diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index e3cb5e1..3b78632 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,6 @@
+- Make all interface parameters required.
+- Move boot_t, system_map_t, and modules_object_t to files module,
+ and move bootloader to admin layer.
- Add semanage policy for semodule from Dan Walsh.
- Remove allow_execmem from targeted policy domain_base_type().
- Add users_extra and seusers support.
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 4697a9a..8716138 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -57,7 +57,7 @@ files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
-init_use_fd(acct_t)
+init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 8d9cf0d..7157fb4 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -36,7 +36,7 @@ allow consoletype_t self:sem create_sem_perms;
allow consoletype_t self:msgq create_msgq_perms;
allow consoletype_t self:msg { send receive };
-kernel_use_fd(consoletype_t)
+kernel_use_fds(consoletype_t)
kernel_dontaudit_read_system_state(consoletype_t)
fs_getattr_all_fs(consoletype_t)
@@ -46,7 +46,7 @@ fs_write_nfs_files(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_ttys(consoletype_t)
-init_use_fd(consoletype_t)
+init_use_fds(consoletype_t)
init_use_script_ptys(consoletype_t)
init_use_script_fds(consoletype_t)
init_write_script_pipes(consoletype_t)
@@ -68,7 +68,7 @@ ifdef(`distro_redhat',`
')
optional_policy(`apm',`
- apm_use_fd(consoletype_t)
+ apm_use_fds(consoletype_t)
apm_write_pipes(consoletype_t)
')
@@ -83,12 +83,12 @@ optional_policy(`cron',`
optional_policy(`firstboot',`
files_read_etc_files(consoletype_t)
- firstboot_use_fd(consoletype_t)
+ firstboot_use_fds(consoletype_t)
firstboot_write_pipes(consoletype_t)
')
optional_policy(`logrotate',`
- logrotate_dontaudit_use_fd(consoletype_t)
+ logrotate_dontaudit_use_fds(consoletype_t)
')
optional_policy(`lpd',`
diff --git a/refpolicy/policy/modules/admin/ddcprobe.te b/refpolicy/policy/modules/admin/ddcprobe.te
index c050341..67982aa 100644
--- a/refpolicy/policy/modules/admin/ddcprobe.te
+++ b/refpolicy/policy/modules/admin/ddcprobe.te
@@ -24,7 +24,7 @@ kernel_read_system_state(ddcprobe_t)
kernel_read_kernel_sysctls(ddcprobe_t)
kernel_change_ring_buffer_level(ddcprobe_t)
-bootloader_search_kernel_modules(ddcprobe_t)
+files_search_kernel_modules(ddcprobe_t)
corecmd_list_sbin(ddcprobe_t)
corecmd_list_bin(ddcprobe_t)
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 5c068a7..52413bd 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -50,7 +50,7 @@ ifdef(`strict_policy',`
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(dmesg_t)
- init_use_fd(dmesg_t)
+ init_use_fds(dmesg_t)
init_use_script_ptys(dmesg_t)
libs_use_ld_so(dmesg_t)
diff --git a/refpolicy/policy/modules/admin/dmidecode.te b/refpolicy/policy/modules/admin/dmidecode.te
index d638cfb..839896f 100644
--- a/refpolicy/policy/modules/admin/dmidecode.te
+++ b/refpolicy/policy/modules/admin/dmidecode.te
@@ -30,7 +30,7 @@ files_list_usr(dmidecode_t)
libs_use_ld_so(dmidecode_t)
libs_use_shared_libs(dmidecode_t)
-locallogin_use_fd(dmidecode_t)
+locallogin_use_fds(dmidecode_t)
ifdef(`targeted_policy',`
term_use_generic_ptys(dmidecode_t)
diff --git a/refpolicy/policy/modules/admin/firstboot.if b/refpolicy/policy/modules/admin/firstboot.if
index b545069..4214456 100644
--- a/refpolicy/policy/modules/admin/firstboot.if
+++ b/refpolicy/policy/modules/admin/firstboot.if
@@ -67,7 +67,7 @@ interface(`firstboot_run',`
##
##
#
-interface(`firstboot_use_fd',`
+interface(`firstboot_use_fds',`
gen_require(`
type firstboot_t;
')
@@ -86,7 +86,7 @@ interface(`firstboot_use_fd',`
##
##
#
-interface(`firstboot_dontaudit_use_fd',`
+interface(`firstboot_dontaudit_use_fds',`
gen_require(`
type firstboot_t;
')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 5ca6a16..85984d5 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -88,7 +88,7 @@ libs_use_shared_libs(firstboot_t)
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)
-locallogin_use_fd(firstboot_t)
+locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 8425e54..600ee0b 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -35,7 +35,7 @@ files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
allow kudzu_t kudzu_var_run_t:file create_file_perms;
allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
-files_pid_filetrans(kudzu_t,kudzu_var_run_t)
+files_pid_filetrans(kudzu_t,kudzu_var_run_t,file)
kernel_change_ring_buffer_level(kudzu_t)
kernel_list_proc(kudzu_t)
@@ -47,7 +47,7 @@ kernel_read_system_state(kudzu_t)
kernel_rw_hotplug_sysctls(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
-bootloader_read_kernel_modules(kudzu_t)
+files_read_kernel_modules(kudzu_t)
dev_list_sysfs(kudzu_t)
dev_read_usbfs(kudzu_t)
@@ -100,7 +100,7 @@ files_rw_etc_runtime_files(kudzu_t)
# for file systems that are not yet mounted
files_dontaudit_search_isid_type_dirs(kudzu_t)
-init_use_fd(kudzu_t)
+init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index b9c680a..988ddfc 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -82,7 +82,7 @@ interface(`logrotate_exec',`
##
##
#
-interface(`logrotate_use_fd',`
+interface(`logrotate_use_fds',`
gen_require(`
type logrotate_t;
')
@@ -100,7 +100,7 @@ interface(`logrotate_use_fd',`
##
##
#
-interface(`logrotate_dontaudit_use_fd',`
+interface(`logrotate_dontaudit_use_fds',`
gen_require(`
type logrotate_t;
')
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 52b2926..61040ce 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -51,7 +51,7 @@ allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file create_file_perms;
-files_lock_filetrans(logrotate_t,logrotate_lock_t)
+files_lock_filetrans(logrotate_t,logrotate_lock_t,file)
can_exec(logrotate_t, logrotate_tmp_t)
@@ -62,7 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
allow logrotate_t logrotate_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t)
+files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/mrtg.te b/refpolicy/policy/modules/admin/mrtg.te
index 1389d4c..dcf042b 100644
--- a/refpolicy/policy/modules/admin/mrtg.te
+++ b/refpolicy/policy/modules/admin/mrtg.te
@@ -97,7 +97,7 @@ fs_getattr_xattr_fs(mrtg_t)
term_dontaudit_use_console(mrtg_t)
-init_use_fd(mrtg_t)
+init_use_fds(mrtg_t)
init_use_script_ptys(mrtg_t)
# for uptime
init_read_utmp(mrtg_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index e707217..aa1edd9 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -64,7 +64,7 @@ files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
-init_use_fd(netutils_t)
+init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)
libs_use_ld_so(netutils_t)
@@ -131,7 +131,7 @@ sysnet_dns_name_resolve(ping_t)
logging_send_syslog_msg(ping_t)
ifdef(`hide_broken_symptoms',`
- init_dontaudit_use_fd(ping_t)
+ init_dontaudit_use_fds(ping_t)
')
ifdef(`targeted_policy',`
@@ -159,7 +159,7 @@ optional_policy(`pcmcia',`
')
optional_policy(`hotplug',`
- hotplug_use_fd(ping_t)
+ hotplug_use_fds(ping_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index 2d33bf9..e83d18d 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;
allow portage_t portage_log_t:file create_file_perms;
-logging_log_filetrans(portage_t,portage_log_t)
+logging_log_filetrans(portage_t,portage_log_t,file)
# transition to sandbox for compiling
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index cff2919..93cfcb1 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -33,7 +33,7 @@ files_var_lib_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
-logging_log_filetrans(prelink_t, prelink_log_t)
+logging_log_filetrans(prelink_t, prelink_log_t, file)
# prelink misc objects that are not system
# libraries or entrypoints
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 0c740a3..dcc02b2 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -51,7 +51,7 @@ files_getattr_all_sockets(quota_t)
# Read /etc/mtab.
files_read_etc_runtime_files(quota_t)
-init_use_fd(quota_t)
+init_use_fds(quota_t)
init_use_script_ptys(quota_t)
libs_use_ld_so(quota_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 8db168f..bba6ad6 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(readahead_t,readahead_var_run_t)
+files_pid_filetrans(readahead_t,readahead_var_run_t,file)
kernel_read_kernel_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
@@ -56,7 +56,7 @@ term_dontaudit_use_console(readahead_t)
auth_dontaudit_read_shadow(readahead_t)
-init_use_fd(readahead_t)
+init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index aef9391..a6fc3ff 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -91,7 +91,7 @@ interface(`rpm_run',`
##
##
#
-interface(`rpm_use_fd',`
+interface(`rpm_use_fds',`
gen_require(`
type rpm_t;
')
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 16570df..d38ab56 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
# conflicts since rpm_t is an alias of
# unconfined in the targeted policy
allow rpm_t rpm_log_t:file create_file_perms;
- logging_log_filetrans(rpm_t,rpm_log_t)
+ logging_log_filetrans(rpm_t,rpm_log_t,file)
')
optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 63baa2e..6cce4e9 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -49,7 +49,7 @@ template(`su_restricted_domain_template', `
domain_use_interactive_fds($1_su_t)
- init_dontaudit_use_fd($1_su_t)
+ init_dontaudit_use_fds($1_su_t)
init_dontaudit_use_script_ptys($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
@@ -168,7 +168,7 @@ template(`su_per_userdomain_template',`
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
- init_dontaudit_use_fd($1_su_t)
+ init_dontaudit_use_fds($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index c3e32d1..b76f18a 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -20,7 +20,7 @@ dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
allow updfstab_t self:process signal_perms;
allow updfstab_t self:fifo_file { getattr read write ioctl };
-kernel_use_fd(updfstab_t)
+kernel_use_fds(updfstab_t)
kernel_read_kernel_sysctls(updfstab_t)
kernel_dontaudit_write_kernel_sysctl(updfstab_t)
# for /proc/partitions
@@ -66,7 +66,7 @@ files_dontaudit_search_home(updfstab_t)
# for /etc/mtab
files_read_etc_runtime_files(updfstab_t)
-init_use_fd(updfstab_t)
+init_use_fds(updfstab_t)
init_use_script_ptys(updfstab_t)
libs_use_ld_so(updfstab_t)
diff --git a/refpolicy/policy/modules/admin/usbmodules.te b/refpolicy/policy/modules/admin/usbmodules.te
index 46672a0..50a298d 100644
--- a/refpolicy/policy/modules/admin/usbmodules.te
+++ b/refpolicy/policy/modules/admin/usbmodules.te
@@ -19,7 +19,7 @@ role system_r types usbmodules_t;
kernel_list_proc(usbmodules_t)
-bootloader_list_kernel_modules(usbmodules_t)
+files_list_kernel_modules(usbmodules_t)
dev_list_usbfs(usbmodules_t)
# allow usb device access
@@ -32,7 +32,7 @@ files_read_etc_files(usbmodules_t)
term_read_console(usbmodules_t)
term_write_console(usbmodules_t)
-init_use_fd(usbmodules_t)
+init_use_fds(usbmodules_t)
libs_use_ld_so(usbmodules_t)
libs_use_shared_libs(usbmodules_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index f2efebf..6867ce0 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -217,7 +217,7 @@ selinux_compute_user_contexts(groupadd_t)
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
-init_use_fd(groupadd_t)
+init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
init_dontaudit_write_utmp(groupadd_t)
@@ -257,7 +257,7 @@ optional_policy(`nscd',`
')
optional_policy(`rpm',`
- rpm_use_fd(groupadd_t)
+ rpm_use_fds(groupadd_t)
rpm_rw_pipes(groupadd_t)
')
@@ -488,7 +488,7 @@ files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
files_relabel_etc_files(useradd_t)
-init_use_fd(useradd_t)
+init_use_fds(useradd_t)
init_rw_utmp(useradd_t)
libs_use_ld_so(useradd_t)
@@ -520,6 +520,6 @@ optional_policy(`nscd',`
')
optional_policy(`rpm',`
- rpm_use_fd(useradd_t)
+ rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 42be63b..b659fa4 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -42,7 +42,7 @@ files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir })
allow vpnc_t vpnc_var_run_t:file create_file_perms;
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(vpnc_t,vpnc_var_run_t)
+files_pid_filetrans(vpnc_t,vpnc_var_run_t,file)
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -91,7 +91,7 @@ libs_exec_lib_files(vpnc_t)
libs_use_ld_so(vpnc_t)
libs_use_shared_libs(vpnc_t)
-locallogin_use_fd(vpnc_t)
+locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te
index 01fa47d..8e7daf3 100644
--- a/refpolicy/policy/modules/apps/loadkeys.te
+++ b/refpolicy/policy/modules/apps/loadkeys.te
@@ -42,7 +42,7 @@ ifdef(`targeted_policy',`
libs_use_ld_so(loadkeys_t)
libs_use_shared_libs(loadkeys_t)
- locallogin_use_fd(loadkeys_t)
+ locallogin_use_fds(loadkeys_t)
miscfiles_read_localization(loadkeys_t)
')
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
index f2c078d..d0c4e73 100644
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -68,7 +68,7 @@ template(`lockdev_per_userdomain_template',`
allow $1_lockdev_t $2:process sigchld;
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
- files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t)
+ files_lock_filetrans($1_lockdev_t,$1_lockdev_lock_t,file)
files_read_all_locks($1_lockdev_t)
diff --git a/refpolicy/policy/modules/apps/uml.te b/refpolicy/policy/modules/apps/uml.te
index db58cf3..bd99059 100644
--- a/refpolicy/policy/modules/apps/uml.te
+++ b/refpolicy/policy/modules/apps/uml.te
@@ -47,7 +47,7 @@ fs_search_auto_mountpoints(uml_switch_t)
term_dontaudit_use_console(uml_switch_t)
-init_use_fd(uml_switch_t)
+init_use_fds(uml_switch_t)
init_use_script_ptys(uml_switch_t)
libs_use_ld_so(uml_switch_t)
diff --git a/refpolicy/policy/modules/apps/userhelper.if b/refpolicy/policy/modules/apps/userhelper.if
index ac9f205..e5aa700 100644
--- a/refpolicy/policy/modules/apps/userhelper.if
+++ b/refpolicy/policy/modules/apps/userhelper.if
@@ -41,6 +41,7 @@ template(`userhelper_per_userdomain_template',`
#
# Declarations
#
+
type $1_userhelper_t;
domain_type($1_userhelper_t)
domain_entry_file($1_userhelper_t,userhelper_exec_t)
@@ -105,7 +106,7 @@ template(`userhelper_per_userdomain_template',`
files_list_var_lib($1_userhelper_t)
# Write to utmp.
- files_pid_filetrans($1_userhelper_t,initrc_var_run_t)
+ files_pid_filetrans($1_userhelper_t,initrc_var_run_t,file)
# Read the /etc/security/default_type file
files_read_etc_files($1_userhelper_t)
# Read /var.
@@ -141,7 +142,7 @@ template(`userhelper_per_userdomain_template',`
auth_search_pam_console_data($1_userhelper_t)
