diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 2c06304..ffa8e29 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -92,6 +92,8 @@ interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
+ type portage_devpts_t, portage_log_t, portage_tmp_t;
+ type portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
@@ -219,6 +221,10 @@ interface(`portage_compile_domain',`
##
#
interface(`portage_fetch_domain',`
+ gen_require(`
+ type portage_cache_t, portage_conf_t, portage_ebuild_t;
+ type portage_tmp_t, portage_fetch_tmp_t;
+ ')
allow $1 self:capability { dac_override fowner fsetid };
allow $1 self:process signal;
@@ -290,6 +296,9 @@ interface(`portage_fetch_domain',`
##
#
interface(`portage_main_domain',`
+ gen_require(`
+ type portage_log_t, portage_tmp_t;
+ ')
# - setfscreate for merging to live fs
# - setexec to run portage fetch
diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
index 83a657e..5a2b1b5 100644
--- a/policy/modules/apps/awstats.if
+++ b/policy/modules/apps/awstats.if
@@ -34,6 +34,7 @@ interface(`awstats_rw_pipes',`
interface(`awstats_cgi_exec',`
gen_require(`
type httpd_awstats_script_exec_t;
+ type httpd_awstats_content_t;
')
allow $1 httpd_awstats_content_t:dir search_dir_perms;
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index b9b8c36..93092bc 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -192,11 +192,6 @@ template(`ethereal_per_role_template',`
## is the prefix for user_t).
##
##
-##
-##
-## The type of the user domain.
-##
-##
#
template(`ethereal_admin_template',`
gen_require(`
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 8a7abdb..384734d 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -809,7 +809,12 @@ template(`evolution_per_role_template',`
## Domain allowed access.
##
##
-##
+##
+##
+## Private file type.
+##
+##
+##
##
## The object class of the object being created. If
## no class is specified, dir will be used.
@@ -864,6 +869,12 @@ template(`evolution_stream_connect',`
## Send and receive messages from
## evolution over dbus.
##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
##
##
## Domain allowed access.
@@ -885,6 +896,12 @@ interface(`evolution_dbus_chat',`
## Send and receive messages from
## evolution_alarm over dbus.
##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
##
##
## Domain allowed access.
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
index 3d2b8e4..449a07a 100644
--- a/policy/modules/apps/wireshark.if
+++ b/policy/modules/apps/wireshark.if
@@ -192,11 +192,6 @@ template(`wireshark_per_role_template',`
## is the prefix for user_t).
##
##
-##
-##
-## The type of the user domain.
-##
-##
#
template(`wireshark_admin_template',`
gen_require(`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 1da9eb0..b2a5773 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -199,6 +199,25 @@ interface(`corecmd_getattr_bin_files',`
########################################
##
+## Get the attributes of files in bin directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_dontaudit_getattr_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir search_dir_perms;
+ dontaudit $1 bin_t:file getattr_file_perms;
+')
+
+########################################
+##
## Read files in bin directories.
##
##
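Review bot: The summary for corecmd_dontaudit_getattr_bin_files is copied from corecmd_getattr_bin_files and says `Get the attributes of files in bin directories.`, which misdescribes a dontaudit interface; it should read `Do not audit attempts to get the attributes of files in bin directories.`, and the parameter description should be `Domain to not audit.` as the fs_dontaudit_list_cifs_dirs block added later in this commit does. The body also suppresses `bin_t:dir search` denials, which the name does not suggest; a short mention of that in the summary would save readers a trip to the rules.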
@@ -685,7 +704,7 @@ interface(`corecmd_mmap_sbin_files',`
##
#
interface(`corecmd_sbin_domtrans',`
- corecmd_bin_domtrans($1,$2,$3)
+ corecmd_bin_domtrans($1,$2)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
')
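Review bot: corecmd_sbin_domtrans now forwards only two arguments to corecmd_bin_domtrans, but the interface's own documentation block sits above this hunk and is not touched, so it presumably still lists a third parameter; it should be trimmed to match, and the same applies to corecmd_sbin_spec_domtrans in the next hunk. The logging_admin hunk in logging.if does update its parameter list when it drops the extra arguments, so these two should follow that pattern. Because m4 silently discards surplus arguments, existing three-argument callers keep building, so this is a documentation mismatch rather than a build break. The enclosing doc block starts outside the hunk.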
@@ -726,7 +745,7 @@ interface(`corecmd_sbin_domtrans',`
##
#
interface(`corecmd_sbin_spec_domtrans',`
- corecmd_bin_spec_domtrans($1,$2,$3)
+ corecmd_bin_spec_domtrans($1,$2)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
')
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 78a953b..46ca635 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1219,6 +1219,11 @@ interface(`domain_mmap_all_entry_files',`
## Domain allowed access.
##
##
+##
+##
+## The type of the new process.
+##
+##
#
# cjp: added for userhelper
interface(`domain_entry_file_spec_domtrans',`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7f06066..9978ceb 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4208,7 +4208,7 @@ interface(`files_getattr_generic_locks',`
#
interface(`files_manage_generic_locks',`
gen_require(`
- type var_lock_t;
+ type var_t, var_lock_t;
')
allow $1 var_t:dir search_dir_perms;
@@ -4229,6 +4229,7 @@ interface(`files_manage_generic_locks',`
interface(`files_delete_all_locks',`
gen_require(`
attribute lockfile;
+ type var_t;
')
allow $1 var_t:dir search_dir_perms;
@@ -4659,6 +4660,17 @@ interface(`files_manage_generic_spool',`
## Domain allowed access.
##
##
+##
+##
+## Type to which the created node will be transitioned.
+##
+##
+##
+##
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+##
+##
#
interface(`files_spool_filetrans',`
gen_require(`
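Review bot: The new object-class parameter description for files_spool_filetrans has a stray word: `for which this the transition will occur` should read `for which the transition will occur`. The interface body continues outside the hunk.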
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 20902e6..df40869 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -779,6 +779,25 @@ interface(`fs_read_noxattr_fs_symlinks',`
########################################
##
## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
##
##
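Review bot: The new interface is named fs_dontaudit_list_cifs_dirs, while the NFS counterpart this same commit switches userdomain.if to (`fs_dontaudit_list_nfs($1_t)`) has no `_dirs` suffix; the two should follow one naming scheme, and if fs_dontaudit_list_nfs is the established form the CIFS one should match it. The summary also says `Do not audit attempts to read dirs` although the rule is `list_dir_perms`; `## Do not audit attempts to list dirs` / `## on a CIFS or SMB filesystem.` would describe both the rule and the name.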
@@ -835,6 +854,44 @@ interface(`fs_read_cifs_symlinks',`
########################################
##
+## Read named pipes
+## on a CIFS or SMB network filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_cifs_named_pipes',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ read_fifo_files_pattern($1,cifs_t,cifs_t)
+')
+
+########################################
+##
+## Read named pipes
+## on a CIFS or SMB network filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_cifs_named_sockets',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ read_sock_files_pattern($1,cifs_t,cifs_t)
+')
+
+########################################
+##
## Execute files on a CIFS or SMB
## network filesystem, in the caller
## domain.
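Review bot: The summary for fs_read_cifs_named_sockets repeats the fs_read_cifs_named_pipes text, `Read named pipes on a CIFS or SMB network filesystem.`, although the rule below it is read_sock_files_pattern; it should read `Read named sockets on a CIFS or SMB network filesystem.`.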
@@ -1647,6 +1704,43 @@ interface(`fs_read_nfs_symlinks',`
read_lnk_files_pattern($1,nfs_t,nfs_t)
')
+#########################################
+##
+## Read named sockets on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_nfs_named_sockets',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ read_sock_files_pattern($1,nfs_t,nfs_t)
+')
+
+#########################################
+##
+## Read named pipes on a NFS network filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_read_nfs_named_pipes',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ read_fifo_files_pattern($1,nfs_t,nfs_t)
+')
+
########################################
##
## Read directories of RPC file system pipes.
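Review bot: The two separators introduced before fs_read_nfs_named_sockets and fs_read_nfs_named_pipes appear one `#` longer than the 40-character rule used everywhere else in this file, and fs_read_nfs_named_pipes carries an extra `##` line before its closing `#`; both should match the surrounding blocks. If the blank line between the preceding `')` and the first separator is genuinely missing rather than lost in rendering, add it as well. The CIFS counterparts added earlier in this commit list pipes before sockets; keeping the same order here would make the two sections easier to compare.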
@@ -2611,7 +2705,7 @@ interface(`fs_getattr_rpc_pipefs',`
#
interface(`fs_rw_rpc_named_pipes',`
gen_require(`
- type nfs_t;
+ type rpc_pipefs_t;
')
allow $1 rpc_pipefs_t:fifo_file { read write };
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b702156..3c9ebcb 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -625,6 +625,7 @@ interface(`term_dontaudit_use_ptmx',`
interface(`term_getattr_all_user_ptys',`
gen_require(`
attribute ptynode;
+ type devpts_t;
')
dev_list_all_dev_nodes($1)
@@ -667,6 +668,7 @@ interface(`term_dontaudit_getattr_all_user_ptys',`
interface(`term_setattr_all_user_ptys',`
gen_require(`
attribute ptynode;
+ type devpts_t;
')
dev_list_all_dev_nodes($1)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index d3c709e..ac888be 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -10,16 +10,6 @@
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the fetchmail domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`fetchmail_admin',`
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index c000e40..1708315 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -293,6 +293,11 @@ template(`mta_admin_template',`
## Type to be used as a mail server domain.
##
##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
#
interface(`mta_mailserver',`
gen_require(`
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 8954ba6..da7d140 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -102,6 +102,16 @@ interface(`ppp_domtrans',`
## Domain allowed access.
##
##
+##
+##
+## The role to allow the ppp domain.
+##
+##
+##
+##
+## The type of the terminal allow the ppp domain to use.
+##
+##
##
#
interface(`ppp_run_cond',`
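Review bot: The new terminal parameter description in ppp_run_cond reads `The type of the terminal allow the ppp domain to use.`, which is missing a word; `The type of the terminal to allow the ppp domain to use.` The identical sentence is added to ppp_run in the next hunk.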
@@ -126,6 +136,16 @@ interface(`ppp_run_cond',`
## Domain allowed access.
##
##
+##
+##
+## The role to allow the ppp domain.
+##
+##
+##
+##
+## The type of the terminal allow the ppp domain to use.
+##
+##
##
#
interface(`ppp_run',`
@@ -280,23 +300,13 @@ interface(`ppp_pid_filetrans',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the ppp domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`ppp_admin',`
gen_require(`
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
- type pppd_etc_t, pppd_script_t, pppd_secret_t;
- type pppd_etc_rw_t, pppd_var_lib_t, pppd_var_run_t;
+ type pppd_etc_t, pppd_secret_t;
+ type pppd_etc_rw_t, pppd_var_run_t;
type pptp_t, pptp_log_t, pptp_var_run_t;
')
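Review bot: ppp_admin's gen_require drops pppd_script_t and pppd_var_lib_t, and the following hunk removes the pppd_var_lib_t management rules, but nothing in the diff shows those types being removed from ppp.te; if they still exist, administrators lose management of pppd_var_lib_t content, and any remaining reference to pppd_script_t in the body would now be an undeclared type. Confirm against ppp.te, or state the removal in the commit message. The interface body continues outside this hunk.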
@@ -319,9 +329,6 @@ interface(`ppp_admin',`
manage_files_pattern($1, pppd_secret_t, pppd_secret_t)
- files_list_var_lib($1)
- manage_files_pattern($1, pppd_var_lib_t, pppd_var_lib_t)
-
files_list_pids($1)
manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index f1be394..af6312e 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -10,16 +10,6 @@
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the privoxy domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`privoxy_admin',`
diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
index 0e8fab2..b8a1477 100644
--- a/policy/modules/services/radius.if
+++ b/policy/modules/services/radius.if
@@ -24,38 +24,28 @@ interface(`radius_use',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the radius domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`radius_admin',`
gen_require(`
- type radius_t, radius_etc_t, radius_log_t;
- type radius_etc_rw_t, radius_var_lib_t, radius_var_run_t;
+ type radiusd_t, radiusd_etc_t, radiusd_log_t;
+ type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
')
- allow $1 radius_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, radius_t)
+ allow $1 radiusd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, radiusd_t)
files_list_etc($1)
- manage_files_pattern($1, radius_etc_t, radius_etc_t)
+ manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
logging_list_logs($1)
- manage_files_pattern($1, radius_log_t, radius_log_t)
+ manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
- manage_files_pattern($1, radius_etc_rw_t, radius_etc_rw_t)
+ manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
files_list_var_lib($1)
- manage_files_pattern($1, radius_var_lib_t, radius_var_lib_t)
+ manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
files_list_pids($1)
- manage_files_pattern($1, radius_var_run_t, radius_var_run_t)
+ manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
')
diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if
index a24aefc..596e3f4 100644
--- a/policy/modules/services/radvd.if
+++ b/policy/modules/services/radvd.if
@@ -10,16 +10,6 @@
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the radvd domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`radvd_admin',`
diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
index 0f8dad6..d177de4 100644
--- a/policy/modules/services/rwho.if
+++ b/policy/modules/services/rwho.if
@@ -126,16 +126,6 @@ interface(`rwho_manage_spool_files',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the rwho domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`rwho_admin',`
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f5041ae..01ef9cc 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -29,16 +29,6 @@ interface(`sasl_connect',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the sasl domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`sasl_admin',`
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index f52f7e7..56e1f72 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -28,16 +28,6 @@ interface(`smartmon_read_tmp_files',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the smartmon domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`smartmon_admin',`
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index 579ab1b..2539d93 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -95,33 +95,23 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the snmp domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`snmp_admin',`
gen_require(`
- type snmp_t, snmp_log_t;
- type snmp_var_lib_t, snmp_var_run_t;
+ type snmpd_t, snmpd_log_t;
+ type snmpd_var_lib_t, snmpd_var_run_t;
')
- allow $1 snmp_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, snmp_t)
+ allow $1 snmpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, snmpd_t)
logging_list_logs($1)
- manage_files_pattern($1, snmp_log_t, snmp_log_t)
+ manage_files_pattern($1, snmpd_log_t, snmpd_log_t)
files_list_var_lib($1)
- manage_files_pattern($1, snmp_var_lib_t, snmp_var_lib_t)
+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
files_list_pids($1)
- manage_files_pattern($1, snmp_var_run_t, snmp_var_run_t)
+ manage_files_pattern($1, snmpd_var_run_t, snmpd_var_run_t)
')
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index 2adcb52..4357c1c 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -10,31 +10,21 @@
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the tftp domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`tftp_admin',`
gen_require(`
- type tftp_t, tftpdir_t;
- type tftp_rw_t, tftp_var_run_t;
+ type tftpd_t, tftpdir_t;
+ type tftpdir_rw_t, tftpd_var_run_t;
')
- allow $1 tftp_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, tftp_t)
+ allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, tftpd_t)
- manage_files_pattern($1, tftp_rw_t, tftp_rw_t)
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern($1, tftpdir_t, tftpdir_t)
files_list_pids($1)
- manage_files_pattern($1, tftp_var_run_t, tftp_var_run_t)
+ manage_files_pattern($1, tftpd_var_run_t, tftpd_var_run_t)
')
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index 513fb4d..15146c0 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -28,21 +28,11 @@ interface(`tor_domtrans',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the tor domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`tor_admin',`
gen_require(`
- type tor_t, tor_log_t, tor_etc_t;
+ type tor_t, tor_var_log_t, tor_etc_t;
type tor_var_lib_t, tor_var_run_t;
')
@@ -50,7 +40,7 @@ interface(`tor_admin',`
ps_process_pattern($1, tor_t)
logging_list_logs($1)
- manage_files_pattern($1, tor_log_t, tor_log_t)
+ manage_files_pattern($1, tor_var_log_t, tor_var_log_t)
files_list_etc($1)
manage_files_pattern($1, tor_etc_t, tor_etc_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index 699fc79..12d11f6 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -71,41 +71,31 @@ interface(`uucp_domtrans_uux',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the uucp domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`uucp_admin',`
gen_require(`
- type uucp_t, uucp_tmp_t, uucp_log_t;
- type uucp_spool_t, uucp_ro_t, uucp_rw_t;
- type uucp_var_run_t;
+ type uucpd_t, uucpd_tmp_t, uucpd_log_t;
+ type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
+ type uucpd_var_run_t;
')
- allow $1 uucp_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, uucp_t)
+ allow $1 uucpd_t:process { ptrace signal_perms getattr };
+ ps_process_pattern($1, uucpd_t)
files_list_tmp($1)
- manage_files_pattern($1, uucp_tmp_t, uucp_tmp_t)
+ manage_files_pattern($1, uucpd_tmp_t, uucpd_tmp_t)
logging_list_logs($1)
- manage_files_pattern($1, uucp_log_t, uucp_log_t)
+ manage_files_pattern($1, uucpd_log_t, uucpd_log_t)
files_list_spool($1)
- manage_files_pattern($1, uucp_spool_t, uucp_spool_t)
+ manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
- manage_files_pattern($1, uucp_rw_t, uucp_rw_t)
+ manage_files_pattern($1, uucpd_rw_t, uucpd_rw_t)
- manage_files_pattern($1, uucp_ro_t, uucp_ro_t)
+ manage_files_pattern($1, uucpd_ro_t, uucpd_ro_t)
files_list_pids($1)
- manage_files_pattern($1, uucp_var_run_t, uucp_var_run_t)
+ manage_files_pattern($1, uucpd_var_run_t, uucpd_var_run_t)
')
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index 3360078..bdd8cbc 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -87,16 +87,6 @@ interface(`zabbix_read_pid_files',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the zabbix domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`zabbix_admin',`
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index f1af65b..bd9f6bc 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -32,16 +32,6 @@ interface(`zebra_read_config',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the zebra domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`zebra_admin',`
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index e566ab1..0a0163a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -690,16 +690,6 @@ interface(`logging_manage_generic_logs',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the audit domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`logging_admin_audit',`
@@ -731,16 +721,6 @@ interface(`logging_admin_audit',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the syslog domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`logging_admin_syslog',`
@@ -788,19 +768,9 @@ interface(`logging_admin_syslog',`
## Domain allowed access.
##
##
-##
-##
-## The role to be allowed to manage the syslog domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
##
#
interface(`logging_admin',`
- logging_admin_audit($1, $2, $3)
- logging_admin_syslog($1, $2, $3)
+ logging_admin_audit($1)
+ logging_admin_syslog($1)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index bebb25f..6b178bb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -382,6 +382,7 @@ interface(`miscfiles_read_tetex_data',`
interface(`miscfiles_exec_tetex_data',`
gen_require(`
type fonts_t;
+ type tetex_data_t;
')
files_search_var($1)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 89f7ed6..095bd1e 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -200,7 +200,7 @@ interface(`modutils_domtrans_depmod',`
#
interface(`modutils_run_depmod',`
gen_require(`
- type depmod_t;
+ type depmod_t, insmod_t;
')
modutils_domtrans_depmod($1)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 7220070..9ebb939 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -817,7 +817,7 @@ interface(`seutil_read_file_contexts',`
#
interface(`seutil_rw_file_contexts',`
gen_require(`
- type selinux_config_t, file_context_t;
+ type selinux_config_t, file_context_t, default_context_t;
')
files_search_etc($1)
@@ -838,7 +838,7 @@ interface(`seutil_rw_file_contexts',`
#
interface(`seutil_manage_file_contexts',`
gen_require(`
- type selinux_config_t, file_context_t;
+ type selinux_config_t, file_context_t, default_context_t;
')
files_search_etc($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 91ef0a0..824005d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -191,7 +191,7 @@ template(`userdom_ro_home_template',`
fs_read_nfs_named_sockets($1_t)
fs_read_nfs_named_pipes($1_t)
',`
- fs_dontaudit_read_nfs_dirs($1_t)
+ fs_dontaudit_list_nfs($1_t)
fs_dontaudit_read_nfs_files($1_t)
')
@@ -1112,10 +1112,6 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
- ')
-
- optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
')
@@ -4130,8 +4126,8 @@ interface(`userdom_sysadm_sbin_spec_domtrans_to',`
##
#
interface(`userdom_sysadm_entry_spec_domtrans_to',`
- refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans_to() instead.')
- sysadm_entry_spec_domtrans_to($1)
+ refpolicywarn(`$0($*) has been deprecated. Please use sysadm_entry_spec_domtrans() instead.')
+ sysadm_entry_spec_domtrans($1)
')
########################################
@@ -4850,7 +4846,7 @@ interface(`userdom_search_generic_user_home_dirs',`
#
interface(`userdom_generic_user_home_dir_filetrans_generic_user_home_content',`
refpolicywarn(`$0($*) has been deprecated. Please use unprivuser_home_dir_filetrans_home_content() instead.')
- unprivuser_home_dir_filetrans_home_content($1)
+ unprivuser_home_dir_filetrans_home_content($1, $2)
')
########################################