diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index c9b4e63..7b9647a 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -56,7 +56,7 @@ dev_read_sysfs(kudzu_t)
 dev_rx_raw_memory(kudzu_t)
 dev_wx_raw_memory(kudzu_t)
 dev_rw_mouse(kudzu_t)
-dev_rwx_zero_dev(kudzu_t)
+dev_rwx_zero(kudzu_t)
 fs_search_auto_mountpoints(kudzu_t)
 fs_search_ramfs(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 193f34d..5a53646 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -30,8 +30,8 @@ kernel_read_system_state(readahead_t)
 kernel_dontaudit_getattr_core(readahead_t)
 dev_read_sysfs(readahead_t)
-dev_getattr_generic_chr_file(readahead_t)
-dev_getattr_generic_blk_file(readahead_t)
+dev_getattr_generic_chr_files(readahead_t)
+dev_getattr_generic_blk_files(readahead_t)
 dev_getattr_all_chr_files(readahead_t)
 dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 852982a..8ebe034 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -260,8 +260,8 @@ kernel_read_system_state(rpm_script_t)
 dev_list_sysfs(rpm_script_t)
 # ideally we would not need this
-dev_manage_generic_blk_file(rpm_script_t)
-dev_manage_generic_chr_file(rpm_script_t)
+dev_manage_generic_blk_files(rpm_script_t)
+dev_manage_generic_chr_files(rpm_script_t)
 dev_manage_all_blk_files(rpm_script_t)
 dev_manage_all_chr_files(rpm_script_t)
diff --git a/refpolicy/policy/modules/admin/vbetool.te b/refpolicy/policy/modules/admin/vbetool.te
index 15936eb..d4b9eea 100644
--- a/refpolicy/policy/modules/admin/vbetool.te
+++ b/refpolicy/policy/modules/admin/vbetool.te
@@ -19,7 +19,7 @@ allow vbetool_t self:process execmem;
 dev_wx_raw_memory(vbetool_t)
 dev_read_raw_memory(vbetool_t)
-dev_rwx_zero_dev(vbetool_t)
+dev_rwx_zero(vbetool_t)
 dev_read_sysfs(vbetool_t)
 libs_use_ld_so(vbetool_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 213f514..e0e0e26 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -96,8 +96,8 @@ template(`java_per_userdomain_template',`
 corenet_udp_bind_all_nodes($1_javaplugin_t)
 corenet_tcp_connect_all_ports($1_javaplugin_t)
- dev_read_snd_dev($1_javaplugin_t)
- dev_write_snd_dev($1_javaplugin_t)
+ dev_read_sound($1_javaplugin_t)
+ dev_write_sound($1_javaplugin_t)
 dev_read_urand($1_javaplugin_t)
 dev_read_rand($1_javaplugin_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 49f0666..3f81d4c 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -110,7 +110,7 @@ dev_getattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
-dev_getattr_sysfs_dir(bootloader_t)
+dev_getattr_sysfs_dirs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index e84ad5d..4413c65 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -96,7 +96,7 @@ interface(`dev_list_all_dev_nodes',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_dev_dir',`
+interface(`dev_setattr_generic_dirs',`
 gen_require(`
 type device_t;
 ')
@@ -128,7 +128,7 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
 ## Domain allowed to create the directory.
 ##
 #
-interface(`dev_create_dir',`
+interface(`dev_create_generic_dirs',`
 gen_require(`
 type device_t;
 ')
@@ -144,7 +144,7 @@ interface(`dev_create_dir',`
 ## Domain allowed to relabel.
 ##
 #
-interface(`dev_relabel_dev_dirs',`
+interface(`dev_relabel_generic_dev_dirs',`
 gen_require(`
 type device_t;
 ')
@@ -160,7 +160,7 @@ interface(`dev_relabel_dev_dirs',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_generic_file',`
+interface(`dev_rw_generic_files',`
 gen_require(`
 type device_t;
 ')
@@ -177,7 +177,7 @@ interface(`dev_rw_generic_file',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_delete_generic_file',`
+interface(`dev_delete_generic_files',`
 gen_require(`
 type device_t;
 ')
@@ -194,7 +194,7 @@ interface(`dev_delete_generic_file',`
 ## Domain to dontaudit.
 ##
 #
-interface(`dev_dontaudit_getattr_generic_pipe',`
+interface(`dev_dontaudit_getattr_generic_pipes',`
 gen_require(`
 type device_t;
 ')
@@ -210,7 +210,7 @@ interface(`dev_dontaudit_getattr_generic_pipe',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_generic_blk_file',`
+interface(`dev_getattr_generic_blk_files',`
 gen_require(`
 type device_t;
 ')
@@ -227,7 +227,7 @@ interface(`dev_getattr_generic_blk_file',`
 ## Domain to dontaudit access.
 ##
 #
-interface(`dev_dontaudit_getattr_generic_blk_file',`
+interface(`dev_dontaudit_getattr_generic_blk_files',`
 gen_require(`
 type device_t;
 ')
@@ -243,7 +243,7 @@ interface(`dev_dontaudit_getattr_generic_blk_file',`
 ## Domain to dontaudit access.
 ##
 #
-interface(`dev_dontaudit_setattr_generic_blk_file',`
+interface(`dev_dontaudit_setattr_generic_blk_files',`
 gen_require(`
 type device_t;
 ')
@@ -259,7 +259,7 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_create_generic_chr_file',`
+interface(`dev_create_generic_chr_files',`
 gen_require(`
 type device_t;
 ')
@@ -278,7 +278,7 @@ interface(`dev_create_generic_chr_file',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_generic_chr_file',`
+interface(`dev_getattr_generic_chr_files',`
 gen_require(`
 type device_t;
 ')
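Review bot: The new name `dev_relabel_generic_dev_dirs` in the `@@ -144,7 +144,7 @@` hunk keeps a `_dev_` infix that the sibling directory interfaces renamed earlier in this file drop (`dev_setattr_generic_dirs`, `dev_create_generic_dirs`), so the three `device_t` directory interfaces do not follow one pattern after the rename. `dev_relabel_generic_dirs` would match the other two, and the visible caller in lvm.te would change with it. Separately, the old interface names are removed rather than kept as aliases, so any policy module not touched by this patch that still calls one will presumably fail to build; the patch cannot show whether every caller was converted. The interface bodies lie outside these hunks, so only the names can be compared here.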
@@ -295,7 +295,7 @@ interface(`dev_getattr_generic_chr_file',`
 ## Domain to dontaudit access.
 ##
 #
-interface(`dev_dontaudit_getattr_generic_chr_file',`
+interface(`dev_dontaudit_getattr_generic_chr_files',`
 gen_require(`
 type device_t;
 ')
@@ -311,7 +311,7 @@ interface(`dev_dontaudit_getattr_generic_chr_file',`
 ## Domain to dontaudit access.
 ##
 #
-interface(`dev_dontaudit_setattr_generic_chr_file',`
+interface(`dev_dontaudit_setattr_generic_chr_files',`
 gen_require(`
 type device_t;
 ')
@@ -328,7 +328,7 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_setattr_generic_symlink',`
+interface(`dev_dontaudit_setattr_generic_symlinks',`
 gen_require(`
 type device_t;
 ')
@@ -344,7 +344,7 @@ interface(`dev_dontaudit_setattr_generic_symlink',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_del_generic_symlinks',`
+interface(`dev_delete_generic_symlinks',`
 gen_require(`
 type device_t;
 ')
@@ -395,7 +395,7 @@ interface(`dev_relabel_generic_symlinks',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_manage_dev_nodes',`
+interface(`dev_manage_all_dev_nodes',`
 gen_require(`
 attribute device_node, memory_raw_read, memory_raw_write;
 type device_t;
@@ -442,7 +442,7 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_manage_generic_blk_file',`
+interface(`dev_manage_generic_blk_files',`
 gen_require(`
 type device_t;
 ')
@@ -459,7 +459,7 @@ interface(`dev_manage_generic_blk_file',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_manage_generic_chr_file',`
+interface(`dev_manage_generic_chr_files',`
 gen_require(`
 type device_t;
 ')
@@ -484,7 +484,7 @@ interface(`dev_manage_generic_chr_file',`
 ## the transition will occur.
 ##
 #
-interface(`dev_filetrans_dev_node',`
+interface(`dev_filetrans_dev',`
 gen_require(`
 type device_t;
 ')
@@ -695,7 +695,7 @@ interface(`dev_getattr_agp_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_agp_dev',`
+interface(`dev_rw_agp',`
 gen_require(`
 type device_t, agp_device_t;
 ')
@@ -712,7 +712,7 @@ interface(`dev_rw_agp_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_apm_bios',`
+interface(`dev_getattr_apm_bios_dev',`
 gen_require(`
 type device_t, apm_bios_t;
 ')
@@ -730,7 +730,7 @@ interface(`dev_getattr_apm_bios',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_getattr_apm_bios',`
+interface(`dev_dontaudit_getattr_apm_bios_dev',`
 gen_require(`
 type apm_bios_t;
 ')
@@ -746,7 +746,7 @@ interface(`dev_dontaudit_getattr_apm_bios',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_apm_bios',`
+interface(`dev_setattr_apm_bios_dev',`
 gen_require(`
 type device_t, apm_bios_t;
 ')
@@ -764,7 +764,7 @@ interface(`dev_setattr_apm_bios',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_setattr_apm_bios',`
+interface(`dev_dontaudit_setattr_apm_bios_dev',`
 gen_require(`
 type apm_bios_t;
 ')
@@ -832,7 +832,7 @@ interface(`dev_dontaudit_rw_cardmgr',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_manage_cardmgr',`
+interface(`dev_manage_cardmgr_dev',`
 gen_require(`
 type device_t, cardmgr_dev_t;
 ')
@@ -851,7 +851,7 @@ interface(`dev_manage_cardmgr',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_create_cardmgr',`
+interface(`dev_create_cardmgr_dev',`
 gen_require(`
 type device_t, cardmgr_dev_t;
 ')
@@ -870,7 +870,7 @@ interface(`dev_create_cardmgr',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_cpu',`
+interface(`dev_getattr_cpu_dev',`
 gen_require(`
 type device_t, cpu_device_t;
 ')
@@ -939,7 +939,7 @@ interface(`dev_rw_crypto',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_dri_dev',`
+interface(`dev_rw_dri',`
 gen_require(`
 type device_t, dri_device_t;
 ')
@@ -956,7 +956,7 @@ interface(`dev_rw_dri_dev',`
 ## Domain to dontaudit access.
 ##
 #
-interface(`dev_dontaudit_rw_dri_dev',`
+interface(`dev_dontaudit_rw_dri',`
 gen_require(`
 type dri_device_t;
 ')
@@ -1024,7 +1024,7 @@ interface(`dev_rw_input_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_framebuffer',`
+interface(`dev_getattr_framebuffer_dev',`
 gen_require(`
 type device_t, framebuf_device_t;
 ')
@@ -1041,7 +1041,7 @@ interface(`dev_getattr_framebuffer',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_framebuffer',`
+interface(`dev_setattr_framebuffer_dev',`
 gen_require(`
 type device_t, framebuf_device_t;
 ')
@@ -1059,7 +1059,7 @@ interface(`dev_setattr_framebuffer',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_setattr_framebuffer',`
+interface(`dev_dontaudit_setattr_framebuffer_dev',`
 gen_require(`
 type framebuf_device_t;
 ')
@@ -1176,7 +1176,7 @@ interface(`dev_rw_lvm_control',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_delete_lvm_control',`
+interface(`dev_delete_lvm_control_dev',`
 gen_require(`
 type device_t, lvm_control_t;
 ')
@@ -1285,7 +1285,7 @@ interface(`dev_wx_raw_memory',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_misc',`
+interface(`dev_getattr_misc_dev',`
 gen_require(`
 type device_t, misc_device_t;
 ')
@@ -1303,7 +1303,7 @@ interface(`dev_getattr_misc',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_dontaudit_getattr_misc',`
+interface(`dev_dontaudit_getattr_misc_dev',`
 gen_require(`
 type misc_device_t;
 ')
@@ -1319,7 +1319,7 @@ interface(`dev_dontaudit_getattr_misc',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_misc',`
+interface(`dev_setattr_misc_dev',`
 gen_require(`
 type device_t, misc_device_t;
 ')
@@ -1337,7 +1337,7 @@ interface(`dev_setattr_misc',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_dontaudit_setattr_misc',`
+interface(`dev_dontaudit_setattr_misc_dev',`
 gen_require(`
 type misc_device_t;
 ')
@@ -1403,7 +1403,7 @@ interface(`dev_dontaudit_rw_misc',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_mouse',`
+interface(`dev_getattr_mouse_dev',`
 gen_require(`
 type device_t, mouse_device_t;
 ')
@@ -1420,7 +1420,7 @@ interface(`dev_getattr_mouse',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_mouse',`
+interface(`dev_setattr_mouse_dev',`
 gen_require(`
 type device_t, mouse_device_t;
 ')
@@ -1471,7 +1471,7 @@ interface(`dev_rw_mouse',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_mtrr',`
+interface(`dev_getattr_mtrr_dev',`
 gen_require(`
 type device_t, mtrr_device_t;
 ')
@@ -1537,7 +1537,7 @@ interface(`dev_rw_mtrr',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_null_dev',`
+interface(`dev_rw_null',`
 gen_require(`
 type device_t, null_device_t;
 ')
@@ -1554,7 +1554,7 @@ interface(`dev_rw_null_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_printer',`
+interface(`dev_setattr_printer_dev',`
 gen_require(`
 type device_t, printer_device_t;
 ')
@@ -1707,7 +1707,7 @@ interface(`dev_rw_realtime_clock',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_scanner',`
+interface(`dev_getattr_scanner_dev',`
 gen_require(`
 type device_t, scanner_device_t;
 ')
@@ -1725,7 +1725,7 @@ interface(`dev_getattr_scanner',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_getattr_scanner',`
+interface(`dev_dontaudit_getattr_scanner_dev',`
 gen_require(`
 type scanner_device_t;
 ')
@@ -1741,7 +1741,7 @@ interface(`dev_dontaudit_getattr_scanner',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_scanner',`
+interface(`dev_setattr_scanner_dev',`
 gen_require(`
 type device_t, scanner_device_t;
 ')
@@ -1759,7 +1759,7 @@ interface(`dev_setattr_scanner',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_setattr_scanner',`
+interface(`dev_dontaudit_setattr_scanner_dev',`
 gen_require(`
 type scanner_device_t;
 ')
@@ -1792,7 +1792,7 @@ interface(`dev_rw_scanner',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_snd_dev',`
+interface(`dev_getattr_sound_dev',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1809,7 +1809,7 @@ interface(`dev_getattr_snd_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_snd_dev',`
+interface(`dev_setattr_sound_dev',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1826,7 +1826,7 @@ interface(`dev_setattr_snd_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_read_snd_dev',`
+interface(`dev_read_sound',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1843,7 +1843,7 @@ interface(`dev_read_snd_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_write_snd_dev',`
+interface(`dev_write_sound',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1860,7 +1860,7 @@ interface(`dev_write_snd_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_read_snd_mixer_dev',`
+interface(`dev_read_sound_mixer',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1877,7 +1877,7 @@ interface(`dev_read_snd_mixer_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_write_snd_mixer_dev',`
+interface(`dev_write_sound_mixer',`
 gen_require(`
 type device_t, sound_device_t;
 ')
@@ -1894,7 +1894,7 @@ interface(`dev_write_snd_mixer_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_power_management',`
+interface(`dev_getattr_power_mgmt_dev',`
 gen_require(`
 type device_t, power_device_t;
 ')
@@ -1911,7 +1911,7 @@ interface(`dev_getattr_power_management',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_setattr_power_management',`
+interface(`dev_setattr_power_mgmt_dev',`
 gen_require(`
 type device_t, power_device_t;
 ')
@@ -1945,7 +1945,7 @@ interface(`dev_rw_power_management',`
 ## The type of the process performing this action.
 ##
 #
-interface(`dev_getattr_sysfs_dir',`
+interface(`dev_getattr_sysfs_dirs',`
 gen_require(`
 type sysfs_t;
 ')
@@ -2111,7 +2111,7 @@ interface(`dev_associate_usbfs',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_getattr_usbfs_dir',`
+interface(`dev_getattr_usbfs_dirs',`
 gen_require(`
 type usbfs_t;
 ')
@@ -2128,7 +2128,7 @@ interface(`dev_getattr_usbfs_dir',`
 ## Domain to not audit.
 ##
 #
-interface(`dev_dontaudit_getattr_usbfs_dir',`
+interface(`dev_dontaudit_getattr_usbfs_dirs',`
 gen_require(`
 type usbfs_t;
 ')
@@ -2316,7 +2316,7 @@ interface(`dev_setattr_xserver_misc_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_xserver_misc_dev',`
+interface(`dev_rw_xserver_misc',`
 gen_require(`
 type device_t, xserver_misc_device_t;
 ')
@@ -2333,7 +2333,7 @@ interface(`dev_rw_xserver_misc_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rw_zero_dev',`
+interface(`dev_rw_zero',`
 gen_require(`
 type device_t, zero_device_t;
 ')
@@ -2350,12 +2350,12 @@ interface(`dev_rw_zero_dev',`
 ## Domain allowed access.
 ##
 #
-interface(`dev_rwx_zero_dev',`
+interface(`dev_rwx_zero',`
 gen_require(`
 type zero_device_t;
 ')
- dev_rw_zero_dev($1)
+ dev_rw_zero($1)
 allow $1 zero_device_t:chr_file execute;
 ')
diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if
index 563a422..4514f5d 100644
--- a/refpolicy/policy/modules/kernel/domain.if
+++ b/refpolicy/policy/modules/kernel/domain.if
@@ -65,8 +65,8 @@ interface(`domain_type',`
 domain_base_type($1)
 # Use trusted objects in /dev
- dev_rw_null_dev($1)
- dev_rw_zero_dev($1)
+ dev_rw_null($1)
+ dev_rw_zero($1)
 term_use_controlling_term($1)
 # read the root directory
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index df6f2b2..9c38239 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -165,7 +165,7 @@ interface(`storage_create_fixed_disk',`
 ')
 allow $1 fixed_disk_device_t:blk_file create_file_perms;
- dev_filetrans_dev_node($1,fixed_disk_device_t,blk_file)
+ dev_filetrans_dev($1,fixed_disk_device_t,blk_file)
 typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index cc018ae..0f516ee 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -181,7 +181,7 @@ template(`apache_content_template',`
 miscfiles_read_localization(httpd_$1_script_t)
 # added back to make sediff nicer
- dev_rw_null_dev(httpd_$1_script_t)
+ dev_rw_null(httpd_$1_script_t)
 term_use_controlling_term(httpd_$1_script_t)
 allow httpd_$1_script_t self:dir r_dir_perms;
 allow httpd_$1_script_t self:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index 3c01cf1..d254885 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -43,7 +43,7 @@ files_filetrans_pid(gpm_t,gpm_var_run_t)
 allow gpm_t gpmctl_t:sock_file create_file_perms;
 allow gpm_t gpmctl_t:fifo_file create_file_perms;
-dev_filetrans_dev_node(gpm_t,gpmctl_t,{ sock_file fifo_file })
+dev_filetrans_dev(gpm_t,gpmctl_t,{ sock_file fifo_file })
 # cjp: this has no effect
 allow gpm_t gpmctl_t:unix_stream_socket name_bind;
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8c476b2..1a609e8 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -74,7 +74,7 @@ dev_read_mouse(hald_t)
 dev_rw_printer(hald_t)
 dev_read_lvm_control(hald_t)
 dev_getattr_all_chr_files(hald_t)
-dev_manage_generic_chr_file(hald_t)
+dev_manage_generic_chr_files(hald_t)
 # hal is now execing pm-suspend
 dev_rw_sysfs(hald_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 238f761..cd58cc5 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -149,7 +149,7 @@ can_exec(lpd_t, printconf_t)
 # Create and bind to /dev/printer.
 allow lpd_t printer_t:lnk_file create_lnk_perms;
-dev_filetrans_dev_node(lpd_t,printer_t,lnk_file)
+dev_filetrans_dev(lpd_t,printer_t,lnk_file)
 # cjp: I believe these have no effect:
 allow lpd_t printer_t:unix_stream_socket name_bind;
 allow lpd_t printer_t:unix_dgram_socket name_bind;
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 759a478..1e76716 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -45,8 +45,8 @@ files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
 kernel_read_system_state(remote_login_t)
 kernel_read_kernel_sysctl(remote_login_t)
-dev_getattr_mouse(remote_login_t)
-dev_setattr_mouse(remote_login_t)
+dev_getattr_mouse_dev(remote_login_t)
+dev_setattr_mouse_dev(remote_login_t)
 dev_dontaudit_search_sysfs(remote_login_t)
 # for SSP/ProPolice
 dev_read_urand(remote_login_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 6197168..ee36494 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -247,7 +247,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
-dev_dontaudit_getattr_usbfs_dir(smbd_t)
+dev_dontaudit_getattr_usbfs_dirs(smbd_t)
 fs_getattr_all_fs(smbd_t)
 fs_get_xattr_fs_quotas(smbd_t)
@@ -390,7 +390,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
 dev_read_sysfs(nmbd_t)
-dev_getattr_mtrr(nmbd_t)
+dev_getattr_mtrr_dev(nmbd_t)
 fs_getattr_all_fs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index 0b236cd..a6ca08f 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -52,8 +52,8 @@ corenet_tcp_bind_all_nodes(timidity_t)
 corenet_udp_bind_all_nodes(timidity_t)
 dev_read_sysfs(timidity_t)
-dev_read_snd_dev(timidity_t)
-dev_write_snd_dev(timidity_t)
+dev_read_sound(timidity_t)
+dev_write_sound(timidity_t)
 fs_search_auto_mountpoints(timidity_t)
diff --git a/refpolicy/policy/modules/services/xserver.if b/refpolicy/policy/modules/services/xserver.if
index 37ac35e..c088991 100644
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@@ -98,16 +98,16 @@ template(`xserver_common_domain_template',`
 dev_rw_mouse($1_xserver_t)
 dev_rw_mtrr($1_xserver_t)
 dev_rw_apm_bios($1_xserver_t)
- dev_rw_agp_dev($1_xserver_t)
+ dev_rw_agp($1_xserver_t)
 dev_rw_framebuffer($1_xserver_t)
 dev_manage_dri_dev($1_xserver_t)
- dev_create_dir($1_xserver_t)
- dev_setattr_dev_dir($1_xserver_t)
+ dev_create_generic_dirs($1_xserver_t)
+ dev_setattr_generic_dirs($1_xserver_t)
 # raw memory access is needed if not using the frame buffer
 dev_read_raw_memory($1_xserver_t)
 dev_write_raw_memory($1_xserver_t)
 # for other device nodes such as the NVidia binary-only driver
- dev_rw_xserver_misc_dev($1_xserver_t)
+ dev_rw_xserver_misc($1_xserver_t)
 # read events - the synaptics touchpad driver reads raw events
 dev_rw_input_dev($1_xserver_t)
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index 623f759..d089091 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -117,27 +117,27 @@ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
 dev_read_rand(xdm_t)
 dev_read_urand(xdm_t)
 dev_read_sysfs(xdm_t)
-dev_getattr_framebuffer(xdm_t)
-dev_setattr_framebuffer(xdm_t)
-dev_getattr_mouse(xdm_t)
-dev_setattr_mouse(xdm_t)
+dev_getattr_framebuffer_dev(xdm_t)
+dev_setattr_framebuffer_dev(xdm_t)
+dev_getattr_mouse_dev(xdm_t)
+dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
-dev_setattr_apm_bios(xdm_t)
-dev_rw_dri_dev(xdm_t)
-dev_rw_agp_dev(xdm_t)
+dev_setattr_apm_bios_dev(xdm_t)
+dev_rw_dri(xdm_t)
+dev_rw_agp(xdm_t)
 dev_getattr_xserver_misc_dev(xdm_t)
 dev_setattr_xserver_misc_dev(xdm_t)
-dev_getattr_misc(xdm_t)
-dev_setattr_misc(xdm_t)
+dev_getattr_misc_dev(xdm_t)
+dev_setattr_misc_dev(xdm_t)
 dev_dontaudit_rw_misc(xdm_t)
 dev_getattr_video_dev(xdm_t)
 dev_setattr_video_dev(xdm_t)
-dev_getattr_scanner(xdm_t)
-dev_setattr_scanner(xdm_t)
-dev_getattr_snd_dev(xdm_t)
-dev_setattr_snd_dev(xdm_t)
-dev_getattr_power_management(xdm_t)
-dev_setattr_power_management(xdm_t)
+dev_getattr_scanner_dev(xdm_t)
+dev_setattr_scanner_dev(xdm_t)
+dev_getattr_sound_dev(xdm_t)
+dev_setattr_sound_dev(xdm_t)
+dev_getattr_power_mgmt_dev(xdm_t)
+dev_setattr_power_mgmt_dev(xdm_t)
 domain_use_wide_inherit_fd(xdm_t)
 # Do not audit denied probes of /proc.
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index 3c379fb..c493c45 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -77,7 +77,7 @@ corenet_tcp_bind_zebra_port(zebra_t)
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)
 dev_read_sysfs(zebra_t)
-dev_rw_zero_dev(zebra_t)
+dev_rw_zero(zebra_t)
 fs_getattr_all_fs(zebra_t)
 fs_search_auto_mountpoints(zebra_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index b2208fb..a734e22 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -151,20 +151,20 @@ kernel_use_fd(pam_console_t)
 kernel_read_system_state(pam_console_t)
 dev_read_sysfs(pam_console_t)
-dev_getattr_apm_bios(pam_console_t)
-dev_setattr_apm_bios(pam_console_t)
-dev_getattr_framebuffer(pam_console_t)
-dev_setattr_framebuffer(pam_console_t)
-dev_getattr_misc(pam_console_t)
-dev_setattr_misc(pam_console_t)
-dev_getattr_mouse(pam_console_t)
-dev_setattr_mouse(pam_console_t)
-dev_getattr_power_management(pam_console_t)
-dev_setattr_power_management(pam_console_t)
-dev_getattr_scanner(pam_console_t)
-dev_setattr_scanner(pam_console_t)
-dev_getattr_snd_dev(pam_console_t)
-dev_setattr_snd_dev(pam_console_t)
+dev_getattr_apm_bios_dev(pam_console_t)
+dev_setattr_apm_bios_dev(pam_console_t)
+dev_getattr_framebuffer_dev(pam_console_t)
+dev_setattr_framebuffer_dev(pam_console_t)
+dev_getattr_misc_dev(pam_console_t)
+dev_setattr_misc_dev(pam_console_t)
+dev_getattr_mouse_dev(pam_console_t)
+dev_setattr_mouse_dev(pam_console_t)
+dev_getattr_power_mgmt_dev(pam_console_t)
+dev_setattr_power_mgmt_dev(pam_console_t)
+dev_getattr_scanner_dev(pam_console_t)
+dev_setattr_scanner_dev(pam_console_t)
+dev_getattr_sound_dev(pam_console_t)
+dev_setattr_sound_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 8a5e37b..070e38e 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -68,7 +68,7 @@ dev_search_usbfs(fsadm_t)
 # for swapon
 dev_read_sysfs(fsadm_t)
 # Access to /initrd devices
-dev_getattr_usbfs_dir(fsadm_t)
+dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index de64e15..c0ed117 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -66,8 +66,8 @@ corenet_udp_bind_all_nodes(hotplug_t)
 dev_rw_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
-dev_setattr_printer(hotplug_t)
-dev_setattr_snd_dev(hotplug_t)
+dev_setattr_printer_dev(hotplug_t)
+dev_setattr_sound_dev(hotplug_t)
 # for SSP:
 dev_read_urand(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 60754d0..07b7198 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -108,7 +108,7 @@ files_filetrans_pid(init_t,init_var_run_t)
 allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
 fs_associate_tmpfs(initctl_t)
-dev_filetrans_dev_node(init_t,initctl_t,fifo_file)
+dev_filetrans_dev(init_t,initctl_t,fifo_file)
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -264,14 +264,14 @@ dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
-dev_read_snd_mixer_dev(initrc_t)
-dev_write_snd_mixer_dev(initrc_t)
+dev_read_sound_mixer(initrc_t)
+dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_read_lvm_control(initrc_t)
-dev_delete_lvm_control(initrc_t)
+dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 # Wants to remove udev.tbl:
-dev_del_generic_symlinks(initrc_t)
+dev_delete_generic_symlinks(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -382,7 +382,7 @@ userdom_read_all_user_files(initrc_t)
 userdom_use_sysadm_terms(initrc_t)
 ifdef(`distro_debian',`
- dev_setattr_dev_dir(initrc_t)
+ dev_setattr_generic_dirs(initrc_t)
 fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
@@ -421,8 +421,8 @@ ifdef(`distro_redhat',`
 # These seem to be from the initrd
 # during device initialization:
- dev_create_dir(initrc_t)
- dev_rwx_zero_dev(initrc_t)
+ dev_create_generic_dirs(initrc_t)
+ dev_rwx_zero(initrc_t)
 dev_rx_raw_memory(initrc_t)
 dev_wx_raw_memory(initrc_t)
 storage_raw_read_fixed_disk(initrc_t)
@@ -500,7 +500,7 @@ optional_policy(`bluetooth',`
 optional_policy(`cpucontrol',`
 cpucontrol_stub(initrc_t)
- dev_getattr_cpu(initrc_t)
+ dev_getattr_cpu_dev(initrc_t)
 ')
 optional_policy(`cups',`
@@ -576,7 +576,7 @@ optional_policy(`lvm',`
 #allow initrc_t lvm_control_t:chr_file unlink;
 dev_read_lvm_control(initrc_t)
- dev_create_generic_chr_file(initrc_t)
+ dev_create_generic_chr_files(initrc_t)
 lvm_read_config(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 1d68157..1b53bc8 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -61,25 +61,25 @@ files_filetrans_tmp(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
-dev_setattr_mouse(local_login_t)
-dev_getattr_mouse(local_login_t)
-dev_getattr_power_management(local_login_t)
-dev_setattr_power_management(local_login_t)
-dev_getattr_snd_dev(local_login_t)
-dev_setattr_snd_dev(local_login_t)
-dev_dontaudit_getattr_apm_bios(local_login_t)
-dev_dontaudit_setattr_apm_bios(local_login_t)
+dev_setattr_mouse_dev(local_login_t)
+dev_getattr_mouse_dev(local_login_t)
+dev_getattr_power_mgmt_dev(local_login_t)
+dev_setattr_power_mgmt_dev(local_login_t)
+dev_getattr_sound_dev(local_login_t)
+dev_setattr_sound_dev(local_login_t)
+dev_dontaudit_getattr_apm_bios_dev(local_login_t)
+dev_dontaudit_setattr_apm_bios_dev(local_login_t)
 dev_dontaudit_read_framebuffer(local_login_t)
-dev_dontaudit_setattr_framebuffer(local_login_t)
-dev_dontaudit_getattr_generic_blk_file(local_login_t)
-dev_dontaudit_setattr_generic_blk_file(local_login_t)
-dev_dontaudit_getattr_generic_chr_file(local_login_t)
-dev_dontaudit_setattr_generic_chr_file(local_login_t)
-dev_dontaudit_setattr_generic_symlink(local_login_t)
-dev_dontaudit_getattr_misc(local_login_t)
-dev_dontaudit_setattr_misc(local_login_t)
-dev_dontaudit_getattr_scanner(local_login_t)
-dev_dontaudit_setattr_scanner(local_login_t)
+dev_dontaudit_setattr_framebuffer_dev(local_login_t)
+dev_dontaudit_getattr_generic_blk_files(local_login_t)
+dev_dontaudit_setattr_generic_blk_files(local_login_t)
+dev_dontaudit_getattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_chr_files(local_login_t)
+dev_dontaudit_setattr_generic_symlinks(local_login_t)
+dev_dontaudit_getattr_misc_dev(local_login_t)
+dev_dontaudit_setattr_misc_dev(local_login_t)
+dev_dontaudit_getattr_scanner_dev(local_login_t)
+dev_dontaudit_setattr_scanner_dev(local_login_t)
 dev_dontaudit_search_sysfs(local_login_t)
 dev_dontaudit_getattr_video_dev(local_login_t)
 dev_dontaudit_setattr_video_dev(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4a49c91..6c6795f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -301,7 +301,7 @@ kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
-dev_filetrans_dev_node(syslogd_t,devlog_t,sock_file)
+dev_filetrans_dev(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 331dd1e..b72beaf 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -176,13 +176,13 @@ selinux_compute_create_context(lvm_t)
 selinux_compute_relabel_context(lvm_t)
 selinux_compute_user_contexts(lvm_t)
-dev_create_generic_chr_file(lvm_t)
+dev_create_generic_chr_files(lvm_t)
 dev_read_rand(lvm_t)
 dev_read_urand(lvm_t)
 dev_rw_lvm_control(lvm_t)
 dev_manage_generic_symlinks(lvm_t)
-dev_relabel_dev_dirs(lvm_t)
-dev_manage_generic_blk_file(lvm_t)
+dev_relabel_generic_dev_dirs(lvm_t)
+dev_manage_generic_blk_files(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
 dev_read_sysfs(lvm_t)
 # cjp: this has no effect since LVM does not
@@ -192,9 +192,9 @@ dev_relabel_generic_symlinks(lvm_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dev_dontaudit_read_all_chr_files(lvm_t)
 dev_dontaudit_read_all_blk_files(lvm_t)
-dev_dontaudit_getattr_generic_chr_file(lvm_t)
-dev_dontaudit_getattr_generic_blk_file(lvm_t)
-dev_dontaudit_getattr_generic_pipe(lvm_t)
+dev_dontaudit_getattr_generic_chr_files(lvm_t)
+dev_dontaudit_getattr_generic_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_pipes(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 7ae0e5d..deb0179 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -74,9 +74,9 @@ dev_search_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_write_mtrr(insmod_t)
 dev_read_urand(insmod_t)
-dev_rw_agp_dev(insmod_t)
-dev_read_snd_dev(insmod_t)
-dev_write_snd_dev(insmod_t)
+dev_rw_agp(insmod_t)
+dev_read_sound(insmod_t)
+dev_write_sound(insmod_t)
 dev_rw_apm_bios(insmod_t)
 # cjp: why is this needed? insmod cannot mounton any dir
 # and it also transitions to mount
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index e13d742..d9299a7 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -38,7 +38,7 @@ allow cardmgr_t self:unix_dgram_socket create_socket_perms;
 allow cardmgr_t self:unix_stream_socket create_socket_perms;
 allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
-dev_filetrans_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
+dev_filetrans_dev(cardmgr_t,cardmgr_lnk_t,lnk_file)
 # Create stab file
 allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
@@ -55,8 +55,8 @@ kernel_dontaudit_getattr_message_if(cardmgr_t)
 bootloader_search_kernel_modules(cardmgr_t)
 dev_read_sysfs(cardmgr_t)
-dev_manage_cardmgr(cardmgr_t)
-dev_create_cardmgr(cardmgr_t)
+dev_manage_cardmgr_dev(cardmgr_t)
+dev_create_cardmgr_dev(cardmgr_t)
 dev_getattr_all_chr_files(cardmgr_t)
 dev_getattr_all_blk_files(cardmgr_t)
 # for SSP
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 3bc1b79..56af088 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -323,7 +323,7 @@ kernel_rw_pipe(restorecon_t)
 kernel_read_system_state(restorecon_t)
 # cjp: why is this needed?
-dev_rw_generic_file(restorecon_t)
+dev_rw_generic_files(restorecon_t)
 fs_getattr_xattr_fs(restorecon_t)
 fs_search_auto_mountpoints(restorecon_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index cc1be10..da2d3d8 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -66,7 +66,7 @@ allow udev_t udev_etc_t:file r_file_perms;
 # create udev database in /dev/.udevdb
 allow udev_t udev_tbl_t:file create_file_perms;
-dev_filetrans_dev_node(udev_t,udev_tbl_t,file)
+dev_filetrans_dev(udev_t,udev_tbl_t,file)
 allow udev_t udev_var_run_t:file create_file_perms;
 allow udev_t udev_var_run_t:dir rw_dir_perms;
@@ -85,9 +85,9 @@ kernel_sendto_unix_dgram_socket(udev_t)
 kernel_signal(udev_t)
 dev_rw_sysfs(udev_t)
-dev_manage_dev_nodes(udev_t)
-dev_rw_generic_file(udev_t)
-dev_delete_generic_file(udev_t)
+dev_manage_all_dev_nodes(udev_t)
+dev_rw_generic_files(udev_t)
+dev_delete_generic_files(udev_t)
 fs_getattr_all_fs(udev_t)
 fs_search_inotifyfs(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 863c3be..b04ca52 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -176,15 +176,15 @@ template(`base_user_template',`
 dev_read_input($1_t)
 dev_read_misc($1_t)
 dev_write_misc($1_t)
- dev_write_snd_dev($1_t)
- dev_read_snd_dev($1_t)
- dev_read_snd_mixer_dev($1_t)
- dev_write_snd_mixer_dev($1_t)
+ dev_write_sound($1_t)
+ dev_read_sound($1_t)
+ dev_read_sound_mixer($1_t)
+ dev_write_sound_mixer($1_t)
 dev_read_rand($1_t)
 dev_read_urand($1_t)
 # open office is looking for the following
 dev_getattr_agp_dev($1_t)
- dev_dontaudit_rw_dri_dev($1_t)
+ dev_dontaudit_rw_dri($1_t)
 fs_get_all_fs_quotas($1_t)
 fs_getattr_all_fs($1_t)
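Review bot: In the udev.te hunk at -85,9, `dev_manage_dev_nodes(udev_t)` becomes `dev_manage_all_dev_nodes(udev_t)`, and the new name states a scope ("all") that the old name did not. The interface definition in devices.if is not part of this hunk, so it cannot be confirmed from here that the body is unchanged; if it was redefined rather than only renamed, udev_t's device access changes without any visible rule change in udev.te. Once the two bodies have been compared, I would record the intent above the call with a comment such as `# udev creates and removes every kind of device node; the all-nodes interface is intentional`.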
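Review bot: `dev_getattr_agp_dev($1_t)` in the base_user_template hunk (-176,15) keeps its `_dev` suffix, while this commit drops the suffix from the calls around it (`dev_dontaudit_rw_dri`, the `dev_*_sound` and `dev_*_sound_mixer` pairs) and from `dev_rw_agp(insmod_t)` in modutils.te. If devices.if renamed the getattr interface as well, this call would no longer resolve when the policy is built; if it did not, the AGP interfaces are now named two different ways. Should the name be kept on purpose, a comment such as `# dev_getattr_agp_dev was not part of the interface rename` would make that clear. The template starts and ends outside the hunk, so other callers in it are not visible here.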
@@ -437,7 +437,7 @@ template(`base_user_template',`
 ')
 optional_policy(`xserver',`
- dev_rw_xserver_misc_dev($1_t)
+ dev_rw_xserver_misc($1_t)
 xserver_xsession_entry_type($1_t)
 xserver_dontaudit_write_log($1_t)
 xserver_stream_connect_xdm($1_t)
@@ -838,8 +838,8 @@ template(`admin_user_template',`
 # allow setting up tunnels
 corenet_use_tun_tap_device($1_t)
- dev_getattr_generic_blk_file($1_t)
- dev_getattr_generic_chr_file($1_t)
+ dev_getattr_generic_blk_files($1_t)
+ dev_getattr_generic_chr_files($1_t)
 dev_getattr_all_blk_files($1_t)
 dev_getattr_all_chr_files($1_t)