# Inherit descriptors from the current session.
- init_use_fd($1_userhelper_t)
+ init_use_fds($1_userhelper_t)
# Write to utmp.
init_manage_utmp($1_userhelper_t)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 6200fae..a0aab80 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -54,7 +54,7 @@ files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t)
+files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc
index 392176f..bcedf95 100644
--- a/refpolicy/policy/modules/kernel/bootloader.fc
+++ b/refpolicy/policy/modules/kernel/bootloader.fc
@@ -1,17 +1,9 @@
-/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
-/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
-
-/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
-/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 9927a33..8f6707b 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -57,198 +57,6 @@ interface(`bootloader_run',`
########################################
##
-## Get attributes of the /boot directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`bootloader_getattr_boot_dirs',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir getattr;
-')
-
-########################################
-##
-## Do not audit attempts to get attributes
-## of the /boot directory.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`bootloader_dontaudit_getattr_boot_dirs',`
- gen_require(`
- type boot_t;
- ')
-
- dontaudit $1 boot_t:dir getattr;
-')
-
-########################################
-##
-## Search the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_search_boot',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir search_dir_perms;
-')
-
-########################################
-##
-## Do not audit attempts to search the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_dontaudit_search_boot',`
- gen_require(`
- type boot_t;
- ')
-
- dontaudit $1 boot_t:dir search;
-')
-
-########################################
-##
-## Read and write symbolic links
-## in the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_rw_boot_symlinks',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir r_dir_perms;
- allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-##
-## Install a kernel into the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_create_kernel_img',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir ra_dir_perms;
- allow $1 boot_t:file { getattr read write create };
- allow $1 boot_t:lnk_file { getattr read create unlink };
-')
-
-########################################
-##
-## Install a system.map into the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_create_kernel_symbol_table',`
- gen_require(`
- type boot_t, system_map_t;
- ')
-
- allow $1 boot_t:dir ra_dir_perms;
- allow $1 system_map_t:file { rw_file_perms create };
-')
-
-########################################
-##
-## Read system.map in the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_read_kernel_symbol_table',`
- gen_require(`
- type boot_t, system_map_t;
- ')
-
- allow $1 boot_t:dir r_dir_perms;
- allow $1 system_map_t:file r_file_perms;
-
- # cjp: this should be dropped:
- allow $1 boot_t:file { getattr read };
-')
-
-########################################
-##
-## Delete a kernel from /boot.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_delete_kernel',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir { r_dir_perms write remove_name };
- allow $1 boot_t:file { getattr unlink };
-')
-
-########################################
-##
-## Delete a system.map in the /boot directory.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_delete_kernel_symbol_table',`
- gen_require(`
- type boot_t, system_map_t;
- ')
-
- allow $1 boot_t:dir { r_dir_perms write remove_name };
- allow $1 system_map_t:file { getattr unlink };
-')
-
-########################################
-##
## Read the bootloader configuration file.
##
##
@@ -324,142 +132,3 @@ interface(`bootloader_create_runtime_file',`
allow $1 boot_runtime_t:file { rw_file_perms create unlink };
type_transition $1 boot_t:file boot_runtime_t;
')
-
-########################################
-##
-## Search the contents of the kernel module directories.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_search_kernel_modules',`
- gen_require(`
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir search;
-')
-
-########################################
-##
-## List the contents of the kernel module directories.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_list_kernel_modules',`
- gen_require(`
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir r_dir_perms;
-')
-
-########################################
-##
-## Get the attributes of kernel module files.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_getattr_kernel_modules',`
- gen_require(`
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir search;
- allow $1 modules_object_t:dir getattr;
-')
-
-########################################
-##
-## Read kernel module files.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_read_kernel_modules',`
- gen_require(`
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir r_dir_perms;
- allow $1 modules_object_t:lnk_file r_file_perms;
- allow $1 modules_object_t:file r_file_perms;
-')
-
-########################################
-##
-## Write kernel module files.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_write_kernel_modules',`
- gen_require(`
- attribute rw_kern_modules;
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir r_dir_perms;
- allow $1 modules_object_t:file { write append };
-
- typeattribute $1 rw_kern_modules;
-')
-
-########################################
-##
-## Create, read, write, and delete
-## kernel module files.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_manage_kernel_modules',`
- gen_require(`
-# attribute rw_kern_modules;
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
- allow $1 modules_object_t:dir rw_dir_perms;
-
-# typeattribute $1 rw_kern_modules;
-')
-
-########################################
-#
-# bootloader_modules_filetrans(domain,privatetype,[class(es)])
-#
-interface(`bootloader_modules_filetrans',`
- gen_require(`
- type modules_object_t;
- ')
-
- allow $1 modules_object_t:dir rw_dir_perms;
-
- # if a class is specified use it, else use file as default
- ifelse(`$3',`',`
- type_transition $1 modules_object_t:file $2;
- ',`
- type_transition $1 modules_object_t:$3 $2;
- ')
-')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 3a510c1..a0e3d9c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -1,20 +1,11 @@
-policy_module(bootloader,1.1.3)
+policy_module(bootloader,1.1.4)
########################################
#
# Declarations
#
-attribute rw_kern_modules;
-
-#
-# boot_t is the type for files in /boot
-#
-type boot_t;
-files_type(boot_t)
-files_mountpoint(boot_t)
-
#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
@@ -45,18 +36,6 @@ type bootloader_tmp_t;
files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)
-# kernel modules
-type modules_object_t;
-files_type(modules_object_t)
-
-#neverallow ~rw_kern_modules modules_object_t:file { create append write };
-
-#
-# system_map_t is for the system.map files in /boot
-#
-type system_map_t;
-files_type(system_map_t)
-
#
# /var/log/ksyms
# cjp: this probably can be removed, I do not
@@ -73,14 +52,10 @@ allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin
allow bootloader_t self:process { sigkill sigstop signull signal };
allow bootloader_t self:fifo_file rw_file_perms;
-allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file create_lnk_perms;
-
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-#files_etc_filetrans(bootloader_t,bootloader_etc_t)
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
@@ -89,11 +64,7 @@ allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
-files_root_filetrans(bootloader_t,bootloader_tmp_t)
-
-allow bootloader_t modules_object_t:dir r_dir_perms;
-allow bootloader_t modules_object_t:file r_file_perms;
-allow bootloader_t modules_object_t:lnk_file r_file_perms;
+files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
kernel_getattr_core_if(bootloader_t)
kernel_read_system_state(bootloader_t)
@@ -127,12 +98,16 @@ corecmd_exec_shell(bootloader_t)
domain_exec_all_entry_files(bootloader_t)
domain_use_interactive_fds(bootloader_t)
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
files_exec_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
@@ -157,11 +132,11 @@ seutil_dontaudit_search_config(bootloader_t)
ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
- allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
- allow bootloader_t boot_t:file relabelfrom;
-
fs_list_tmpfs(bootloader_t)
+ files_relabel_kernel_modules(bootloader_t)
+ files_relabelfrom_boot_files(bootloader_t)
+ files_delete_kernel_modules(bootloader_t)
files_relabelto_usr_files(bootloader_t)
files_search_var_lib(bootloader_t)
# for /usr/share/initrd-tools/scripts
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 5d84f07..9b8c0f3 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -77,7 +77,7 @@ interface(`domain_type',`
init_signull($1)
ifdef(`targeted_policy',`
- unconfined_use_fd($1)
+ unconfined_use_fds($1)
unconfined_sigchld($1)
')
@@ -88,7 +88,7 @@ interface(`domain_type',`
# these 3 seem highly questionable:
optional_policy(`rpm',`
- rpm_use_fd($1)
+ rpm_use_fds($1)
rpm_read_pipes($1)
')
diff --git a/refpolicy/policy/modules/kernel/files.fc b/refpolicy/policy/modules/kernel/files.fc
index f9032b4..fcc484f 100644
--- a/refpolicy/policy/modules/kernel/files.fc
+++ b/refpolicy/policy/modules/kernel/files.fc
@@ -5,6 +5,8 @@
/.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0)
/\.journal <>
+/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
+/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -23,9 +25,11 @@ ifdef(`distro_suse',`
#
# /boot
#
+/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <>
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/boot/lost\+found/.* <>
+/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
#
# /emul
@@ -101,6 +105,11 @@ HOME_ROOT/lost\+found/.* <>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
+# /lib(64)?
+#
+/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+#
# /lost+found
#
/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 126f85d..8853e04 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -845,7 +845,7 @@ interface(`files_manage_all_files',`
# satisfy the assertions:
seutil_create_bin_policy($1)
- bootloader_manage_kernel_modules($1)
+ files_manage_kernel_modules($1)
')
########################################
@@ -953,7 +953,7 @@ interface(`files_list_root',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -961,10 +961,9 @@ interface(`files_list_root',`
## The type of the object to be created.
##
##
-##
+##
##
-## The object class of the object being created. If
-## no class is specified, file will be used.
+## The object class of the object being created.
##
##
#
@@ -974,12 +973,7 @@ interface(`files_root_filetrans',`
')
allow $1 root_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 root_t:file $2;
- ',`
- type_transition $1 root_t:$3 $2;
- ')
+ type_transition $1 root_t:$3 $2;
')
########################################
@@ -1044,6 +1038,244 @@ interface(`files_unmount_rootfs',`
########################################
##
+## Get attributes of the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get attributes
+## of the /boot directory.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_getattr_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir getattr;
+')
+
+########################################
+##
+## Search the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_search_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to search the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_dontaudit_search_boot',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ dontaudit $1 boot_t:dir search;
+')
+
+########################################
+##
+## Create directories in /boot
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_boot_dirs',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir { create rw_dir_perms };
+')
+
+########################################
+##
+## Create a private type object in boot
+## with an automatic type transition
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`files_boot_filetrans',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir rw_dir_perms;
+ type_transition $1 boot_t:$3 $2;
+')
+
+########################################
+##
+## Create, read, write, and delete files
+## in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir rw_dir_perms;
+ allow $1 boot_t:file manage_file_perms;
+')
+
+########################################
+##
+## Relabel from files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:file relabelfrom;
+')
+
+########################################
+##
+## Read and write symbolic links
+## in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir r_dir_perms;
+ allow $1 boot_t:lnk_file rw_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete symbolic links
+## in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_boot_symlinks',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir rw_dir_perms;
+ allow $1 boot_t:lnk_file manage_file_perms;
+')
+
+########################################
+##
+## Install a kernel into the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_kernel_img',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir ra_dir_perms;
+ allow $1 boot_t:file { getattr read write create };
+ allow $1 boot_t:lnk_file { getattr read create unlink };
+')
+
+########################################
+##
+## Delete a kernel from /boot.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_kernel',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ allow $1 boot_t:dir { r_dir_perms write remove_name };
+ allow $1 boot_t:file { getattr unlink };
+')
+
+########################################
+##
## Getattr of directories with the default file type.
##
##
@@ -1352,7 +1584,7 @@ interface(`files_manage_etc_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1500,7 +1732,7 @@ interface(`files_manage_etc_runtime_files',`
########################################
#
-# files_etc_filetrans(domain,privatetype,[class(es)])
+# files_etc_filetrans(domain,privatetype,class(es))
#
interface(`files_etc_filetrans',`
gen_require(`
@@ -1508,11 +1740,7 @@ interface(`files_etc_filetrans',`
')
allow $1 etc_t:dir rw_dir_perms;
- ifelse(`$3',`',`
- type_transition $1 etc_t:file $2;
- ',`
- type_transition $1 etc_t:$3 $2;
- ')
+ type_transition $1 etc_t:$3 $2;
')
########################################
@@ -1522,7 +1750,7 @@ interface(`files_etc_filetrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1541,7 +1769,7 @@ interface(`files_getattr_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1560,7 +1788,7 @@ interface(`files_dontaudit_search_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1579,7 +1807,7 @@ interface(`files_list_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1598,7 +1826,7 @@ interface(`files_rw_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1617,7 +1845,7 @@ interface(`files_manage_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1636,7 +1864,7 @@ interface(`files_mounton_isid_type_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1656,7 +1884,7 @@ interface(`files_read_isid_type_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1676,7 +1904,7 @@ interface(`files_manage_isid_type_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1696,7 +1924,7 @@ interface(`files_manage_isid_type_symlinks',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1716,7 +1944,7 @@ interface(`files_rw_isid_type_blk_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1736,7 +1964,7 @@ interface(`files_manage_isid_type_blk_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1756,7 +1984,7 @@ interface(`files_manage_isid_type_chr_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1794,7 +2022,7 @@ interface(`files_dontaudit_getattr_home_dir',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1850,7 +2078,7 @@ interface(`files_dontaudit_list_home',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -1868,7 +2096,7 @@ interface(`files_list_home',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -1876,10 +2104,9 @@ interface(`files_list_home',`
## The private type.
##
##
-##
+##
##
-## The object class of the object being created. If
-## no class is specified, dir will be used.
+## The class of the object being created.
##
##
#
@@ -1889,13 +2116,7 @@ interface(`files_home_filetrans',`
')
allow $1 home_root_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 home_root_t:dir $2;
- ',`
- type_transition $1 home_root_t:$3 $2;
- ')
-
+ type_transition $1 home_root_t:$3 $2;
')
########################################
@@ -1905,7 +2126,7 @@ interface(`files_home_filetrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2021,6 +2242,188 @@ interface(`files_manage_mnt_symlinks',`
########################################
##
+## Search the contents of the kernel module directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_search_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir search;
+')
+
+########################################
+##
+## List the contents of the kernel module directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_list_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir r_dir_perms;
+')
+
+########################################
+##
+## Get the attributes of kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir search;
+ allow $1 modules_object_t:dir getattr;
+')
+
+########################################
+##
+## Read kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir r_dir_perms;
+ allow $1 modules_object_t:lnk_file r_file_perms;
+ allow $1 modules_object_t:file r_file_perms;
+')
+
+########################################
+##
+## Write kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_write_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir r_dir_perms;
+ allow $1 modules_object_t:file { write append };
+')
+
+########################################
+##
+## Delete kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir { list_dir_perms write remove_name };
+ allow $1 modules_object_t:file unlink;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
+ allow $1 modules_object_t:dir rw_dir_perms;
+')
+
+########################################
+##
+## Relabel from and to kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabel_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:file { relabelfrom relabelto };
+ allow $1 modules_object_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Create objects in the kernel module directories
+## with a private type via an automatic type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`files_kernel_modules_filetrans',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:dir rw_dir_perms;
+ type_transition $1 modules_object_t:$3 $2;
+')
+
+########################################
+##
## List world-readable directories.
##
##
@@ -2154,7 +2557,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2172,7 +2575,7 @@ interface(`files_dontaudit_getattr_tmp_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2190,7 +2593,7 @@ interface(`files_search_tmp',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2226,7 +2629,7 @@ interface(`files_dontaudit_list_tmp',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2245,7 +2648,7 @@ interface(`files_read_generic_tmp_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2264,7 +2667,7 @@ interface(`files_read_generic_tmp_symlinks',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2283,7 +2686,7 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2297,7 +2700,7 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
#
-# files_tmp_filetrans(domain,private_type,[object class(es)])
+# files_tmp_filetrans(domain,private_type,object class(es))
#
interface(`files_tmp_filetrans',`
gen_require(`
@@ -2305,12 +2708,7 @@ interface(`files_tmp_filetrans',`
')
allow $1 tmp_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 tmp_t:file $2;
- ',`
- type_transition $1 tmp_t:$3 $2;
- ')
+ type_transition $1 tmp_t:$3 $2;
')
########################################
@@ -2395,7 +2793,7 @@ interface(`files_read_usr_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2461,9 +2859,9 @@ interface(`files_read_usr_symlinks',`
## The type of the object to be created
##
##
-##
+##
##
-## The object class. If not specified, file is used.
+## The object class.
##
##
#
@@ -2473,12 +2871,7 @@ interface(`files_usr_filetrans',`
')
allow $1 usr_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 usr_t:file $2;
- ',`
- type_transition $1 usr_t:$3 $2;
- ')
+ type_transition $1 usr_t:$3 $2;
')
########################################
@@ -2487,7 +2880,7 @@ interface(`files_usr_filetrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2530,6 +2923,66 @@ interface(`files_read_usr_src_files',`
########################################
##
+## Install a system.map into the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir ra_dir_perms;
+ allow $1 system_map_t:file { rw_file_perms create };
+')
+
+########################################
+##
+## Read system.map in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir r_dir_perms;
+ allow $1 system_map_t:file r_file_perms;
+
+ # cjp: this should be dropped:
+ allow $1 boot_t:file { getattr read };
+')
+
+########################################
+##
+## Delete a system.map in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+ type boot_t, system_map_t;
+ ')
+
+ allow $1 boot_t:dir { r_dir_perms write remove_name };
+ allow $1 system_map_t:file { getattr unlink };
+')
+
+########################################
+##
## Search the contents of /var.
##
##
@@ -2626,7 +3079,7 @@ interface(`files_manage_var_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2711,9 +3164,9 @@ interface(`files_manage_var_symlinks',`
## The type of the object to be created
##
##
-##
+##
##
-## The object class. If not specified, file is used.
+## The object class.
