diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index ead44ee..21cee0d 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -59,7 +59,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(dmesg_t)
+ seutil_sigchld_newrole(dmesg_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index e616644..11022f8 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -12,13 +12,13 @@ domain_obj_id_change_exempt(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
-files_file_type(logrotate_exec_t)
+files_type(logrotate_exec_t)
type logrotate_tmp_t;
files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
-files_file_type(logrotate_var_lib_t)
+files_type(logrotate_var_lib_t)
########################################
#
@@ -76,13 +76,13 @@ domain_signal_all_domains(logrotate_t)
domain_use_wide_inherit_fd(logrotate_t)
files_read_usr_files(logrotate_t)
-files_read_generic_etc_files(logrotate_t)
+files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
-files_manage_generic_lock_files(logrotate_t)
+files_manage_generic_locks(logrotate_t)
files_read_all_pids(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type.
-files_manage_spools(logrotate_t)
-files_manage_spool_dirs(logrotate_t)
+files_manage_generic_spools(logrotate_t)
+files_manage_generic_spool_dirs(logrotate_t)
hostname_exec(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index a6b8fb2..05b3046 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -56,7 +56,7 @@ fs_getattr_xattr_fs(netutils_t)
domain_use_wide_inherit_fd(netutils_t)
-files_read_generic_etc_files(netutils_t)
+files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
@@ -110,7 +110,7 @@ fs_dontaudit_getattr_xattr_fs(ping_t)
domain_use_wide_inherit_fd(ping_t)
-files_read_generic_etc_files(ping_t)
+files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
libs_use_ld_so(ping_t)
@@ -166,7 +166,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_wide_inherit_fd(traceroute_t)
-files_read_generic_etc_files(traceroute_t)
+files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)
libs_use_ld_so(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 89c8eb8..b5fc841 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -14,7 +14,7 @@ domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t;
type rpm_file_t;
-files_file_type(rpm_file_t)
+files_type(rpm_file_t)
type rpm_tmp_t;
files_tmp_file(rpm_tmp_t)
@@ -26,7 +26,7 @@ type rpm_log_t;
logging_log_file(rpm_log_t)
type rpm_var_lib_t;
-files_file_type(rpm_var_lib_t)
+files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role;
@@ -138,7 +138,7 @@ domain_exec_all_entry_files(rpm_t)
domain_read_all_domains_state(rpm_t)
domain_use_wide_inherit_fd(rpm_t)
-files_exec_generic_etc_files(rpm_t)
+files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -287,7 +287,7 @@ domain_exec_all_entry_files(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
-files_exec_generic_etc_files(rpm_script_t)
+files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 9c01380..93cb52a 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -7,7 +7,7 @@ policy_module(usermanage,1.0)
#
type admin_passwd_exec_t;
-files_file_type(admin_passwd_exec_t)
+files_type(admin_passwd_exec_t)
type chfn_t;
domain_obj_id_change_exempt(chfn_t)
@@ -24,7 +24,7 @@ type crack_exec_t;
domain_entry_file(crack_t,crack_exec_t)
type crack_db_t; #, usercanread;
-files_file_type(crack_db_t)
+files_type(crack_db_t)
type crack_tmp_t;
files_tmp_file(crack_tmp_t)
@@ -49,7 +49,7 @@ domain_type(sysadm_passwd_t)
domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
type sysadm_passwd_tmp_t;
-files_file_type(sysadm_passwd_tmp_t)
+files_type(sysadm_passwd_tmp_t)
type useradd_t; # nscd_client_domain;
type useradd_exec_t;
@@ -95,7 +95,7 @@ dev_read_urand(chfn_t)
domain_use_wide_inherit_fd(chfn_t)
-files_manage_generic_etc_files(chfn_t)
+files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
@@ -165,7 +165,7 @@ dev_read_urand(crack_t)
fs_getattr_xattr_fs(crack_t)
-files_read_generic_etc_files(crack_t)
+files_read_etc_files(crack_t)
files_read_etc_runtime_files(crack_t)
# for dictionaries
files_read_usr_files(crack_t)
@@ -228,7 +228,7 @@ init_dontaudit_write_script_pid(groupadd_t)
domain_use_wide_inherit_fd(groupadd_t)
-files_manage_generic_etc_files(groupadd_t)
+files_manage_etc_files(groupadd_t)
libs_use_ld_so(groupadd_t)
libs_use_shared_libs(groupadd_t)
@@ -306,7 +306,7 @@ init_dontaudit_rw_script_pid(passwd_t)
domain_use_wide_inherit_fd(passwd_t)
files_read_etc_runtime_files(passwd_t)
-files_manage_generic_etc_files(passwd_t)
+files_manage_etc_files(passwd_t)
files_search_var(passwd_t)
libs_use_ld_so(passwd_t)
@@ -405,7 +405,7 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_wide_inherit_fd(sysadm_passwd_t)
-files_manage_generic_etc_files(sysadm_passwd_t)
+files_manage_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
@@ -496,7 +496,7 @@ corecmd_exec_sbin(useradd_t)
domain_use_wide_inherit_fd(useradd_t)
-files_manage_generic_etc_files(useradd_t)
+files_manage_etc_files(useradd_t)
init_use_fd(useradd_t)
init_rw_script_pid(useradd_t)
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index fdd1690..2ceb904 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -44,7 +44,7 @@ template(`gpg_per_userdomain_template',`
files_tmp_file($1_gpg_agent_tmp_t)
type $1_gpg_secret_t; #, $1_file_type;
- files_file_type($1_gpg_secret_t)
+ files_type($1_gpg_secret_t)
type $1_gpg_helper_t;
domain_type($1_gpg_helper_t)
@@ -95,7 +95,7 @@ template(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t)
- files_read_generic_etc_files($1_gpg_t)
+ files_read_etc_files($1_gpg_t)
files_read_usr_files($1_gpg_t)
libs_use_shared_libs($1_gpg_t)
@@ -210,7 +210,7 @@ template(`gpg_per_userdomain_template',`
dev_read_urand($1_gpg_helper_t)
- files_read_generic_etc_files($1_gpg_helper_t)
+ files_read_etc_files($1_gpg_helper_t)
# for nscd
files_dontaudit_search_var($1_gpg_helper_t)
@@ -322,7 +322,7 @@ template(`gpg_per_userdomain_template',`
files_read_usr_files($1_gpg_pinentry_t)
# read /etc/X11/qtrc
- files_read_generic_etc_files($1_gpg_pinentry_t)
+ files_read_etc_files($1_gpg_pinentry_t)
libs_use_ld_so($1_gpg_pinentry_t)
libs_use_shared_libs($1_gpg_pinentry_t)
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 15154b9..1097ac2 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -9,16 +9,16 @@ policy_module(gpg, 1.0)
# Type for gpg or pgp executables.
type gpg_exec_t;
type gpg_helper_exec_t;
-files_file_type(gpg_exec_t)
-files_file_type(gpg_helper_exec_t)
+files_type(gpg_exec_t)
+files_type(gpg_helper_exec_t)
# Type for the gpg-agent executable.
type gpg_agent_exec_t;
-files_file_type(gpg_agent_exec_t)
+files_type(gpg_agent_exec_t)
# type for the pinentry executable
type pinentry_exec_t;
-files_file_type(pinentry_exec_t)
+files_type(pinentry_exec_t)
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 920b229..bd87091 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -59,7 +59,7 @@ interface(`bootloader_run',`
## The type of the process performing this action.
##
#
-interface(`bootloader_search_boot_dir',`
+interface(`bootloader_search_boot',`
gen_require(`
type boot_t;
class dir search;
@@ -362,9 +362,9 @@ interface(`bootloader_manage_kernel_modules',`
########################################
#
-# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
+# bootloader_create_modules(domain,privatetype,[class(es)])
#
-interface(`bootloader_create_private_module_dir_entry',`
+interface(`bootloader_create_modules',`
gen_require(`
type modules_object_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index ae1d044..4b17b78 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -12,7 +12,7 @@ attribute rw_kern_modules;
# boot_t is the type for files in /boot
#
type boot_t;
-files_file_type(boot_t)
+files_type(boot_t)
files_mountpoint(boot_t)
#
@@ -21,7 +21,7 @@ files_mountpoint(boot_t)
# only for Red Hat
#
type boot_runtime_t;
-files_file_type(boot_runtime_t)
+files_type(boot_runtime_t)
type bootloader_t;
domain_type(bootloader_t)
@@ -35,7 +35,7 @@ domain_entry_file(bootloader_t,bootloader_exec_t)
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
-files_file_type(bootloader_etc_t)
+files_type(bootloader_etc_t)
#
# The temp file is used for initrd creation;
@@ -47,7 +47,7 @@ dev_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
-files_file_type(modules_object_t)
+files_type(modules_object_t)
neverallow ~rw_kern_modules modules_object_t:file { create append write };
@@ -55,7 +55,7 @@ neverallow ~rw_kern_modules modules_object_t:file { create append write };
# system_map_t is for the system.map files in /boot
#
type system_map_t;
-files_file_type(system_map_t)
+files_type(system_map_t)
########################################
#
@@ -122,11 +122,11 @@ libs_use_ld_so(bootloader_t)
libs_use_shared_libs(bootloader_t)
libs_read_lib(bootloader_t)
-files_read_generic_etc_files(bootloader_t)
+files_read_etc_files(bootloader_t)
files_read_etc_runtime_files(bootloader_t)
-files_read_usr_src(bootloader_t)
+files_read_usr_src_files(bootloader_t)
files_read_usr_files(bootloader_t)
-files_read_var_file(bootloader_t)
+files_read_var_files(bootloader_t)
# for nscd
files_dontaudit_search_pids(bootloader_t)
@@ -185,7 +185,7 @@ optional_policy(`lvm.te',`
optional_policy(`modutils.te',`
modutils_exec_insmod(insmod_t)
- modutils_read_kernel_module_dependencies(bootloader_t)
+ modutils_read_mods_deps(bootloader_t)
modutils_read_module_conf(bootloader_t)
modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 8a45060..0e776ab 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -9,7 +9,7 @@ attribute memory_raw_write;
# device_t is the type of /dev.
#
type device_t;
-files_file_type(device_t)
+files_type(device_t)
files_mountpoint(device_t)
fs_associate_tmpfs(device_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 42edcd8..fa8fc1b 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t, filesystem_type;
-files_file_type(tmpfs_t)
+files_type(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index b2682a0..996a029 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -128,7 +128,7 @@ interface(`storage_raw_write_fixed_disk',`
## The type of the process performing this action.
##
#
-interface(`storage_create_fixed_disk_dev_entry',`
+interface(`storage_create_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 5c13c28..ade0f6d 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -25,7 +25,7 @@ template(`cron_per_userdomain_template',`
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t;
- files_file_type($1_cron_spool_t)
+ files_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain;
domain_type($1_crond_t);
@@ -92,7 +92,7 @@ template(`cron_per_userdomain_template',`
domain_exec_all_entry_files($1_crond_t)
files_read_usr_files($1_crond_t)
- files_exec_generic_etc_files($1_crond_t)
+ files_exec_etc_files($1_crond_t)
# for nscd:
files_dontaudit_search_pids($1_crond_t)
@@ -176,7 +176,7 @@ template(`cron_per_userdomain_template',`
domain_use_wide_inherit_fd($1_crontab_t)
- files_read_generic_etc_files($1_crontab_t)
+ files_read_etc_files($1_crontab_t)
libs_use_ld_so($1_crontab_t)
libs_use_shared_libs($1_crontab_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 4d1ea1b..bf07c9e 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -7,10 +7,10 @@ policy_module(cron, 1.0)
#
type anacron_exec_t;
-files_file_type(anacron_exec_t)
+files_type(anacron_exec_t)
type cron_spool_t;
-files_file_type(cron_spool_t)
+files_type(cron_spool_t)
type crond_t; #, privmail, nscd_client_domain
type crond_exec_t;
@@ -27,7 +27,7 @@ type crond_var_run_t;
files_pid_file(crond_var_run_t)
type crontab_exec_t;
-files_file_type(crontab_exec_t)
+files_type(crontab_exec_t)
type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain;
@@ -99,8 +99,8 @@ corecmd_list_sbin(crond_t)
domain_use_wide_inherit_fd(crond_t)
-files_read_generic_etc_files(crond_t)
-files_read_spools(crond_t)
+files_read_etc_files(crond_t)
+files_read_generic_spools(crond_t)
init_use_fd(crond_t)
init_use_script_pty(crond_t)
@@ -112,7 +112,7 @@ logging_send_syslog_msg(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
-seutil_newrole_sigchld(crond_t)
+seutil_sigchld_newrole(crond_t)
miscfiles_read_localization(crond_t)
@@ -206,7 +206,7 @@ allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms;
-files_create_lock_file(system_crond_t,system_crond_lock_t)
+files_create_lock(system_crond_t,system_crond_lock_t)
# write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms;
@@ -254,18 +254,18 @@ corecmd_exec_sbin(system_crond_t)
domain_exec_all_entry_files(system_crond_t)
-files_exec_generic_etc_files(system_crond_t)
-files_read_generic_etc_files(system_crond_t)
+files_exec_etc_files(system_crond_t)
+files_read_etc_files(system_crond_t)
files_read_etc_runtime_files(system_crond_t)
files_list_all_dirs(system_crond_t)
files_getattr_all_files(system_crond_t)
files_read_usr_files(system_crond_t)
-files_read_var_file(system_crond_t)
+files_read_var_files(system_crond_t)
# for nscd:
files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
-files_manage_spools(system_crond_t)
+files_manage_generic_spools(system_crond_t)
init_use_fd(system_crond_t)
init_use_script_fd(system_crond_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index b59177c..97e792d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -94,7 +94,7 @@ corecmd_read_sbin_symlink(inetd_t)
domain_use_wide_inherit_fd(inetd_t)
-files_read_generic_etc_files(inetd_t)
+files_read_etc_files(inetd_t)
init_use_fd(inetd_t)
init_use_script_pty(inetd_t)
@@ -121,7 +121,7 @@ optional_policy(`mount.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(inetd_t)
+ seutil_sigchld_newrole(inetd_t)
')
optional_policy(`udev.te', `
@@ -199,7 +199,7 @@ dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-files_read_generic_etc_files(inetd_child_t)
+files_read_etc_files(inetd_child_t)
libs_use_ld_so(inetd_child_t)
libs_use_shared_libs(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index f156541..1773fa8 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -54,7 +54,7 @@ template(`mta_per_userdomain_template',`
corecmd_exec_bin($1_mail_t)
- files_read_generic_etc_files($1_mail_t)
+ files_read_etc_files($1_mail_t)
logging_send_syslog_msg($1_mail_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 0ac3e9f..3258ffc 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -7,21 +7,21 @@ policy_module(mta,1.0)
#
type etc_aliases_t;
-files_file_type(etc_aliases_t)
+files_type(etc_aliases_t)
type etc_mail_t;
-files_file_type(etc_mail_t)
+files_type(etc_mail_t)
attribute mailserver_domain;
type mqueue_spool_t;
-files_file_type(mqueue_spool_t)
+files_type(mqueue_spool_t)
type mail_spool_t;
-files_file_type(mail_spool_t)
+files_type(mail_spool_t)
type sendmail_exec_t;
-files_file_type(sendmail_exec_t)
+files_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain, nscd_client_domain;
domain_type(system_mail_t)
@@ -67,7 +67,7 @@ fs_getattr_xattr_fs(system_mail_t)
init_use_script_pty(system_mail_t)
files_read_etc_runtime_files(system_mail_t)
-files_read_generic_etc_files(system_mail_t)
+files_read_etc_files(system_mail_t)
# It wants to check for nscd
files_dontaudit_search_pids(system_mail_t)
@@ -146,7 +146,7 @@ ifdef(`targeted_policy', `
ifdef(`postfix.te', `', `
domain_exec_all_entry_files(system_mail_t)
-files_exec_generic_etc_files(system_mail_t)
+files_exec_etc_files(system_mail_t)
corecmd_exec_bin(system_mail_t)
corecmd_exec_sbin(system_mail_t)
libs_use_ld_so(system_mail_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index c5745ef..f7e0fa9 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -7,7 +7,7 @@ policy_module(nis,1.0)
#
type var_yp_t;
-files_file_type(var_yp_t)
+files_type(var_yp_t)
type ypbind_t;
type ypbind_exec_t;
@@ -24,7 +24,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t,ypserv_exec_t)
type ypserv_conf_t;
-files_file_type(ypserv_conf_t)
+files_type(ypserv_conf_t)
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
@@ -83,7 +83,7 @@ term_dontaudit_use_console(ypbind_t)
domain_use_wide_inherit_fd(ypbind_t)
-files_read_generic_etc_files(ypbind_t)
+files_read_etc_files(ypbind_t)
init_use_fd(ypbind_t)
init_use_script_pty(ypbind_t)
@@ -111,7 +111,7 @@ optional_policy(`mount.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(ypbind_t)
+ seutil_sigchld_newrole(ypbind_t)
')
optional_policy(`udev.te', `
@@ -200,7 +200,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(ypserv_t)
+ seutil_sigchld_newrole(ypserv_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 4c5a5b7..d1c4d85 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -65,7 +65,7 @@ auth_manage_pam_console_data(remote_login_t)
domain_read_all_entry_files(remote_login_t)
-files_read_generic_etc_files(remote_login_t)
+files_read_etc_files(remote_login_t)
files_read_etc_runtime_files(remote_login_t)
files_list_home(remote_login_t)
files_read_usr_files(remote_login_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 359b5ae..57a4844 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -63,7 +63,7 @@ term_dontaudit_use_console(sendmail_t)
domain_use_wide_inherit_fd(sendmail_t)
-files_read_generic_etc_files(sendmail_t)
+files_read_etc_files(sendmail_t)
files_search_spool(sendmail_t)
init_use_fd(sendmail_t)
@@ -100,7 +100,7 @@ optional_policy(`nis.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(sendmail_t)
+ seutil_sigchld_newrole(sendmail_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 0369e9d..2635c89 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -28,7 +28,7 @@ template(`ssh_per_userdomain_template',`
#
type $1_home_ssh_t; #, $1_file_type;
- files_file_type($1_home_ssh_t)
+ files_type($1_home_ssh_t)
role $1_r types $1_ssh_t;
type $1_ssh_t; #, nscd_client_domain;
@@ -109,7 +109,7 @@ template(`ssh_per_userdomain_template',`
files_list_home($1_ssh_t)
files_read_usr_files($1_ssh_t)
files_read_etc_runtime_files($1_ssh_t)
- files_read_generic_etc_files($1_ssh_t)
+ files_read_etc_files($1_ssh_t)
libs_use_ld_so($1_ssh_t)
libs_use_shared_libs($1_ssh_t)
@@ -248,7 +248,7 @@ template(`ssh_per_userdomain_template',`
domain_use_wide_inherit_fd($1_ssh_agent_t)
- files_read_generic_etc_files($1_ssh_agent_t)
+ files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
libs_read_lib($1_ssh_agent_t)
@@ -343,11 +343,11 @@ template(`ssh_per_userdomain_template',`
##
##
##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+## The prefix of the server domain (e.g., sshd
+## is the prefix for sshd_t).
##
#
-template(`sshd_program_domain', `
+template(`ssh_server_template', `
type $1_t, ssh_server; #, nscd_client_domain;
role system_r types $1_t;
@@ -413,7 +413,7 @@ template(`sshd_program_domain', `
domain_role_change_exempt($1_t)
domain_obj_id_change_exempt($1_t)
- files_read_generic_etc_files($1_t)
+ files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
init_rw_script_pid($1_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 9b25e36..8ecd0a7 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -10,18 +10,18 @@ attribute ssh_server;
# Type for the ssh-agent executable.
type ssh_agent_exec_t;
-files_file_type(ssh_agent_exec_t)
+files_type(ssh_agent_exec_t)
# ssh client executable.
type ssh_exec_t;
-files_file_type(ssh_exec_t)
+files_type(ssh_exec_t)
type ssh_keygen_t;
type ssh_keygen_exec_t;
init_daemon_domain(ssh_keygen_t,ssh_keygen_exec_t)
role system_r types ssh_keygen_t;
-sshd_program_domain(sshd)
+ssh_server_template(sshd)
optional_policy(`inetd.te',`
# CJP: commenting this out until typeattribute works in a conditional
@@ -37,12 +37,12 @@ optional_policy(`inetd.te',`
')
type sshd_exec_t;
-files_file_type(sshd_exec_t)
+files_type(sshd_exec_t)
-sshd_program_domain(sshd_extern)
+ssh_server_template(sshd_extern)
type sshd_key_t;
-files_file_type(sshd_key_t)
+files_type(sshd_key_t)
type sshd_tmp_t;
files_tmp_file(sshd_tmp_t)
@@ -191,7 +191,7 @@ term_dontaudit_use_console(ssh_keygen_t)
domain_use_wide_inherit_fd(ssh_keygen_t)
-files_read_generic_etc_files(ssh_keygen_t)
+files_read_etc_files(ssh_keygen_t)
init_use_fd(ssh_keygen_t)
init_use_script_pty(ssh_keygen_t)
@@ -222,7 +222,7 @@ optional_policy(`rhgb.te', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(ssh_keygen_t)
+ seutil_sigchld_newrole(ssh_keygen_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 6fcb4d0..91436bd 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -57,7 +57,7 @@ template(`authlogin_per_userdomain_template',`
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
- files_read_generic_etc_files($1_chkpwd_t)
+ files_read_etc_files($1_chkpwd_t)
# for nscd
files_dontaudit_search_var($1_chkpwd_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index c33677c..b13fd9c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -11,7 +11,7 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t;
-files_file_type(chkpwd_exec_t)
+files_type(chkpwd_exec_t)
type faillog_t;
logging_log_file(faillog_t)
@@ -20,7 +20,7 @@ type lastlog_t;
logging_log_file(lastlog_t)
type login_exec_t;
-files_file_type(login_exec_t)
+files_type(login_exec_t)
type pam_console_t;
type pam_console_exec_t;
@@ -40,13 +40,13 @@ type pam_tmp_t;
files_tmp_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain
-files_file_type(pam_var_console_t)
+files_type(pam_var_console_t)
type pam_var_run_t;
files_pid_file(pam_var_run_t)
type shadow_t;
-files_file_type(shadow_t)
+files_type(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
@@ -100,7 +100,7 @@ term_use_all_user_ptys(pam_t)
init_dontaudit_rw_script_pid(pam_t)
-files_read_generic_etc_files(pam_t)
+files_read_etc_files(pam_t)
files_list_pids(pam_t)
libs_use_ld_so(pam_t)
@@ -172,7 +172,7 @@ term_setattr_unallocated_ttys(pam_console_t)
domain_use_wide_inherit_fd(pam_console_t)
-files_read_generic_etc_files(pam_console_t)
+files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
@@ -204,7 +204,7 @@ optional_policy(`hotplug.te', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(pam_console_t)
+ seutil_sigchld_newrole(pam_console_t)
')
optional_policy(`udev.te', `
@@ -244,7 +244,7 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_use_unallocated_tty(system_chkpwd_t)
-files_read_generic_etc_files(system_chkpwd_t)
+files_read_etc_files(system_chkpwd_t)
# for nscd
files_dontaudit_search_var(system_chkpwd_t)
@@ -297,7 +297,7 @@ term_dontaudit_use_ptmx(utempter_t)
init_rw_script_pid(utempter_t)
-files_read_generic_etc_files(utempter_t)
+files_read_etc_files(utempter_t)
domain_use_wide_inherit_fd(utempter_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 5833654..71bcd63 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -7,7 +7,7 @@ policy_module(clock,1.0)
#
type adjtime_t;
-files_file_type(adjtime_t)
+files_type(adjtime_t)
type hwclock_t;
type hwclock_exec_t;
@@ -65,7 +65,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(hwclock_t)
+ seutil_sigchld_newrole(hwclock_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 8c49c97..712367f 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
# bin_t is the type of files in the system bin directories.
#
type bin_t;
-files_file_type(bin_t)
+files_type(bin_t)
#
# sbin_t is the type of files in the system sbin directories.
#
type sbin_t;
-files_file_type(sbin_t)
+files_type(sbin_t)
#
# ls_exec_t is the type of the ls program.
#
type ls_exec_t;
-files_file_type(ls_exec_t)
+files_type(ls_exec_t)
#
# shell_exec_t is the type of user shells such as /bin/bash.
#
type shell_exec_t;
-files_file_type(shell_exec_t)
+files_type(shell_exec_t)
type chroot_exec_t;
-files_file_type(chroot_exec_t)
+files_type(chroot_exec_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index b77214b..2675b4a 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -61,7 +61,7 @@ interface(`domain_entry_file',`
class file entrypoint;
')
- files_file_type($2)
+ files_type($2)
allow $1 $2:file entrypoint;
typeattribute $2 entry_type;
')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index c28b1fb..1e285b3 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -17,9 +17,9 @@
########################################
#
-# files_file_type(type)
+# files_type(type)
#
-interface(`files_file_type',`
+interface(`files_type',`
gen_require(`
attribute file_type;
')
@@ -38,7 +38,7 @@ interface(`files_lock_file',`
attribute lockfile;
')
- files_file_type($1)
+ files_type($1)
typeattribute $1 lockfile;
')
@@ -51,7 +51,7 @@ interface(`files_mountpoint',`
attribute mountpoint;
')
- files_file_type($1)
+ files_type($1)
typeattribute $1 mountpoint;
')
@@ -64,7 +64,7 @@ interface(`files_pid_file',`
attribute pidfile;
')
- files_file_type($1)
+ files_type($1)
typeattribute $1 pidfile;
')
@@ -77,7 +77,7 @@ interface(`files_tmp_file',`
attribute tmpfile;
')
- files_file_type($1)
+ files_type($1)
typeattribute $1 tmpfile;
')
@@ -95,7 +95,7 @@ interface(`files_tmpfs_file',`
attribute tmpfsfile;
')
- files_file_type($1)
+ files_type($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile;
')
@@ -439,9 +439,9 @@ interface(`files_list_etc',`
########################################
#
-# files_read_generic_etc_files(domain)
+# files_read_etc_files(domain)
#
-interface(`files_read_generic_etc_files',`
+interface(`files_read_etc_files',`
gen_require(`
type etc_t;
class dir r_dir_perms;
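Review bot: The new name files_read_etc_files reads as if it covered everything under /etc, but the gen_require at the end of this hunk still pulls in only `type etc_t;`, so the interface grants read access to generically labelled etc files and nothing carrying a private type such as shadow_t or etc_aliases_t, while the "generic" qualifier that was dropped here is kept for the lock and spool interfaces (files_manage_generic_locks, files_read_generic_spools), leaving the etc family named inconsistently with them. A scope line in the header comment would make this explicit, e.g. `# files_read_etc_files(domain) - read files labelled etc_t; private /etc types are not covered`, and the same applies to files_rw_etc_files, files_manage_etc_files, files_delete_etc_files and files_exec_etc_files in the hunks below. Separately, files_rw_generic_etc_files and files_delete_generic_etc_files are renamed in this file with no caller updated anywhere in the diff; if a caller outside it still uses an old name, m4 leaves the call unexpanded and the policy build fails, so a tree-wide search for the old names is worth doing before merging. The interface body continues outside the hunk.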
@@ -456,9 +456,9 @@ interface(`files_read_generic_etc_files',`
########################################
#
-# files_rw_generic_etc_files(domain)
+# files_rw_etc_files(domain)
#
-interface(`files_rw_generic_etc_files',`
+interface(`files_rw_etc_files',`
gen_require(`
type etc_t;
class dir r_dir_perms;
@@ -473,9 +473,9 @@ interface(`files_rw_generic_etc_files',`
########################################
#
-# files_manage_generic_etc_files(domain)
+# files_manage_etc_files(domain)
#
-interface(`files_manage_generic_etc_files',`
+interface(`files_manage_etc_files',`
gen_require(`
type etc_t;
class dir rw_dir_perms;
@@ -496,7 +496,7 @@ interface(`files_manage_generic_etc_files',`
## The type of the process performing this action.
##
#
-interface(`files_delete_generic_etc_files',`
+interface(`files_delete_etc_files',`
gen_require(`
type etc_t;
class dir rw_dir_perms;
@@ -509,9 +509,9 @@ interface(`files_delete_generic_etc_files',`
########################################
#
-# files_exec_generic_etc_files(domain)
+# files_exec_etc_files(domain)
#
-interface(`files_exec_generic_etc_files',`
+interface(`files_exec_etc_files',`
gen_require(`
type etc_t;
class dir r_dir_perms;
@@ -591,7 +591,6 @@ interface(`files_create_etc_config',`
')
')
-
########################################
##
## Do not audit attempts to search directories on new filesystems
@@ -908,9 +907,9 @@ interface(`files_exec_usr_files',`
########################################
#
-# files_read_usr_src(domain)
+# files_read_usr_src_files(domain)
#
-interface(`files_read_usr_src',`
+interface(`files_read_usr_src_files',`
gen_require(`
type usr_t, src_t;
class dir r_dir_perms;
@@ -957,7 +956,7 @@ interface(`files_dontaudit_search_var',`
## The type of the process performing this action.
##
#
-interface(`files_read_var_file',`
+interface(`files_read_var_files',`
gen_require(`
type var_t;
class dir search;
@@ -1003,9 +1002,9 @@ interface(`files_manage_urandom_seed',`
########################################
#
-# files_getattr_generic_lock_files(domain)
+# files_getattr_generic_locks(domain)
#
-interface(`files_getattr_generic_lock_files',`
+interface(`files_getattr_generic_locks',`
gen_require(`
type var_lock_t;
class dir r_dir_perms;
@@ -1018,9 +1017,9 @@ interface(`files_getattr_generic_lock_files',`
########################################
#
-# files_manage_generic_lock_files(domain)
+# files_manage_generic_locks(domain)
#
-interface(`files_manage_generic_lock_files',`
+interface(`files_manage_generic_locks',`
gen_require(`
type var_lock_t;
class dir { getattr search create read write setattr add_name remove_name rmdir };
@@ -1033,9 +1032,9 @@ interface(`files_manage_generic_lock_files',`
########################################
#
-# files_delete_all_lock_files(domain)
+# files_delete_all_locks(domain)
#
-interface(`files_delete_all_lock_files',`
+interface(`files_delete_all_locks',`
gen_require(`
attribute lockfile;
class dir rw_dir_perms;
@@ -1048,9 +1047,9 @@ interface(`files_delete_all_lock_files',`
########################################
#
-# files_create_lock_file(domain,private_type,[object class(es)])
+# files_create_lock(domain,private_type,[object class(es)])
#
-interface(`files_create_lock_file',`
+interface(`files_create_lock',`
gen_require(`
type var_t, var_lock_t;
class dir rw_dir_perms;
@@ -1246,9 +1245,9 @@ interface(`files_list_spool',`
########################################
#
-# files_manage_spool_dirs(domain)
+# files_manage_generic_spool_dirs(domain)
#
-interface(`files_manage_spool_dirs',`
+interface(`files_manage_generic_spool_dirs',`
gen_require(`
type var_t, var_spool_t;
class dir create_dir_perms;
@@ -1260,9 +1259,9 @@ interface(`files_manage_spool_dirs',`
########################################
#
-# files_read_spools(domain)
+# files_read_generic_spools(domain)
#
-interface(`files_read_spools',`
+interface(`files_read_generic_spools',`
gen_require(`
type var_t, var_spool_t;
class dir r_dir_perms;
@@ -1276,9 +1275,9 @@ interface(`files_read_spools',`
########################################
#
-# files_manage_spools(domain)
+# files_manage_generic_spools(domain)
#
-interface(`files_manage_spools',`
+interface(`files_manage_generic_spools',`
gen_require(`
type var_t, var_spool_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 17eae07..643195c 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -14,7 +14,7 @@ type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
type swapfile_t;
-files_file_type(swapfile_t)
+files_type(swapfile_t)
########################################
@@ -73,7 +73,7 @@ domain_use_wide_inherit_fd(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
-files_read_generic_etc_files(fsadm_t)
+files_read_etc_files(fsadm_t)
files_list_mnt(fsadm_t)
files_manage_lost_found(fsadm_t)
# Write to /etc/mtab.
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 235375e..8aaa31a 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -59,9 +59,9 @@ auth_rw_login_records(getty_t)
corecmd_search_bin(getty_t)
files_rw_generic_pids(getty_t)
-files_manage_generic_lock_files(getty_t)
+files_manage_generic_locks(getty_t)
files_read_etc_runtime_files(getty_t)
-files_read_generic_etc_files(getty_t)
+files_read_etc_files(getty_t)
init_rw_script_pid(getty_t)
init_use_script_pty(getty_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 0605871..68d95a5 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -41,7 +41,7 @@ init_use_script_pty(hostname_t)
domain_use_wide_inherit_fd(hostname_t)
-files_read_generic_etc_files(hostname_t)
+files_read_etc_files(hostname_t)
files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hostname_t)
@@ -81,7 +81,7 @@ optional_policy(`hotplug.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(hostname_t)
+ seutil_sigchld_newrole(hostname_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index ecb0dca..a358722 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -12,7 +12,7 @@ kernel_userland_entry(hotplug_t,hotplug_exec_t)
init_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread;
-files_file_type(hotplug_etc_t)
+files_type(hotplug_etc_t)
type hotplug_var_run_t;
files_pid_file(hotplug_var_run_t)
@@ -78,9 +78,9 @@ corecmd_exec_sbin(hotplug_t)
domain_use_wide_inherit_fd(hotplug_t)
-files_read_generic_etc_files(hotplug_t)
+files_read_etc_files(hotplug_t)
files_manage_etc_runtime_files(hotplug_t)
-files_exec_generic_etc_files(hotplug_t)
+files_exec_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot:
files_dontaudit_search_isid_type_dir(hotplug_t)
@@ -102,7 +102,7 @@ libs_use_shared_libs(hotplug_t)
libs_read_lib(hotplug_t)
modutils_domtrans_insmod(hotplug_t)
-modutils_read_kernel_module_dependencies(hotplug_t)
+modutils_read_mods_deps(hotplug_t)
miscfiles_read_localization(hotplug_t)
@@ -118,7 +118,7 @@ ifdef(`distro_redhat', `
netutils_domtrans(hotplug_t)
fs_use_tmpfs_character_devices(hotplug_t)
')
- files_getattr_generic_lock_files(hotplug_t)
+ files_getattr_generic_locks(hotplug_t)
')
ifdef(`targeted_policy', `
@@ -152,7 +152,7 @@ optional_policy(`nis.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(hotplug_t)
+ seutil_sigchld_newrole(hotplug_t)
')
optional_policy(`sysnetwork.te',`
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 688df50..114b50d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -32,7 +32,7 @@ files_pid_file(init_var_run_t)
# to communicate with init.
#
type initctl_t;
-files_file_type(initctl_t)
+files_type(initctl_t)
type initrc_t;
domain_type(initrc_t)
@@ -50,7 +50,7 @@ type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
type initrc_state_t;
-files_file_type(initrc_state_t)
+files_type(initrc_state_t)
type initrc_tmp_t;
files_tmp_file(initrc_tmp_t)
@@ -108,12 +108,12 @@ domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
-files_read_generic_etc_files(init_t)
+files_read_etc_files(init_t)
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dir(init_t)
files_manage_etc_runtime_files(init_t)
# Run /etc/X11/prefdm:
-files_exec_generic_etc_files(init_t)
+files_exec_etc_files(init_t)
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_file(init_t)
files_dontaudit_rw_root_chr_dev(init_t)
@@ -260,16 +260,16 @@ domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
files_getattr_all_files(initrc_t)
files_delete_all_tmp_files(initrc_t)
-files_delete_all_lock_files(initrc_t)
+files_delete_all_locks(initrc_t)
files_read_all_pids(initrc_t)
files_delete_all_pids(initrc_t)
-files_read_generic_etc_files(initrc_t)
+files_read_etc_files(initrc_t)
files_manage_etc_runtime_files(initrc_t)
-files_manage_generic_lock_files(initrc_t)
-files_exec_generic_etc_files(initrc_t)
+files_manage_generic_locks(initrc_t)
+files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-files_manage_spools(initrc_t)
+files_manage_generic_spools(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
@@ -340,7 +340,7 @@ optional_policy(`hotplug.te',`
# init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t)
- modutils_read_kernel_module_dependencies(initrc_t)
+ modutils_read_mods_deps(initrc_t)
')
optional_policy(`lvm.te',`
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 27e8af2..9baa855 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -52,7 +52,7 @@ term_dontaudit_use_console(iptables_t)
domain_use_wide_inherit_fd(iptables_t)
-files_read_generic_etc_files(iptables_t)
+files_read_etc_files(iptables_t)
init_use_fd(iptables_t)
init_use_script_pty(iptables_t)
@@ -103,7 +103,7 @@ optional_policy(`nis.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(iptables_t)
+ seutil_sigchld_newrole(iptables_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 9064a91..9243b74 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -10,33 +10,33 @@ policy_module(libraries,1.0)
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
-files_file_type(ld_so_cache_t)
+files_type(ld_so_cache_t)
#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
-files_file_type(ld_so_t)
+files_type(ld_so_t)
#
# lib_t is the type of files in the system lib directories.
#
type lib_t;
-files_file_type(lib_t)
+files_type(lib_t)
#
# shlib_t is the type of shared objects in the system lib
# directories.
#
type shlib_t;
-files_file_type(shlib_t)
+files_type(shlib_t)
#
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type texrel_shlib_t;
-files_file_type(texrel_shlib_t)
+files_type(texrel_shlib_t)
########################################
#
@@ -65,9 +65,9 @@ fs_getattr_xattr_fs(ldconfig_t)
domain_use_wide_inherit_fd(ldconfig_t)
files_search_var_lib(ldconfig_t)
-files_read_generic_etc_files(ldconfig_t)
+files_read_etc_files(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
-files_delete_generic_etc_files(ldconfig_t)
+files_delete_etc_files(ldconfig_t)
init_use_script_pty(ldconfig_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 433c4f7..c8779a8 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -16,7 +16,7 @@ domain_wide_inherit_fd(local_login_t)
role system_r types local_login_t;
type local_login_tmp_t;
-files_file_type(local_login_tmp_t)
+files_type(local_login_tmp_t)
type sulogin_t;
type sulogin_exec_t;
@@ -102,10 +102,10 @@ auth_manage_pam_console_data(local_login_t)
domain_read_all_entry_files(local_login_t)
-files_read_generic_etc_files(local_login_t)
+files_read_etc_files(local_login_t)
files_read_etc_runtime_files(local_login_t)
files_read_usr_files(local_login_t)
-files_manage_generic_lock_files(var_lock_t)
+files_manage_generic_locks(var_lock_t)
init_rw_script_pid(local_login_t)
init_dontaudit_use_fd(local_login_t)
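Review bot: The renamed call `files_manage_generic_locks(var_lock_t)` passes the lock-directory type where the interface expects the calling domain, so `local_login_t` still gets no lock-file access from this line; every other call in the hunk passes `local_login_t`, and `var_lock_t` is the very type the interface's own `gen_require` lists (`type var_lock_t;` under `files_manage_generic_locks` earlier in this diff). The mistake pre-dates the rename (`files_manage_generic_lock_files(var_lock_t)`), but the commit touches the line and carries it forward unchanged. Change it to `files_manage_generic_locks(local_login_t)`. The local_login_t rule block continues outside the hunk.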
@@ -223,7 +223,7 @@ kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-files_read_generic_etc_files(sulogin_t)
+files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dir(sulogin_t)
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 07a65c5..295cf62 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -9,7 +9,7 @@ interface(`logging_log_file',`
attribute logfile;
')
- files_file_type($1)
+ files_type($1)
typeattribute $1 logfile;
')
@@ -143,10 +143,16 @@ interface(`logging_read_all_logs',`
allow $1 logfile:file r_file_perms;
')
-#######################################
-#
-# logging_exec_all_logs(domain)
+########################################
+##
+## Execute all log files in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
#
+# cjp: not sure why this is needed. This was added
+# because of logrotate.
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
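Review bot: The new summary for `logging_exec_all_logs` ("Execute all log files in the caller domain.") should say what that grants: `logfile` is the attribute that `logging_read_all_logs` uses to cover every log file, so execute on it presumably lets the caller run whatever any domain able to write a log file has written, which is an escalation path into the caller's domain. The "cjp: not sure why this is needed" remark sits under a plain `#` and so never reaches the generated documentation; I would fold it into the `##` block as `## Warning: this allows execution of content written by any domain that can write a log file. Added for logrotate; the exact need is not understood.` so that reviewers of policy using this interface see it. The interface body (the `allow` rule) continues past the end of the hunk.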
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4838db1..134e411 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -19,7 +19,7 @@ type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
type devlog_t;
-files_file_type(devlog_t)
+files_type(devlog_t)
type klogd_t;
type klogd_exec_t;
@@ -42,7 +42,7 @@ type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
type var_log_t, logfile;
-files_file_type(var_log_t)
+files_type(var_log_t)
########################################
#
@@ -72,7 +72,7 @@ init_use_script_pty(auditd_t)
domain_use_wide_inherit_fd(auditd_t)
-files_read_generic_etc_files(auditd_t)
+files_read_etc_files(auditd_t)
logging_send_syslog_msg(auditd_t)
@@ -90,7 +90,7 @@ ifdef(`targeted_policy', `
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(auditd_t)
+ seutil_sigchld_newrole(auditd_t)
')
optional_policy(`udev.te', `
@@ -139,7 +139,7 @@ fs_getattr_all_fs(klogd_t)
files_create_pid(klogd_t,klogd_var_run_t)
files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
-files_read_generic_etc_files(klogd_t)
+files_read_etc_files(klogd_t)
init_use_fd(klogd_t)
@@ -219,7 +219,7 @@ init_use_script_pty(syslogd_t)
domain_use_wide_inherit_fd(syslogd_t)
-files_read_generic_etc_files(syslogd_t)
+files_read_etc_files(syslogd_t)
libs_use_ld_so(syslogd_t)
libs_use_shared_libs(syslogd_t)
@@ -262,7 +262,7 @@ optional_policy(`nis.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(syslogd_t)
+ seutil_sigchld_newrole(syslogd_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 35098c4..78d6f0f 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -15,13 +15,13 @@ domain_obj_id_change_exempt(lvm_t)
role system_r types lvm_t;
type lvm_etc_t;
-files_file_type(lvm_etc_t)
+files_type(lvm_etc_t)
type lvm_lock_t;
files_lock_file(lvm_lock_t)
type lvm_metadata_t;
-files_file_type(lvm_metadata_t)
+files_type(lvm_metadata_t)
type lvm_tmp_t;
files_tmp_file(lvm_tmp_t)
@@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
-files_create_lock_file(lvm_t,lvm_lock_t)
+files_create_lock(lvm_t,lvm_lock_t)
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -111,7 +111,7 @@ storage_relabel_fixed_disk(lvm_t)
# depending on its version
# LVM(2) needs to create directores (/dev/mapper, /dev/)
# and links from /dev/ to /dev/mapper/-
-storage_create_fixed_disk_dev_entry(lvm_t)
+storage_create_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -123,7 +123,7 @@ corecmd_dontaudit_getattr_sbin_file(lvm_t)
domain_use_wide_inherit_fd(lvm_t)
files_search_var(lvm_t)
-files_read_generic_etc_files(lvm_t)
+files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(lvm_t)
@@ -141,7 +141,7 @@ miscfiles_read_localization(lvm_t)
seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t)
-seutil_newrole_sigchld(lvm_t)
+seutil_sigchld_newrole(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index c275451..6a4d3dd 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
# catman_t is the type for /var/catman.
#
type catman_t; # , tmpfile;
-files_file_type(catman_t)
+files_type(catman_t)
#
# cert_t is the type of files in the system certs directories.
#
type cert_t;
-files_file_type(cert_t)
+files_type(cert_t)
#
# fonts_t is the type of various font
# files in /usr
#
type fonts_t;
-files_file_type(fonts_t)
+files_type(fonts_t)
#
# locale_t is the type for system localization
#
type locale_t;
-files_file_type(locale_t)
+files_type(locale_t)
#
# man_t is the type for the man directories.
#
type man_t;
-files_file_type(man_t)
+files_type(man_t)
#
# Base type for the tests directory.
#
type test_file_t;
-files_file_type(test_file_t)
+files_type(test_file_t)
#
# for /var/{spool,lib}/texmf index files
#
type tetex_data_t; # , tmpfile;
-files_file_type(tetex_data_t)
+files_type(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index eb6d927..199619d 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -8,7 +8,7 @@
## The type of the process performing this action.
##
#
-interface(`modutils_read_kernel_module_dependencies',`
+interface(`modutils_read_mods_deps',`
gen_require(`
type modules_dep_t;
class file r_file_perms;
@@ -36,7 +36,7 @@ interface(`modutils_read_module_conf',`
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
- bootloader_search_boot_dir($1)
+ bootloader_search_boot($1)
allow $1 modules_conf_t:file r_file_perms;
')
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index d03abd9..02f2833 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -8,11 +8,11 @@ policy_module(modutils,1.0)
# module loading config
type modules_conf_t;
-files_file_type(modules_conf_t)
+files_type(modules_conf_t)
# module dependencies
type modules_dep_t;
-files_file_type(modules_dep_t)
+files_type(modules_dep_t)
type insmod_t;
type insmod_exec_t;
@@ -78,9 +78,9 @@ domain_signal_all_domains(insmod_t)
domain_use_wide_inherit_fd(insmod_t)
files_read_etc_runtime_files(insmod_t)
-files_read_generic_etc_files(insmod_t)
+files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
-files_exec_generic_etc_files(insmod_t)
+files_exec_etc_files(insmod_t)
# for nscd:
files_dontaudit_search_pids(insmod_t)
# for when /var is not mounted early in the boot:
@@ -127,7 +127,7 @@ can_exec(depmod_t, depmod_exec_t)
allow depmod_t modules_conf_t:file r_file_perms;
allow depmod_t modules_dep_t:file create_file_perms;
-bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
+bootloader_create_modules(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t)
@@ -148,8 +148,8 @@ init_use_script_fd(depmod_t)
init_use_script_pty(depmod_t)
files_read_etc_runtime_files(depmod_t)
-files_read_generic_etc_files(depmod_t)
-files_read_usr_src(depmod_t)
+files_read_etc_files(depmod_t)
+files_read_usr_src_files(depmod_t)
libs_use_ld_so(depmod_t)
libs_use_shared_libs(depmod_t)
@@ -177,7 +177,7 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms;
-bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
+bootloader_create_modules(update_modules_t,modules_conf_t)
files_create_etc_config(update_modules_t,modules_conf_t)
# transition to depmod
@@ -203,8 +203,8 @@ init_use_script_pty(depmod_t)
domain_use_wide_inherit_fd(depmod_t)
files_read_etc_runtime_files(update_modules_t)
-files_read_generic_etc_files(update_modules_t)
-files_exec_generic_etc_files(update_modules_t)
+files_read_etc_files(update_modules_t)
+files_exec_etc_files(update_modules_t)
corecmd_exec_bin(update_modules_t)
corecmd_exec_sbin(update_modules_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index acd8425..ee701ab 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -55,7 +55,7 @@ corecmd_exec_bin(mount_t)
domain_use_wide_inherit_fd(mount_t)
files_search_all_dirs(mount_t)
-files_read_generic_etc_files(mount_t)
+files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index f5e0ec7..b1e394c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -224,7 +224,7 @@ interface(`seutil_exec_newrole',`
## The type of the process performing this action.
##
#
-interface(`seutil_dontaudit_newrole_signal',`
+interface(`seutil_dontaudit_signal_newrole',`
gen_require(`
type newrole_t;
class process signal;
@@ -235,9 +235,9 @@ interface(`seutil_dontaudit_newrole_signal',`
#######################################
#
-# seutil_newrole_sigchld(domain)
+# seutil_sigchld_newrole(domain)
#
-interface(`seutil_newrole_sigchld',`
+interface(`seutil_sigchld_newrole',`
gen_require(`
type newrole_t;
class process sigchld;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ff2423f..75db193 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -21,14 +21,14 @@ domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
# /etc/selinux/*/contexts/*
#
type default_context_t;
-files_file_type(default_context_t)
+files_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
-files_file_type(file_context_t)
+files_type(file_context_t)
type load_policy_t;
domain_type(load_policy_t)
@@ -51,7 +51,7 @@ domain_entry_file(newrole_t,newrole_exec_t)
# the security server policy configuration.
#
type policy_config_t;
-files_file_type(policy_config_t)
+files_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -61,7 +61,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files.
#
type policy_src_t;
-files_file_type(policy_src_t)
+files_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t;
@@ -80,7 +80,7 @@ domain_entry_file(run_init_t,run_init_exec_t)
# /etc/selinux/config
#
type selinux_config_t;
-files_file_type(selinux_config_t)
+files_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy;
domain_obj_id_change_exempt(setfiles_t)
@@ -216,7 +216,7 @@ domain_use_wide_inherit_fd(newrole_t)
# Write to utmp.
init_rw_script_pid(newrole_t)
-files_read_generic_etc_files(newrole_t)
+files_read_etc_files(newrole_t)
libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t)
@@ -284,7 +284,7 @@ init_use_script_pty(restorecon_t)
domain_use_wide_inherit_fd(restorecon_t)
files_read_etc_runtime_files(restorecon_t)
-files_read_generic_etc_files(restorecon_t)
+files_read_etc_files(restorecon_t)
libs_use_ld_so(restorecon_t)
libs_use_shared_libs(restorecon_t)
@@ -362,7 +362,7 @@ ifdef(`targeted_policy',`',`
domain_use_wide_inherit_fd(run_init_t)
- files_read_generic_etc_files(run_init_t)
+ files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
init_domtrans_script(run_init_t)
@@ -427,7 +427,7 @@ libs_use_ld_so(setfiles_t)
libs_use_shared_libs(setfiles_t)
files_read_etc_runtime_files(setfiles_t)
-files_read_generic_etc_files(setfiles_t)
+files_read_etc_files(setfiles_t)
logging_send_syslog_msg(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index cbccdc3..2d4057a 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -9,11 +9,11 @@ policy_module(sysnetwork,1.0)
# this is shared between dhcpc and dhcpd:
type dhcp_etc_t; #, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_file_type(dhcp_etc_t)
+files_type(dhcp_etc_t)
# this is shared between dhcpc and dhcpd:
type dhcp_state_t;
-files_file_type(dhcp_state_t)
+files_type(dhcp_state_t)
type dhcpc_t;
type dhcpc_exec_t;
@@ -21,7 +21,7 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
type dhcpc_state_t;
-files_file_type(dhcpc_state_t)
+files_type(dhcpc_state_t)
type dhcpc_tmp_t;
files_tmp_file(dhcpc_tmp_t)
@@ -35,7 +35,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
-files_file_type(net_conf_t)
+files_type(net_conf_t)
########################################
#
@@ -118,7 +118,7 @@ corecmd_exec_shell(dhcpc_t)
domain_use_wide_inherit_fd(dhcpc_t)
-files_read_generic_etc_files(dhcpc_t)
+files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
init_use_fd(dhcpc_t)
@@ -135,7 +135,7 @@ miscfiles_read_localization(dhcpc_t)
modutils_domtrans_insmod(dhcpc_t)
ifdef(`distro_redhat', `
- files_exec_generic_etc_files(dhcpc_t)
+ files_exec_etc_files(dhcpc_t)
')
ifdef(`targeted_policy', `
@@ -171,7 +171,7 @@ optional_policy(`ntpd.te',`
')
optional_policy(`selinux.te',`
- seutil_newrole_sigchld(dhcpc_t)
+ seutil_sigchld_newrole(dhcpc_t)
')
optional_policy(`udev.te',`
@@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
-files_read_generic_etc_files(ifconfig_t);
+files_read_etc_files(ifconfig_t);
kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t)
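Review bot: The renamed line `files_read_etc_files(ifconfig_t);` keeps a trailing semicolon that no other interface call in this diff carries (compare the neighbouring `kernel_use_fd(ifconfig_t)`), and since these calls are m4 macros the stray `;` is passed straight through into the generated policy text. Since the commit rewrites the line anyway, drop it: `files_read_etc_files(ifconfig_t)`. The ifconfig_t rule block continues outside the hunk.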
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 591ddae..1e28308 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -16,15 +16,15 @@ domain_wide_inherit_fd(udev_t)
init_daemon_domain(udev_t,udev_exec_t)
type udev_etc_t alias etc_udev_t;
-files_file_type(udev_etc_t)
+files_type(udev_etc_t)
# udev_runtime_t is the type of the udev table file
# cjp: this is probably a copy of udev_tbl_t and can be removed
type udev_runtime_t;
-files_file_type(udev_runtime_t)
+files_type(udev_runtime_t)
type udev_tbl_t alias udev_tdb_t;
-files_file_type(udev_tbl_t)
+files_type(udev_tbl_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
@@ -91,8 +91,8 @@ domain_exec_all_entry_files(udev_t)
domain_dontaudit_list_all_domains_proc(udev_t)
files_read_etc_runtime_files(udev_t)
-files_read_generic_etc_files(udev_t)
-files_exec_generic_etc_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
files_dontaudit_search_isid_type_dir(udev_t)
init_use_fd(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 4a9c7d6..fd54566 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1,12 +1,28 @@
## Policy for user domains
-########################################
-#
-# Base user domain template
+#######################################
+##
+## The template containing rules common to unprivileged
+## users and administrative users.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+## This generally should not be used, rather the
+## unpriv_user_template or admin_user_template should
+## be used.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
#
-# This is common to user and admin domain
-
-template(`base_user_domain',`
+template(`base_user_template',`
attribute $1_file_type;
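Review bot: The rewritten heading rule above the `base_user_template` documentation is one `#` shorter than the one it replaces, while the logging.if hunk in this same commit goes the other way and lengthens its rule to match the 40-character rules used elsewhere in these files. Pick one width for the new doc headers; the simplest is to keep the original `########################################` here and in the two later userdomain.if headers. The template body continues outside the hunk.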
@@ -22,11 +38,11 @@ template(`base_user_domain',`
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
- files_file_type($1_home_t)
+ files_type($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
- files_file_type($1_home_t)
+ files_type($1_home_t)
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
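Review bot: The second `files_type($1_home_t)` in this hunk follows the declaration of `$1_home_dir_t` but still names `$1_home_t`, so the home-directory type is declared without being passed to any `files_*` interface while `$1_home_t` is registered twice. The original had the same copy-paste (`files_file_type($1_home_t)` twice) and the rename preserves it. The line after `type $1_home_dir_t, home_dir_type, home_type;` should read `files_type($1_home_dir_t)`. The template body continues on both sides of the hunk.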
@@ -154,8 +170,8 @@ template(`base_user_domain',`
domain_exec_all_entry_files($1_t)
domain_use_wide_inherit_fd($1_t)
- files_exec_generic_etc_files($1_t)
- files_read_usr_src($1_t)
+ files_exec_etc_files($1_t)
+ files_read_usr_src_files($1_t)
# Caused by su - init scripts
init_dontaudit_use_script_pty($1_t)
@@ -392,19 +408,30 @@ template(`base_user_domain',`
')dnl end base_user_domain macro
-########################################
-#
-# User domain template
+#######################################
+##
+## The template for creating a unprivileged user.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
#
-
-template(`user_domain_template', `
+template(`unpriv_user_template', `
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
- base_user_domain($1)
+ base_user_template($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
domain_wide_inherit_fd($1_t)
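Review bot: The context line `')dnl end base_user_domain macro` at the top of this hunk still names the old template after it has been renamed to `base_user_template` in this commit, so the closing marker no longer matches the `template(` line it closes. Update it to `')dnl end base_user_template` so the two ends of the template agree. The `unpriv_user_template` that begins in this hunk continues outside it.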
@@ -455,7 +482,7 @@ template(`user_domain_template', `
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- files_read_generic_etc_files($1_t)
+ files_read_etc_files($1_t)
files_list_home($1_t)
files_read_usr_files($1_t)
@@ -494,7 +521,7 @@ template(`user_domain_template', `
optional_policy(`selinux.te',`
# for when the network connection is killed
- seutil_dontaudit_newrole_signal($1_t)
+ seutil_dontaudit_signal_newrole($1_t)
')
# Need the following rule to allow users to run vpnc
@@ -594,18 +621,44 @@ template(`user_domain_template', `
') dnl end TODO
')
-########################################
-#
-# Admin domain template
+#######################################
+##
+## The template for creating an administrative user.
+##
+##
+##
+## This template creates a user domain, types, and
+## rules for the user's tty, pty, home directories,
+## tmp, and tmpfs files.
+##
+##
+##
+## The privileges given to administrative users are:
+##
+## - Raw disk access
+## - Set all sysctls
+## - All kernel ring buffer controls
+## - Set SELinux enforcement mode (enforcing/permissive)
+## - Set SELinux booleans
+## - Relabel all files but shadow
+## - Create, read, write, and delete all files but shadow
+## - Manage source and binary format SELinux policy
+## - Run insmod
+##
+##
+##
+## The prefix of the user domain (e.g., sysadm
+## is the prefix for sysadm_t).
+##
#
-template(`admin_domain_template',`
+template(`admin_user_template',`
##############################
#
# Declarations
#
# Inherit rules for ordinary users.
- base_user_domain($1)
+ base_user_template($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
domain_obj_id_change_exempt($1_t)
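Review bot: The privilege list in the new `admin_user_template` description omits signalling of unlabeled processes, which the template grants a few hunks further down (`kernel_kill_unlabeled($1_t)` through `kernel_sigchld_unlabeled($1_t)`). Since this list is what a policy reader will use to judge what an administrative domain such as sysadm_t can do, add a bullet `## - Signal (including kill) unlabeled processes` after `## - Run insmod`. The template body continues outside this hunk.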
@@ -658,6 +711,14 @@ template(`admin_domain_template',`
kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t)
+
+ # signal unlabeled processes:
+ kernel_kill_unlabeled($1_t)
+ kernel_signal_unlabeled($1_t)
+ kernel_sigstop_unlabeled($1_t)
+ kernel_signull_unlabeled($1_t)
+ kernel_sigchld_unlabeled($1_t)
+
selinux_set_enforce_mode($1_t)
selinux_set_boolean($1_t)
selinux_set_parameters($1_t)
@@ -668,12 +729,6 @@ template(`admin_domain_template',`
selinux_compute_create_context($1_t)
selinux_compute_relabel_context($1_t)
selinux_compute_user_contexts($1_t)
- # signal unlabeled processes:
- kernel_kill_unlabeled($1_t)
- kernel_signal_unlabeled($1_t)
- kernel_sigstop_unlabeled($1_t)
- kernel_signull_unlabeled($1_t)
- kernel_sigchld_unlabeled($1_t)
corenet_tcp_bind_generic_port($1_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 8998808..36f3763 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -29,9 +29,9 @@ attribute userdomain;
# unprivileged user domains
attribute unpriv_userdomain;
-admin_domain_template(sysadm)
-user_domain_template(staff)
-user_domain_template(user)
+admin_user_template(sysadm)
+unpriv_user_template(staff)
+unpriv_user_template(user)
########################################
#