diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index bc7dd8b..893e3e6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -64,7 +64,7 @@ userdom_use_sysadm_fd(consoletype_t)
userdom_rw_sysadm_pipe(consoletype_t)
ifdef(`distro_redhat',`
- fs_use_tmpfs_chr_dev(consoletype_t)
+ fs_rw_tmpfs_chr_files(consoletype_t)
')
optional_policy(`apm',`
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index c69ecf4..dad3a07 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -60,7 +60,7 @@ dev_rwx_zero(kudzu_t)
fs_search_auto_mountpoints(kudzu_t)
fs_search_ramfs(kudzu_t)
-fs_write_ramfs_socket(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
mls_file_read_up(kudzu_t)
mls_file_write_down(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 672c1ee..cdb87b7 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -31,8 +31,8 @@ dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
-fs_get_xattr_fs_quota(quota_t)
-fs_set_xattr_fs_quota(quota_t)
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
fs_remount_xattr_fs(quota_t)
fs_search_auto_mountpoints(quota_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index e429bfc..7ebcc13 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -33,7 +33,7 @@ dev_manage_generic_symlinks(updfstab_t)
fs_getattr_xattr_fs(updfstab_t)
fs_getattr_tmpfs(updfstab_t)
-fs_getattr_tmpfs_dir(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
fs_search_auto_mountpoints(updfstab_t)
selinux_get_fs_mount(updfstab_t)
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index caadac5..8202d42 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -138,14 +138,14 @@ template(`cdrecord_per_userdomain_template', `
ifdef(`enable_mls',`
',`
- fs_search_removable_dirs($1_cdrecord_t)
+ fs_search_removable($1_cdrecord_t)
fs_read_removable_files($1_cdrecord_t)
fs_read_removable_symlinks($1_cdrecord_t)
')
',`
files_dontaudit_list_tmp($1_cdrecord_t)
files_dontaudit_list_home($1_cdrecord_t)
- fs_dontaudit_list_removable_dirs($1_cdrecord_t)
+ fs_dontaudit_list_removable($1_cdrecord_t)
fs_donaudit_read_removable_files($1_cdrecord_t)
userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
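Review bot: The context line `fs_donaudit_read_removable_files($1_cdrecord_t)`, directly below the renamed `fs_dontaudit_list_removable` call, is spelled `donaudit` rather than `dontaudit`, and this commit leaves it unchanged. No interface with that spelling appears in the filesystem.if hunks of this patch, so the call presumably does not resolve and the intended dontaudit rule is never generated. Since the neighbouring line is already being touched, change it to `fs_dontaudit_read_removable_files($1_cdrecord_t)`, after confirming that interface exists in filesystem.if. The enclosing `cdrecord_per_userdomain_template` starts and ends outside the hunk.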
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 6b324c0..c5cc6ea 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -155,7 +155,7 @@ dev_node(urandom_device_t)
#
type usbfs_t alias usbdevfs_t;
files_mountpoint(usbfs_t)
-fs_make_noxattr_fs(usbfs_t)
+fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 756b542..fe21fa6 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -31,7 +31,7 @@ interface(`fs_type',`
## The type of the process performing this action.
##
#
-interface(`fs_make_noxattr_fs',`
+interface(`fs_noxattr_type',`
gen_require(`
attribute noxattrfs;
')
@@ -173,24 +173,6 @@ interface(`fs_getattr_xattr_fs',`
########################################
##
-## Get the quotas of a persistent
-## filesystem which has extended
-## attributes, such as ext3, JFS, or XFS.
-##
-##
-## The type of the domain getting quotas.
-##
-#
-interface(`fs_get_xattr_fs_quotas',`
- gen_require(`
- type fs_t;
- ')
-
- allow $1 fs_t:filesystem quotaget;
-')
-
-########################################
-##
## Do not audit attempts to
## get the attributes of a persistent
## filesystem which has extended
@@ -235,7 +217,7 @@ interface(`fs_relabelfrom_xattr_fs',`
## The type of the domain mounting the filesystem.
##
#
-interface(`fs_get_xattr_fs_quota',`
+interface(`fs_get_xattr_fs_quotas',`
gen_require(`
type fs_t;
')
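Review bot: The parameter description kept above `fs_get_xattr_fs_quotas` still reads "The type of the domain mounting the filesystem.", which does not describe a quota interface. The duplicate definition this commit deletes earlier in the file had the accurate wording, "The type of the domain getting quotas."; carry that over here. `fs_set_xattr_fs_quotas` in the next hunk has the same copy-pasted line and should get `## The type of the domain setting quotas.`. Only the tail of each doc block and the start of each body are visible, so check the summary text and confirm the retained body grants the same `quotaget` permission as the deleted one.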
@@ -252,7 +234,7 @@ interface(`fs_get_xattr_fs_quota',`
## The type of the domain mounting the filesystem.
##
#
-interface(`fs_set_xattr_fs_quota',`
+interface(`fs_set_xattr_fs_quotas',`
gen_require(`
type fs_t;
')
@@ -650,7 +632,7 @@ interface(`fs_read_cifs_symlinks',`
## The type of the domain executing the files.
##
#
-interface(`fs_execute_cifs_files',`
+interface(`fs_exec_cifs_files',`
gen_require(`
type cifs_t;
')
@@ -1189,7 +1171,7 @@ interface(`fs_write_nfs_files',`
## The type of the domain executing the files.
##
#
-interface(`fs_execute_nfs_files',`
+interface(`fs_exec_nfs_files',`
gen_require(`
type nfs_t;
')
@@ -1257,7 +1239,7 @@ interface(`fs_getattr_rpc_dirs',`
## The type of the domain reading the symbolic links.
##
#
-interface(`fs_search_rpc_dirs',`
+interface(`fs_search_rpc',`
gen_require(`
type rpc_pipefs_t;
')
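Review bot: The description above the renamed `fs_search_rpc` says "The type of the domain reading the symbolic links.", which looks copy-pasted from a symlink interface and does not match an interface that requires `rpc_pipefs_t` and is named for directory search. A line such as `## Domain allowed to search rpc_pipefs directories.` would fit. The same stale line sits above `fs_list_rpc` in a later hunk of this file. The interface bodies continue outside the hunks, so confirm the permissions actually granted before rewording.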
@@ -1273,7 +1255,7 @@ interface(`fs_search_rpc_dirs',`
## Domain allowed access.
##
#
-interface(`fs_search_removable_dirs',`
+interface(`fs_search_removable',`
gen_require(`
type removable_t;
')
@@ -1290,7 +1272,7 @@ interface(`fs_search_removable_dirs',`
## Domain not to audit.
##
#
-interface(`fs_dontaudit_list_removable_dirs',`
+interface(`fs_dontaudit_list_removable',`
gen_require(`
type removable_t;
')
@@ -1354,7 +1336,7 @@ interface(`fs_read_removable_symlinks',`
## The type of the domain reading the symbolic links.
##
#
-interface(`fs_read_rpc_dirs',`
+interface(`fs_list_rpc',`
gen_require(`
type rpc_pipefs_t;
')
@@ -1787,7 +1769,7 @@ interface(`fs_dontaudit_search_ramfs',`
## Domain allowed access.
##
#
-interface(`fs_write_ramfs_pipe',`
+interface(`fs_write_ramfs_pipes',`
gen_require(`
type ramfs_t;
')
@@ -1803,7 +1785,7 @@ interface(`fs_write_ramfs_pipe',`
## Domain allowed access.
##
#
-interface(`fs_rw_ramfs_pipe',`
+interface(`fs_rw_ramfs_pipes',`
gen_require(`
type ramfs_t;
')
@@ -1819,7 +1801,7 @@ interface(`fs_rw_ramfs_pipe',`
## Domain allowed access.
##
#
-interface(`fs_write_ramfs_socket',`
+interface(`fs_write_ramfs_sockets',`
gen_require(`
type ramfs_t;
')
@@ -2051,7 +2033,7 @@ interface(`fs_associate_tmpfs',`
## Domain allowed access.
##
#
-interface(`fs_getattr_tmpfs_dir',`
+interface(`fs_getattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
@@ -2067,7 +2049,7 @@ interface(`fs_getattr_tmpfs_dir',`
## Domain allowed access.
##
#
-interface(`fs_setattr_tmpfs_dir',`
+interface(`fs_setattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
@@ -2202,7 +2184,7 @@ interface(`fs_manage_auto_mountpoints',`
## The type of the process performing this action.
##
#
-interface(`fs_rw_tmpfs_file',`
+interface(`fs_rw_tmpfs_files',`
gen_require(`
type tmpfs_t;
')
@@ -2236,7 +2218,7 @@ interface(`fs_read_tmpfs_symlinks',`
## The type of the process performing this action.
##
#
-interface(`fs_use_tmpfs_chr_dev',`
+interface(`fs_rw_tmpfs_chr_files',`
gen_require(`
type tmpfs_t;
')
@@ -2270,7 +2252,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
## The type of the process performing this action.
##
#
-interface(`fs_relabel_tmpfs_chr_dev',`
+interface(`fs_relabel_tmpfs_chr_file',`
gen_require(`
type tmpfs_t;
')
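Review bot: `fs_relabel_tmpfs_chr_file` is singular, while the other tmpfs device interfaces renamed in this commit take the plural form (`fs_rw_tmpfs_chr_files`, `fs_manage_tmpfs_chr_files`). `fs_relabel_tmpfs_blk_file` two hunks below has the same mismatch. The hunk header also shows `fs_dontaudit_use_tmpfs_chr_dev` keeping the old `use_..._chr_dev` scheme, so the allow and dontaudit variants for the same object no longer share a name pattern. If the plural object-class suffix is the intended convention, use `fs_relabel_tmpfs_chr_files` and `fs_relabel_tmpfs_blk_files`, and rename the dontaudit interface in the same pass so callers can predict interface names.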
@@ -2287,7 +2269,7 @@ interface(`fs_relabel_tmpfs_chr_dev',`
## The type of the process performing this action.
##
#
-interface(`fs_use_tmpfs_blk_dev',`
+interface(`fs_rw_tmpfs_blk_files',`
gen_require(`
type tmpfs_t;
')
@@ -2304,7 +2286,7 @@ interface(`fs_use_tmpfs_blk_dev',`
## The type of the process performing this action.
##
#
-interface(`fs_relabel_tmpfs_blk_dev',`
+interface(`fs_relabel_tmpfs_blk_file',`
gen_require(`
type tmpfs_t;
')
@@ -2376,7 +2358,7 @@ interface(`fs_manage_tmpfs_sockets',`
## The type of the process performing this action.
##
#
-interface(`fs_manage_tmpfs_chr_dev',`
+interface(`fs_manage_tmpfs_chr_files',`
gen_require(`
type tmpfs_t;
')
@@ -2394,7 +2376,7 @@ interface(`fs_manage_tmpfs_chr_dev',`
## The type of the process performing this action.
##
#
-interface(`fs_manage_tmpfs_blk_dev',`
+interface(`fs_manage_tmpfs_blk_files',`
gen_require(`
type tmpfs_t;
')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index a00b7d2..3ad5ae6 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -614,13 +614,13 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
- fs_execute_nfs_files(httpd_suexec_t)
+ fs_exec_nfs_files(httpd_suexec_t)
')
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
- fs_execute_cifs_files(httpd_suexec_t)
+ fs_exec_cifs_files(httpd_suexec_t)
')
optional_policy(`mailman',`
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 7501a14..cf3114b 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -52,7 +52,7 @@ kernel_read_sysctl(rpcd_t)
corenet_udp_bind_generic_port(rpcd_t)
corenet_udp_bind_reserved_port(rpcd_t)
-fs_read_rpc_dirs(rpcd_t)
+fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_read_rpc_sockets(rpcd_t)
@@ -134,7 +134,7 @@ corenet_udp_bind_reserved_port(gssd_t)
dev_read_urand(gssd_t)
-fs_read_rpc_dirs(gssd_t)
+fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 79bc20c..320ce64 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -37,10 +37,13 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
/tmp/\.ICE-unix -d gen_context(system_u:object_r:ice_tmp_t,s0)
/tmp/\.ICE-unix/.* -s <>
-/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0)
/tmp/\.X11-unix/.* -s <>
+ifdef(`strict_policy',`
+/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+')
+
#
# /usr
#
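Review bot: The new ifdef on `strict_policy` has no comment explaining why `/tmp/\.X0-lock` is labelled `xdm_xserver_tmp_t` only in strict builds. A reader cannot tell what label the lock file is meant to receive otherwise; presumably it falls back to whatever the generic /tmp rules assign. Add a one-line `#` comment above the ifdef stating the reason, for example that the type is only declared under the strict policy, if that is the case. The entry also matches display 0 only, so lock files for other displays are not covered by it; that may be intentional but is worth stating in the same comment.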
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d43696c..01a4284 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@@ -308,14 +308,14 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
fs_manage_nfs_files(xdm_t)
fs_manage_nfs_symlinks(xdm_t)
- fs_execute_nfs_files(xdm_t)
+ fs_exec_nfs_files(xdm_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xdm_t)
fs_manage_cifs_files(xdm_t)
fs_manage_cifs_symlinks(xdm_t)
- fs_execute_cifs_files(xdm_t)
+ fs_exec_cifs_files(xdm_t)
')
optional_policy(`gpm',`
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 25f84f1..9828823 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -74,13 +74,13 @@ dev_rw_lvm_control(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
-fs_rw_ramfs_pipe(fsadm_t)
-fs_rw_tmpfs_file(fsadm_t)
+fs_rw_ramfs_pipes(fsadm_t)
+fs_rw_tmpfs_files(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
-fs_getattr_tmpfs_dir(fsadm_t)
+fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
mls_file_write_down(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 5ede464..1ce3c8c 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -129,7 +129,7 @@ ifdef(`distro_redhat', `
optional_policy(`netutils',`
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(hotplug_t)
- fs_use_tmpfs_chr_dev(hotplug_t)
+ fs_rw_tmpfs_chr_files(hotplug_t)
')
files_getattr_generic_locks(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 402748f..13d819a 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -164,7 +164,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
- fs_use_tmpfs_chr_dev(init_t)
+ fs_rw_tmpfs_chr_files(init_t)
fs_filetrans_tmpfs(init_t,initctl_t,fifo_file)
')
@@ -275,7 +275,7 @@ dev_delete_generic_symlinks(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-fs_write_ramfs_pipe(initrc_t)
+fs_write_ramfs_pipes(initrc_t)
# cjp: not sure why these are here; should use mount policy
fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
@@ -387,7 +387,7 @@ ifdef(`distro_debian',`
fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
# for storing state under /dev/shm
- fs_setattr_tmpfs_dir(initrc_t)
+ fs_setattr_tmpfs_dirs(initrc_t)
storage_create_fixed_disk_tmpfs(initrc_t)
files_setattr_etc_dirs(initrc_t)
@@ -428,7 +428,7 @@ ifdef(`distro_redhat',`
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
- fs_use_tmpfs_chr_dev(initrc_t)
+ fs_rw_tmpfs_chr_files(initrc_t)
storage_create_fixed_disk(initrc_t)
storage_getattr_removable_device(initrc_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 2f42111..d4ca0a6 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -239,7 +239,7 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-fs_use_tmpfs_chr_dev(sulogin_t)
+fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 335f561..d942538 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -45,7 +45,7 @@ fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
-fs_use_tmpfs_chr_dev(mount_t)
+fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
term_use_all_terms(mount_t)
@@ -113,7 +113,7 @@ optional_policy(`portmap',`
corenet_udp_bind_reserved_port(mount_t)
corenet_tcp_connect_all_ports(mount_t)
- fs_search_rpc_dirs(mount_t)
+ fs_search_rpc(mount_t)
portmap_udp_sendrecv(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 951ff53..55ff9a6 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -369,10 +369,10 @@ files_list_all(restorecon_t)
auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
- fs_use_tmpfs_chr_dev(restorecon_t)
- fs_use_tmpfs_blk_dev(restorecon_t)
- fs_relabel_tmpfs_blk_dev(restorecon_t)
- fs_relabel_tmpfs_chr_dev(restorecon_t)
+ fs_rw_tmpfs_chr_files(restorecon_t)
+ fs_rw_tmpfs_blk_files(restorecon_t)
+ fs_relabel_tmpfs_blk_file(restorecon_t)
+ fs_relabel_tmpfs_chr_file(restorecon_t)
')
ifdef(`hide_broken_symptoms',`
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 1a48e57..f831dde 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -150,10 +150,10 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_files(udev_t)
fs_manage_tmpfs_symlinks(udev_t)
fs_manage_tmpfs_sockets(udev_t)
- fs_manage_tmpfs_blk_dev(udev_t)
- fs_manage_tmpfs_chr_dev(udev_t)
- fs_relabel_tmpfs_blk_dev(udev_t)
- fs_relabel_tmpfs_chr_dev(udev_t)
+ fs_manage_tmpfs_blk_files(udev_t)
+ fs_manage_tmpfs_chr_files(udev_t)
+ fs_relabel_tmpfs_blk_file(udev_t)
+ fs_relabel_tmpfs_chr_file(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c34e666..70fafca 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -290,7 +290,7 @@ template(`base_user_template',`
fs_manage_nfs_symlinks($1_t)
fs_manage_nfs_named_sockets($1_t)
fs_manage_nfs_named_pipes($1_t)
- fs_execute_nfs_files($1_t)
+ fs_exec_nfs_files($1_t)
',`
fs_dontaudit_manage_nfs_dirs($1_t)
fs_dontaudit_manage_nfs_files($1_t)
@@ -302,7 +302,7 @@ template(`base_user_template',`
fs_manage_cifs_symlinks($1_t)
fs_manage_cifs_named_sockets($1_t)
fs_manage_cifs_named_pipes($1_t)
- fs_execute_cifs_files($1_t)
+ fs_exec_cifs_files($1_t)
',`
fs_dontaudit_manage_cifs_dirs($1_t)
fs_dontaudit_manage_cifs_files($1_t)