##
##
#
@@ -2723,12 +3176,7 @@ interface(`files_var_filetrans',`
')
allow $1 var_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_t:file $2;
- ',`
- type_transition $1 var_t:$3 $2;
- ')
+ type_transition $1 var_t:$3 $2;
')
########################################
@@ -2737,7 +3185,7 @@ interface(`files_var_filetrans',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2756,7 +3204,7 @@ interface(`files_getattr_var_lib_dirs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -2801,9 +3249,9 @@ interface(`files_list_var_lib',`
## The type of the object to be created
##
##
-##
+##
##
-## The object class. If not specified, file is used.
+## The object class.
##
##
#
@@ -2814,12 +3262,7 @@ interface(`files_var_lib_filetrans',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_lib_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_lib_t:file $2;
- ',`
- type_transition $1 var_lib_t:$3 $2;
- ')
+ type_transition $1 var_lib_t:$3 $2;
')
########################################
@@ -3028,12 +3471,7 @@ interface(`files_lock_filetrans',`
allow $1 var_t:dir search;
allow $1 var_lock_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_lock_t:file $2;
- ',`
- type_transition $1 var_lock_t:$3 $2;
- ')
+ type_transition $1 var_lock_t:$3 $2;
')
########################################
@@ -3111,12 +3549,7 @@ interface(`files_pid_filetrans',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_run_t:file $2;
- ',`
- type_transition $1 var_run_t:$3 $2;
- ')
+ type_transition $1 var_run_t:$3 $2;
')
########################################
@@ -3139,7 +3572,7 @@ interface(`files_rw_generic_pids',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -3157,7 +3590,7 @@ interface(`files_dontaudit_write_all_pids',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index b1d1756..a8968cf 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.1.2)
+policy_module(files,1.1.3)
########################################
#
@@ -36,6 +36,13 @@ attribute security_file_type;
attribute tmpfile;
attribute tmpfsfile;
+#
+# boot_t is the type for files in /boot
+#
+type boot_t;
+files_type(boot_t)
+files_mountpoint(boot_t)
+
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
@@ -93,6 +100,12 @@ type mnt_t, file_type, mountpoint;
fs_associate(mnt_t)
fs_associate_noxattr(mnt_t)
+#
+# modules_object_t is the type for kernel modules
+#
+type modules_object_t;
+files_type(modules_object_t)
+
type no_access_t, file_type;
fs_associate(no_access_t)
fs_associate_noxattr(no_access_t)
@@ -123,6 +136,12 @@ fs_associate(src_t)
fs_associate_noxattr(src_t)
#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_type(system_map_t)
+
+#
# tmp_t is the type of the temporary directories
#
type tmp_t, mountpoint; #, polydir
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index c1d5981..d7b2f86 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2425,7 +2425,7 @@ interface(`fs_manage_tmpfs_dirs',`
########################################
#
-# fs_tmpfs_filetrans(domain,derivedtype,[class])
+# fs_tmpfs_filetrans(domain,derivedtype,class)
#
interface(`fs_tmpfs_filetrans',`
gen_require(`
@@ -2434,12 +2434,7 @@ interface(`fs_tmpfs_filetrans',`
allow $2 tmpfs_t:filesystem associate;
allow $1 tmpfs_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 tmpfs_t:file $2;
- ',`
- type_transition $1 tmpfs_t:$3 $2;
- ')
+ type_transition $1 tmpfs_t:$3 $2;
')
########################################
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 839d797..3ffe0cd 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -141,7 +141,7 @@ interface(`kernel_share_state',`
##
##
#
-interface(`kernel_use_fd',`
+interface(`kernel_use_fds',`
gen_require(`
type kernel_t;
')
@@ -160,7 +160,7 @@ interface(`kernel_use_fd',`
##
##
#
-interface(`kernel_dontaudit_use_fd',`
+interface(`kernel_dontaudit_use_fds',`
gen_require(`
type kernel_t;
')
@@ -250,7 +250,7 @@ interface(`kernel_tcp_recvfrom',`
##
##
#
-interface(`kernel_udp_sendto',`
+interface(`kernel_udp_send',`
gen_require(`
type kernel_t;
')
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 1033693..f8c62e4 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -168,27 +168,6 @@ interface(`storage_dontaudit_write_fixed_disk',`
########################################
##
-## Create block devices in /dev with the fixed disk type.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`storage_create_fixed_disk',`
- gen_require(`
- attribute fixed_disk_raw_read, fixed_disk_raw_write;
- type fixed_disk_device_t;
- ')
-
- allow $1 fixed_disk_device_t:blk_file create_file_perms;
- dev_filetrans($1,fixed_disk_device_t,blk_file)
- typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
-')
-
-########################################
-##
## Create, read, write, and delete fixed disk device nodes.
##
##
@@ -210,28 +189,6 @@ interface(`storage_manage_fixed_disk',`
########################################
##
-## Create fixed disk device nodes on a tmpfs filesystem.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`storage_create_fixed_disk_tmpfs',`
- gen_require(`
- attribute fixed_disk_raw_read, fixed_disk_raw_write;
- type fixed_disk_device_t;
- ')
-
- allow $1 fixed_disk_device_t:blk_file create_file_perms;
- fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
-
- typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
-')
-
-########################################
-##
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
##
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index efb84b4..5437131 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -401,7 +401,7 @@ interface(`apache_sigchld',`
##
##
#
-interface(`apache_use_fd',`
+interface(`apache_use_fds',`
gen_require(`
type httpd_t;
')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index bdd38b4..3fc702d 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read };
can_exec(httpd_t, httpd_exec_t)
allow httpd_t httpd_lock_t:file create_file_perms;
-files_lock_filetrans(httpd_t,httpd_lock_t)
+files_lock_filetrans(httpd_t,httpd_lock_t,file)
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
allow httpd_t httpd_log_t:file { create ra_file_perms };
allow httpd_t httpd_log_t:lnk_file read;
# cjp: need to refine create interfaces to
# cut this back to add_name only
-logging_log_filetrans(httpd_t,httpd_log_t)
+logging_log_filetrans(httpd_t,httpd_log_t,file)
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -201,7 +201,7 @@ fs_tmpfs_filetrans(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file
allow httpd_t httpd_var_lib_t:file create_file_perms;
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(httpd_t,httpd_var_lib_t)
+files_var_lib_filetrans(httpd_t,httpd_var_lib_t,file)
allow httpd_t httpd_var_run_t:file create_file_perms;
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
@@ -262,7 +262,7 @@ files_read_etc_files(httpd_t)
# for tomcat
files_read_var_lib_symlinks(httpd_t)
-init_use_fd(httpd_t)
+init_use_fds(httpd_t)
init_use_script_ptys(httpd_t)
libs_use_ld_so(httpd_t)
diff --git a/refpolicy/policy/modules/services/apm.if b/refpolicy/policy/modules/services/apm.if
index 60a56f6..8fd6d54 100644
--- a/refpolicy/policy/modules/services/apm.if
+++ b/refpolicy/policy/modules/services/apm.if
@@ -34,7 +34,7 @@ interface(`apm_domtrans_client',`
##
##
#
-interface(`apm_use_fd',`
+interface(`apm_use_fds',`
gen_require(`
type apmd_t;
')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index f0c11c0..19ec27c 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -72,7 +72,7 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t apmd_log_t:file create_file_perms;
-logging_log_filetrans(apmd_t,apmd_log_t)
+logging_log_filetrans(apmd_t,apmd_log_t,file)
allow apmd_t apmd_tmp_t:dir create_dir_perms;
allow apmd_t apmd_tmp_t:file create_file_perms;
@@ -125,7 +125,7 @@ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
init_domtrans_script(apmd_t)
-init_use_fd(apmd_t)
+init_use_fds(apmd_t)
init_use_script_ptys(apmd_t)
init_rw_utmp(apmd_t)
init_write_initctl(apmd_t)
@@ -151,7 +151,7 @@ userdom_dontaudit_search_all_users_home_content(apmd_t) # Excessive?
ifdef(`distro_redhat',`
allow apmd_t apmd_lock_t:file create_file_perms;
- files_lock_filetrans(apmd_t,apmd_lock_t)
+ files_lock_filetrans(apmd_t,apmd_lock_t,file)
can_exec(apmd_t, apmd_var_run_t)
@@ -176,7 +176,7 @@ ifdef(`distro_redhat',`
ifdef(`distro_suse',`
allow apmd_t apmd_var_lib_t:file create_file_perms;
allow apmd_t apmd_var_lib_t:dir create_dir_perms;
- files_var_lib_filetrans(apmd_t,apmd_var_lib_t)
+ files_var_lib_filetrans(apmd_t,apmd_var_lib_t,file)
')
ifdef(`targeted_policy',`
@@ -209,7 +209,7 @@ optional_policy(`dbus',`
')
optional_policy(`logrotate',`
- logrotate_use_fd(apmd_t)
+ logrotate_use_fds(apmd_t)
')
optional_policy(`mta',`
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index c8c9209..a53702c 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -43,7 +43,7 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(arpwatch_t,arpwatch_var_run_t)
+files_pid_filetrans(arpwatch_t,arpwatch_var_run_t,file)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
@@ -76,7 +76,7 @@ files_read_etc_files(arpwatch_t)
files_read_usr_files(arpwatch_t)
files_search_var_lib(arpwatch_t)
-init_use_fd(arpwatch_t)
+init_use_fds(arpwatch_t)
init_use_script_ptys(arpwatch_t)
libs_use_ld_so(arpwatch_t)
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index acf8578..7d6e299 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -42,7 +42,7 @@ allow automount_t automount_etc_t:file { getattr read };
can_exec(automount_t, automount_etc_t)
allow automount_t automount_lock_t:file create_file_perms;
-files_lock_filetrans(automount_t,automount_lock_t)
+files_lock_filetrans(automount_t,automount_lock_t,file)
allow automount_t automount_tmp_t:dir create_dir_perms;
allow automount_t automount_tmp_t:file create_file_perms;
@@ -50,12 +50,12 @@ files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
# Allow automount to create and delete directories in / and /home
allow automount_t automount_tmp_t:dir create_dir_perms;
-files_home_filetrans(automount_t,automount_tmp_t)
+files_home_filetrans(automount_t,automount_tmp_t,dir)
files_root_filetrans(automount_t,automount_tmp_t,dir)
allow automount_t automount_var_run_t:file create_file_perms;
allow automount_t automount_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(automount_t,automount_var_run_t)
+files_pid_filetrans(automount_t,automount_var_run_t,file)
kernel_read_kernel_sysctls(automount_t)
kernel_read_fs_sysctls(automount_t)
@@ -63,7 +63,7 @@ kernel_read_proc_symlinks(automount_t)
kernel_read_system_state(automount_t)
kernel_list_proc(automount_t)
-bootloader_search_boot(automount_t)
+files_search_boot(automount_t)
corecmd_exec_sbin(automount_t)
corecmd_exec_bin(automount_t)
@@ -113,7 +113,7 @@ fs_manage_auto_mountpoints(automount_t)
term_dontaudit_use_console(automount_t)
term_dontaudit_getattr_pty_dirs(automount_t)
-init_use_fd(automount_t)
+init_use_fds(automount_t)
init_use_script_ptys(automount_t)
libs_use_ld_so(automount_t)
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index 1ebdfcb..060f8ce 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms;
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
allow avahi_t avahi_var_run_t:file create_file_perms;
allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
-files_pid_filetrans(avahi_t,avahi_var_run_t)
+files_pid_filetrans(avahi_t,avahi_var_run_t,file)
kernel_read_kernel_sysctls(avahi_t)
kernel_list_proc(avahi_t)
@@ -65,7 +65,7 @@ domain_use_interactive_fds(avahi_t)
files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
-init_use_fd(avahi_t)
+init_use_fds(avahi_t)
init_use_script_ptys(avahi_t)
init_signal_script(avahi_t)
init_signull_script(avahi_t)
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index f79ebe7..bd78248 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -130,7 +130,7 @@ domain_use_interactive_fds(named_t)
files_read_etc_files(named_t)
files_read_etc_runtime_files(named_t)
-init_use_fd(named_t)
+init_use_fds(named_t)
init_use_script_ptys(named_t)
libs_use_ld_so(named_t)
@@ -255,7 +255,7 @@ domain_use_interactive_fds(ndc_t)
files_read_etc_files(ndc_t)
files_search_pids(ndc_t)
-init_use_fd(ndc_t)
+init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
libs_use_ld_so(ndc_t)
@@ -289,5 +289,5 @@ optional_policy(`nscd',`
')
optional_policy(`ppp',`
- ppp_dontaudit_use_fd(ndc_t)
+ ppp_dontaudit_use_fds(ndc_t)
')
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 4215207..0f05c05 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -69,7 +69,7 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
allow bluetooth_helper_t bluetooth_t:process sigchld;
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
-files_lock_filetrans(bluetooth_t,bluetooth_lock_t)
+files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
@@ -77,7 +77,7 @@ files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t)
+files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
@@ -120,7 +120,7 @@ files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
files_read_usr_files(bluetooth_t)
-init_use_fd(bluetooth_t)
+init_use_fds(bluetooth_t)
init_use_script_ptys(bluetooth_t)
libs_use_ld_so(bluetooth_t)
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index e8dd2f8..acac47b 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -38,7 +38,7 @@ logging_log_filetrans(canna_t,canna_log_t,{ file dir })
allow canna_t canna_var_lib_t:dir create_dir_perms;
allow canna_t canna_var_lib_t:file create_file_perms;
allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
-files_var_lib_filetrans(canna_t,canna_var_lib_t)
+files_var_lib_filetrans(canna_t,canna_var_lib_t,file)
allow canna_t canna_var_run_t:dir rw_dir_perms;
allow canna_t canna_var_run_t:file create_file_perms;
@@ -72,7 +72,7 @@ files_read_usr_files(canna_t)
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
-init_use_fd(canna_t)
+init_use_fds(canna_t)
init_use_script_ptys(canna_t)
libs_use_ld_so(canna_t)
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 5728688..77512c8 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -37,7 +37,7 @@ files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir })
allow comsat_t comsat_var_run_t:file create_file_perms;
allow comsat_t comsat_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(comsat_t,comsat_var_run_t)
+files_pid_filetrans(comsat_t,comsat_var_run_t,file)
kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index 92cbb0b..adf69e3 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -45,7 +45,7 @@ domain_use_interactive_fds(cpucontrol_t)
files_list_usr(cpucontrol_t)
-init_use_fd(cpucontrol_t)
+init_use_fds(cpucontrol_t)
init_use_script_ptys(cpucontrol_t)
libs_use_ld_so(cpucontrol_t)
@@ -97,7 +97,7 @@ files_read_etc_files(cpuspeed_t)
files_read_etc_runtime_files(cpuspeed_t)
files_list_usr(cpuspeed_t)
-init_use_fd(cpuspeed_t)
+init_use_fds(cpuspeed_t)
init_use_script_ptys(cpuspeed_t)
libs_use_ld_so(cpuspeed_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 289c073..dd65944 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -89,7 +89,7 @@ template(`cron_per_userdomain_template',`
kernel_read_kernel_sysctls($1_crond_t)
# ps does not need to access /boot when run from cron
- bootloader_dontaudit_search_boot($1_crond_t)
+ files_dontaudit_search_boot($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_raw_sendrecv_all_if($1_crond_t)
@@ -352,7 +352,7 @@ interface(`cron_system_entry',`
##
##
#
-interface(`cron_use_fd',`
+interface(`cron_use_fds',`
gen_require(`
type crond_t;
')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 12725ce..2696a16 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t crond_var_run_t:file create_file_perms;
-files_pid_filetrans(crond_t,crond_var_run_t)
+files_pid_filetrans(crond_t,crond_var_run_t,file)
allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
@@ -119,7 +119,7 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
-init_use_fd(crond_t)
+init_use_fds(crond_t)
init_use_script_ptys(crond_t)
init_rw_utmp(crond_t)
@@ -247,11 +247,11 @@ ifdef(`targeted_policy',`
# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms;
- files_lock_filetrans(system_crond_t,system_crond_lock_t)
+ files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
# write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms;
- files_tmp_filetrans(system_crond_t,system_crond_tmp_t)
+ files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
# write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
@@ -266,7 +266,7 @@ ifdef(`targeted_policy',`
kernel_read_software_raid_state(system_crond_t)
# ps does not need to access /boot when run from cron
- bootloader_dontaudit_search_boot(system_crond_t)
+ files_dontaudit_search_boot(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_raw_sendrecv_all_if(system_crond_t)
@@ -314,7 +314,7 @@ ifdef(`targeted_policy',`
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_crond_t)
- init_use_fd(system_crond_t)
+ init_use_fds(system_crond_t)
init_use_script_fds(system_crond_t)
init_use_script_ptys(system_crond_t)
init_read_utmp(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 8429050..13163e1 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -110,7 +110,7 @@ files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_t,cupsd_var_run_t)
+files_pid_filetrans(cupsd_t,cupsd_var_run_t,file)
allow cupsd_t hplip_var_run_t:file { read getattr };
@@ -170,7 +170,7 @@ files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-init_use_fd(cupsd_t)
+init_use_fds(cupsd_t)
init_use_script_ptys(cupsd_t)
init_exec_script_files(cupsd_t)
@@ -303,7 +303,7 @@ files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_fil
allow ptal_t ptal_var_run_t:file create_file_perms;
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ptal_t,ptal_var_run_t)
+files_pid_filetrans(ptal_t,ptal_var_run_t,file)
kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
@@ -332,7 +332,7 @@ domain_use_interactive_fds(ptal_t)
files_read_etc_files(ptal_t)
files_read_etc_runtime_files(ptal_t)
-init_use_fd(ptal_t)
+init_use_fds(ptal_t)
init_use_script_ptys(ptal_t)
libs_use_ld_so(ptal_t)
@@ -390,7 +390,7 @@ files_search_etc(hplip_t)
allow hplip_t hplip_var_run_t:file create_file_perms;
