diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 3f26371..1480a75 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -80,10 +80,10 @@ allow chfn_t self:msg { send receive };
 kernel_read_system_state(chfn_t)
 kernel_get_selinuxfs_mount_point(chfn_t)
 kernel_validate_selinux_context(chfn_t)
-kernel_compute_selinux_av(chfn_t)
-kernel_compute_create(chfn_t)
-kernel_compute_relabel(chfn_t)
-kernel_compute_reachable_user_contexts(chfn_t)
+kernel_compute_selinux_access_vector(chfn_t)
+kernel_compute_selinux_create_context(chfn_t)
+kernel_compute_selinux_relabel_context(chfn_t)
+kernel_compute_selinux_reachable_user_contexts(chfn_t)
 terminal_use_all_private_physical_terminals(chfn_t)
 terminal_use_all_private_pseudoterminals(chfn_t)
@@ -213,10 +213,10 @@ allow groupadd_t self:msg { send receive };
 # Allow access to context for shadow file
 kernel_get_selinuxfs_mount_point(groupadd_t)
 kernel_validate_selinux_context(groupadd_t)
-kernel_compute_selinux_av(groupadd_t)
-kernel_compute_create(groupadd_t)
-kernel_compute_relabel(groupadd_t)
-kernel_compute_reachable_user_contexts(groupadd_t)
+kernel_compute_selinux_access_vector(groupadd_t)
+kernel_compute_selinux_create_context(groupadd_t)
+kernel_compute_selinux_relabel_context(groupadd_t)
+kernel_compute_selinux_reachable_user_contexts(groupadd_t)
 filesystem_get_persistent_filesystem_attributes(groupadd_t)
@@ -288,10 +288,10 @@ allow passwd_t self:msg { send receive };
 kernel_get_selinuxfs_mount_point(passwd_t)
 kernel_validate_selinux_context(passwd_t)
-kernel_compute_selinux_av(passwd_t)
-kernel_compute_create(passwd_t)
-kernel_compute_relabel(passwd_t)
-kernel_compute_reachable_user_contexts(passwd_t)
+kernel_compute_selinux_access_vector(passwd_t)
+kernel_compute_selinux_create_context(passwd_t)
+kernel_compute_selinux_relabel_context(passwd_t)
+kernel_compute_selinux_reachable_user_contexts(passwd_t)
 # for SSP
 devices_get_pseudorandom_data(passwd_t)
@@ -386,10 +386,10 @@ files_search_system_state_data_directory(sysadm_passwd_t)
 kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
 kernel_validate_selinux_context(sysadm_passwd_t)
-kernel_compute_selinux_av(sysadm_passwd_t)
-kernel_compute_create(sysadm_passwd_t)
-kernel_compute_relabel(sysadm_passwd_t)
-kernel_compute_reachable_user_contexts(sysadm_passwd_t)
+kernel_compute_selinux_access_vector(sysadm_passwd_t)
+kernel_compute_selinux_create_context(sysadm_passwd_t)
+kernel_compute_selinux_relabel_context(sysadm_passwd_t)
+kernel_compute_selinux_reachable_user_contexts(sysadm_passwd_t)
 # for /proc/meminfo
 kernel_read_system_state(sysadm_passwd_t)
@@ -478,10 +478,10 @@ allow useradd_t self:msg { send receive };
 # Allow access to context for shadow file
 kernel_get_selinuxfs_mount_point(useradd_t)
 kernel_validate_selinux_context(useradd_t)
-kernel_compute_selinux_av(useradd_t)
-kernel_compute_create(useradd_t)
-kernel_compute_relabel(useradd_t)
-kernel_compute_reachable_user_contexts(useradd_t)
+kernel_compute_selinux_access_vector(useradd_t)
+kernel_compute_selinux_create_context(useradd_t)
+kernel_compute_selinux_relabel_context(useradd_t)
+kernel_compute_selinux_reachable_user_contexts(useradd_t)
 # for getting the number of groups
 kernel_read_kernel_sysctl(useradd_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 79ba5db..2d799f1 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -247,9 +247,9 @@ class security setbool;
 ########################################
 #
-# kernel_setsecparam(domain)
+# kernel_set_selinux_security_parameters(domain)
 #
-define(`kernel_setsecparam',`
+define(`kernel_set_selinux_security_parameters',`
 requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
@@ -258,7 +258,7 @@ auditallow $1 security_t:security setsecparam;
 typeattribute $1 can_setsecparam;
 ')
-define(`kernel_setsecparam_depend',`
+define(`kernel_set_selinux_security_parameters_depend',`
 type security_t;
 attribute can_setsecparam;
 class dir { read search getattr };
@@ -286,16 +286,16 @@ class security check_context;
 ########################################
 #
-# kernel_compute_selinux_av(domain)
+# kernel_compute_selinux_access_vector(domain)
 #
-define(`kernel_compute_selinux_av',`
+define(`kernel_compute_selinux_access_vector',`
 requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_av;
 ')
-define(`kernel_compute_selinux_av_depend',`
+define(`kernel_compute_selinux_access_vector_depend',`
 type security_t;
 class dir { read search getattr };
 class file { getattr read write };
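Review bot: The header comment above `kernel_compute_selinux_access_vector` still carries only the interface signature, so the longer name is the sole description of what a caller receives. Besides `security_t:security compute_av`, the visible body allows `security_t:dir { read search getattr }` and `security_t:file { getattr read write }`, and the create, relabel and reachable-user-context interfaces in the following hunks grant the same directory and file access. I would add a line such as `# Grants read/write on security_t files plus security:compute_av.` to each header, so that anyone reviewing the calling domains (passwd_t, crond_t, udev_t and the others touched by this commit) sees the full grant without opening the macro. The `_depend` block runs past the end of the hunk.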
@@ -304,16 +304,16 @@ class security compute_av;
 ########################################
 #
-# kernel_compute_selinux_create(domain)
+# kernel_compute_selinux_create_context(domain)
 #
-define(`kernel_compute_create',`
+define(`kernel_compute_selinux_create_context',`
 requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_create;
 ')
-define(`kernel_compute_create_depend',`
+define(`kernel_compute_selinux_create_context_depend',`
 type security_t;
 class dir { read search getattr };
 class file { getattr read write };
@@ -322,16 +322,16 @@ class security compute_create;
 ########################################
 #
-# kernel_compute_relabel(domain)
+# kernel_compute_selinux_relabel_context(domain)
 #
-define(`kernel_compute_relabel',`
+define(`kernel_compute_selinux_relabel_context',`
 requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_relabel;
 ')
-define(`kernel_compute_relabel_depend',`
+define(`kernel_compute_selinux_relabel_context_depend',`
 type security_t;
 class dir { read search getattr };
 class file { getattr read write };
@@ -340,16 +340,16 @@ class security compute_relabel;
 ########################################
 #
-# kernel_compute_reachable_user_contexts(domain)
+# kernel_compute_selinux_reachable_user_contexts(domain)
 #
-define(`kernel_compute_reachable_user_contexts',`
+define(`kernel_compute_selinux_reachable_user_contexts',`
 requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_user;
 ')
-define(`kernel_compute_reachable_user_contexts_depend',`
+define(`kernel_compute_selinux_reachable_user_contexts_depend',`
 type security_t;
 class dir { read search getattr };
 class file { getattr read write };
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index b960cbd..8c3e775 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -83,10 +83,10 @@ kernel_read_kernel_sysctl(crond_t)
 kernel_read_hardware_state(crond_t)
 kernel_get_selinuxfs_mount_point(crond_t)
 kernel_validate_selinux_context(crond_t)
-kernel_compute_selinux_av(crond_t)
-kernel_compute_create(crond_t)
-kernel_compute_relabel(crond_t)
-kernel_compute_reachable_user_contexts(crond_t)
+kernel_compute_selinux_access_vector(crond_t)
+kernel_compute_selinux_create_context(crond_t)
+kernel_compute_selinux_relabel_context(crond_t)
+kernel_compute_selinux_reachable_user_contexts(crond_t)
 devices_get_pseudorandom_data(crond_t)
@@ -292,10 +292,10 @@ selinux_setfiles_transition(system_crond_t)
 } else {
 kernel_get_selinuxfs_mount_point(system_crond_t)
 kernel_validate_selinux_context(system_crond_t)
-kernel_compute_selinux_av(system_crond_t)
-kernel_compute_create(system_crond_t)
-kernel_compute_relabel(system_crond_t)
-kernel_compute_reachable_user_contexts(system_crond_t)
+kernel_compute_selinux_access_vector(system_crond_t)
+kernel_compute_selinux_create_context(system_crond_t)
+kernel_compute_selinux_relabel_context(system_crond_t)
+kernel_compute_selinux_reachable_user_contexts(system_crond_t)
 selinux_read_file_contexts(system_crond_t)
 }
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 1955937..0e2adc9 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -46,10 +46,10 @@ kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctl(remote_login_t)
 kernel_get_selinuxfs_mount_point(remote_login_t)
 kernel_validate_selinux_context(remote_login_t)
-kernel_compute_selinux_av(remote_login_t)
-kernel_compute_create(remote_login_t)
-kernel_compute_relabel(remote_login_t)
-kernel_compute_reachable_user_contexts(remote_login_t)
+kernel_compute_selinux_access_vector(remote_login_t)
+kernel_compute_selinux_create_context(remote_login_t)
+kernel_compute_selinux_relabel_context(remote_login_t)
+kernel_compute_selinux_reachable_user_contexts(remote_login_t)
 # for SSP/ProPolice
 devices_get_pseudorandom_data(remote_login_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 22ce48d..92e6db7 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -370,10 +370,10 @@ dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket }
 kernel_get_selinuxfs_mount_point(run_init_t)
 kernel_validate_selinux_context(run_init_t)
-kernel_compute_selinux_av(run_init_t)
-kernel_compute_create(run_init_t)
-kernel_compute_relabel(run_init_t)
-kernel_compute_reachable_user_contexts(run_init_t)
+kernel_compute_selinux_access_vector(run_init_t)
+kernel_compute_selinux_create_context(run_init_t)
+kernel_compute_selinux_relabel_context(run_init_t)
+kernel_compute_selinux_reachable_user_contexts(run_init_t)
 tunable_policy(`targeted_policy',`
 # targeted/unconfined stuff
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 2e2281f..38d8207 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -57,10 +57,10 @@ kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
 kernel_get_selinuxfs_mount_point(local_login_t)
 kernel_validate_selinux_context(local_login_t)
-kernel_compute_selinux_av(local_login_t)
-kernel_compute_create(local_login_t)
-kernel_compute_relabel(local_login_t)
-kernel_compute_reachable_user_contexts(local_login_t)
+kernel_compute_selinux_access_vector(local_login_t)
+kernel_compute_selinux_create_context(local_login_t)
+kernel_compute_selinux_relabel_context(local_login_t)
+kernel_compute_selinux_reachable_user_contexts(local_login_t)
 # for SSP/ProPolice
 devices_get_pseudorandom_data(local_login_t)
@@ -254,10 +254,10 @@ init_get_process_group(sulogin_t)
 allow sulogin_t self:process setexec;
 kernel_get_selinuxfs_mount_point(sulogin_t)
 kernel_validate_selinux_context(sulogin_t)
-kernel_compute_selinux_av(sulogin_t)
-kernel_compute_create(sulogin_t)
-kernel_compute_relabel(sulogin_t)
-kernel_compute_reachable_user_contexts(sulogin_t)
+kernel_compute_selinux_access_vector(sulogin_t)
+kernel_compute_selinux_create_context(sulogin_t)
+kernel_compute_selinux_relabel_context(sulogin_t)
+kernel_compute_selinux_reachable_user_contexts(sulogin_t)
 #domain_trans(sulogin_t, shell_exec_t, sysadm_t)
 ')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index a4bcb90..9c8d0b4 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -72,10 +72,10 @@ files_create_private_config(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
 kernel_get_selinuxfs_mount_point(lvm_t)
 kernel_validate_selinux_context(lvm_t)
-kernel_compute_selinux_av(lvm_t)
-kernel_compute_create(lvm_t)
-kernel_compute_relabel(lvm_t)
-kernel_compute_reachable_user_contexts(lvm_t)
+kernel_compute_selinux_access_vector(lvm_t)
+kernel_compute_selinux_create_context(lvm_t)
+kernel_compute_selinux_relabel_context(lvm_t)
+kernel_compute_selinux_reachable_user_contexts(lvm_t)
 kernel_read_kernel_sysctl(lvm_t)
 kernel_read_hardware_state(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 7489a96..8f9b472 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -210,10 +210,10 @@ kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
 kernel_get_selinuxfs_mount_point(newrole_t)
 kernel_validate_selinux_context(newrole_t)
-kernel_compute_selinux_av(newrole_t)
-kernel_compute_create(newrole_t)
-kernel_compute_relabel(newrole_t)
-kernel_compute_reachable_user_contexts(newrole_t)
+kernel_compute_selinux_access_vector(newrole_t)
+kernel_compute_selinux_create_context(newrole_t)
+kernel_compute_selinux_relabel_context(newrole_t)
+kernel_compute_selinux_reachable_user_contexts(newrole_t)
 devices_get_pseudorandom_data(newrole_t)
@@ -299,10 +299,10 @@ kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
 kernel_get_selinuxfs_mount_point(restorecon_t)
 kernel_validate_selinux_context(restorecon_t)
-kernel_compute_selinux_av(restorecon_t)
-kernel_compute_create(restorecon_t)
-kernel_compute_relabel(restorecon_t)
-kernel_compute_reachable_user_contexts(restorecon_t)
+kernel_compute_selinux_access_vector(restorecon_t)
+kernel_compute_selinux_create_context(restorecon_t)
+kernel_compute_selinux_relabel_context(restorecon_t)
+kernel_compute_selinux_reachable_user_contexts(restorecon_t)
 filesystem_get_persistent_filesystem_attributes(restorecon_t)
@@ -367,10 +367,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)
 kernel_validate_selinux_context(setfiles_t)
-kernel_compute_selinux_av(setfiles_t)
-kernel_compute_create(setfiles_t)
-kernel_compute_relabel(setfiles_t)
-kernel_compute_reachable_user_contexts(setfiles_t)
+kernel_compute_selinux_access_vector(setfiles_t)
+kernel_compute_selinux_create_context(setfiles_t)
+kernel_compute_selinux_relabel_context(setfiles_t)
+kernel_compute_selinux_reachable_user_contexts(setfiles_t)
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7489a96..8f9b472 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -210,10 +210,10 @@ kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
 kernel_get_selinuxfs_mount_point(newrole_t)
 kernel_validate_selinux_context(newrole_t)
-kernel_compute_selinux_av(newrole_t)
-kernel_compute_create(newrole_t)
-kernel_compute_relabel(newrole_t)
-kernel_compute_reachable_user_contexts(newrole_t)
+kernel_compute_selinux_access_vector(newrole_t)
+kernel_compute_selinux_create_context(newrole_t)
+kernel_compute_selinux_relabel_context(newrole_t)
+kernel_compute_selinux_reachable_user_contexts(newrole_t)
 devices_get_pseudorandom_data(newrole_t)
@@ -299,10 +299,10 @@ kernel_use_file_descriptors(restorecon_t)
 kernel_read_system_state(restorecon_t)
 kernel_get_selinuxfs_mount_point(restorecon_t)
 kernel_validate_selinux_context(restorecon_t)
-kernel_compute_selinux_av(restorecon_t)
-kernel_compute_create(restorecon_t)
-kernel_compute_relabel(restorecon_t)
-kernel_compute_reachable_user_contexts(restorecon_t)
+kernel_compute_selinux_access_vector(restorecon_t)
+kernel_compute_selinux_create_context(restorecon_t)
+kernel_compute_selinux_relabel_context(restorecon_t)
+kernel_compute_selinux_reachable_user_contexts(restorecon_t)
 filesystem_get_persistent_filesystem_attributes(restorecon_t)
@@ -367,10 +367,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
 kernel_read_system_state(setfiles_t)
 kernel_get_selinuxfs_mount_point(setfiles_t)
 kernel_validate_selinux_context(setfiles_t)
-kernel_compute_selinux_av(setfiles_t)
-kernel_compute_create(setfiles_t)
-kernel_compute_relabel(setfiles_t)
-kernel_compute_reachable_user_contexts(setfiles_t)
+kernel_compute_selinux_access_vector(setfiles_t)
+kernel_compute_selinux_create_context(setfiles_t)
+kernel_compute_selinux_relabel_context(setfiles_t)
+kernel_compute_selinux_reachable_user_contexts(setfiles_t)
 filesystem_get_persistent_filesystem_attributes(setfiles_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 974b819..19e6574 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -71,10 +71,10 @@ kernel_read_kernel_sysctl(udev_t)
 kernel_read_hardware_state(udev_t)
 kernel_get_selinuxfs_mount_point(udev_t)
 kernel_validate_selinux_context(udev_t)
-kernel_compute_selinux_av(udev_t)
-kernel_compute_create(udev_t)
-kernel_compute_relabel(udev_t)
-kernel_compute_reachable_user_contexts(udev_t)
+kernel_compute_selinux_access_vector(udev_t)
+kernel_compute_selinux_create_context(udev_t)
+kernel_compute_selinux_relabel_context(udev_t)
+kernel_compute_selinux_reachable_user_contexts(udev_t)
 devices_manage_device_nodes(udev_t)