_set_boolean(load_policy_t) term_use_console(load_policy_t) term_list_ptys(load_policy_t) -init_use_script_fd(load_policy_t) +init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) -domain_use_wide_inherit_fd(load_policy_t) +domain_use_interactive_fds(load_policy_t) # for mcs.conf files_read_etc_files(load_policy_t) 
@@ -185,7 +185,7 @@ libs_use_shared_libs(load_policy_t) miscfiles_read_localization(load_policy_t) -userdom_use_all_users_fd(load_policy_t) +userdom_use_all_users_fds(load_policy_t) ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. @@ -256,9 +256,9 @@ auth_domtrans_chk_passwd(newrole_t) corecmd_list_bin(newrole_t) corecmd_read_bin_symlinks(newrole_t) -domain_use_wide_inherit_fd(newrole_t) +domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: -domain_sigchld_wide_inherit_fd(newrole_t) +domain_sigchld_interactive_fds(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) @@ -354,7 +354,7 @@ term_use_all_user_ptys(restorecon_t) init_use_fd(restorecon_t) init_use_script_ptys(restorecon_t) -domain_use_wide_inherit_fd(restorecon_t) +domain_use_interactive_fds(restorecon_t) domain_dontaudit_search_all_domains_state(restorecon_t) files_read_etc_runtime_files(restorecon_t) @@ -365,7 +365,7 @@ libs_use_shared_libs(restorecon_t) logging_send_syslog_msg(restorecon_t) -userdom_use_all_users_fd(restorecon_t) +userdom_use_all_users_fds(restorecon_t) files_relabel_all_files(restorecon_t) files_list_all(restorecon_t) @@ -433,7 +433,7 @@ ifdef(`targeted_policy',`',` corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) - domain_use_wide_inherit_fd(run_init_t) + domain_use_interactive_fds(run_init_t) files_read_etc_files(run_init_t) files_dontaudit_search_all_dirs(run_init_t) @@ -509,10 +509,10 @@ term_use_unallocated_ttys(setfiles_t) auth_relabelto_shadow(setfiles_t) init_use_fd(setfiles_t) -init_use_script_fd(setfiles_t) +init_use_script_fds(setfiles_t) init_use_script_ptys(setfiles_t) -domain_use_wide_inherit_fd(setfiles_t) +domain_use_interactive_fds(setfiles_t) libs_use_ld_so(setfiles_t) libs_use_shared_libs(setfiles_t) 
@@ -526,9 +526,9 @@ logging_send_syslog_msg(setfiles_t) miscfiles_read_localization(setfiles_t) -userdom_use_all_users_fd(setfiles_t) +userdom_use_all_users_fds(setfiles_t) # for config files in a home directory -userdom_read_all_user_files(setfiles_t) +userdom_read_all_users_home_files(setfiles_t) ifdef(`TODO',` # for upgrading glibc and other shared objects - without this the upgrade diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index e8a4eee..04c2767 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -122,7 +122,7 @@ corecmd_exec_bin(dhcpc_t) corecmd_exec_sbin(dhcpc_t) corecmd_exec_shell(dhcpc_t) -domain_use_wide_inherit_fd(dhcpc_t) +domain_use_interactive_fds(dhcpc_t) domain_dontaudit_list_all_domains_state(dhcpc_t) files_read_etc_files(dhcpc_t) @@ -243,7 +243,7 @@ optional_policy(`udev',` ') optional_policy(`userdomain',` - userdom_use_all_users_fd(dhcpc_t) + userdom_use_all_users_fds(dhcpc_t) ') ######################################## @@ -292,7 +292,7 @@ fs_search_auto_mountpoints(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t) -domain_use_wide_inherit_fd(ifconfig_t) +domain_use_interactive_fds(ifconfig_t) files_dontaudit_read_root_files(ifconfig_t) @@ -309,9 +309,9 @@ miscfiles_read_localization(ifconfig_t) modutils_domtrans_insmod(ifconfig_t) -seutil_use_runinit_fd(ifconfig_t) +seutil_use_runinit_fds(ifconfig_t) -userdom_use_all_users_fd(ifconfig_t) +userdom_use_all_users_fds(ifconfig_t) ifdef(`hide_broken_symptoms',` optional_policy(`pcmcia',` diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index c729e05..2adc630 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te 
@@ -17,7 +17,7 @@ type udev_helper_exec_t; kernel_domtrans_to(udev_t,udev_exec_t) domain_obj_id_change_exemption(udev_t) domain_entry_file(udev_t,udev_helper_exec_t) -domain_wide_inherit_fd(udev_t) +domain_interactive_fd(udev_t) init_daemon_domain(udev_t,udev_exec_t) type udev_etc_t alias etc_udev_t; diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 2b73a7f..2a768ca 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -214,7 +214,7 @@ template(`base_user_template',` corecmd_exec_sbin($1_t) corecmd_exec_ls($1_t) - domain_use_wide_inherit_fd($1_t) + domain_use_interactive_fds($1_t) # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_t) @@ -509,7 +509,7 @@ template(`unpriv_user_template', ` base_user_template($1) typeattribute $1_t unpriv_userdomain; - domain_wide_inherit_fd($1_t) + domain_interactive_fd($1_t) domain_exec_all_entry_files($1_t) typeattribute $1_devpts_t user_ptynode; @@ -572,7 +572,7 @@ template(`unpriv_user_template', ` init_dontaudit_write_utmp($1_t) # Stop warnings about access to /dev/console init_dontaudit_use_fd($1_t) - init_dontaudit_use_script_fd($1_t) + init_dontaudit_use_script_fds($1_t) miscfiles_read_man_pages($1_t) @@ -1001,7 +1001,7 @@ template(`admin_user_template',` ## ## # -template(`userdom_home_file',` +template(`userdom_user_home_file',` gen_require(` attribute $1_file_type; ') @@ -1035,7 +1035,7 @@ template(`userdom_home_file',` ## ## # -template(`userdom_setattr_user_pty',` +template(`userdom_setattr_user_ptys',` ifdef(`strict_policy',` gen_require(` type $1_devpts_t; 
@@ -2662,7 +2662,7 @@ interface(`userdom_read_all_tmp_untrusted_content',` ## ## # -template(`userdom_setattr_user_tty',` +template(`userdom_setattr_user_ttys',` ifdef(`targeted_policy',` term_setattr_unallocated_ttys($2) ',` @@ -2699,7 +2699,7 @@ template(`userdom_setattr_user_tty',` ## ## # -template(`userdom_use_user_tty',` +template(`userdom_use_user_ttys',` ifdef(`targeted_policy',` term_use_unallocated_ttys($2) ',` @@ -3355,7 +3355,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ## ## # -interface(`userdom_use_sysadm_fd',` +interface(`userdom_use_sysadm_fds',` ifdef(`targeted_policy',` #cjp: need to doublecheck this one unconfined_use_fd($1) @@ -3684,7 +3684,7 @@ interface(`userdom_dontaudit_search_all_users_home',` ## ## # -interface(`userdom_read_all_user_files',` +interface(`userdom_read_all_users_home_files',` gen_require(` attribute home_type; ') @@ -3705,7 +3705,7 @@ interface(`userdom_read_all_user_files',` ## ## # -interface(`userdom_manage_all_user_dirs',` +interface(`userdom_manage_all_users_home_dirs',` gen_require(` attribute home_type; ') @@ -3725,7 +3725,7 @@ interface(`userdom_manage_all_user_dirs',` ## ## # -interface(`userdom_manage_all_user_files',` +interface(`userdom_manage_all_users_home_files',` gen_require(` attribute home_type; ') @@ -3746,7 +3746,7 @@ interface(`userdom_manage_all_user_files',` ## ## # -interface(`userdom_manage_all_user_symlinks',` +interface(`userdom_manage_all_users_home_symlinks',` gen_require(` attribute home_type; ') @@ -3832,7 +3832,7 @@ interface(`userdom_use_unpriv_users_fd',` ## ## # -interface(`userdom_dontaudit_use_unpriv_user_fd',` +interface(`userdom_dontaudit_use_unpriv_user_fds',` gen_require(` attribute unpriv_userdomain; ') @@ -3919,7 +3919,7 @@ interface(`userdom_filetrans_generic_user_home',` ## ## # -interface(`userdom_dontaudit_search_user_home_dirs',` +interface(`userdom_dontaudit_search_generic_user_home_dirs',` gen_require(` type user_home_t; ') 
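Review bot: In the userdomain.if hunk at -3832, the new name `userdom_dontaudit_use_unpriv_user_fds` keeps a singular `user`, while the hunk header shows its allow counterpart is still `userdom_use_unpriv_users_fd`, with a plural `users` and singular `fd`. The two halves of the pair therefore disagree on both words, and a policy writer may reach for a name that does not exist. `userdom_dontaudit_use_unpriv_users_fds` and `userdom_use_unpriv_users_fds` would match the `userdom_use_all_users_fds` and `userdom_dontaudit_use_all_users_fds` pair renamed further down. Other singular names such as `unconfined_use_fd` and `init_use_fd` also remain in context lines, and may be planned for a follow-up. The interface body continues outside the hunk.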
@@ -4037,7 +4037,7 @@ interface(`userdom_manage_generic_user_home_sockets',` ## ## # -interface(`userdom_search_unpriv_user_home_dirs',` +interface(`userdom_search_unpriv_users_home_dirs',` gen_require(` attribute user_home_dir_type; ') @@ -4057,7 +4057,7 @@ interface(`userdom_search_unpriv_user_home_dirs',` ## ## # -interface(`userdom_read_unpriv_user_home_files',` +interface(`userdom_read_unpriv_users_home_files',` gen_require(` attribute user_home_dir_type, user_home_type; ') @@ -4079,7 +4079,7 @@ interface(`userdom_read_unpriv_user_home_files',` ## ## # -interface(`userdom_setattr_unpriv_user_pty',` +interface(`userdom_setattr_unpriv_users_ptys',` gen_require(` attribute user_ptynode; ') @@ -4143,7 +4143,7 @@ interface(`userdom_dontaudit_use_unpriv_users_ptys',` ## ## # -interface(`userdom_relabelto_unpriv_user_pty',` +interface(`userdom_relabelto_unpriv_users_ptys',` gen_require(` attribute user_ptynode; ') @@ -4180,7 +4180,7 @@ interface(`userdom_dontaudit_relabelfrom_unpriv_users_ptys',` ## ## # -interface(`userdom_list_unpriv_user_tmp',` +interface(`userdom_list_unpriv_users_tmp',` ifdef(`targeted_policy',` files_list_tmp($1) ',` @@ -4202,7 +4202,7 @@ interface(`userdom_list_unpriv_user_tmp',` ## ## # -interface(`userdom_read_unpriv_user_tmp_files',` +interface(`userdom_read_unpriv_users_tmp_files',` ifdef(`targeted_policy',` files_read_generic_tmp_files($1) ',` @@ -4224,7 +4224,7 @@ interface(`userdom_read_unpriv_user_tmp_files',` ## ## # -interface(`userdom_read_unpriv_user_tmp_symlinks',` +interface(`userdom_read_unpriv_users_tmp_symlinks',` ifdef(`targeted_policy',` files_read_generic_tmp_symlinks($1) ',` @@ -4246,7 +4246,7 @@ interface(`userdom_read_unpriv_user_tmp_symlinks',` ## ## # -interface(`userdom_write_unpriv_user_tmp',` +interface(`userdom_write_unpriv_users_tmp_files',` gen_require(` attribute user_tmpfile; ') 
@@ -4307,7 +4307,7 @@ interface(`userdom_read_all_users_state',` ## ## # -interface(`userdom_getattr_all_userdomains',` +interface(`userdom_getattr_all_users',` gen_require(` attribute userdomain; ') @@ -4325,7 +4325,7 @@ interface(`userdom_getattr_all_userdomains',` ## ## # -interface(`userdom_use_all_users_fd',` +interface(`userdom_use_all_users_fds',` gen_require(` attribute userdomain; ') @@ -4344,7 +4344,7 @@ interface(`userdom_use_all_users_fd',` ## ## # -interface(`userdom_dontaudit_use_all_user_fd',` +interface(`userdom_dontaudit_use_all_users_fds',` gen_require(` attribute userdomain; ')