allow hplip_t hplip_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hplip_t,hplip_var_run_t)
+files_pid_filetrans(hplip_t,hplip_var_run_t,file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -429,7 +429,7 @@ files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
-init_use_fd(hplip_t)
+init_use_fds(hplip_t)
init_use_script_ptys(hplip_t)
libs_use_ld_so(hplip_t)
@@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t)
+files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
can_exec(cupsd_config_t, cupsd_config_exec_t)
@@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t)
+files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
@@ -548,7 +548,7 @@ files_read_usr_files(cupsd_config_t)
files_read_etc_files(cupsd_config_t)
files_read_etc_runtime_files(cupsd_config_t)
-init_use_fd(cupsd_config_t)
+init_use_fds(cupsd_config_t)
init_use_script_ptys(cupsd_config_t)
libs_use_ld_so(cupsd_config_t)
@@ -602,7 +602,7 @@ optional_policy(`hostname',`
')
optional_policy(`logrotate',`
- logrotate_use_fd(cupsd_config_t)
+ logrotate_use_fds(cupsd_config_t)
')
optional_policy(`nis',`
@@ -682,7 +682,7 @@ files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t)
+files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index f2a985e..d2ec4d0 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -42,7 +42,7 @@ files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir })
allow cvs_t cvs_var_run_t:file create_file_perms;
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(cvs_t,cvs_var_run_t)
+files_pid_filetrans(cvs_t,cvs_var_run_t,file)
kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 7462a07..171a7e7 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -48,7 +48,7 @@ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir })
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-files_pid_filetrans(cyrus_t,cyrus_var_run_t)
+files_pid_filetrans(cyrus_t,cyrus_var_run_t,file)
allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
@@ -91,7 +91,7 @@ files_list_var_lib(cyrus_t)
files_read_etc_files(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-init_use_fd(cyrus_t)
+init_use_fds(cyrus_t)
init_use_script_ptys(cyrus_t)
libs_use_ld_so(cyrus_t)
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index de7dffa..090a661 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -43,7 +43,7 @@ files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir })
allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dbskkd_t,dbskkd_var_run_t)
+files_pid_filetrans(dbskkd_t,dbskkd_var_run_t,file)
kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 817e0b8..e969d8a 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -52,7 +52,7 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t)
+files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
@@ -93,7 +93,7 @@ files_read_etc_files(system_dbusd_t)
files_list_home(system_dbusd_t)
files_read_usr_files(system_dbusd_t)
-init_use_fd(system_dbusd_t)
+init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
libs_use_ld_so(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 501a064..d9e0cb9 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -41,7 +41,7 @@ can_exec(dhcpd_t,dhcpd_exec_t)
allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
allow dhcpd_t dhcpd_state_t:file create_file_perms;
-sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t)
+sysnet_dhcp_state_filetrans(dhcpd_t,dhcpd_state_t,file)
allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
@@ -49,7 +49,7 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dhcpd_t,dhcpd_var_run_t)
+files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
@@ -89,7 +89,7 @@ files_read_usr_files(dhcpd_t)
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
-init_use_fd(dhcpd_t)
+init_use_fds(dhcpd_t)
init_use_script_ptys(dhcpd_t)
libs_use_ld_so(dhcpd_t)
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index d79bf4f..f00e31d 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -67,7 +67,7 @@ files_search_var_lib(dictd_t)
# for checking for nscd
files_dontaudit_search_pids(dictd_t)
-init_use_fd(dictd_t)
+init_use_fds(dictd_t)
init_use_script_ptys(dictd_t)
libs_use_ld_so(dictd_t)
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 5ba39e2..2a491e4 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -32,7 +32,7 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
allow distccd_t self:udp_socket create_socket_perms;
allow distccd_t distccd_log_t:file create_file_perms;
-logging_log_filetrans(distccd_t,distccd_log_t)
+logging_log_filetrans(distccd_t,distccd_log_t,file)
allow distccd_t distccd_tmp_t:dir create_dir_perms;
allow distccd_t distccd_tmp_t:file create_file_perms;
@@ -40,7 +40,7 @@ files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
allow distccd_t distccd_var_run_t:file create_file_perms;
allow distccd_t distccd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(distccd_t,distccd_var_run_t)
+files_pid_filetrans(distccd_t,distccd_var_run_t,file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
@@ -73,7 +73,7 @@ domain_use_interactive_fds(distccd_t)
files_read_etc_files(distccd_t)
files_read_etc_runtime_files(distccd_t)
-init_use_fd(distccd_t)
+init_use_fds(distccd_t)
init_use_script_ptys(distccd_t)
libs_use_ld_so(distccd_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index f1703b4..3eff293 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
allow dovecot_t dovecot_var_run_t:file create_file_perms;
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dovecot_t,dovecot_var_run_t)
+files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
@@ -97,7 +97,7 @@ files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
-init_use_fd(dovecot_t)
+init_use_fds(dovecot_t)
init_use_script_ptys(dovecot_t)
init_getattr_utmp(dovecot_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index bda2585..2a722e6 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -34,11 +34,11 @@ allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
-mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t)
+mta_spool_filetrans(fetchmail_t,fetchmail_uidl_cache_t,file)
allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fetchmail_t,fetchmail_var_run_t)
+files_pid_filetrans(fetchmail_t,fetchmail_var_run_t,file)
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
@@ -76,7 +76,7 @@ term_dontaudit_use_console(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
-init_use_fd(fetchmail_t)
+init_use_fds(fetchmail_t)
init_use_script_ptys(fetchmail_t)
libs_use_ld_so(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index c6bae03..fad79af 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t fingerd_var_run_t:file create_file_perms;
allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fingerd_t,fingerd_var_run_t)
+files_pid_filetrans(fingerd_t,fingerd_var_run_t,file)
allow fingerd_t fingerd_etc_t:file r_file_perms;
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
allow fingerd_t fingerd_log_t:file create_file_perms;
-logging_log_filetrans(fingerd_t,fingerd_log_t)
+logging_log_filetrans(fingerd_t,fingerd_log_t,file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
@@ -83,7 +83,7 @@ files_read_etc_runtime_files(fingerd_t)
init_read_utmp(fingerd_t)
init_dontaudit_write_utmp(fingerd_t)
-init_use_fd(fingerd_t)
+init_use_fds(fingerd_t)
init_use_script_ptys(fingerd_t)
libs_use_ld_so(fingerd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index eccdf54..252024e 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -59,11 +59,11 @@ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
allow ftpd_t ftpd_var_run_t:file create_file_perms;
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ftpd_t,ftpd_var_run_t)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:file create_file_perms;
-logging_log_filetrans(ftpd_t,xferlog_t)
+logging_log_filetrans(ftpd_t,xferlog_t,file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -111,7 +111,7 @@ auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
-init_use_fd(ftpd_t)
+init_use_fds(ftpd_t)
init_use_script_ptys(ftpd_t)
libs_use_ld_so(ftpd_t)
@@ -165,7 +165,7 @@ tunable_policy(`ftp_home_dir',`
tunable_policy(`ftpd_is_daemon',`
allow ftpd_t ftpd_lock_t:file create_file_perms;
- files_lock_filetrans(ftpd_t,ftpd_lock_t)
+ files_lock_filetrans(ftpd_t,ftpd_lock_t,file)
corenet_tcp_bind_ftp_port(ftpd_t)
')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 37fa597..4fae74d 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -39,7 +39,7 @@ allow gpm_t gpm_tmp_t:file create_file_perms;
files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
allow gpm_t gpm_var_run_t:file create_file_perms;
-files_pid_filetrans(gpm_t,gpm_var_run_t)
+files_pid_filetrans(gpm_t,gpm_var_run_t,file)
allow gpm_t gpmctl_t:sock_file create_file_perms;
allow gpm_t gpmctl_t:fifo_file create_file_perms;
@@ -65,7 +65,7 @@ term_dontaudit_use_console(gpm_t)
domain_use_interactive_fds(gpm_t)
-init_use_fd(gpm_t)
+init_use_fds(gpm_t)
init_use_script_ptys(gpm_t)
libs_use_ld_so(gpm_t)
diff --git a/refpolicy/policy/modules/services/hal.if b/refpolicy/policy/modules/services/hal.if
index f4ee962..f4f54f9 100644
--- a/refpolicy/policy/modules/services/hal.if
+++ b/refpolicy/policy/modules/services/hal.if
@@ -34,7 +34,7 @@ interface(`hal_domtrans',`
##
##
#
-interface(`hal_dgram_sendto',`
+interface(`hal_dgram_send',`
gen_require(`
type hald_t;
')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 83cc600..c8f5882 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -42,7 +42,7 @@ files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hald_t,hald_var_run_t)
+files_pid_filetrans(hald_t,hald_var_run_t,file)
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
@@ -50,7 +50,7 @@ kernel_read_kernel_sysctls(hald_t)
kernel_read_fs_sysctls(hald_t)
kernel_write_proc_files(hald_t)
-bootloader_search_boot(hald_t)
+files_search_boot(hald_t)
corecmd_exec_bin(hald_t)
corecmd_exec_sbin(hald_t)
@@ -114,7 +114,7 @@ term_dontaudit_ioctl_unallocated_ttys(hald_t)
term_dontaudit_use_unallocated_ttys(hald_t)
term_dontaudit_use_generic_ptys(hald_t)
-init_use_fd(hald_t)
+init_use_fds(hald_t)
init_use_script_ptys(hald_t)
init_domtrans_script(hald_t)
init_write_initctl(hald_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index d49c0be..c174c49 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
allow howl_t howl_var_run_t:file create_file_perms;
allow howl_t howl_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(howl_t,howl_var_run_t)
+files_pid_filetrans(howl_t,howl_var_run_t,file)
kernel_read_network_state(howl_t)
kernel_read_kernel_sysctls(howl_t)
@@ -60,7 +60,7 @@ domain_use_interactive_fds(howl_t)
files_read_etc_files(howl_t)
-init_use_fd(howl_t)
+init_use_fds(howl_t)
init_use_script_ptys(howl_t)
init_rw_utmp(howl_t)
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index 8e7904a..76b204d 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(i18n_input_t,i18n_input_var_run_t)
+files_pid_filetrans(i18n_input_t,i18n_input_var_run_t,file)
can_exec(i18n_input_t, i18n_input_exec_t)
@@ -69,7 +69,7 @@ files_read_etc_files(i18n_input_t)
files_read_etc_runtime_files(i18n_input_t)
files_read_usr_files(i18n_input_t)
-init_use_fd(i18n_input_t)
+init_use_fds(i18n_input_t)
init_use_script_ptys(i18n_input_t)
init_stream_connect_script(i18n_input_t)
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 9c0b1dd..5974b1c 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -165,7 +165,7 @@ interface(`inetd_service_domain',`
##
##
#
-interface(`inetd_use_fd',`
+interface(`inetd_use_fds',`
gen_require(`
type inetd_t;
')
@@ -227,7 +227,7 @@ interface(`inetd_domtrans_child',`
##
##
#
-interface(`inetd_udp_sendto',`
+interface(`inetd_udp_send',`
gen_require(`
type inetd_t;
')
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 767e5df..2df83f3 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
allow inetd_t self:udp_socket { connect connected_socket_perms };
allow inetd_t inetd_log_t:file create_file_perms;
-logging_log_filetrans(inetd_t,inetd_log_t)
+logging_log_filetrans(inetd_t,inetd_log_t,file)
allow inetd_t inetd_tmp_t:dir create_dir_perms;
allow inetd_t inetd_tmp_t:file create_file_perms;
files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir })
allow inetd_t inetd_var_run_t:file create_file_perms;
-files_pid_filetrans(inetd_t,inetd_var_run_t)
+files_pid_filetrans(inetd_t,inetd_var_run_t,file)
kernel_read_kernel_sysctls(inetd_t)
kernel_list_proc(inetd_t)
@@ -106,7 +106,7 @@ domain_use_interactive_fds(inetd_t)
files_read_etc_files(inetd_t)
-init_use_fd(inetd_t)
+init_use_fds(inetd_t)
init_use_script_ptys(inetd_t)
libs_use_ld_so(inetd_t)
@@ -179,7 +179,7 @@ files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir })
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(inetd_child_t,inetd_child_var_run_t)
+files_pid_filetrans(inetd_child_t,inetd_child_var_run_t,file)
kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_system_state(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index af05b80..a83d9d2 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
allow innd_t innd_log_t:file manage_file_perms;
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
-logging_log_filetrans(innd_t,innd_log_t)
+logging_log_filetrans(innd_t,innd_log_t,file)
allow innd_t innd_var_lib_t:dir create_dir_perms;
allow innd_t innd_var_lib_t:file create_file_perms;
-files_var_lib_filetrans(innd_t,innd_var_lib_t)
+files_var_lib_filetrans(innd_t,innd_var_lib_t,file)
allow innd_t innd_var_run_t:dir create_dir_perms;
allow innd_t innd_var_run_t:file create_file_perms;
allow innd_t innd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(innd_t,innd_var_run_t)
+files_pid_filetrans(innd_t,innd_var_run_t,file)
allow innd_t news_spool_t:dir create_dir_perms;
allow innd_t news_spool_t:file create_file_perms;
@@ -97,7 +97,7 @@ files_read_etc_files(innd_t)
files_read_etc_runtime_files(innd_t)
files_read_usr_files(innd_t)
-init_use_fd(innd_t)
+init_use_fds(innd_t)
init_use_script_ptys(innd_t)
libs_use_ld_so(innd_t)
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index 477dcd9..f470ec4 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(irqbalance_t,irqbalance_var_run_t)
+files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
kernel_read_system_state(irqbalance_t)
kernel_read_kernel_sysctls(irqbalance_t)
@@ -41,7 +41,7 @@ term_dontaudit_use_console(irqbalance_t)
domain_use_interactive_fds(irqbalance_t)
-init_use_fd(irqbalance_t)
+init_use_fds(irqbalance_t)
init_use_script_ptys(irqbalance_t)
libs_use_ld_so(irqbalance_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 3a22cbf..2374b88 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
allow kadmind_t kadmind_log_t:file create_file_perms;
-logging_log_filetrans(kadmind_t,kadmind_log_t)
+logging_log_filetrans(kadmind_t,kadmind_log_t,file)
allow kadmind_t krb5_conf_t:file r_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -81,7 +81,7 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
allow kadmind_t kadmind_var_run_t:file create_file_perms;
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(kadmind_t,kadmind_var_run_t)
+files_pid_filetrans(kadmind_t,kadmind_var_run_t,file)
kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
@@ -116,7 +116,7 @@ domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
-init_use_fd(kadmind_t)
+init_use_fds(kadmind_t)
init_use_script_ptys(kadmind_t)
libs_use_ld_so(kadmind_t)
@@ -172,7 +172,7 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
-logging_log_filetrans(krb5kdc_t,krb5kdc_log_t)
+logging_log_filetrans(krb5kdc_t,krb5kdc_log_t,file)
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
@@ -183,7 +183,7 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t)
+files_pid_filetrans(krb5kdc_t,krb5kdc_var_run_t,file)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctls(krb5kdc_t)
@@ -216,7 +216,7 @@ domain_use_interactive_fds(krb5kdc_t)
files_read_etc_files(krb5kdc_t)
-init_use_fd(krb5kdc_t)
+init_use_fds(krb5kdc_t)
init_use_script_ptys(krb5kdc_t)
libs_use_ld_so(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index 7e2ee1a..5bdf774 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -44,7 +44,7 @@ files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir })
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ktalkd_t,ktalkd_var_run_t)
+files_pid_filetrans(ktalkd_t,ktalkd_var_run_t,file)
kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index ac2a356..290da67 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
allow slapd_t slapd_etc_t:file { getattr read };
allow slapd_t slapd_lock_t:file create_file_perms;
-files_lock_filetrans(slapd_t,slapd_lock_t)
+files_lock_filetrans(slapd_t,slapd_lock_t,file)
# Allow access to write the replication log (should tighten this)
allow slapd_t slapd_replog_t:dir create_dir_perms;
@@ -72,7 +72,7 @@ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
allow slapd_t slapd_var_run_t:file create_file_perms;
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t)
+files_pid_filetrans(slapd_t,slapd_var_run_t,file)
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@@ -107,7 +107,7 @@ files_read_etc_runtime_files(slapd_t)
files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
-init_use_fd(slapd_t)
+init_use_fds(slapd_t)
init_use_script_ptys(slapd_t)
libs_use_ld_so(slapd_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index ef2913c..0a79ccb 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -49,7 +49,7 @@ allow checkpc_t self:process { fork signal_perms };
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t checkpc_log_t:file create_file_perms;
-logging_log_filetrans(checkpc_t,checkpc_log_t)
+logging_log_filetrans(checkpc_t,checkpc_log_t,file)
allow checkpc_t lpd_var_run_t:dir { search getattr };
files_search_pids(checkpc_t)
@@ -92,7 +92,7 @@ files_read_etc_runtime_files(checkpc_t)
init_use_script_ptys(checkpc_t)
# Allow access to /dev/console through the fd:
-init_use_fd(checkpc_t)
+init_use_fds(checkpc_t)
libs_use_ld_so(checkpc_t)
libs_use_shared_libs(checkpc_t)
@@ -135,7 +135,7 @@ files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
allow lpd_t lpd_var_run_t:dir rw_dir_perms;
allow lpd_t lpd_var_run_t:file create_file_perms;
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(lpd_t,lpd_var_run_t)
+files_pid_filetrans(lpd_t,lpd_var_run_t,file)
