diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index bc7dd8b..893e3e6 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -64,7 +64,7 @@ userdom_use_sysadm_fd(consoletype_t)
 userdom_rw_sysadm_pipe(consoletype_t)
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_chr_dev(consoletype_t)
+	fs_rw_tmpfs_chr_files(consoletype_t)
 ')
 optional_policy(`apm',`
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index c69ecf4..dad3a07 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -60,7 +60,7 @@ dev_rwx_zero(kudzu_t)
 fs_search_auto_mountpoints(kudzu_t)
 fs_search_ramfs(kudzu_t)
-fs_write_ramfs_socket(kudzu_t)
+fs_write_ramfs_sockets(kudzu_t)
 mls_file_read_up(kudzu_t)
 mls_file_write_down(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/quota.te b/refpolicy/policy/modules/admin/quota.te
index 672c1ee..cdb87b7 100644
--- a/refpolicy/policy/modules/admin/quota.te
+++ b/refpolicy/policy/modules/admin/quota.te
@@ -31,8 +31,8 @@ dev_read_sysfs(quota_t)
 dev_getattr_all_blk_files(quota_t)
 dev_getattr_all_chr_files(quota_t)
-fs_get_xattr_fs_quota(quota_t)
-fs_set_xattr_fs_quota(quota_t)
+fs_get_xattr_fs_quotas(quota_t)
+fs_set_xattr_fs_quotas(quota_t)
 fs_getattr_xattr_fs(quota_t)
 fs_remount_xattr_fs(quota_t)
 fs_search_auto_mountpoints(quota_t)
diff --git a/refpolicy/policy/modules/admin/updfstab.te b/refpolicy/policy/modules/admin/updfstab.te
index e429bfc..7ebcc13 100644
--- a/refpolicy/policy/modules/admin/updfstab.te
+++ b/refpolicy/policy/modules/admin/updfstab.te
@@ -33,7 +33,7 @@ dev_manage_generic_symlinks(updfstab_t)
 fs_getattr_xattr_fs(updfstab_t)
 fs_getattr_tmpfs(updfstab_t)
-fs_getattr_tmpfs_dir(updfstab_t)
+fs_getattr_tmpfs_dirs(updfstab_t)
 fs_search_auto_mountpoints(updfstab_t)
 selinux_get_fs_mount(updfstab_t)
diff --git a/refpolicy/policy/modules/apps/cdrecord.if b/refpolicy/policy/modules/apps/cdrecord.if
index caadac5..8202d42 100644
--- a/refpolicy/policy/modules/apps/cdrecord.if
+++ b/refpolicy/policy/modules/apps/cdrecord.if
@@ -138,14 +138,14 @@ template(`cdrecord_per_userdomain_template', `
 		ifdef(`enable_mls',`
 		',`
-			fs_search_removable_dirs($1_cdrecord_t)
+			fs_search_removable($1_cdrecord_t)
 			fs_read_removable_files($1_cdrecord_t)
 			fs_read_removable_symlinks($1_cdrecord_t)
 		')
 	',`
 		files_dontaudit_list_tmp($1_cdrecord_t)
 		files_dontaudit_list_home($1_cdrecord_t)
-		fs_dontaudit_list_removable_dirs($1_cdrecord_t)
+		fs_dontaudit_list_removable($1_cdrecord_t)
 		fs_donaudit_read_removable_files($1_cdrecord_t)
 		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
 		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 6b324c0..c5cc6ea 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -155,7 +155,7 @@ dev_node(urandom_device_t)
 #
 type usbfs_t alias usbdevfs_t;
 files_mountpoint(usbfs_t)
-fs_make_noxattr_fs(usbfs_t)
+fs_noxattr_type(usbfs_t)
 genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 756b542..fe21fa6 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -31,7 +31,7 @@ interface(`fs_type',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_make_noxattr_fs',`
+interface(`fs_noxattr_type',`
 	gen_require(`
 		attribute noxattrfs;
 	')
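Review bot: The context line `fs_donaudit_read_removable_files($1_cdrecord_t)` directly below the renamed `fs_dontaudit_list_removable` call misspells "dontaudit", so it presumably does not match any interface in filesystem.if and the intended dontaudit rule is never generated; this hunk is already touching the neighbouring removable-media call, so it is the natural place to correct it to `fs_dontaudit_read_removable_files($1_cdrecord_t)`. Whether an interface of the misspelled name exists elsewhere cannot be confirmed from this diff, so verify before changing. The enclosing `cdrecord_per_userdomain_template` starts and ends outside the hunk.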
@@ -173,24 +173,6 @@ interface(`fs_getattr_xattr_fs',`
 ########################################
 ##
-##	Get the quotas of a persistent
-##	filesystem which has extended
-##	attributes, such as ext3, JFS, or XFS.
-##
-##
-##	The type of the domain getting quotas.
-##
-#
-interface(`fs_get_xattr_fs_quotas',`
-	gen_require(`
-		type fs_t;
-	')
-
-	allow $1 fs_t:filesystem quotaget;
-')
-
-########################################
-##
 ##	Do not audit attempts to
 ##	get the attributes of a persistent
 ##	filesystem which has extended
@@ -235,7 +217,7 @@ interface(`fs_relabelfrom_xattr_fs',`
 ##	The type of the domain mounting the filesystem.
 ##
 #
-interface(`fs_get_xattr_fs_quota',`
+interface(`fs_get_xattr_fs_quotas',`
 	gen_require(`
 		type fs_t;
 	')
@@ -252,7 +234,7 @@ interface(`fs_get_xattr_fs_quota',`
 ##	The type of the domain mounting the filesystem.
 ##
 #
-interface(`fs_set_xattr_fs_quota',`
+interface(`fs_set_xattr_fs_quotas',`
 	gen_require(`
 		type fs_t;
 	')
@@ -650,7 +632,7 @@ interface(`fs_read_cifs_symlinks',`
 ##	The type of the domain executing the files.
 ##
 #
-interface(`fs_execute_cifs_files',`
+interface(`fs_exec_cifs_files',`
 	gen_require(`
 		type cifs_t;
 	')
@@ -1189,7 +1171,7 @@ interface(`fs_write_nfs_files',`
 ##	The type of the domain executing the files.
 ##
 #
-interface(`fs_execute_nfs_files',`
+interface(`fs_exec_nfs_files',`
 	gen_require(`
 		type nfs_t;
 	')
@@ -1257,7 +1239,7 @@ interface(`fs_getattr_rpc_dirs',`
 ##	The type of the domain reading the symbolic links.
 ##
 #
-interface(`fs_search_rpc_dirs',`
+interface(`fs_search_rpc',`
 	gen_require(`
 		type rpc_pipefs_t;
 	')
@@ -1273,7 +1255,7 @@ interface(`fs_search_rpc_dirs',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_search_removable_dirs',`
+interface(`fs_search_removable',`
 	gen_require(`
 		type removable_t;
 	')
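Review bot: The surviving `fs_get_xattr_fs_quotas` (the rename in the `@@ -235` hunk) keeps a parameter description that reads `The type of the domain mounting the filesystem.`, which describes a mount interface rather than quotaget, and the same wrong text sits above `fs_set_xattr_fs_quotas` in the `@@ -252` hunk. The duplicate definition deleted in the `@@ -173` hunk carried the accurate wording, `##	The type of the domain getting quotas.`; that line should replace the mounting text on the kept interface (and `##	The type of the domain setting quotas.` on the set variant) so the de-duplication does not leave the wrong doc behind. The bodies of both renamed interfaces are cut off by their hunks, so I am assuming they still grant quotaget/quotamod as the deleted copy did.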
@@ -1290,7 +1272,7 @@ interface(`fs_search_removable_dirs',`
 ##	Domain not to audit.
 ##
 #
-interface(`fs_dontaudit_list_removable_dirs',`
+interface(`fs_dontaudit_list_removable',`
 	gen_require(`
 		type removable_t;
 	')
@@ -1354,7 +1336,7 @@ interface(`fs_read_removable_symlinks',`
 ##	The type of the domain reading the symbolic links.
 ##
 #
-interface(`fs_read_rpc_dirs',`
+interface(`fs_list_rpc',`
 	gen_require(`
 		type rpc_pipefs_t;
 	')
@@ -1787,7 +1769,7 @@ interface(`fs_dontaudit_search_ramfs',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_write_ramfs_pipe',`
+interface(`fs_write_ramfs_pipes',`
 	gen_require(`
 		type ramfs_t;
 	')
@@ -1803,7 +1785,7 @@ interface(`fs_write_ramfs_pipe',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_rw_ramfs_pipe',`
+interface(`fs_rw_ramfs_pipes',`
 	gen_require(`
 		type ramfs_t;
 	')
@@ -1819,7 +1801,7 @@ interface(`fs_rw_ramfs_pipe',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_write_ramfs_socket',`
+interface(`fs_write_ramfs_sockets',`
 	gen_require(`
 		type ramfs_t;
 	')
@@ -2051,7 +2033,7 @@ interface(`fs_associate_tmpfs',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_getattr_tmpfs_dir',`
+interface(`fs_getattr_tmpfs_dirs',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2067,7 +2049,7 @@ interface(`fs_getattr_tmpfs_dir',`
 ##	Domain allowed access.
 ##
 #
-interface(`fs_setattr_tmpfs_dir',`
+interface(`fs_setattr_tmpfs_dirs',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2202,7 +2184,7 @@ interface(`fs_manage_auto_mountpoints',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_rw_tmpfs_file',`
+interface(`fs_rw_tmpfs_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2236,7 +2218,7 @@ interface(`fs_read_tmpfs_symlinks',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_use_tmpfs_chr_dev',`
+interface(`fs_rw_tmpfs_chr_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
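Review bot: In the `@@ -1354` hunk the interface is renamed to `fs_list_rpc`, but the parameter description left above it still says `The type of the domain reading the symbolic links.`, which is copied from a symlink interface and no longer matches a directory-listing interface; the same wording sits above `fs_search_rpc` in the preceding hunk of this file. Since the rename is changing what the name promises (read of dirs becomes list), the doc line should follow, e.g. `##	Domain allowed access.` as the other interfaces in these hunks use. The interface body with the actual allow rule is outside the hunk, so I cannot confirm that the permissions granted are list-style (read search getattr on dir).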
@@ -2270,7 +2252,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_relabel_tmpfs_chr_dev',`
+interface(`fs_relabel_tmpfs_chr_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2287,7 +2269,7 @@ interface(`fs_relabel_tmpfs_chr_dev',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_use_tmpfs_blk_dev',`
+interface(`fs_rw_tmpfs_blk_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2304,7 +2286,7 @@ interface(`fs_use_tmpfs_blk_dev',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_relabel_tmpfs_blk_dev',`
+interface(`fs_relabel_tmpfs_blk_file',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2376,7 +2358,7 @@ interface(`fs_manage_tmpfs_sockets',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_manage_tmpfs_chr_dev',`
+interface(`fs_manage_tmpfs_chr_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
@@ -2394,7 +2376,7 @@ interface(`fs_manage_tmpfs_chr_dev',`
 ##	The type of the process performing this action.
 ##
 #
-interface(`fs_manage_tmpfs_blk_dev',`
+interface(`fs_manage_tmpfs_blk_files',`
 	gen_require(`
 		type tmpfs_t;
 	')
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index a00b7d2..3ad5ae6 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -614,13 +614,13 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',`
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_files(httpd_suexec_t)
 	fs_read_nfs_symlinks(httpd_suexec_t)
-	fs_execute_nfs_files(httpd_suexec_t)
+	fs_exec_nfs_files(httpd_suexec_t)
 ')
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-	fs_execute_cifs_files(httpd_suexec_t)
+	fs_exec_cifs_files(httpd_suexec_t)
 ')
 optional_policy(`mailman',`
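Review bot: The rename to `fs_relabel_tmpfs_chr_file` (and `fs_relabel_tmpfs_blk_file` in the `@@ -2304` hunk) uses the singular while every other rename in this file uses the plural (`fs_rw_tmpfs_chr_files`, `fs_rw_tmpfs_blk_files`, `fs_manage_tmpfs_chr_files`, `fs_manage_tmpfs_blk_files`), so the naming scheme this commit introduces is inconsistent within itself. The hunk header also shows the dontaudit counterpart still named `fs_dontaudit_use_tmpfs_chr_dev`, which no longer pairs by name with `fs_rw_tmpfs_chr_files`; callers grepping for the allow/dontaudit pair will not find it. If the plural is the intended convention, the two relabel interfaces should become `fs_relabel_tmpfs_chr_files` / `fs_relabel_tmpfs_blk_files` and the dontaudit one `fs_dontaudit_rw_tmpfs_chr_files`, with selinuxutil.te and udev.te updated to match. The interface bodies are outside the hunks.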
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 7501a14..cf3114b 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -52,7 +52,7 @@ kernel_read_sysctl(rpcd_t)
 corenet_udp_bind_generic_port(rpcd_t)
 corenet_udp_bind_reserved_port(rpcd_t)
-fs_read_rpc_dirs(rpcd_t)
+fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
 fs_read_rpc_symlinks(rpcd_t)
 fs_read_rpc_sockets(rpcd_t)
@@ -134,7 +134,7 @@ corenet_udp_bind_reserved_port(gssd_t)
 dev_read_urand(gssd_t)
-fs_read_rpc_dirs(gssd_t)
+fs_list_rpc(gssd_t)
 fs_read_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
diff --git a/refpolicy/policy/modules/services/xserver.fc b/refpolicy/policy/modules/services/xserver.fc
index 79bc20c..320ce64 100644
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@@ -37,10 +37,13 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 /tmp/\.ICE-unix		-d	gen_context(system_u:object_r:ice_tmp_t,s0)
 /tmp/\.ICE-unix/.*	-s	<>
-/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<>
+ifdef(`strict_policy',`
+/tmp/\.X0-lock		--	gen_context(system_u:object_r:xdm_xserver_tmp_t,s0)
+')
+
 #
 # /usr
 #
diff --git a/refpolicy/policy/modules/services/xserver.te b/refpolicy/policy/modules/services/xserver.te
index d43696c..01a4284 100644
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
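Review bot: The xserver.fc hunk changes labeling behaviour, not just a name: outside a strict_policy build `/tmp/\.X0-lock` loses its `xdm_xserver_tmp_t` entry and will presumably fall back to whatever the generic /tmp rule assigns, yet nothing in the hunk records why. A one-line comment above the new block would save the next reader a dig through xserver.te, e.g. `# xdm_xserver_tmp_t is only declared in the strict policy, so the lock file is labeled only there`; I am inferring that reason from the ifdef, since the type declaration is not visible in this diff. If the non-strict policy still runs an X server that creates this lock file, confirm that the fallback label does not block it before merging.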
@@ -308,14 +308,14 @@ tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
 	fs_manage_nfs_files(xdm_t)
 	fs_manage_nfs_symlinks(xdm_t)
-	fs_execute_nfs_files(xdm_t)
+	fs_exec_nfs_files(xdm_t)
 ')
 tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_dirs(xdm_t)
 	fs_manage_cifs_files(xdm_t)
 	fs_manage_cifs_symlinks(xdm_t)
-	fs_execute_cifs_files(xdm_t)
+	fs_exec_cifs_files(xdm_t)
 ')
 optional_policy(`gpm',`
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 25f84f1..9828823 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -74,13 +74,13 @@ dev_rw_lvm_control(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
-fs_rw_ramfs_pipe(fsadm_t)
-fs_rw_tmpfs_file(fsadm_t)
+fs_rw_ramfs_pipes(fsadm_t)
+fs_rw_tmpfs_files(fsadm_t)
 # remount file system to apply changes
 fs_remount_xattr_fs(fsadm_t)
 # for /dev/shm
 fs_search_tmpfs(fsadm_t)
-fs_getattr_tmpfs_dir(fsadm_t)
+fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
 mls_file_write_down(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 5ede464..1ce3c8c 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -129,7 +129,7 @@ ifdef(`distro_redhat', `
 	optional_policy(`netutils',`
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_domtrans(hotplug_t)
-		fs_use_tmpfs_chr_dev(hotplug_t)
+		fs_rw_tmpfs_chr_files(hotplug_t)
 	')
 	files_getattr_generic_locks(hotplug_t)
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 402748f..13d819a 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -164,7 +164,7 @@ seutil_read_config(init_t)
 miscfiles_read_localization(init_t)
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_chr_dev(init_t)
+	fs_rw_tmpfs_chr_files(init_t)
 	fs_filetrans_tmpfs(init_t,initctl_t,fifo_file)
 ')
@@ -275,7 +275,7 @@ dev_delete_generic_symlinks(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-fs_write_ramfs_pipe(initrc_t)
+fs_write_ramfs_pipes(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
@@ -387,7 +387,7 @@ ifdef(`distro_debian',`
 	fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
 	# for storing state under /dev/shm
-	fs_setattr_tmpfs_dir(initrc_t)
+	fs_setattr_tmpfs_dirs(initrc_t)
 	storage_create_fixed_disk_tmpfs(initrc_t)
 	files_setattr_etc_dirs(initrc_t)
@@ -428,7 +428,7 @@ ifdef(`distro_redhat',`
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
-	fs_use_tmpfs_chr_dev(initrc_t)
+	fs_rw_tmpfs_chr_files(initrc_t)
 	storage_create_fixed_disk(initrc_t)
 	storage_getattr_removable_device(initrc_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 2f42111..d4ca0a6 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -239,7 +239,7 @@ allow sulogin_t self:msg { send receive };
 kernel_read_system_state(sulogin_t)
 fs_search_auto_mountpoints(sulogin_t)
-fs_use_tmpfs_chr_dev(sulogin_t)
+fs_rw_tmpfs_chr_files(sulogin_t)
 files_read_etc_files(sulogin_t)
 # because file systems are not mounted:
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 335f561..d942538 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -45,7 +45,7 @@ fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
 fs_search_auto_mountpoints(mount_t)
-fs_use_tmpfs_chr_dev(mount_t)
+fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
 term_use_all_terms(mount_t)
@@ -113,7 +113,7 @@ optional_policy(`portmap',`
 	corenet_udp_bind_reserved_port(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
-	fs_search_rpc_dirs(mount_t)
+	fs_search_rpc(mount_t)
 	portmap_udp_sendrecv(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 951ff53..55ff9a6 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -369,10 +369,10 @@ files_list_all(restorecon_t)
 auth_relabelto_shadow(restorecon_t)
 ifdef(`distro_redhat', `
-	fs_use_tmpfs_chr_dev(restorecon_t)
-	fs_use_tmpfs_blk_dev(restorecon_t)
-	fs_relabel_tmpfs_blk_dev(restorecon_t)
-	fs_relabel_tmpfs_chr_dev(restorecon_t)
+	fs_rw_tmpfs_chr_files(restorecon_t)
+	fs_rw_tmpfs_blk_files(restorecon_t)
+	fs_relabel_tmpfs_blk_file(restorecon_t)
+	fs_relabel_tmpfs_chr_file(restorecon_t)
 ')
 ifdef(`hide_broken_symptoms',`
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 1a48e57..f831dde 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -150,10 +150,10 @@ ifdef(`distro_redhat',`
 	fs_manage_tmpfs_files(udev_t)
 	fs_manage_tmpfs_symlinks(udev_t)
 	fs_manage_tmpfs_sockets(udev_t)
-	fs_manage_tmpfs_blk_dev(udev_t)
-	fs_manage_tmpfs_chr_dev(udev_t)
-	fs_relabel_tmpfs_blk_dev(udev_t)
-	fs_relabel_tmpfs_chr_dev(udev_t)
+	fs_manage_tmpfs_blk_files(udev_t)
+	fs_manage_tmpfs_chr_files(udev_t)
+	fs_relabel_tmpfs_blk_file(udev_t)
+	fs_relabel_tmpfs_chr_file(udev_t)
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index c34e666..70fafca 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -290,7 +290,7 @@ template(`base_user_template',`
 		fs_manage_nfs_symlinks($1_t)
 		fs_manage_nfs_named_sockets($1_t)
 		fs_manage_nfs_named_pipes($1_t)
-		fs_execute_nfs_files($1_t)
+		fs_exec_nfs_files($1_t)
 	',`
 		fs_dontaudit_manage_nfs_dirs($1_t)
 		fs_dontaudit_manage_nfs_files($1_t)
@@ -302,7 +302,7 @@ template(`base_user_template',`
 		fs_manage_cifs_symlinks($1_t)
 		fs_manage_cifs_named_sockets($1_t)
 		fs_manage_cifs_named_pipes($1_t)
-		fs_execute_cifs_files($1_t)
+		fs_exec_cifs_files($1_t)
 	',`
 		fs_dontaudit_manage_cifs_dirs($1_t)
 		fs_dontaudit_manage_cifs_files($1_t)