diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
index 0bec93a..98aa2f8 100644
--- a/refpolicy/policy/modules/admin/bootloader.te
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -110,6 +110,7 @@ files_read_kernel_modules(bootloader_t)
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
files_manage_etc_runtime_files(bootloader_t)
+files_etc_filetrans_etc_runtime(bootloader_t,file)
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 6615973..481f0d5 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -88,6 +88,7 @@ files_search_var(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
+files_etc_filetrans_etc_runtime(kudzu_t,file)
files_manage_mnt_files(kudzu_t)
files_manage_mnt_symlinks(kudzu_t)
files_dontaudit_search_src(kudzu_t)
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 77dad24..5f5a897 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -1684,6 +1684,19 @@ interface(`files_relabel_etc_files',`
########################################
#
+# files_etc_filetrans(domain,privatetype,class(es))
+#
+interface(`files_etc_filetrans',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir rw_dir_perms;
+ type_transition $1 etc_t:$3 $2;
+')
+
+########################################
+#
# files_create_boot_flag(domain)
#
# /halt, /.autofsck, etc
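Review bot: The relocated `files_etc_filetrans` interface (the `interface(`files_etc_filetrans',` block in this hunk) keeps only the legacy one-line `# files_etc_filetrans(domain,privatetype,class(es))` header, while the `files_etc_filetrans_etc_runtime` interface added later in this same file gets the `##` documentation block; since this generic interface grants `rw_dir_perms` on `etc_t` and a caller-chosen transition target, it deserves the same. I would add a `## <summary>` block saying that it allows creating objects in /etc with an automatic type transition to the caller-supplied private type, with `<param>` entries for the domain, the private type and the object class(es). The summary should also state that the interface grants no access to the private type itself, so the caller remains responsible for allowing the domain to create and use objects of that type.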
@@ -1778,21 +1791,32 @@ interface(`files_manage_etc_runtime_files',`
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_runtime_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file create_file_perms;
- type_transition $1 etc_t:file etc_runtime_t;
+ allow $1 etc_runtime_t:file manage_file_perms;
')
########################################
+##
+## Create, etc runtime objects with an automatic
+## type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The class of the object being created.
+##
+##
#
-# files_etc_filetrans(domain,privatetype,class(es))
-#
-interface(`files_etc_filetrans',`
+interface(`files_etc_filetrans_etc_runtime',`
gen_require(`
- type etc_t;
+ type etc_t, etc_runtime_t;
')
allow $1 etc_t:dir rw_dir_perms;
- type_transition $1 etc_t:$3 $2;
+ type_transition $1 etc_t:$2 etc_runtime_t;
')
########################################
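Review bot: Removing `type_transition $1 etc_t:file etc_runtime_t;` from `files_manage_etc_runtime_files` (the deleted line after `allow $1 etc_runtime_t:dir rw_dir_perms;`) changes labeling for every existing caller of that interface that this commit does not also update: such a domain keeps its etc_runtime_t access, but a file it creates in /etc now defaults to etc_t, which this interface does not allow it to create, so unless that access comes from elsewhere a previously working create becomes a denial. The callers touched here (bootloader_t, kudzu_t, smbmount_t, watchdog_t, fsadm_t, hotplug_t, init_t, initrc_t, mount_t, unconfined_mount_t) get the new call; any other caller of `files_manage_etc_runtime_files` in the tree should be checked. The interface's documentation, which begins above this hunk, should say that the automatic transition is no longer included and point callers to `files_etc_filetrans_etc_runtime`. The change from `create_file_perms` to `manage_file_perms` is not explained; if the two permission sets differ in this tree, the widening deserves a sentence in the commit message. The `##` block added for the new interface shows bare `##` lines where the `<summary>` and `<param>` tags would normally be, which may be an artifact of how this patch was rendered but is worth confirming in the committed file.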
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index bddf574..3f59ac4 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -496,6 +496,7 @@ corecmd_list_bin(smbmount_t)
files_list_mnt(smbmount_t)
files_mounton_mnt(smbmount_t)
files_manage_etc_runtime_files(smbmount_t)
+files_etc_filetrans_etc_runtime(smbmount_t,file)
files_read_etc_files(smbmount_t)
miscfiles_read_localization(smbmount_t)
diff --git a/refpolicy/policy/modules/services/watchdog.te b/refpolicy/policy/modules/services/watchdog.te
index d6bc58f..77e8c19 100644
--- a/refpolicy/policy/modules/services/watchdog.te
+++ b/refpolicy/policy/modules/services/watchdog.te
@@ -75,6 +75,7 @@ domain_kill_all_domains(watchdog_t)
files_read_etc_files(watchdog_t)
# for updating mtab on umount
files_manage_etc_runtime_files(watchdog_t)
+files_etc_filetrans_etc_runtime(watchdog_t,file)
fs_unmount_xattr_fs(watchdog_t)
fs_getattr_all_fs(watchdog_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 3b479a0..73a8fe0 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -121,6 +121,7 @@ files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t,file)
# Access to /initrd devices
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a71dfa6..e159888 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -91,6 +91,7 @@ domain_dontaudit_getattr_all_domains(hotplug_t)
files_read_etc_files(hotplug_t)
files_manage_etc_runtime_files(hotplug_t)
+files_etc_filetrans_etc_runtime(hotplug_t,file)
files_exec_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot:
files_dontaudit_search_isid_type_dirs(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 4ae76e0..55f0cdc 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -146,6 +146,7 @@ files_read_etc_files(init_t)
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
files_manage_etc_runtime_files(init_t)
+files_etc_filetrans_etc_runtime(init_t,file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
@@ -337,6 +338,7 @@ files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t)
+files_etc_filetrans_etc_runtime(initrc_t,file)
files_manage_generic_locks(initrc_t)
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index acf6d73..8c9c181 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -71,6 +71,7 @@ domain_use_interactive_fds(mount_t)
files_search_all(mount_t)
files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
+files_etc_filetrans_etc_runtime(mount_t,file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
@@ -164,6 +165,6 @@ optional_policy(`
#
ifdef(`targeted_policy',`
- files_manage_etc_runtime_files(unconfined_mount_t)
+ files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
')
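Review bot: In the `targeted_policy` block, `files_etc_filetrans_etc_runtime(unconfined_mount_t,file)` replaces `files_manage_etc_runtime_files(unconfined_mount_t)` instead of being added beside it, unlike every other hunk in this commit (including the mount_t hunk above), where the new call is added and the manage call is kept. That is presumably intentional because `unconfined_domain(unconfined_mount_t)` on the next line already supplies the allow rules and only the type_transition is missing, but that reasoning is not visible in the file; a comment such as `# unconfined_domain() supplies the access; only the etc_runtime_t transition is needed` above the call would make clear this was not a copy/paste slip.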