# Write to /var/spool/lpd.
allow lpd_t print_spool_t:dir rw_dir_perms;
@@ -201,7 +201,7 @@ files_read_var_lib_symlinks(lpd_t)
# config files for lpd are of type etc_t, probably should change this
files_read_etc_files(lpd_t)
-init_use_fd(lpd_t)
+init_use_fds(lpd_t)
init_use_script_ptys(lpd_t)
libs_use_ld_so(lpd_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index b63b610..750ff55 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -37,11 +37,11 @@ template(`mailman_domain_template', `
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t mailman_lock_t:file create_file_perms;
- files_lock_filetrans(mailman_$1_t,mailman_lock_t)
+ files_lock_filetrans(mailman_$1_t,mailman_lock_t,file)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
allow mailman_$1_t mailman_log_t:file create_file_perms;
- logging_log_filetrans(mailman_$1_t,mailman_log_t)
+ logging_log_filetrans(mailman_$1_t,mailman_log_t,file)
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te
index de1c248..b81fb4d 100644
--- a/refpolicy/policy/modules/services/mailman.te
+++ b/refpolicy/policy/modules/services/mailman.te
@@ -49,7 +49,7 @@ optional_policy(`apache',`
mta_tcp_connect_all_mailservers(mailman_cgi_t)
apache_sigchld(mailman_cgi_t)
- apache_use_fd(mailman_cgi_t)
+ apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
apache_search_sys_script_state(mailman_cgi_t)
')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 3888dce..ec6a483 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -654,10 +654,9 @@ interface(`mta_dontaudit_getattr_spool_files',`
## The type of the object to be created.
##
##
-##
+##
##
-## The object class of the object being created. If
-## no class is specified, file will be used.
+## The object class of the object being created.
##
##
#
@@ -668,12 +667,7 @@ interface(`mta_spool_filetrans',`
files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 mail_spool_t:file $2;
- ',`
- type_transition $1 mail_spool_t:$3 $2;
- ')
+ type_transition $1 mail_spool_t:$3 $2;
')
#######################################
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 0e3f1cd..af86f54 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -49,7 +49,7 @@ allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file create_file_perms;
-logging_log_filetrans(mysqld_t,mysqld_log_t)
+logging_log_filetrans(mysqld_t,mysqld_log_t,file)
allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
allow mysqld_t mysqld_tmp_t:file create_file_perms;
@@ -58,7 +58,7 @@ files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
allow mysqld_t mysqld_var_run_t:file create_file_perms;
-files_pid_filetrans(mysqld_t,mysqld_var_run_t)
+files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
kernel_list_proc(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
@@ -94,7 +94,7 @@ files_read_etc_files(mysqld_t)
files_read_usr_files(mysqld_t)
files_search_var_lib(mysqld_t)
-init_use_fd(mysqld_t)
+init_use_fds(mysqld_t)
init_use_script_ptys(mysqld_t)
libs_use_ld_so(mysqld_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 7529c39..4787e34 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -79,7 +79,7 @@ files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
-init_use_fd(NetworkManager_t)
+init_use_fds(NetworkManager_t)
init_use_script_ptys(NetworkManager_t)
init_read_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index f2a9f22..b5d97a9 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -58,7 +58,7 @@ files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
allow ypbind_t ypbind_var_run_t:file manage_file_perms;
allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ypbind_t,ypbind_var_run_t)
+files_pid_filetrans(ypbind_t,ypbind_var_run_t,file)
allow ypbind_t var_yp_t:dir rw_dir_perms;
allow ypbind_t var_yp_t:file create_file_perms;
@@ -99,7 +99,7 @@ domain_use_interactive_fds(ypbind_t)
files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
-init_use_fd(ypbind_t)
+init_use_fds(ypbind_t)
init_use_script_ptys(ypbind_t)
init_udp_send_script(ypbind_t)
@@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t)
+files_pid_filetrans(yppasswdd_t,yppasswdd_var_run_t,file)
allow yppasswdd_t var_yp_t:dir rw_dir_perms;
allow yppasswdd_t var_yp_t:file create_file_perms;
@@ -200,7 +200,7 @@ files_read_etc_files(yppasswdd_t)
files_read_etc_runtime_files(yppasswdd_t)
files_relabel_etc_files(yppasswdd_t)
-init_use_fd(yppasswdd_t)
+init_use_fds(yppasswdd_t)
init_use_script_ptys(yppasswdd_t)
init_udp_send_script(yppasswdd_t)
@@ -260,7 +260,7 @@ files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
-files_pid_filetrans(ypserv_t,ypserv_var_run_t)
+files_pid_filetrans(ypserv_t,ypserv_var_run_t,file)
kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
@@ -295,7 +295,7 @@ domain_use_interactive_fds(ypserv_t)
files_read_var_files(ypserv_t)
-init_use_fd(ypserv_t)
+init_use_fds(ypserv_t)
init_use_script_ptys(ypserv_t)
init_udp_send_script(ypserv_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 9604862..1f1230d 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -45,7 +45,7 @@ allow nscd_t self:udp_socket create_socket_perms;
allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file create_file_perms;
-logging_log_filetrans(nscd_t,nscd_log_t)
+logging_log_filetrans(nscd_t,nscd_log_t,file)
allow nscd_t nscd_var_run_t:file create_file_perms;
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
@@ -93,7 +93,7 @@ domain_use_interactive_fds(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-init_use_fd(nscd_t)
+init_use_fds(nscd_t)
init_use_script_ptys(nscd_t)
libs_use_ld_so(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 1bc5d90..7492501 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -58,7 +58,7 @@ files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir })
allow ntpd_t ntpd_var_run_t:file create_file_perms;
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(ntpd_t,ntpd_var_run_t)
+files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
@@ -100,7 +100,7 @@ files_read_usr_files(ntpd_t)
files_list_var_lib(ntpd_t)
init_exec_script_files(ntpd_t)
-init_use_fd(ntpd_t)
+init_use_fds(ntpd_t)
init_use_script_ptys(ntpd_t)
libs_use_ld_so(ntpd_t)
@@ -128,7 +128,7 @@ optional_policy(`cron',`
')
optional_policy(`firstboot',`
- firstboot_dontaudit_use_fd(ntpd_t)
+ firstboot_dontaudit_use_fds(ntpd_t)
')
optional_policy(`logrotate',`
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index 57bf22b..b6ccdd8 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
allow openct_t openct_var_run_t:file create_file_perms;
allow openct_t openct_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(openct_t,openct_var_run_t)
+files_pid_filetrans(openct_t,openct_var_run_t,file)
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
@@ -43,7 +43,7 @@ fs_search_auto_mountpoints(openct_t)
term_dontaudit_use_console(openct_t)
-init_use_fd(openct_t)
+init_use_fds(openct_t)
init_use_script_ptys(openct_t)
libs_use_ld_so(openct_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index e1eb171..6c44a03 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -59,7 +59,7 @@ files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
allow pegasus_t pegasus_var_run_t:file create_file_perms;
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(pegasus_t,pegasus_var_run_t)
+files_pid_filetrans(pegasus_t,pegasus_var_run_t,file)
kernel_read_kernel_sysctls(pegasus_t)
kernel_read_fs_sysctls(pegasus_t)
@@ -97,7 +97,7 @@ files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
-init_use_fd(pegasus_t)
+init_use_fds(pegasus_t)
init_use_script_ptys(pegasus_t)
init_rw_utmp(pegasus_t)
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 46bddd5..6284f4d 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -40,7 +40,7 @@ files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
allow portmap_t portmap_var_run_t:file create_file_perms;
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(portmap_t,portmap_var_run_t)
+files_pid_filetrans(portmap_t,portmap_var_run_t,file)
kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
@@ -80,7 +80,7 @@ domain_use_interactive_fds(portmap_t)
files_read_etc_files(portmap_t)
-init_use_fd(portmap_t)
+init_use_fds(portmap_t)
init_use_script_ptys(portmap_t)
init_udp_send(portmap_t)
init_udp_send_script(portmap_t)
@@ -104,7 +104,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`inetd',`
- inetd_udp_sendto(portmap_t)
+ inetd_udp_send(portmap_t)
')
optional_policy(`mount',`
@@ -162,7 +162,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
-files_pid_filetrans(portmap_helper_t,portmap_var_run_t)
+files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index fe36911..2202fc7 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -45,7 +45,7 @@ template(`postfix_domain_template',`
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
- files_pid_filetrans(postfix_$1_t,postfix_var_run_t)
+ files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
kernel_read_system_state(postfix_$1_t)
kernel_read_network_state(postfix_$1_t)
@@ -72,7 +72,7 @@ template(`postfix_domain_template',`
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
- init_use_fd(postfix_$1_t)
+ init_use_fds(postfix_$1_t)
init_sigchld(postfix_$1_t)
libs_use_ld_so(postfix_$1_t)
@@ -209,10 +209,9 @@ interface(`postfix_read_config',`
## The type of the object to be created.
##
##
-##
+##
##
-## The object class of the object being created. If
-## no class is specified, file will be used.
+## The object class of the object being created.
##
##
#
@@ -223,12 +222,7 @@ interface(`postfix_config_filetrans',`
files_search_etc($1)
allow $1 postfix_etc_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 postfix_etc_t:file $2;
- ',`
- type_transition $1 postfix_etc_t:$3 $2;
- ')
+ type_transition $1 postfix_etc_t:$3 $2;
')
########################################
@@ -263,7 +257,7 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
##
##
#
-interface(`postfix_dontaudit_use_fd',`
+interface(`postfix_dontaudit_use_fds',`
gen_require(`
type postfix_master_t;
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index b38aeee..7e92467 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -361,7 +361,7 @@ tunable_policy(`read_default_t',`
')
optional_policy(`locallogin',`
- locallogin_dontaudit_use_fd(postfix_map_t)
+ locallogin_dontaudit_use_fds(postfix_map_t)
')
# a "run" interface needs to be
@@ -438,14 +438,14 @@ ifdef(`targeted_policy', `
')
optional_policy(`crond',`
- cron_use_fd(postfix_postdrop_t)
+ cron_use_fds(postfix_postdrop_t)
cron_rw_pipes(postfix_postdrop_t)
cron_use_system_job_fds(postfix_postdrop_t)
cron_rw_system_job_pipes(postfix_postdrop_t)
')
optional_policy(`ppp',`
- ppp_use_fd(postfix_postqueue_t)
+ ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
')
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 4a9ca6e..faf817a 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -58,7 +58,7 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file create_file_perms;
-files_lock_filetrans(postgresql_t,postgresql_lock_t)
+files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
allow postgresql_t postgresql_log_t:file create_file_perms;
@@ -75,7 +75,7 @@ fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
allow postgresql_t postgresql_var_run_t:file create_file_perms;
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(postgresql_t,postgresql_var_run_t)
+files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
@@ -122,7 +122,7 @@ files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
init_read_utmp(postgresql_t)
-init_use_fd(postgresql_t)
+init_use_fds(postgresql_t)
init_use_script_ptys(postgresql_t)
libs_use_ld_so(postgresql_t)
diff --git a/refpolicy/policy/modules/services/ppp.if b/refpolicy/policy/modules/services/ppp.if
index 76a4fe4..aa2bc56 100644
--- a/refpolicy/policy/modules/services/ppp.if
+++ b/refpolicy/policy/modules/services/ppp.if
@@ -10,7 +10,7 @@
##
##
#
-interface(`ppp_use_fd',`
+interface(`ppp_use_fds',`
gen_require(`
type pppd_t;
')
@@ -29,7 +29,7 @@ interface(`ppp_use_fd',`
##
##
#
-interface(`ppp_dontaudit_use_fd',`
+interface(`ppp_dontaudit_use_fds',`
gen_require(`
type pppd_t;
')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 864bdc3..62f156d 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -80,15 +80,15 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
-files_etc_filetrans(pppd_t,pppd_etc_t)
+files_etc_filetrans(pppd_t,pppd_etc_t,file)
allow pppd_t pppd_etc_rw_t:file create_file_perms;
allow pppd_t pppd_lock_t:file create_file_perms;
-files_lock_filetrans(pppd_t,pppd_lock_t)
+files_lock_filetrans(pppd_t,pppd_lock_t,file)
allow pppd_t pppd_log_t:file create_file_perms;
-logging_log_filetrans(pppd_t,pppd_log_t)
+logging_log_filetrans(pppd_t,pppd_log_t,file)
allow pppd_t pppd_tmp_t:dir create_dir_perms;
allow pppd_t pppd_tmp_t:file create_file_perms;
@@ -96,7 +96,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
allow pppd_t pppd_var_run_t:dir rw_dir_perms;
allow pppd_t pppd_var_run_t:file create_file_perms;
-files_pid_filetrans(pppd_t,pppd_var_run_t)
+files_pid_filetrans(pppd_t,pppd_var_run_t,file)
allow pppd_t pptp_t:process signal;
@@ -155,7 +155,7 @@ files_read_etc_files(pppd_t)
init_read_utmp(pppd_t)
init_dontaudit_write_utmp(pppd_t)
-init_use_fd(pppd_t)
+init_use_fds(pppd_t)
init_use_script_ptys(pppd_t)
libs_use_ld_so(pppd_t)
@@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t pppd_log_t:file append;
allow pptp_t pptp_log_t:file create_file_perms;
-logging_log_filetrans(pptp_t,pptp_log_t)
+logging_log_filetrans(pptp_t,pptp_log_t,file)
allow pptp_t pptp_var_run_t:file create_file_perms;
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(pptp_t,pptp_var_run_t)
+files_pid_filetrans(pptp_t,pptp_var_run_t,file)
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
@@ -281,7 +281,7 @@ term_use_ptmx(pptp_t)
domain_use_interactive_fds(pptp_t)
-init_use_fd(pptp_t)
+init_use_fds(pptp_t)
init_use_script_ptys(pptp_t)
libs_use_ld_so(pptp_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index df6d6e4..8146e06 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
allow privoxy_t privoxy_log_t:file create_file_perms;
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_log_filetrans(privoxy_t,privoxy_log_t)
+logging_log_filetrans(privoxy_t,privoxy_log_t,file)
allow privoxy_t privoxy_var_run_t:file create_file_perms;
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(privoxy_t,privoxy_var_run_t)
+files_pid_filetrans(privoxy_t,privoxy_var_run_t,file)
kernel_read_kernel_sysctls(privoxy_t)
kernel_list_proc(privoxy_t)
@@ -63,7 +63,7 @@ domain_use_interactive_fds(privoxy_t)
files_read_etc_files(privoxy_t)
-init_use_fd(privoxy_t)
+init_use_fds(privoxy_t)
init_use_script_ptys(privoxy_t)
libs_use_ld_so(privoxy_t)
diff --git a/refpolicy/policy/modules/services/procmail.te b/refpolicy/policy/modules/services/procmail.te
index a5fd87c..495fa90 100644
--- a/refpolicy/policy/modules/services/procmail.te
+++ b/refpolicy/policy/modules/services/procmail.te
@@ -90,7 +90,7 @@ optional_policy(`nscd',`
optional_policy(`postfix',`
# for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
- postfix_dontaudit_use_fd(procmail_t)
+ postfix_dontaudit_use_fds(procmail_t)
')
optional_policy(`sendmail',`
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 01ebb54..5955b4d 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -45,7 +45,7 @@ logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
allow radiusd_t radiusd_var_run_t:file create_file_perms;
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radiusd_t,radiusd_var_run_t)
+files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
@@ -86,7 +86,7 @@ files_read_usr_files(radiusd_t)
files_read_etc_files(radiusd_t)
files_read_etc_runtime_files(radiusd_t)
-init_use_fd(radiusd_t)
+init_use_fds(radiusd_t)
init_use_script_ptys(radiusd_t)
libs_use_ld_so(radiusd_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index c80d3bf..ab311e8 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
allow radvd_t radvd_var_run_t:file create_file_perms;
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(radvd_t,radvd_var_run_t)
+files_pid_filetrans(radvd_t,radvd_var_run_t,file)
kernel_read_kernel_sysctls(radvd_t)
kernel_read_net_sysctls(radvd_t)
@@ -63,7 +63,7 @@ domain_use_interactive_fds(radvd_t)
files_read_etc_files(radvd_t)
files_list_usr(radvd_t)
-init_use_fd(radvd_t)
+init_use_fds(radvd_t)
init_use_script_ptys(radvd_t)
libs_use_ld_so(radvd_t)
diff --git a/refpolicy/policy/modules/services/rdisc.te b/refpolicy/policy/modules/services/rdisc.te
index 913ad87..1a734f7 100644
--- a/refpolicy/policy/modules/services/rdisc.te
+++ b/refpolicy/policy/modules/services/rdisc.te
@@ -44,7 +44,7 @@ domain_use_interactive_fds(rdisc_t)
files_read_etc_files(rdisc_t)
-init_use_fd(rdisc_t)
+init_use_fds(rdisc_t)
init_use_script_ptys(rdisc_t)
libs_use_ld_so(rdisc_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 3ad6d0c..3c93e1a 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -45,7 +45,7 @@ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })
allow rlogind_t rlogind_var_run_t:file create_file_perms;
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(rlogind_t,rlogind_var_run_t)
+files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)
kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index 50168fb..d1ab3af 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -30,11 +30,11 @@ allow roundup_t self:udp_socket create_socket_perms;
allow roundup_t roundup_var_run_t:file create_file_perms;
allow roundup_t roundup_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(roundup_t,roundup_var_run_t)
+files_pid_filetrans(roundup_t,roundup_var_run_t,file)
allow roundup_t roundup_var_lib_t:file create_file_perms;
allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(roundup_t,roundup_var_lib_t)
+files_var_lib_filetrans(roundup_t,roundup_var_lib_t,file)
kernel_read_kernel_sysctls(roundup_t)
kernel_list_proc(roundup_t)
@@ -73,7 +73,7 @@ fs_search_auto_mountpoints(roundup_t)
term_dontaudit_use_console(roundup_t)
-init_use_fd(roundup_t)
+init_use_fds(roundup_t)
init_use_script_ptys(roundup_t)
libs_use_ld_so(roundup_t)
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 7beabd4..6083364 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -81,7 +81,7 @@ template(`rpc_domain_template', `
files_search_var($1_t)
files_search_var_lib($1_t)
- init_use_fd($1_t)
+ init_use_fds($1_t)
init_use_script_ptys($1_t)
libs_use_ld_so($1_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 741c612..7fa0f46 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -43,7 +43,7 @@ allow rpcd_t self:file { getattr read };
allow rpcd_t rpcd_var_run_t:file manage_file_perms;
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
-files_pid_filetrans(rpcd_t,rpcd_var_run_t)
+files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
@@ -84,7 +84,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
-kernel_udp_sendto(nfsd_t)
+kernel_udp_send(nfsd_t)
kernel_tcp_recvfrom(nfsd_t)
corenet_udp_bind_generic_port(nfsd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 2939b65..240ce5b 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -48,7 +48,7 @@ files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
allow rsync_t rsync_var_run_t:file create_file_perms;
allow rsync_t rsync_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(rsync_t,rsync_var_run_t)
+files_pid_filetrans(rsync_t,rsync_var_run_t,file)
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 9d72348..ee4dc11 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -219,7 +219,7 @@ allow smbd_t nmbd_var_run_t:file rw_file_perms;
allow smbd_t smbd_var_run_t:dir create_dir_perms;
allow smbd_t smbd_var_run_t:file create_file_perms;
allow smbd_t smbd_var_run_t:sock_file create_file_perms;
-files_pid_filetrans(smbd_t,smbd_var_run_t)
+files_pid_filetrans(smbd_t,smbd_var_run_t,file)
allow smbd_t winbind_var_run_t:sock_file { read write getattr };
@@ -268,7 +268,7 @@ files_search_spool(smbd_t)
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-init_use_fd(smbd_t)
+init_use_fds(smbd_t)
init_use_script_ptys(smbd_t)
libs_use_ld_so(smbd_t)
@@ -356,7 +356,7 @@ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow nmbd_t nmbd_var_run_t:file create_file_perms;
allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(nmbd_t,nmbd_var_run_t)
+files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
@@ -402,7 +402,7 @@ domain_use_interactive_fds(nmbd_t)
files_read_usr_files(nmbd_t)
files_read_etc_files(nmbd_t)
-init_use_fd(nmbd_t)
+init_use_fds(nmbd_t)
init_use_script_ptys(nmbd_t)
libs_use_ld_so(nmbd_t)
@@ -500,13 +500,13 @@ files_read_etc_files(smbmount_t)
miscfiles_read_localization(smbmount_t)
-mount_use_fd(smbmount_t)
+mount_use_fds(smbmount_t)
mount_send_nfs_client_request(smbmount_t)
libs_use_ld_so(smbmount_t)
libs_use_shared_libs(smbmount_t)
-locallogin_use_fd(smbmount_t)
+locallogin_use_fds(smbmount_t)
logging_search_logs(smbmount_t)
@@ -563,7 +563,7 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
allow swat_t swat_var_run_t:file create_file_perms;
allow swat_t swat_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(swat_t,swat_var_run_t)
+files_pid_filetrans(swat_t,swat_var_run_t,file)
allow swat_t winbind_exec_t:file execute;
@@ -652,7 +652,7 @@ allow winbind_t samba_var_t:file create_file_perms;
allow winbind_t samba_var_t:lnk_file create_lnk_perms;
allow winbind_t winbind_log_t:file create_file_perms;
-logging_log_filetrans(winbind_t,winbind_log_t)
+logging_log_filetrans(winbind_t,winbind_log_t,file)
allow winbind_t winbind_tmp_t:dir create_dir_perms;
allow winbind_t winbind_tmp_t:file create_file_perms;
@@ -661,7 +661,7 @@ files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
allow winbind_t winbind_var_run_t:file create_file_perms;
allow winbind_t winbind_var_run_t:sock_file create_file_perms;
allow winbind_t winbind_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(winbind_t,winbind_var_run_t)
+files_pid_filetrans(winbind_t,winbind_var_run_t,file)
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
@@ -694,7 +694,7 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
-init_use_fd(winbind_t)
+init_use_fds(winbind_t)
init_use_script_ptys(winbind_t)
libs_use_ld_so(winbind_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index f45f555..44719ba 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -29,7 +29,7 @@ allow saslauthd_t self:tcp_socket create_socket_perms;
allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(saslauthd_t,saslauthd_var_run_t)
+files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
@@ -62,7 +62,7 @@ files_search_var_lib(saslauthd_t)
files_dontaudit_getattr_home_dir(saslauthd_t)
files_dontaudit_getattr_tmp_dirs(saslauthd_t)
-init_use_fd(saslauthd_t)
+init_use_fds(saslauthd_t)
init_use_script_ptys(saslauthd_t)
init_dontaudit_stream_connect_script(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index a03daf5..f6a15db 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -74,7 +74,7 @@ files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
-init_use_fd(sendmail_t)
+init_use_fds(sendmail_t)
init_use_script_ptys(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_read_utmp(sendmail_t)
@@ -113,7 +113,7 @@ ifdef(`targeted_policy',`
files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
- files_pid_filetrans(sendmail_t,sendmail_var_run_t)
+ files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
')
optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index da215c1..e25afb6 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -28,7 +28,7 @@ dontaudit slrnpull_t self:capability sys_tty_config;
allow slrnpull_t self:process signal_perms;
allow slrnpull_t slrnpull_log_t:file create_file_perms;
-logging_log_filetrans(slrnpull_t,slrnpull_log_t)
+logging_log_filetrans(slrnpull_t,slrnpull_log_t,file)
allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
@@ -38,7 +38,7 @@ files_search_spool(slrnpull_t)
allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slrnpull_t,slrnpull_var_run_t)
+files_pid_filetrans(slrnpull_t,slrnpull_var_run_t,file)
kernel_list_proc(slrnpull_t)
kernel_read_kernel_sysctls(slrnpull_t)
@@ -55,7 +55,7 @@ fs_search_auto_mountpoints(slrnpull_t)
term_dontaudit_use_console(slrnpull_t)
-init_use_fd(slrnpull_t)
+init_use_fds(slrnpull_t)
init_use_script_ptys(slrnpull_t)
libs_use_ld_so(slrnpull_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index d0b84a1..5791d1e 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -35,7 +35,7 @@ files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t,fsdaemon_var_run_t,file)
kernel_read_kernel_sysctls(fsdaemon_t)
kernel_read_software_raid_state(fsdaemon_t)
@@ -71,7 +71,7 @@ storage_raw_write_fixed_disk(fsdaemon_t)
term_dontaudit_use_console(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
-init_use_fd(fsdaemon_t)
+init_use_fds(fsdaemon_t)
init_use_script_ptys(fsdaemon_t)
libs_use_ld_so(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index db1fd25..d547023 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -36,18 +36,18 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms;
allow snmpd_t snmpd_etc_t:file { getattr read };
allow snmpd_t snmpd_log_t:file create_file_perms;
-logging_log_filetrans(snmpd_t,snmpd_log_t)
+logging_log_filetrans(snmpd_t,snmpd_log_t,file)
allow snmpd_t snmpd_var_lib_t:file create_file_perms;
allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
-files_usr_filetrans(snmpd_t,snmpd_var_lib_t)
+files_usr_filetrans(snmpd_t,snmpd_var_lib_t,file)
files_var_filetrans(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t)
+files_var_lib_filetrans(snmpd_t,snmpd_var_lib_t,file)
allow snmpd_t snmpd_var_run_t:file create_file_perms;
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(snmpd_t,snmpd_var_run_t)
+files_pid_filetrans(snmpd_t,snmpd_var_run_t,file)
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
@@ -98,7 +98,7 @@ storage_dontaudit_read_removable_device(snmpd_t)
term_dontaudit_use_console(snmpd_t)
init_read_utmp(snmpd_t)
-init_use_fd(snmpd_t)
+init_use_fds(snmpd_t)
init_use_script_ptys(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 11f974f..287f496 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -55,7 +55,7 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
allow spamd_t spamd_var_run_t:file create_file_perms;
allow spamd_t spamd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(spamd_t,spamd_var_run_t)
+files_pid_filetrans(spamd_t,spamd_var_run_t,file)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
@@ -99,7 +99,7 @@ files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
-init_use_fd(spamd_t)
+init_use_fds(spamd_t)
init_use_script_ptys(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 07f819d..8037fc7 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -62,13 +62,13 @@ logging_log_filetrans(squid_t,squid_log_t,{ file dir })
allow squid_t squid_var_run_t:file create_file_perms;
allow squid_t squid_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(squid_t,squid_var_run_t)
+files_pid_filetrans(squid_t,squid_var_run_t,file)
kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_tcp_recvfrom(squid_t)
-bootloader_dontaudit_getattr_boot_dirs(squid_t)
+files_dontaudit_getattr_boot_dirs(squid_t)
corenet_tcp_sendrecv_all_if(squid_t)
corenet_raw_sendrecv_all_if(squid_t)
@@ -116,7 +116,7 @@ files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
-init_use_fd(squid_t)
+init_use_fds(squid_t)
init_use_script_ptys(squid_t)
libs_use_ld_so(squid_t)
@@ -147,7 +147,7 @@ tunable_policy(`squid_connect_any',`
optional_policy(`logrotate',`
allow squid_t self:capability kill;
- cron_use_fd(squid_t)
+ cron_use_fds(squid_t)
cron_use_system_job_fds(squid_t)
cron_rw_pipes(squid_t)
cron_write_system_job_pipes(squid_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 813060c..a89a355 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -536,14 +536,14 @@ template(`ssh_server_template', `
# files_list_pids($1_t)
# ',`
# corenet_tcp_bind_ssh_port($1_t)
- # init_use_fd($1_t)
+ # init_use_fds($1_t)
# init_use_script_ptys($1_t)
# ')
#',`
# These rules should match the else block
# of the run_ssh_inetd tunable directly above
corenet_tcp_bind_ssh_port($1_t)
- init_use_fd($1_t)
+ init_use_fds($1_t)
init_use_script_ptys($1_t)
#')
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 79cae69..9b812ee 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -232,7 +232,7 @@ ifdef(`targeted_policy',`',`
files_read_etc_files(ssh_keygen_t)
- init_use_fd(ssh_keygen_t)
+ init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
libs_use_ld_so(ssh_keygen_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 47a194b..14e6a0f 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -49,7 +49,7 @@ files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
allow stunnel_t stunnel_var_run_t:file create_file_perms;
allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(stunnel_t,stunnel_var_run_t)
+files_pid_filetrans(stunnel_t,stunnel_var_run_t,file)
kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
@@ -91,7 +91,7 @@ ifdef(`distro_gentoo', `
domain_use_interactive_fds(stunnel_t)
- init_use_fd(stunnel_t)
+ init_use_fds(stunnel_t)
init_use_script_ptys(stunnel_t)
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index a3b3844..620c380 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -51,7 +51,7 @@ fs_getattr_xattr_fs(sysstat_t)
term_use_console(sysstat_t)
-init_use_fd(sysstat_t)
+init_use_fds(sysstat_t)
init_use_script_ptys(sysstat_t)
libs_use_ld_so(sysstat_t)
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index e682d0d..a36dfc7 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -43,7 +43,7 @@ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
allow telnetd_t telnetd_var_run_t:file create_file_perms;
allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(telnetd_t,telnetd_var_run_t)
+files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 33c0b16..3e1f202 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -35,7 +35,7 @@ allow tftpd_t tftpdir_t:lnk_file { getattr read };
allow tftpd_t tftpd_var_run_t:file create_file_perms;
allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(tftpd_t,tftpd_var_run_t)
+files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
@@ -68,7 +68,7 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
-init_use_fd(tftpd_t)
+init_use_fds(tftpd_t)
init_use_script_ptys(tftpd_t)
libs_use_ld_so(tftpd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index 45d5f26..50d4a38 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -67,7 +67,7 @@ files_read_usr_files(timidity_t)
# read /etc/esd.conf
files_read_etc_files(timidity_t)
-init_use_fd(timidity_t)
+init_use_fds(timidity_t)
init_use_script_ptys(timidity_t)
libs_use_ld_so(timidity_t)
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 73dc366..20d12d9 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -61,7 +61,7 @@ files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
allow uucpd_t uucpd_var_run_t:file create_file_perms;
allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(uucpd_t,uucpd_var_run_t)
+files_pid_filetrans(uucpd_t,uucpd_var_run_t,file)
kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 916d0a5..d52a3ff 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -33,7 +33,7 @@ files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
allow xfs_t xfs_var_run_t:file create_file_perms;
allow xfs_t xfs_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(xfs_t,xfs_var_run_t)
+files_pid_filetrans(xfs_t,xfs_var_run_t,file)
# Bind to /tmp/.font-unix/fs-1.
# cjp: I do not believe this has an effect.
@@ -54,7 +54,7 @@ domain_use_interactive_fds(xfs_t)
files_read_etc_files(xfs_t)
files_read_etc_runtime_files(xfs_t)
-init_use_fd(xfs_t)
+init_use_fds(xfs_t)
init_use_script_ptys(xfs_t)
libs_use_ld_so(xfs_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 9572d18..01c85c1 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -180,7 +180,7 @@ template(`xserver_common_domain_template',`
ifdef(`rpm.te', `
allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
allow $1_xserver_t rpm_tmpfs_t:file { read write };
- rpm_use_fd($1_xserver_t)
+ rpm_use_fds($1_xserver_t)
')
')
') dnl end TODO
@@ -279,9 +279,9 @@ template(`xserver_per_userdomain_template',`
allow $1_xserver_t $2:shm rw_shm_perms;
allow $2 $1_xserver_t:shm rw_shm_perms;
- getty_use_fd($1_xserver_t)
+ getty_use_fds($1_xserver_t)
- locallogin_use_fd($1_xserver_t)
+ locallogin_use_fds($1_xserver_t)
userdom_search_user_home_dirs($1,$1_xserver_t)
userdom_use_user_ttys($1,$1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 1f68311..eb2182e 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -216,7 +216,7 @@ ifdef(`enable_polyinstantiation',`
ifdef(`strict_policy',`
allow xdm_t xdm_lock_t:file create_file_perms;
- files_lock_filetrans(xdm_t,xdm_lock_t)
+ files_lock_filetrans(xdm_t,xdm_lock_t,file)
allow xdm_t xdm_tmp_t:dir create_dir_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
@@ -232,7 +232,7 @@ ifdef(`strict_policy',`
allow xdm_t xdm_var_lib_t:file create_file_perms;
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
- files_var_lib_filetrans(xdm_t,xdm_var_lib_t)
+ files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
allow xdm_t xdm_var_run_t:dir manage_dir_perms;
allow xdm_t xdm_var_run_t:fifo_file manage_file_perms;
@@ -393,7 +393,7 @@ corenet_tcp_bind_vnc_port(xdm_xserver_t)
fs_search_auto_mountpoints(xdm_xserver_t)
-init_use_fd(xdm_xserver_t)
+init_use_fds(xdm_xserver_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index b606499..c579620 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -92,7 +92,7 @@ files_search_etc(zebra_t)
files_read_etc_files(zebra_t)
files_read_etc_runtime_files(zebra_t)
-init_use_fd(zebra_t)
+init_use_fds(zebra_t)
init_use_script_ptys(zebra_t)
libs_use_ld_so(zebra_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 69d9c27..107313a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -118,7 +118,7 @@ logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
optional_policy(`locallogin',`
- locallogin_use_fd(pam_t)
+ locallogin_use_fds(pam_t)
')
optional_policy(`nis',`
@@ -146,7 +146,7 @@ dontaudit pam_console_t pam_var_console_t:file write;
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
kernel_read_kernel_sysctls(pam_console_t)
-kernel_use_fd(pam_console_t)
+kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)
@@ -196,7 +196,7 @@ files_list_mnt(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)
-init_use_fd(pam_console_t)
+init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
libs_use_ld_so(pam_console_t)
@@ -229,7 +229,7 @@ optional_policy(`gpm',`
')
optional_policy(`hotplug',`
- hotplug_use_fd(pam_console_t)
+ hotplug_use_fds(pam_console_t)
hotplug_dontaudit_search_config(pam_console_t)
')
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 845dc05..eae12da 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -47,7 +47,7 @@ term_use_all_user_ptys(hwclock_t)
domain_use_interactive_fds(hwclock_t)
-init_use_fd(hwclock_t)
+init_use_fds(hwclock_t)
init_use_script_ptys(hwclock_t)
files_read_etc_files(hwclock_t)
diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te
index 73c32d0..0c61729 100644
--- a/refpolicy/policy/modules/system/daemontools.te
+++ b/refpolicy/policy/modules/system/daemontools.te
@@ -42,7 +42,7 @@ files_type(svc_svc_t)
allow svc_multilog_t svc_svc_t:dir rw_dir_perms;
allow svc_multilog_t svc_svc_t:file create_file_perms;
-init_use_fd(svc_multilog_t)
+init_use_fds(svc_multilog_t)
libs_use_ld_so(svc_multilog_t)
libs_use_shared_libs(svc_multilog_t)
@@ -82,7 +82,7 @@ files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)
init_use_script_fds(svc_run_t)
-init_use_fd(svc_run_t)
+init_use_fds(svc_run_t)
libs_use_ld_so(svc_run_t)
libs_use_shared_libs(svc_run_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 34bc157..0d069a6 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -57,7 +57,7 @@ kernel_getattr_proc(fsadm_t)
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)
-bootloader_getattr_boot_dirs(fsadm_t)
+files_getattr_boot_dirs(fsadm_t)
dev_getattr_all_chr_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
@@ -125,7 +125,7 @@ files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)
-init_use_fd(fsadm_t)
+init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
libs_use_ld_so(fsadm_t)
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index ed6cf36..79a89e7 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -34,7 +34,7 @@ interface(`getty_domtrans',`
##
##
#
-interface(`getty_use_fd',`
+interface(`getty_use_fds',`
gen_require(`
type getty_t;
')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index bebab10..456e3b5 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -47,10 +47,10 @@ allow getty_t getty_etc_t:lnk_file { getattr read };
files_etc_filetrans(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_lock_t:file create_file_perms;
-files_lock_filetrans(getty_t,getty_lock_t)
+files_lock_filetrans(getty_t,getty_lock_t,file)
allow getty_t getty_log_t:file create_file_perms;
-logging_log_filetrans(getty_t,getty_log_t)
+logging_log_filetrans(getty_t,getty_log_t,file)
allow getty_t getty_tmp_t:file create_file_perms;
allow getty_t getty_tmp_t:dir create_dir_perms;
@@ -58,7 +58,7 @@ files_tmp_filetrans(getty_t,getty_tmp_t,{ file dir })
allow getty_t getty_var_run_t:file create_file_perms;
allow getty_t getty_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(getty_t,getty_var_run_t)
+files_pid_filetrans(getty_t,getty_var_run_t,file)
kernel_list_proc(getty_t)
kernel_read_proc_symlinks(getty_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 2f7b48a..dbe028b 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -35,7 +35,7 @@ term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
term_use_all_user_ptys(hostname_t)
-init_use_fd(hostname_t)
+init_use_fds(hostname_t)
init_use_script_fds(hostname_t)
init_use_script_ptys(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 6b8abaf..3aa11c9 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -36,9 +36,9 @@ interface(`hotplug_exec',`
#######################################
#
-# hotplug_use_fd(domain)
+# hotplug_use_fds(domain)
#
-interface(`hotplug_use_fd',`
+interface(`hotplug_use_fds',`
gen_require(`
type hotplug_t;
')
@@ -48,9 +48,9 @@ interface(`hotplug_use_fd',`
#######################################
#
-# hotplug_dontaudit_use_fd(domain)
+# hotplug_dontaudit_use_fds(domain)
#
-interface(`hotplug_dontaudit_use_fd',`
+interface(`hotplug_dontaudit_use_fds',`
gen_require(`
type hotplug_t;
')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 723bd71..b5d6377 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -42,7 +42,7 @@ can_exec(hotplug_t,hotplug_exec_t)
allow hotplug_t hotplug_var_run_t:file manage_file_perms;
allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(hotplug_t,hotplug_var_run_t)
+files_pid_filetrans(hotplug_t,hotplug_var_run_t,file)
kernel_sigchld(hotplug_t)
kernel_setpgid(hotplug_t)
@@ -50,7 +50,7 @@ kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctls(hotplug_t)
kernel_read_net_sysctls(hotplug_t)
-bootloader_read_kernel_modules(hotplug_t)
+files_read_kernel_modules(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_udp_sendrecv_all_if(hotplug_t)
@@ -95,7 +95,7 @@ files_exec_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot:
files_dontaudit_search_isid_type_dirs(hotplug_t)
-init_use_fd(hotplug_t)
+init_use_fds(hotplug_t)
init_use_script_ptys(hotplug_t)
init_read_script_state(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
@@ -152,7 +152,7 @@ optional_policy(`fstools',`
')
optional_policy(`hal',`
- hal_dgram_sendto(hotplug_t)
+ hal_dgram_send(hotplug_t)
')
optional_policy(`hostname',`
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 1da9f70..dad3d96 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -297,9 +297,9 @@ interface(`init_sigchld',`
########################################
#
-# init_use_fd(domain)
+# init_use_fds(domain)
#
-interface(`init_use_fd',`
+interface(`init_use_fds',`
gen_require(`
type init_t;
')
@@ -309,9 +309,9 @@ interface(`init_use_fd',`
########################################
#
-# init_dontaudit_use_fd(domain)
+# init_dontaudit_use_fds(domain)
#
-interface(`init_dontaudit_use_fd',`
+interface(`init_dontaudit_use_fds',`
gen_require(`
type init_t;
')
@@ -810,9 +810,9 @@ interface(`init_rw_script_tmp_files',`
## The type of the object to be created
##
##
-##
+##
##
-## The object class. If not specified, file is used.
+## The object class.
##
##
#
@@ -824,12 +824,7 @@ interface(`init_script_tmp_filetrans',`
files_search_tmp($1)
allow $1 initrc_tmp_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 initrc_tmp_t:file $2;
- ',`
- type_transition $1 initrc_tmp_t:$3 $2;
- ')
+ type_transition $1 initrc_tmp_t:$3 $2;
')
########################################
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index d83d909..e3d9055 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -104,7 +104,7 @@ allow init_t initrc_t:unix_stream_socket connectto;
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_pid_filetrans(init_t,init_var_run_t)
+files_pid_filetrans(init_t,init_var_run_t,file)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
@@ -224,7 +224,7 @@ allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
allow initrc_t initrc_var_run_t:file create_file_perms;
-files_pid_filetrans(initrc_t,initrc_var_run_t)
+files_pid_filetrans(initrc_t,initrc_var_run_t,file)
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file create_file_perms;
@@ -245,7 +245,7 @@ kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
-bootloader_read_kernel_symbol_table(initrc_t)
+files_read_kernel_symbol_table(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_raw_sendrecv_all_if(initrc_t)
@@ -395,7 +395,8 @@ ifdef(`distro_debian',`
# for storing state under /dev/shm
fs_setattr_tmpfs_dirs(initrc_t)
- storage_create_fixed_disk_tmpfs(initrc_t)
+ storage_manage_fixed_disk(initrc_t)
+ storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
')
@@ -416,7 +417,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
- kernel_dontaudit_use_fd(initrc_t)
+ kernel_dontaudit_use_fds(initrc_t)
files_dontaudit_read_root_files(initrc_t)
selinux_set_enforce_mode(initrc_t)
@@ -424,7 +425,7 @@ ifdef(`distro_redhat',`
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_file(initrc_t)
- bootloader_rw_boot_symlinks(initrc_t)
+ files_rw_boot_symlinks(initrc_t)
# These seem to be from the initrd
# during device initialization:
@@ -442,7 +443,8 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(initrc_t)
- storage_create_fixed_disk(initrc_t)
+ storage_manage_fixed_disk(initrc_t)
+ storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
# readahead asks for these
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 9010cfe..dd4ee28 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -109,7 +109,7 @@ domain_use_interactive_fds(ipsec_t)
files_read_etc_files(ipsec_t)
-init_use_fd(ipsec_t)
+init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
libs_use_ld_so(ipsec_t)
@@ -156,10 +156,10 @@ allow ipsec_mgmt_t self:key_socket { create setopt };
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
-files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t)
+files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
-files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
+files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
@@ -180,9 +180,8 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
-# cjp: combo of file_type_auto_trans and rw_dir_create_file
allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
-files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t)
+files_etc_filetrans(ipsec_mgmt_t,ipsec_key_file_t,file)
# whack needs to connect to pluto
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
@@ -207,8 +206,8 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
-bootloader_read_kernel_symbol_table(ipsec_mgmt_t)
-bootloader_getattr_kernel_modules(ipsec_mgmt_t)
+files_read_kernel_symbol_table(ipsec_mgmt_t)
+files_getattr_kernel_modules(ipsec_mgmt_t)
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -241,7 +240,7 @@ files_dontaudit_getattr_default_files(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
-init_use_fd(ipsec_mgmt_t)
+init_use_fds(ipsec_mgmt_t)
libs_use_ld_so(ipsec_mgmt_t)
libs_use_shared_libs(ipsec_mgmt_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index c48dee8..d81e6f1 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -27,7 +27,7 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(iptables_t,iptables_var_run_t)
+files_pid_filetrans(iptables_t,iptables_var_run_t,file)
can_exec(iptables_t,iptables_exec_t)
@@ -41,7 +41,7 @@ kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
kernel_read_kernel_sysctls(iptables_t)
kernel_read_modprobe_sysctls(iptables_t)
-kernel_use_fd(iptables_t)
+kernel_use_fds(iptables_t)
dev_read_sysfs(iptables_t)
@@ -56,7 +56,7 @@ domain_use_interactive_fds(iptables_t)
files_read_etc_files(iptables_t)
-init_use_fd(iptables_t)
+init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
@@ -82,7 +82,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`firstboot',`
- firstboot_use_fd(iptables_t)
+ firstboot_use_fds(iptables_t)
firstboot_write_pipes(iptables_t)
')
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index bba2c99..801aa12 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -28,7 +28,7 @@ interface(`locallogin_domtrans',`
##
##
#
-interface(`locallogin_use_fd',`
+interface(`locallogin_use_fds',`
gen_require(`
type local_login_t;
')
@@ -46,7 +46,7 @@ interface(`locallogin_use_fd',`
##
##
#
-interface(`locallogin_dontaudit_use_fd',`
+interface(`locallogin_dontaudit_use_fds',`
gen_require(`
type local_login_t;
')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 5c99514..b3eeb23 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -52,7 +52,7 @@ allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t local_login_lock_t:file create_file_perms;
-files_lock_filetrans(local_login_t,local_login_lock_t)
+files_lock_filetrans(local_login_t,local_login_lock_t,file)
allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file create_file_perms;
@@ -145,7 +145,7 @@ files_read_var_symlinks(local_login_t)
files_polyinstantiate_all(local_login_t)
init_rw_utmp(local_login_t)
-init_dontaudit_use_fd(local_login_t)
+init_dontaudit_use_fds(local_login_t)
libs_use_ld_so(local_login_t)
libs_use_shared_libs(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 163ada1..10d4d26 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -98,13 +98,9 @@ interface(`logging_log_filetrans',`
type var_log_t;
')
+ files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 var_log_t:file $2;
- ',`
- type_transition $1 var_log_t:$3 $2;
- ')
+ type_transition $1 var_log_t:$3 $2;
')
#######################################
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index c8cebad..161a82f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -83,9 +83,9 @@ mls_file_read_up(auditctl_t)
term_use_all_terms(auditctl_t)
init_use_script_ptys(auditctl_t)
-init_dontaudit_use_fd(auditctl_t)
+init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fd(auditctl_t)
+locallogin_dontaudit_use_fds(auditctl_t)
logging_send_syslog_msg(auditctl_t)
@@ -131,7 +131,7 @@ allow auditd_t var_log_t:dir search;
allow auditd_t auditd_var_run_t:file create_file_perms;
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(auditd_t,auditd_var_run_t)
+files_pid_filetrans(auditd_t,auditd_var_run_t,file)
kernel_read_kernel_sysctls(auditd_t)
kernel_list_proc(auditd_t)
@@ -152,7 +152,7 @@ domain_use_interactive_fds(auditd_t)
files_read_etc_files(auditd_t)
files_list_usr(auditd_t)
-init_use_fd(auditd_t)
+init_use_fds(auditd_t)
init_exec(auditd_t)
init_write_initctl(auditd_t)
init_use_script_ptys(auditd_t)
@@ -203,7 +203,7 @@ files_tmp_filetrans(klogd_t,klogd_tmp_t,{ file dir })
allow klogd_t klogd_var_run_t:file create_file_perms;
allow klogd_t klogd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(klogd_t,klogd_var_run_t)
+files_pid_filetrans(klogd_t,klogd_var_run_t,file)
kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
@@ -212,7 +212,7 @@ kernel_read_kernel_sysctls(klogd_t)
kernel_clear_ring_buffer(klogd_t)
kernel_change_ring_buffer_level(klogd_t)
-bootloader_read_kernel_symbol_table(klogd_t)
+files_read_kernel_symbol_table(klogd_t)
dev_read_raw_memory(klogd_t)
dev_read_sysfs(klogd_t)
@@ -228,7 +228,7 @@ files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
files_read_etc_files(klogd_t)
-init_use_fd(klogd_t)
+init_use_fds(klogd_t)
init_use_script_ptys(klogd_t)
libs_use_ld_so(klogd_t)
@@ -294,7 +294,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
# manage pid file
allow syslogd_t syslogd_var_run_t:file create_file_perms;
allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(syslogd_t,syslogd_var_run_t)
+files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
@@ -329,7 +329,7 @@ corenet_udp_bind_syslogd_port(syslogd_t)
fs_getattr_all_fs(syslogd_t)
-init_use_fd(syslogd_t)
+init_use_fds(syslogd_t)
init_use_script_ptys(syslogd_t)
domain_use_interactive_fds(syslogd_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 282f004..6264099 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -55,7 +55,7 @@ allow clvmd_t self:udp_socket create_socket_perms;
allow clvmd_t clvmd_var_run_t:file create_file_perms;
allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(clvmd_t,clvmd_var_run_t)
+files_pid_filetrans(clvmd_t,clvmd_var_run_t,file)
kernel_read_kernel_sysctls(clvmd_t)
kernel_list_proc(clvmd_t)
@@ -86,7 +86,7 @@ domain_use_interactive_fds(clvmd_t)
files_list_usr(clvmd_t)
-init_use_fd(clvmd_t)
+init_use_fds(clvmd_t)
init_use_script_ptys(clvmd_t)
libs_use_ld_so(clvmd_t)
@@ -151,11 +151,11 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
-files_lock_filetrans(lvm_t,lvm_lock_t)
+files_lock_filetrans(lvm_t,lvm_lock_t,file)
allow lvm_t lvm_var_run_t:file create_file_perms;
allow lvm_t lvm_var_run_t:dir create_dir_perms;
-files_pid_filetrans(lvm_t,lvm_var_run_t)
+files_pid_filetrans(lvm_t,lvm_var_run_t,file)
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -210,7 +210,8 @@ storage_relabel_fixed_disk(lvm_t)
# depending on its version
# LVM(2) needs to create directores (/dev/mapper, /dev/)
# and links from /dev/ to /dev/mapper/-
-storage_create_fixed_disk(lvm_t)
+# cjp: need create interface here for fixed disk create
+storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -227,7 +228,7 @@ files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
-init_use_fd(lvm_t)
+init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index ddd0e8c..0523843 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -15,7 +15,7 @@ interface(`modutils_read_module_deps',`
type modules_dep_t;
')
- bootloader_list_kernel_modules($1)
+ files_list_kernel_modules($1)
allow $1 modules_dep_t:file r_file_perms;
')
@@ -38,7 +38,7 @@ interface(`modutils_read_module_config',`
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
- bootloader_search_boot($1)
+ files_search_boot($1)
allow $1 modules_conf_t:{ file lnk_file } r_file_perms;
')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index c50a9c2..64d21e2 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -66,9 +66,9 @@ kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
kernel_read_hotplug_sysctls(insmod_t)
-bootloader_read_kernel_modules(insmod_t)
+files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
-bootloader_write_kernel_modules(insmod_t)
+files_write_kernel_modules(insmod_t)
dev_search_sysfs(insmod_t)
dev_search_usbfs(insmod_t)
@@ -101,7 +101,7 @@ files_dontaudit_search_pids(insmod_t)
files_dontaudit_search_isid_type_dirs(insmod_t)
init_rw_initctl(insmod_t)
-init_use_fd(insmod_t)
+init_use_fds(insmod_t)
init_use_script_fds(insmod_t)
init_use_script_ptys(insmod_t)
@@ -166,12 +166,12 @@ can_exec(depmod_t, depmod_exec_t)
allow depmod_t modules_conf_t:file r_file_perms;
allow depmod_t modules_dep_t:file create_file_perms;
-bootloader_modules_filetrans(depmod_t,modules_dep_t)
+files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
kernel_read_system_state(depmod_t)
-bootloader_read_kernel_symbol_table(depmod_t)
-bootloader_read_kernel_modules(depmod_t)
+files_read_kernel_symbol_table(depmod_t)
+files_read_kernel_modules(depmod_t)
fs_getattr_xattr_fs(depmod_t)
@@ -182,7 +182,7 @@ corecmd_search_sbin(depmod_t)
domain_use_interactive_fds(depmod_t)
-init_use_fd(depmod_t)
+init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
@@ -228,8 +228,8 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms;
-bootloader_modules_filetrans(update_modules_t,modules_conf_t)
-files_etc_filetrans(update_modules_t,modules_conf_t)
+files_kernel_modules_filetrans(update_modules_t,modules_conf_t,file)
+files_etc_filetrans(update_modules_t,modules_conf_t,file)
# transition to depmod
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
@@ -251,7 +251,7 @@ fs_getattr_xattr_fs(update_modules_t)
term_use_console(update_modules_t)
-init_use_fd(update_modules_t)
+init_use_fds(update_modules_t)
init_use_script_fds(update_modules_t)
init_use_script_ptys(update_modules_t)
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index b4ad149..ce71126 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -86,7 +86,7 @@ interface(`mount_exec',`
##
##
#
-interface(`mount_use_fd',`
+interface(`mount_use_fds',`
gen_require(`
type mount_t;
')
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 400a3c0..19ef36e 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -71,7 +71,7 @@ files_unmount_all_file_type_fs(mount_t)
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
-init_use_fd(mount_t)
+init_use_fds(mount_t)
init_use_script_ptys(mount_t)
libs_use_ld_so(mount_t)
@@ -125,7 +125,7 @@ optional_policy(`portmap',`
')
optional_policy(`apm',`
- apm_use_fd(mount_t)
+ apm_use_fds(mount_t)
')
# for kernel package installation
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 6b57cf5..df17b40 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -43,16 +43,16 @@ dev_filetrans(cardmgr_t,cardmgr_lnk_t,lnk_file)
# Create stab file
allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t)
+files_var_lib_filetrans(cardmgr_t,cardmgr_var_lib_t,file)
allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
-files_pid_filetrans(cardmgr_t,cardmgr_var_run_t)
+files_pid_filetrans(cardmgr_t,cardmgr_var_run_t,file)
kernel_read_system_state(cardmgr_t)
kernel_read_kernel_sysctls(cardmgr_t)
kernel_dontaudit_getattr_message_if(cardmgr_t)
-bootloader_search_kernel_modules(cardmgr_t)
+files_search_kernel_modules(cardmgr_t)
dev_read_sysfs(cardmgr_t)
dev_manage_cardmgr_dev(cardmgr_t)
@@ -98,7 +98,7 @@ files_dontaudit_getattr_all_symlinks(cardmgr_t)
files_dontaudit_getattr_all_pipes(cardmgr_t)
files_dontaudit_getattr_all_sockets(cardmgr_t)
-init_use_fd(cardmgr_t)
+init_use_fds(cardmgr_t)
init_use_script_ptys(cardmgr_t)
libs_use_ld_so(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index ace3f78..f6ad01f 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -24,7 +24,7 @@ dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t mdadm_var_run_t:file create_file_perms;
-files_pid_filetrans(mdadm_t,mdadm_var_run_t)
+files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
@@ -53,7 +53,7 @@ domain_use_interactive_fds(mdadm_t)
files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
-init_use_fd(mdadm_t)
+init_use_fds(mdadm_t)
init_use_script_ptys(mdadm_t)
init_dontaudit_getattr_initctl(mdadm_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index b30c1c9..c6e02c4 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -148,7 +148,7 @@ files_list_usr(checkpolicy_t)
# directory search permissions for path to source and binary policy files
files_search_etc(checkpolicy_t)
-init_use_fd(checkpolicy_t)
+init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
libs_use_ld_so(checkpolicy_t)
@@ -333,7 +333,7 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
-kernel_use_fd(restorecon_t)
+kernel_use_fds(restorecon_t)
kernel_rw_pipes(restorecon_t)
kernel_read_system_state(restorecon_t)
kernel_relabelfrom_unlabeled_dirs(restorecon_t)
@@ -365,7 +365,7 @@ term_use_unallocated_ttys(restorecon_t)
term_use_all_user_ttys(restorecon_t)
term_use_all_user_ptys(restorecon_t)
-init_use_fd(restorecon_t)
+init_use_fds(restorecon_t)
init_use_script_ptys(restorecon_t)
domain_use_interactive_fds(restorecon_t)
@@ -398,7 +398,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`hotplug',`
- hotplug_use_fd(restorecon_t)
+ hotplug_use_fds(restorecon_t)
')
ifdef(`TODO',`
@@ -562,7 +562,7 @@ term_use_unallocated_ttys(setfiles_t)
# this is to satisfy the assertion:
auth_relabelto_shadow(setfiles_t)
-init_use_fd(setfiles_t)
+init_use_fds(setfiles_t)
init_use_script_fds(setfiles_t)
init_use_script_ptys(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index ebf653c..91809a5 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -453,9 +453,9 @@ interface(`sysnet_search_dhcp_state',`
## The type of the object to be created
##
##
-##
+##
##
-## The object class. If not specified, file is used.
+## The object class.
##
##
#
@@ -466,12 +466,7 @@ interface(`sysnet_dhcp_state_filetrans',`
files_search_var_lib($1)
allow $1 dhcp_state_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 dhcp_state_t:file $2;
- ',`
- type_transition $1 dhcp_state_t:$3 $2;
- ')
+ type_transition $1 dhcp_state_t:$3 $2;
')
########################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 1568eb6..2401646 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -65,7 +65,7 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(dhcpc_t,dhcpc_var_run_t)
+files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -89,7 +89,7 @@ allow ifconfig_t dhcpc_t:process sigchld;
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
-kernel_use_fd(dhcpc_t)
+kernel_use_fds(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
@@ -131,7 +131,7 @@ files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)
-init_use_fd(dhcpc_t)
+init_use_fds(dhcpc_t)
init_use_script_ptys(dhcpc_t)
init_rw_utmp(dhcpc_t)
@@ -277,7 +277,7 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
-kernel_use_fd(ifconfig_t)
+kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
@@ -296,7 +296,7 @@ domain_use_interactive_fds(ifconfig_t)
files_dontaudit_read_root_files(ifconfig_t)
-init_use_fd(ifconfig_t)
+init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
libs_use_ld_so(ifconfig_t)
@@ -337,5 +337,5 @@ optional_policy(`nis',`
')
optional_policy(`ppp',`
- ppp_use_fd(ifconfig_t)
+ ppp_use_fds(ifconfig_t)
')
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index 1e4175a..6aa57ce 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -77,7 +77,7 @@ interface(`udev_read_state',`
##
##
#
-interface(`udev_dontaudit_use_fd',`
+interface(`udev_dontaudit_use_fds',`
gen_require(`
type udev_t;
')
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 329b2da..d7c825f 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -70,11 +70,11 @@ dev_filetrans(udev_t,udev_tbl_t,file)
allow udev_t udev_var_run_t:file create_file_perms;
allow udev_t udev_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(udev_t,udev_var_run_t)
+files_pid_filetrans(udev_t,udev_var_run_t,file)
kernel_read_system_state(udev_t)
kernel_getattr_core_if(udev_t)
-kernel_use_fd(udev_t)
+kernel_use_fds(udev_t)
kernel_read_device_sysctls(udev_t)
kernel_read_hotplug_sysctls(udev_t)
kernel_read_modprobe_sysctls(udev_t)
@@ -115,7 +115,7 @@ files_dontaudit_search_isid_type_dirs(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
-init_use_fd(udev_t)
+init_use_fds(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
@@ -180,7 +180,7 @@ optional_policy(`dbus',`
')
optional_policy(`hal',`
- hal_dgram_sendto(udev_t)
+ hal_dgram_send(udev_t)
')
optional_policy(`hotplug',`
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index bc32cd7..68a09fd 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -67,10 +67,6 @@ interface(`unconfined_domain_noaudit',`
auth_unconfined($1)
')
- optional_policy(`bootloader',`
- bootloader_manage_kernel_modules($1)
- ')
-
optional_policy(`dbus',`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@@ -208,7 +204,7 @@ interface(`unconfined_shell_domtrans',`
##
##
#
-interface(`unconfined_use_fd',`
+interface(`unconfined_use_fds',`
gen_require(`
type unconfined_t;
')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 4738506..c00a0ba 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -367,8 +367,8 @@ template(`base_user_template',`
optional_policy(`inetd',`
inetd_tcp_connect($1_t)
- inetd_udp_sendto($1_t)
- inetd_use_fd($1_t)
+ inetd_udp_send($1_t)
+ inetd_use_fds($1_t)
inetd_rw_tcp_sockets($1_t)
')
@@ -551,7 +551,7 @@ template(`unpriv_user_template', `
dev_read_sysfs($1_t)
# cjp: why?
- bootloader_read_kernel_symbol_table($1_t)
+ files_read_kernel_symbol_table($1_t)
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -574,7 +574,7 @@ template(`unpriv_user_template', `
# then fall back to read-only if it fails.
init_dontaudit_write_utmp($1_t)
# Stop warnings about access to /dev/console
- init_dontaudit_use_fd($1_t)
+ init_dontaudit_use_fds($1_t)
init_dontaudit_use_script_fds($1_t)
miscfiles_read_man_pages($1_t)
@@ -3360,8 +3360,7 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
#
interface(`userdom_use_sysadm_fds',`
ifdef(`targeted_policy',`
- #cjp: need to doublecheck this one
- unconfined_use_fd($1)
+ unconfined_use_fds($1)
',`
gen_require(`
type sysadm_t;
@@ -3859,7 +3858,7 @@ interface(`userdom_home_filetrans_generic_user_home_dir',`
type user_home_dir_t;
')
- files_home_filetrans($1,user_home_dir_t)
+ files_home_filetrans($1,user_home_dir_t,dir)
')
########################################
@@ -3890,7 +3889,7 @@ interface(`userdom_search_generic_user_home_dirs',`
## Domain allowed access.
##
##
-##
+##
##
## The class of the object to be created.
## If not specified, file is used.
@@ -3903,13 +3902,8 @@ interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
')
files_search_home($1)
-
allow $1 user_home_dir_t:dir rw_dir_perms;
- ifelse(`$2',`',`
- type_transition $1 user_home_dir_t:file user_home_t;
- ',`
- type_transition $1 user_home_dir_t:$2 user_home_t;
- ')
+ type_transition $1 user_home_dir_t:$2 user_home_t;
')
########################################
@@ -4436,5 +4430,5 @@ interface(`userdom_unconfined',`
')
allow $1 user_home_dir_t:dir create_dir_perms;
- files_home_filetrans($1,user_home_dir_t)
+ files_home_filetrans($1,user_home_dir_t,dir)
')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 6db0b1b..71ad4da 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -150,7 +150,7 @@ ifdef(`targeted_policy',`
# Add/remove user home directories
allow sysadm_t user_home_dir_t:dir create_dir_perms;
- files_home_filetrans(sysadm_t,user_home_dir_t)
+ files_home_filetrans(sysadm_t,user_home_dir_t,dir)
corecmd_exec_shell(sysadm_t)
diff --git a/refpolicy/policy/support/obj_perm_sets.spt b/refpolicy/policy/support/obj_perm_sets.spt
index ecc755a..d487080 100644
--- a/refpolicy/policy/support/obj_perm_sets.spt
+++ b/refpolicy/policy/support/obj_perm_sets.spt
@@ -210,7 +210,8 @@ define(`setattr_file_perms',`{ setattr }')
define(`read_file_perms',`{ getattr read lock ioctl }')
define(`append_file_perms',`{ getattr append lock ioctl }')
define(`write_file_perms',`{ getattr write append lock ioctl }')
-define(`rw_file_perms', `{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ getattr read write append ioctl lock }')
+define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
#