diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 0b875c1..65fde0a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,5 +1,7 @@
-- Fix expansion of interfaces from disabled
- modules.
+- Rename file type transition interfaces verb from create to
+ filetrans to differentiate it from create interfaces without
+ type transitions.
+- Fix expansion of interfaces from disabled modules.
- Rsync can be long running from init,
added rules to allow this.
- Add polyinstantiation build option.
diff --git a/refpolicy/policy/modules/admin/acct.te b/refpolicy/policy/modules/admin/acct.te
index 198e212..e632a4a 100644
--- a/refpolicy/policy/modules/admin/acct.te
+++ b/refpolicy/policy/modules/admin/acct.te
@@ -80,7 +80,7 @@ ifdef(`targeted_policy',`
optional_policy(`cron',`
optional_policy(`authlogin',`
# for monthly cron job
- auth_create_login_records(acct_t)
+ auth_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
')
diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index b951681..ded070f 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -116,11 +116,11 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
allow amanda_t amanda_log_t:file create_file_perms;
allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
-logging_create_log(amanda_t,amanda_log_t,{ file dir })
+logging_filetrans_log(amanda_t,amanda_log_t,{ file dir })
allow amanda_t amanda_tmp_t:dir create_dir_perms;
allow amanda_t amanda_tmp_t:file create_file_perms;
-files_create_tmp_files(amanda_t, amanda_tmp_t, { file dir })
+files_filetrans_tmp(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
kernel_read_kernel_sysctl(amanda_t)
@@ -213,7 +213,7 @@ allow amanda_recover_t amanda_tmp_t:file create_file_perms;
allow amanda_recover_t amanda_tmp_t:lnk_file create_lnk_perms;
allow amanda_recover_t amanda_tmp_t:sock_file create_file_perms;
allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
-files_create_tmp_files(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
+files_filetrans_tmp(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctl(amanda_recover_t)
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index e2bab19..634a025 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -40,7 +40,7 @@ allow firstboot_t firstboot_etc_t:file { getattr read };
allow firstboot_t firstboot_rw_t:dir create_dir_perms;
allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_create_etc_config(firstboot_t,firstboot_rw_t,file)
+files_filetrans_etc(firstboot_t,firstboot_rw_t,file)
# The big hammer
unconfined_domain_template(firstboot_t)
@@ -99,9 +99,9 @@ modutils_read_module_conf(firstboot_t)
modutils_read_mods_deps(firstboot_t)
# Add/remove user home directories
-userdom_create_generic_user_home_dir(firstboot_t)
+userdom_filetrans_generic_user_home_dir(firstboot_t)
userdom_manage_generic_user_home_dir(firstboot_t)
-userdom_create_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_filetrans_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
userdom_manage_generic_user_home_dirs(firstboot_t)
userdom_manage_generic_user_home_files(firstboot_t)
userdom_manage_generic_user_home_symlinks(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index 8151576..3fbcee3 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -32,11 +32,11 @@ allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t kudzu_tmp_t:dir create_file_perms;
allow kudzu_t kudzu_tmp_t:{ file chr_file } create_file_perms;
-files_create_tmp_files(kudzu_t, kudzu_tmp_t, { file dir chr_file })
+files_filetrans_tmp(kudzu_t, kudzu_tmp_t, { file dir chr_file })
allow kudzu_t kudzu_var_run_t:file create_file_perms;
allow kudzu_t kudzu_var_run_t:dir create_dir_perms;
-files_create_pid(kudzu_t,kudzu_var_run_t)
+files_filetrans_pid(kudzu_t,kudzu_var_run_t)
kernel_change_ring_buffer_level(kudzu_t)
kernel_list_proc(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 6343040..3356ccf 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -51,18 +51,18 @@ allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file create_file_perms;
-files_create_lock(logrotate_t,logrotate_lock_t)
+files_filetrans_lock(logrotate_t,logrotate_lock_t)
can_exec(logrotate_t, logrotate_tmp_t)
allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
allow logrotate_t logrotate_tmp_t:file create_file_perms;
-files_create_tmp_files(logrotate_t, logrotate_tmp_t, { file dir })
+files_filetrans_tmp(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
allow logrotate_t logrotate_var_lib_t:file create_file_perms;
-files_create_var_lib(logrotate_t, logrotate_var_lib_t)
+files_filetrans_var_lib(logrotate_t, logrotate_var_lib_t)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctl(logrotate_t)
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index 886bf37..c03ddbd 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -32,7 +32,7 @@ allow logwatch_t logwatch_cache_t:file create_file_perms;
allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
allow logwatch_t logwatch_tmp_t:file create_file_perms;
-files_create_tmp_files(logwatch_t, logwatch_tmp_t, { file dir })
+files_filetrans_tmp(logwatch_t, logwatch_tmp_t, { file dir })
kernel_read_fs_sysctl(logwatch_t)
kernel_read_kernel_sysctl(logwatch_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 7f9b295..39536df 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -39,7 +39,7 @@ allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
-files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
+files_filetrans_tmp(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 91c5f86..b5f4b1f 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -27,12 +27,12 @@ allow prelink_t self:process { execheap execmem execstack };
allow prelink_t self:fifo_file rw_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
-files_create_etc_config(prelink_t, prelink_cache_t, file)
+files_filetrans_etc(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
-logging_create_log(prelink_t, prelink_log_t)
+logging_filetrans_log(prelink_t, prelink_log_t)
# prelink misc objects that are not system
# libraries or entrypoints
diff --git a/refpolicy/policy/modules/admin/readahead.te b/refpolicy/policy/modules/admin/readahead.te
index 505b153..2bf7ddf 100644
--- a/refpolicy/policy/modules/admin/readahead.te
+++ b/refpolicy/policy/modules/admin/readahead.te
@@ -23,7 +23,7 @@ allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;
allow readahead_t readahead_var_run_t:dir rw_dir_perms;
-files_create_pid(readahead_t,readahead_var_run_t)
+files_filetrans_pid(readahead_t,readahead_var_run_t)
kernel_read_kernel_sysctl(readahead_t)
kernel_read_system_state(readahead_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index a47f16b..2fde59e 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -73,19 +73,19 @@ allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms;
-files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir })
+files_filetrans_tmp(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms;
allow rpm_t rpm_tmpfs_t:lnk_file create_file_perms;
allow rpm_t rpm_tmpfs_t:sock_file create_file_perms;
allow rpm_t rpm_tmpfs_t:fifo_file create_file_perms;
-fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_filetrans_tmpfs(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/rpm files
allow rpm_t rpm_var_lib_t:file create_file_perms;
allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
-files_create_var_lib(rpm_t,rpm_var_lib_t,dir)
+files_filetrans_var_lib(rpm_t,rpm_var_lib_t,dir)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t)
@@ -184,7 +184,7 @@ ifdef(`targeted_policy',`
# conflicts since rpm_t is an alias of
# unconfined in the targeted policy
allow rpm_t rpm_log_t:file create_file_perms;
- logging_create_log(rpm_t,rpm_log_t)
+ logging_filetrans_log(rpm_t,rpm_log_t)
')
optional_policy(`cron',`
@@ -240,14 +240,14 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
-files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir })
+files_filetrans_tmp(rpm_script_t, rpm_script_tmp_t, { file dir })
allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
-fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_filetrans_tmpfs(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow rpm_t rpm_script_t:fd use;
allow rpm_script_t rpm_t:fd use;
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 0316748..c4bf881 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -155,7 +155,7 @@ files_search_var(crack_t)
allow crack_t crack_tmp_t:dir create_dir_perms;
allow crack_t crack_tmp_t:file create_file_perms;
-files_create_tmp_files(crack_t, crack_tmp_t, { file dir })
+files_filetrans_tmp(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
@@ -369,7 +369,7 @@ allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
-files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_filetrans_tmp(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t)
kernel_read_kernel_sysctl(sysadm_passwd_t)
@@ -502,9 +502,9 @@ userdom_use_unpriv_users_fd(useradd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dir(useradd_t)
# Add/remove user home directories
-userdom_create_generic_user_home_dir(useradd_t)
+userdom_filetrans_generic_user_home_dir(useradd_t)
userdom_manage_generic_user_home_dir(useradd_t)
-userdom_create_generic_user_home(useradd_t,notdevfile_class_set)
+userdom_filetrans_generic_user_home(useradd_t,notdevfile_class_set)
mta_manage_spool(useradd_t)
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index e5c5172..cc8544d 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -37,11 +37,11 @@ allow vpnc_t self:socket create_socket_perms;
allow vpnc_t vpnc_tmp_t:dir create_dir_perms;
allow vpnc_t vpnc_tmp_t:file create_file_perms;
-files_create_tmp_files(vpnc_t, vpnc_tmp_t, { file dir })
+files_filetrans_tmp(vpnc_t, vpnc_tmp_t, { file dir })
allow vpnc_t vpnc_var_run_t:file create_file_perms;
allow vpnc_t vpnc_var_run_t:dir rw_dir_perms;
-files_create_pid(vpnc_t,vpnc_var_run_t)
+files_filetrans_pid(vpnc_t,vpnc_var_run_t)
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
@@ -96,7 +96,7 @@ miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
sysnet_exec_ifconfig(vpnc_t)
-sysnet_create_config(vpnc_t)
+sysnet_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
userdom_use_all_user_fd(vpnc_t)
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 3495ef0..9899d03 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -238,7 +238,7 @@ template(`gpg_per_userdomain_template',`
allow $2 $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $2 $1_gpg_agent_tmp_t:file create_file_perms;
allow $2 $1_gpg_agent_tmp_t:sock_file create_file_perms;
- files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+ files_filetrans_tmp($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
corecmd_search_bin($1_gpg_agent_t)
diff --git a/refpolicy/policy/modules/apps/irc.if b/refpolicy/policy/modules/apps/irc.if
index 2eb7109..54dfd75 100644
--- a/refpolicy/policy/modules/apps/irc.if
+++ b/refpolicy/policy/modules/apps/irc.if
@@ -70,7 +70,7 @@ template(`irc_per_userdomain_template',`
allow $1_irc_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_irc_t $1_tmp_t:sock_file create_file_perms;
allow $1_irc_t $1_tmp_t:fifo_file create_file_perms;
- files_create_tmp_files($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
+ files_filetrans_tmp($1_irc_t,$1_tmp_t,{ file dir lnk_file sock_file fifo_file })
# Transition from the user domain to the derived domain.
domain_auto_trans($2,irc_exec_t,$1_irc_t)
diff --git a/refpolicy/policy/modules/apps/java.if b/refpolicy/policy/modules/apps/java.if
index 7e146c7..213f514 100644
--- a/refpolicy/policy/modules/apps/java.if
+++ b/refpolicy/policy/modules/apps/java.if
@@ -59,7 +59,7 @@ template(`java_per_userdomain_template',`
allow $1_javaplugin_t $1_javaplugin_tmp_t:dir create_dir_perms;
allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
- files_create_tmp_files($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
+ files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
# cjp: rw_dir_perms here doesnt make sense
allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/apps/lockdev.if b/refpolicy/policy/modules/apps/lockdev.if
index 2e4e8ca..009db0f 100644
--- a/refpolicy/policy/modules/apps/lockdev.if
+++ b/refpolicy/policy/modules/apps/lockdev.if
@@ -62,7 +62,7 @@ template(`lockdev_per_userdomain_template',`
allow $1_lockdev_t $2:process sigchld;
allow $1_lockdev_t $1_lockdev_lock_t:file create_file_perms;
- files_create_lock($1_lockdev_t,$1_lockdev_lock_t)
+ files_filetrans_lock($1_lockdev_t,$1_lockdev_lock_t)
files_read_all_locks($1_lockdev_t)
diff --git a/refpolicy/policy/modules/apps/screen.if b/refpolicy/policy/modules/apps/screen.if
index 51a6e14..d49aac3 100644
--- a/refpolicy/policy/modules/apps/screen.if
+++ b/refpolicy/policy/modules/apps/screen.if
@@ -68,14 +68,14 @@ template(`screen_per_userdomain_template',`
allow $1_screen_t $1_screen_tmp_t:dir create_dir_perms;
allow $1_screen_t $1_screen_tmp_t:file create_file_perms;
allow $1_screen_t $1_screen_tmp_t:fifo_file create_file_perms;
- files_create_tmp_files($1_screen_t, $1_screen_tmp_t, { file dir })
+ files_filetrans_tmp($1_screen_t, $1_screen_tmp_t, { file dir })
# Create fifo
allow $1_screen_t screen_dir_t:dir rw_dir_perms;
allow $1_screen_t screen_dir_t:dir create_dir_perms;
allow $1_screen_t $1_screen_var_run_t:fifo_file create_file_perms;
type_transition $1_screen_t screen_dir_t:fifo_file $1_screen_var_run_t;
- files_create_pid($1_screen_t,screen_dir_t,dir)
+ files_filetrans_pid($1_screen_t,screen_dir_t,dir)
allow $1_screen_t $1_screen_ro_home_t:dir r_dir_perms;
allow $1_screen_t $1_screen_ro_home_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 3cea361..70704c3 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -50,11 +50,11 @@ allow webalizer_t webalizer_etc_t:file { getattr read };
allow webalizer_t webalizer_tmp_t:dir create_dir_perms;
allow webalizer_t webalizer_tmp_t:file create_file_perms;
-files_create_tmp_files(webalizer_t, webalizer_tmp_t, { file dir })
+files_filetrans_tmp(webalizer_t, webalizer_tmp_t, { file dir })
allow webalizer_t webalizer_var_lib_t:file create_file_perms;
allow webalizer_t webalizer_var_lib_t:dir rw_dir_perms;
-files_create_var_lib(webalizer_t,webalizer_var_lib_t)
+files_filetrans_var_lib(webalizer_t,webalizer_var_lib_t)
kernel_read_kernel_sysctl(webalizer_t)
kernel_read_system_state(webalizer_t)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 7e8b198..721402e 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -138,7 +138,7 @@ interface(`bootloader_rw_boot_symlinks',`
## The type of the process performing this action.
##
#
-interface(`bootloader_create_kernel',`
+interface(`bootloader_create_kernel_img',`
gen_require(`
type boot_t;
')
@@ -399,9 +399,9 @@ interface(`bootloader_manage_kernel_modules',`
########################################
#
-# bootloader_create_modules(domain,privatetype,[class(es)])
+# bootloader_filetrans_modules(domain,privatetype,[class(es)])
#
-interface(`bootloader_create_modules',`
+interface(`bootloader_filetrans_modules',`
gen_require(`
type modules_object_t;
')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index d907f50..2a792b7 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -80,16 +80,16 @@ allow bootloader_t boot_t:lnk_file create_lnk_perms;
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-#files_create_etc_config(bootloader_t,bootloader_etc_t)
+#files_filetrans_etc(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
-files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+files_filetrans_tmp(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
-files_create_root(bootloader_t,bootloader_tmp_t)
+files_filetrans_root(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 83e5dc2..7f65d38 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -484,7 +484,7 @@ interface(`dev_manage_generic_chr_file',`
## the transition will occur.
##
#
-interface(`dev_create_dev_node',`
+interface(`dev_filetrans_dev_node',`
gen_require(`
type device_t;
')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index 30720ec..4f6c9f4 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -952,23 +952,20 @@ interface(`files_list_root',`
########################################
##
## Create an object in the root directory, with a private
-## type. If no object class is specified, the
-## default is file.
+## type.
##
##
## The type of the process performing this action.
##
-##
-## The type of the object to be created. If no type
-## is specified, the type of the root directory will
-## be used.
+##
+## The type of the object to be created.
##
##
## The object class of the object being created. If
## no class is specified, file will be used.
##
#
-interface(`files_create_root',`
+interface(`files_filetrans_root',`
gen_require(`
type root_t;
class dir create_dir_perms;
@@ -977,17 +974,9 @@ interface(`files_create_root',`
allow $1 root_t:dir rw_dir_perms;
ifelse(`$3',`',`
- ifelse(`$2',`',`
- allow $1 root_t:file create_file_perms;
- ',`
- type_transition $1 root_t:file $2;
- ')
+ type_transition $1 root_t:file $2;
',`
- ifelse(`$2',`',`
- allow $1 root_t:$3 create_file_perms;
- ',`
- type_transition $1 root_t:$3 $2;
- ')
+ type_transition $1 root_t:$3 $2;
')
')
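Review bot: With the empty-`$2` branches removed, `files_filetrans_root` no longer falls back to `allow $1 root_t:file create_file_perms` (or the `$3` variant) when the private type is omitted. Such a call now expands to a `type_transition` with no target type, which I would expect to fail at policy build rather than silently change access; that is inferred from the macro text and not verified here. The callers visible in this diff (bootloader.te, automount.te) all pass a type, but callers outside the diff that relied on the old fallback need checking. As far as the visible lines show, the interface grants only `root_t:dir rw_dir_perms` plus the transition, while the summary in the preceding hunk still reads "Create an object in the root directory"; I would reword it to something like `## Transition to a private type for objects created in the root directory; the caller must separately allow create on that type.` The interface begins in the preceding hunk, and a couple of its lines fall between the two hunks.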
@@ -1501,9 +1490,9 @@ interface(`files_manage_etc_runtime_files',`
########################################
#
-# files_create_etc_config(domain,privatetype,[class(es)])
+# files_filetrans_etc(domain,privatetype,[class(es)])
#
-interface(`files_create_etc_config',`
+interface(`files_filetrans_etc',`
gen_require(`
type etc_t;
class dir rw_dir_perms;
@@ -1847,23 +1836,32 @@ interface(`files_list_home',`
########################################
##
-## Create home directories
+## Create objects in /home.
##
##
## The type of the process performing this action.
##
##
-## The type of the home directory
+## The private type.
+##
+##
+## The object class of the object being created. If
+## no class is specified, dir will be used.
##
#
-interface(`files_create_home_dirs',`
+interface(`files_filetrans_home',`
gen_require(`
type home_root_t;
- class dir rw_dir_perms;
')
allow $1 home_root_t:dir rw_dir_perms;
- type_transition $1 home_root_t:dir $2;
+
+ ifelse(`$3',`',`
+ type_transition $1 home_root_t:dir $2;
+ ',`
+ type_transition $1 home_root_t:$3 $2;
+ ')
+
')
########################################
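Review bot: `files_filetrans_home` drops `class dir rw_dir_perms;` from its `gen_require` block, yet the body still contains `allow $1 home_root_t:dir rw_dir_perms;`. The other filetrans interfaces of this file visible in the diff (`files_filetrans_etc`, `files_filetrans_tmp`, `files_filetrans_var_lib`) keep that class requirement. A module calling this one without otherwise requiring the dir class may fail to build, though that cannot be confirmed from this hunk; I would keep `class dir rw_dir_perms;` in `gen_require`. Since `$3` now reaches `type_transition` unchecked, the header should also say the interface only sets the label and the caller must allow create on `$2` for every class it names, e.g. `## Only the type transition is set up; the caller must allow create on the private type for each class.` The one caller visible here, in automount.te, passes no class and so keeps the old dir-only behaviour.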
@@ -2245,9 +2243,9 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
#
-# files_create_tmp_files(domain,private_type,[object class(es)])
+# files_filetrans_tmp(domain,private_type,[object class(es)])
#
-interface(`files_create_tmp_files',`
+interface(`files_filetrans_tmp',`
gen_require(`
type tmp_t;
class dir rw_dir_perms;
@@ -2412,7 +2410,7 @@ interface(`files_read_usr_symlinks',`
## The object class. If not specified, file is used.
##
#
-interface(`files_create_usr',`
+interface(`files_filetrans_usr',`
gen_require(`
type usr_t;
class dir rw_dir_perms;
@@ -2640,7 +2638,7 @@ interface(`files_manage_var_symlinks',`
## The object class. If not specified, file is used.
##
#
-interface(`files_create_var',`
+interface(`files_filetrans_var',`
gen_require(`
type var_t;
class dir rw_dir_perms;
@@ -2737,7 +2735,7 @@ interface(`files_list_var_lib',`
## The object class. If not specified, file is used.
##
#
-interface(`files_create_var_lib',`
+interface(`files_filetrans_var_lib',`
gen_require(`
type var_t, var_lib_t;
class dir rw_dir_perms;
@@ -2934,9 +2932,9 @@ interface(`files_read_all_locks',`
########################################
#
-# files_create_lock(domain,private_type,[object class(es)])
+# files_filetrans_lock(domain,private_type,[object class(es)])
#
-interface(`files_create_lock',`
+interface(`files_filetrans_lock',`
gen_require(`
type var_t, var_lock_t;
class dir rw_dir_perms;
@@ -3016,9 +3014,9 @@ interface(`files_list_pids',`
########################################
#
-# files_create_pid(domain,pidfile,[object class(es)])
+# files_filetrans_pid(domain,pidfile,[object class(es)])
#
-interface(`files_create_pid',`
+interface(`files_filetrans_pid',`
gen_require(`
type var_t, var_run_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 8e71d3c..ccf9265 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2191,9 +2191,9 @@ interface(`fs_manage_tmpfs_dirs',`
########################################
#
-# fs_create_tmpfs_data(domain,derivedtype,[class])
+# fs_filetrans_tmpfs(domain,derivedtype,[class])
#
-interface(`fs_create_tmpfs_data',`
+interface(`fs_filetrans_tmpfs',`
gen_require(`
type tmpfs_t;
class filesystem associate;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index c6c34fb..54c0cf8 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -152,7 +152,7 @@ interface(`storage_create_fixed_disk',`
')
allow $1 fixed_disk_device_t:blk_file create_file_perms;
- dev_create_dev_node($1,fixed_disk_device_t,blk_file)
+ dev_filetrans_dev_node($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
@@ -192,7 +192,7 @@ interface(`storage_create_fixed_disk_tmpfs',`
')
allow $1 fixed_disk_device_t:blk_file create_file_perms;
- fs_create_tmpfs_data($1,fixed_disk_device_t,blk_file)
+ fs_filetrans_tmpfs($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 6748e10..93d0da3 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -82,7 +82,7 @@ template(`apache_content_template',`
allow httpd_$1_script_t httpd_$1_script_rw_t:lnk_file create_lnk_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file create_file_perms;
allow httpd_$1_script_t httpd_$1_script_rw_t:fifo_file create_file_perms;
- files_create_tmp_files(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
+ files_filetrans_tmp(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 32b7be4..0dcf3a2 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -166,14 +166,14 @@ allow httpd_t httpd_config_t:lnk_file { getattr read };
can_exec(httpd_t, httpd_exec_t)
allow httpd_t httpd_lock_t:file create_file_perms;
-files_create_lock(httpd_t,httpd_lock_t)
+files_filetrans_lock(httpd_t,httpd_lock_t)
allow httpd_t httpd_log_t:dir { setattr rw_dir_perms };
allow httpd_t httpd_log_t:file { create ra_file_perms };
allow httpd_t httpd_log_t:lnk_file read;
# cjp: need to refine create interfaces to
# cut this back to add_name only
-logging_create_log(httpd_t,httpd_log_t)
+logging_filetrans_log(httpd_t,httpd_log_t)
allow httpd_t httpd_modules_t:file rx_file_perms;
allow httpd_t httpd_modules_t:dir r_dir_perms;
@@ -190,23 +190,23 @@ allow httpd_t httpd_sys_content_t:file r_file_perms;
allow httpd_t httpd_tmp_t:dir create_dir_perms;
allow httpd_t httpd_tmp_t:file create_file_perms;
-files_create_tmp_files(httpd_t, httpd_tmp_t, { file dir })
+files_filetrans_tmp(httpd_t, httpd_tmp_t, { file dir })
allow httpd_t httpd_tmpfs_t:dir create_dir_perms;
allow httpd_t httpd_tmpfs_t:file create_file_perms;
allow httpd_t httpd_tmpfs_t:lnk_file create_lnk_perms;
allow httpd_t httpd_tmpfs_t:sock_file create_file_perms;
allow httpd_t httpd_tmpfs_t:fifo_file create_file_perms;
-fs_create_tmpfs_data(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_filetrans_tmpfs(httpd_t,httpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow httpd_t httpd_var_lib_t:file create_file_perms;
allow httpd_t httpd_var_lib_t:dir rw_dir_perms;
-files_create_var_lib(httpd_t,httpd_var_lib_t)
+files_filetrans_var_lib(httpd_t,httpd_var_lib_t)
allow httpd_t httpd_var_run_t:file create_file_perms;
allow httpd_t httpd_var_run_t:sock_file create_file_perms;
allow httpd_t httpd_var_run_t:dir rw_dir_perms;
-files_create_pid(httpd_t,httpd_var_run_t, { file sock_file })
+files_filetrans_pid(httpd_t,httpd_var_run_t, { file sock_file })
allow httpd_t squirrelmail_spool_t:dir create_dir_perms;
allow httpd_t squirrelmail_spool_t:file create_file_perms;
@@ -490,7 +490,7 @@ allow httpd_php_t httpd_log_t:file ra_file_perms;
allow httpd_php_t httpd_php_tmp_t:dir create_dir_perms;
allow httpd_php_t httpd_php_tmp_t:file create_file_perms;
-files_create_tmp_files(httpd_php_t, httpd_php_tmp_t, { file dir })
+files_filetrans_tmp(httpd_php_t, httpd_php_tmp_t, { file dir })
fs_search_auto_mountpoints(httpd_php_t)
@@ -535,7 +535,7 @@ allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t httpd_suexec_tmp_t:dir create_dir_perms;
allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
-files_create_tmp_files(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+files_filetrans_tmp(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
kernel_read_kernel_sysctl(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 25c64d2..7297b2e 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -72,16 +72,16 @@ allow apmd_t self:unix_dgram_socket create_socket_perms;
allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t apmd_log_t:file create_file_perms;
-logging_create_log(apmd_t,apmd_log_t)
+logging_filetrans_log(apmd_t,apmd_log_t)
allow apmd_t apmd_tmp_t:dir create_dir_perms;
allow apmd_t apmd_tmp_t:file create_file_perms;
-files_create_tmp_files(apmd_t, apmd_tmp_t, { file dir })
+files_filetrans_tmp(apmd_t, apmd_tmp_t, { file dir })
allow apmd_t apmd_var_run_t:dir rw_dir_perms;
allow apmd_t apmd_var_run_t:file create_file_perms;
allow apmd_t apmd_var_run_t:sock_file create_file_perms;
-files_create_pid(apmd_t, apmd_var_run_t, { file sock_file })
+files_filetrans_pid(apmd_t, apmd_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(apmd_t)
kernel_rw_all_sysctl(apmd_t)
@@ -151,7 +151,7 @@ userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
ifdef(`distro_redhat',`
allow apmd_t apmd_lock_t:file create_file_perms;
- files_create_lock(apmd_t,apmd_lock_t)
+ files_filetrans_lock(apmd_t,apmd_lock_t)
can_exec(apmd_t, apmd_var_run_t)
@@ -176,7 +176,7 @@ ifdef(`distro_redhat',`
ifdef(`distro_suse',`
allow apmd_t apmd_var_lib_t:file create_file_perms;
allow apmd_t apmd_var_lib_t:dir create_dir_perms;
- files_create_var_lib(apmd_t,apmd_var_lib_t)
+ files_filetrans_var_lib(apmd_t,apmd_var_lib_t)
')
ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/arpwatch.te b/refpolicy/policy/modules/services/arpwatch.te
index ffa66d7..30994a6 100644
--- a/refpolicy/policy/modules/services/arpwatch.te
+++ b/refpolicy/policy/modules/services/arpwatch.te
@@ -39,11 +39,11 @@ allow arpwatch_t arpwatch_data_t:lnk_file create_lnk_perms;
allow arpwatch_t arpwatch_tmp_t:dir create_dir_perms;
allow arpwatch_t arpwatch_tmp_t:file create_file_perms;
-files_create_tmp_files(arpwatch_t, arpwatch_tmp_t, { file dir })
+files_filetrans_tmp(arpwatch_t, arpwatch_tmp_t, { file dir })
allow arpwatch_t arpwatch_var_run_t:file create_file_perms;
allow arpwatch_t arpwatch_var_run_t:dir rw_dir_perms;
-files_create_pid(arpwatch_t,arpwatch_var_run_t)
+files_filetrans_pid(arpwatch_t,arpwatch_var_run_t)
kernel_read_kernel_sysctl(arpwatch_t)
kernel_list_proc(arpwatch_t)
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index 3a5778b..bf22d32 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -42,20 +42,20 @@ allow automount_t automount_etc_t:file { getattr read };
can_exec(automount_t, automount_etc_t)
allow automount_t automount_lock_t:file create_file_perms;
-files_create_lock(automount_t,automount_lock_t)
+files_filetrans_lock(automount_t,automount_lock_t)
allow automount_t automount_tmp_t:dir create_dir_perms;
allow automount_t automount_tmp_t:file create_file_perms;
-files_create_tmp_files(automount_t, automount_tmp_t, { file dir })
+files_filetrans_tmp(automount_t, automount_tmp_t, { file dir })
# Allow automount to create and delete directories in / and /home
allow automount_t automount_tmp_t:dir create_dir_perms;
-files_create_home_dirs(automount_t,automount_tmp_t)
-files_create_root(automount_t,automount_tmp_t,dir)
+files_filetrans_home(automount_t,automount_tmp_t)
+files_filetrans_root(automount_t,automount_tmp_t,dir)
allow automount_t automount_var_run_t:file create_file_perms;
allow automount_t automount_var_run_t:dir rw_dir_perms;
-files_create_pid(automount_t,automount_var_run_t)
+files_filetrans_pid(automount_t,automount_var_run_t)
kernel_read_kernel_sysctl(automount_t)
kernel_read_fs_sysctl(automount_t)
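Review bot: `files_filetrans_home(automount_t,automount_tmp_t)` no longer says, as the old name `files_create_home_dirs` did, that the transition is meant for directories, while the `files_filetrans_root` call next to it passes `dir` explicitly. Whether the home interface limits the transition to `dir` depends on its definition, which is not in this hunk. Because these two calls label objects created directly in / and /home, a comment above them such as `# dir objects only: directories automount creates in / and /home are labeled automount_tmp_t` would keep the intended scope visible. The `allow automount_t automount_tmp_t:dir create_dir_perms;` just before them also repeats the rule a few lines earlier in the same hunk.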
diff --git a/refpolicy/policy/modules/services/avahi.te b/refpolicy/policy/modules/services/avahi.te
index a56b857..436c6c9 100644
--- a/refpolicy/policy/modules/services/avahi.te
+++ b/refpolicy/policy/modules/services/avahi.te
@@ -31,7 +31,7 @@ allow avahi_t self:udp_socket create_socket_perms;
allow avahi_t avahi_var_run_t:sock_file create_file_perms;
allow avahi_t avahi_var_run_t:file create_file_perms;
allow avahi_t avahi_var_run_t:dir { rw_dir_perms setattr };
-files_create_pid(avahi_t,avahi_var_run_t)
+files_filetrans_pid(avahi_t,avahi_var_run_t)
kernel_read_kernel_sysctl(avahi_t)
kernel_list_proc(avahi_t)
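Review bot: `files_filetrans_pid(avahi_t,avahi_var_run_t)` is called without an object-class list, although the rules directly above it let avahi_t create `sock_file` objects of type avahi_var_run_t. Modules in this diff with the same allow rules (apmd.te, bind.te, bluetooth.te, canna.te) pass `{ file sock_file }`. If the interface falls back to `file` when the class is omitted (its definition is not shown here), a socket created directly in the pid directory would keep that directory's type instead of avahi_var_run_t. Consider `files_filetrans_pid(avahi_t,avahi_var_run_t,{ file sock_file })`, and check the calls in dbus.te, dovecot.te, i18n_input.te, inn.te and lpd.te, which show the same pattern.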
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index e2062cd..a3662b9 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -76,16 +76,16 @@ can_exec(named_t, named_exec_t)
allow named_t named_log_t:file create_file_perms;
allow named_t named_log_t:dir rw_dir_perms;
-logging_create_log(named_t,named_log_t,{ file dir })
+logging_filetrans_log(named_t,named_log_t,{ file dir })
allow named_t named_tmp_t:dir create_dir_perms;
allow named_t named_tmp_t:file create_file_perms;
-files_create_tmp_files(named_t, named_tmp_t, { file dir })
+files_filetrans_tmp(named_t, named_tmp_t, { file dir })
allow named_t named_var_run_t:dir rw_dir_perms;
allow named_t named_var_run_t:file create_file_perms;
allow named_t named_var_run_t:sock_file create_file_perms;
-files_create_pid(named_t,named_var_run_t,{ file sock_file })
+files_filetrans_pid(named_t,named_var_run_t,{ file sock_file })
# read zone files
allow named_t named_zone_t:dir r_dir_perms;
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 9c9e472..1c30d28 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -69,20 +69,20 @@ allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
allow bluetooth_helper_t bluetooth_t:process sigchld;
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
-files_create_lock(bluetooth_t,bluetooth_lock_t)
+files_filetrans_lock(bluetooth_t,bluetooth_lock_t)
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
-files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
+files_filetrans_tmp(bluetooth_t, bluetooth_tmp_t, { file dir })
allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
-files_create_var_lib(bluetooth_t,bluetooth_var_lib_t)
+files_filetrans_var_lib(bluetooth_t,bluetooth_var_lib_t)
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
-files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
+files_filetrans_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(bluetooth_t)
kernel_read_system_state(bluetooth_t)
@@ -174,7 +174,7 @@ allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
-files_create_tmp_files(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
+files_filetrans_tmp(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctl(bluetooth_helper_t)
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index a39ac7f..6a60cce 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -33,17 +33,17 @@ allow canna_t self:tcp_socket create_stream_socket_perms;
allow canna_t canna_log_t:file create_file_perms;
allow canna_t canna_log_t:dir { rw_dir_perms setattr };
-logging_create_log(canna_t,canna_log_t,{ file dir })
+logging_filetrans_log(canna_t,canna_log_t,{ file dir })
allow canna_t canna_var_lib_t:dir create_dir_perms;
allow canna_t canna_var_lib_t:file create_file_perms;
allow canna_t canna_var_lib_t:lnk_file create_lnk_perms;
-files_create_var_lib(canna_t,canna_var_lib_t)
+files_filetrans_var_lib(canna_t,canna_var_lib_t)
allow canna_t canna_var_run_t:dir rw_dir_perms;
allow canna_t canna_var_run_t:file create_file_perms;
allow canna_t canna_var_run_t:sock_file create_file_perms;
-files_create_pid(canna_t, canna_var_run_t, { file sock_file })
+files_filetrans_pid(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(canna_t)
kernel_read_system_state(canna_t)
diff --git a/refpolicy/policy/modules/services/comsat.te b/refpolicy/policy/modules/services/comsat.te
index 418472f..330a670 100644
--- a/refpolicy/policy/modules/services/comsat.te
+++ b/refpolicy/policy/modules/services/comsat.te
@@ -33,11 +33,11 @@ allow comsat_t self:udp_socket create_socket_perms;
allow comsat_t comsat_tmp_t:dir create_dir_perms;
allow comsat_t comsat_tmp_t:file create_file_perms;
-files_create_tmp_files(comsat_t, comsat_tmp_t, { file dir })
+files_filetrans_tmp(comsat_t, comsat_tmp_t, { file dir })
allow comsat_t comsat_var_run_t:file create_file_perms;
allow comsat_t comsat_var_run_t:dir rw_dir_perms;
-files_create_pid(comsat_t,comsat_var_run_t)
+files_filetrans_pid(comsat_t,comsat_var_run_t)
kernel_read_kernel_sysctl(comsat_t)
kernel_read_network_state(comsat_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 90fcf06..ea6890b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -80,7 +80,7 @@ allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
allow crond_t crond_var_run_t:file create_file_perms;
-files_create_pid(crond_t,crond_var_run_t)
+files_filetrans_pid(crond_t,crond_var_run_t)
allow crond_t cron_spool_t:dir rw_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
@@ -149,7 +149,7 @@ ifdef(`targeted_policy',`
allow crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
allow crond_t system_crond_tmp_t:sock_file create_file_perms;
allow crond_t system_crond_tmp_t:fifo_file create_file_perms;
- files_create_tmp_files(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
+ files_filetrans_tmp(crond_t,system_crond_tmp_t,{ dir file lnk_file sock_file fifo_file })
unconfined_domain_template(crond_t)
@@ -166,7 +166,7 @@ ifdef(`targeted_policy',`
',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
- files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
+ files_filetrans_tmp(crond_t, crond_tmp_t, { file dir })
mta_send_mail(crond_t)
')
@@ -261,11 +261,11 @@ ifdef(`targeted_policy',`
# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms;
- files_create_lock(system_crond_t,system_crond_lock_t)
+ files_filetrans_lock(system_crond_t,system_crond_lock_t)
# write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms;
- files_create_tmp_files(system_crond_t,system_crond_tmp_t)
+ files_filetrans_tmp(system_crond_t,system_crond_tmp_t)
# write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 35f0305..6875f0e 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -92,7 +92,7 @@ files_search_etc(cupsd_t)
allow cupsd_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_t cupsd_rw_etc_t:dir manage_dir_perms;
type_transition cupsd_t cupsd_etc_t:file cupsd_rw_etc_t;
-files_create_var(cupsd_t,cupsd_rw_etc_t,{ dir file })
+files_filetrans_var(cupsd_t,cupsd_rw_etc_t,{ dir file })
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -101,16 +101,16 @@ allow cupsd_t cupsd_exec_t:lnk_file read;
allow cupsd_t cupsd_log_t:file create_file_perms;
allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
-logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
+logging_filetrans_log(cupsd_t,cupsd_log_t,{ file dir })
allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
allow cupsd_t cupsd_tmp_t:file create_file_perms;
allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
-files_create_tmp_files(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
+files_filetrans_tmp(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
allow cupsd_t cupsd_var_run_t:file create_file_perms;
allow cupsd_t cupsd_var_run_t:dir rw_dir_perms;
-files_create_pid(cupsd_t,cupsd_var_run_t)
+files_filetrans_pid(cupsd_t,cupsd_var_run_t)
allow cupsd_t hplip_var_run_t:file { read getattr };
@@ -299,11 +299,11 @@ allow ptal_t ptal_var_run_t:file create_file_perms;
allow ptal_t ptal_var_run_t:lnk_file create_lnk_perms;
allow ptal_t ptal_var_run_t:sock_file create_file_perms;
allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
-files_create_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
+files_filetrans_pid(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
allow ptal_t ptal_var_run_t:file create_file_perms;
allow ptal_t ptal_var_run_t:dir rw_dir_perms;
-files_create_pid(ptal_t,ptal_var_run_t)
+files_filetrans_pid(ptal_t,ptal_var_run_t)
kernel_read_kernel_sysctl(ptal_t)
kernel_list_proc(ptal_t)
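Review bot: The second `files_filetrans_pid(ptal_t,ptal_var_run_t)` and the `file` allow rule before it repeat what the first call with `{ dir file lnk_file sock_file fifo_file }` and the rules above it already state. The repetition leaves two competing statements of which object classes ptal_t is meant to label in the pid directory, which makes the policy harder to audit. Dropping the repeated `file` allow rule and the second call would leave one authoritative class list. The remaining `allow ptal_t ptal_var_run_t:dir rw_dir_perms;` should be checked against the rules above the hunk before it is removed.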
@@ -390,7 +390,7 @@ files_search_etc(hplip_t)
allow hplip_t hplip_var_run_t:file create_file_perms;
allow hplip_t hplip_var_run_t:dir rw_dir_perms;
-files_create_pid(hplip_t,hplip_var_run_t)
+files_filetrans_pid(hplip_t,hplip_var_run_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctl(hplip_t)
@@ -497,7 +497,7 @@ dontaudit cupsd_config_t cupsd_t:process ptrace;
allow cupsd_config_t cupsd_config_var_run_t:file create_file_perms;
allow cupsd_config_t cupsd_config_var_run_t:dir rw_dir_perms;
-files_create_pid(cupsd_config_t,cupsd_config_var_run_t)
+files_filetrans_pid(cupsd_config_t,cupsd_config_var_run_t)
can_exec(cupsd_config_t, cupsd_config_exec_t)
@@ -511,7 +511,7 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
-files_create_var(cupsd_config_t,cupsd_rw_etc_t)
+files_filetrans_var(cupsd_config_t,cupsd_rw_etc_t)
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
@@ -679,11 +679,11 @@ allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
allow cupsd_lpd_t cupsd_lpd_tmp_t:file create_file_perms;
-files_create_tmp_files(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
+files_filetrans_tmp(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
-files_create_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
+files_filetrans_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/cvs.te b/refpolicy/policy/modules/services/cvs.te
index 08d2ad1..25cf01e 100644
--- a/refpolicy/policy/modules/services/cvs.te
+++ b/refpolicy/policy/modules/services/cvs.te
@@ -38,11 +38,11 @@ allow cvs_t cvs_data_t:lnk_file create_lnk_perms;
allow cvs_t cvs_tmp_t:dir create_dir_perms;
allow cvs_t cvs_tmp_t:file create_file_perms;
-files_create_tmp_files(cvs_t, cvs_tmp_t, { file dir })
+files_filetrans_tmp(cvs_t, cvs_tmp_t, { file dir })
allow cvs_t cvs_var_run_t:file create_file_perms;
allow cvs_t cvs_var_run_t:dir rw_dir_perms;
-files_create_pid(cvs_t,cvs_var_run_t)
+files_filetrans_pid(cvs_t,cvs_var_run_t)
kernel_read_kernel_sysctl(cvs_t)
kernel_read_system_state(cvs_t)
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
index 5fe6d41..57f5b65 100644
--- a/refpolicy/policy/modules/services/cyrus.te
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -44,16 +44,16 @@ allow cyrus_t self:udp_socket create_socket_perms;
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
allow cyrus_t cyrus_tmp_t:file create_file_perms;
-files_create_tmp_files(cyrus_t, cyrus_tmp_t, { file dir })
+files_filetrans_tmp(cyrus_t, cyrus_tmp_t, { file dir })
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-files_create_pid(cyrus_t,cyrus_var_run_t)
+files_filetrans_pid(cyrus_t,cyrus_var_run_t)
allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
allow cyrus_t cyrus_var_run_t:file create_file_perms;
-files_create_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
+files_filetrans_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
kernel_read_kernel_sysctl(cyrus_t)
kernel_read_system_state(cyrus_t)
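Review bot: The call that follows the cyrus_var_lib_t allow rules is `files_filetrans_pid(cyrus_t,cyrus_var_run_t)`, so the var_lib block has no type transition of its own and the pid transition is declared twice (again, with `{ file sock_file }`, at the end of the hunk). This looks like a copy-and-paste slip that the rename carries forward. The line probably should read `files_filetrans_var_lib(cyrus_t,cyrus_var_lib_t)`, the interface bluetooth.te and canna.te use for their var_lib types. As written, objects cyrus_t creates directly in the generic var_lib directory would presumably keep that directory's type rather than cyrus_var_lib_t, which weakens the separation the dedicated type is meant to give.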
diff --git a/refpolicy/policy/modules/services/dbskk.te b/refpolicy/policy/modules/services/dbskk.te
index 34f7d2a..fc4017d 100644
--- a/refpolicy/policy/modules/services/dbskk.te
+++ b/refpolicy/policy/modules/services/dbskk.te
@@ -39,11 +39,11 @@ optional_policy(`kerberos',`
allow dbskkd_t dbskkd_tmp_t:dir create_dir_perms;
allow dbskkd_t dbskkd_tmp_t:file create_file_perms;
-files_create_tmp_files(dbskkd_t, dbskkd_tmp_t, { file dir })
+files_filetrans_tmp(dbskkd_t, dbskkd_tmp_t, { file dir })
allow dbskkd_t dbskkd_var_run_t:file create_file_perms;
allow dbskkd_t dbskkd_var_run_t:dir rw_dir_perms;
-files_create_pid(dbskkd_t,dbskkd_var_run_t)
+files_filetrans_pid(dbskkd_t,dbskkd_var_run_t)
kernel_read_kernel_sysctl(dbskkd_t)
kernel_read_system_state(dbskkd_t)
diff --git a/refpolicy/policy/modules/services/dbus.if b/refpolicy/policy/modules/services/dbus.if
index 66468e1..2db8946 100644
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@@ -89,7 +89,7 @@ template(`dbus_per_userdomain_template',`
allow $1_dbusd_t $1_dbusd_tmp_t:dir create_dir_perms;
allow $1_dbusd_t $1_dbusd_tmp_t:file create_file_perms;
- files_create_tmp_files($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
+ files_filetrans_tmp($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domain_auto_trans($2, system_dbusd_exec_t, $1_dbusd_t)
allow $2 $1_dbusd_t:fd use;
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 75bdf43..cc73779 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -47,12 +47,12 @@ allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
-files_create_tmp_files(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+files_filetrans_tmp(system_dbusd_t, system_dbusd_tmp_t, { file dir })
allow system_dbusd_t system_dbusd_var_run_t:file create_file_perms;
allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
allow system_dbusd_t system_dbusd_var_run_t:dir rw_dir_perms;
-files_create_pid(system_dbusd_t,system_dbusd_var_run_t)
+files_filetrans_pid(system_dbusd_t,system_dbusd_var_run_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctl(system_dbusd_t)
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index ee5a94b..294d420 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -41,15 +41,15 @@ can_exec(dhcpd_t,dhcpd_exec_t)
allow dhcpd_t dhcpd_state_t:dir rw_dir_perms;
allow dhcpd_t dhcpd_state_t:file create_file_perms;
-sysnet_create_dhcp_state(dhcpd_t,dhcpd_state_t)
+sysnet_filetrans_dhcp_state(dhcpd_t,dhcpd_state_t)
allow dhcpd_t dhcpd_tmp_t:dir create_dir_perms;
allow dhcpd_t dhcpd_tmp_t:file create_file_perms;
-files_create_tmp_files(dhcpd_t, dhcpd_tmp_t, { file dir })
+files_filetrans_tmp(dhcpd_t, dhcpd_tmp_t, { file dir })
allow dhcpd_t dhcpd_var_run_t:file create_file_perms;
allow dhcpd_t dhcpd_var_run_t:dir rw_dir_perms;
-files_create_pid(dhcpd_t,dhcpd_var_run_t)
+files_filetrans_pid(dhcpd_t,dhcpd_var_run_t)
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctl(dhcpd_t)
diff --git a/refpolicy/policy/modules/services/distcc.te b/refpolicy/policy/modules/services/distcc.te
index 7ce4d6f..0af1681 100644
--- a/refpolicy/policy/modules/services/distcc.te
+++ b/refpolicy/policy/modules/services/distcc.te
@@ -32,15 +32,15 @@ allow distccd_t self:tcp_socket create_stream_socket_perms;
allow distccd_t self:udp_socket create_socket_perms;
allow distccd_t distccd_log_t:file create_file_perms;
-logging_create_log(distccd_t,distccd_log_t)
+logging_filetrans_log(distccd_t,distccd_log_t)
allow distccd_t distccd_tmp_t:dir create_dir_perms;
allow distccd_t distccd_tmp_t:file create_file_perms;
-files_create_tmp_files(distccd_t, distccd_tmp_t, { file dir })
+files_filetrans_tmp(distccd_t, distccd_tmp_t, { file dir })
allow distccd_t distccd_var_run_t:file create_file_perms;
allow distccd_t distccd_var_run_t:dir rw_dir_perms;
-files_create_pid(distccd_t,distccd_var_run_t)
+files_filetrans_pid(distccd_t,distccd_var_run_t)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctl(distccd_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index e5b58d9..d1d7445 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -65,7 +65,7 @@ allow dovecot_t dovecot_spool_t:lnk_file create_lnk_perms;
allow dovecot_t dovecot_var_run_t:file create_file_perms;
allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
allow dovecot_t dovecot_var_run_t:dir rw_dir_perms;
-files_create_pid(dovecot_t,dovecot_var_run_t)
+files_filetrans_pid(dovecot_t,dovecot_var_run_t)
kernel_read_kernel_sysctl(dovecot_t)
kernel_read_system_state(dovecot_t)
diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te
index d5ea203..44a8381 100644
--- a/refpolicy/policy/modules/services/fetchmail.te
+++ b/refpolicy/policy/modules/services/fetchmail.te
@@ -33,11 +33,11 @@ allow fetchmail_t self:udp_socket create_socket_perms;
allow fetchmail_t fetchmail_etc_t:file r_file_perms;
allow fetchmail_t fetchmail_uidl_cache_t:file create_file_perms;
-mta_create_spool(fetchmail_t,fetchmail_uidl_cache_t)
+mta_filetrans_spool(fetchmail_t,fetchmail_uidl_cache_t)
allow fetchmail_t fetchmail_var_run_t:file create_file_perms;
allow fetchmail_t fetchmail_var_run_t:dir rw_dir_perms;
-files_create_pid(fetchmail_t,fetchmail_var_run_t)
+files_filetrans_pid(fetchmail_t,fetchmail_var_run_t)
kernel_read_kernel_sysctl(fetchmail_t)
kernel_list_proc(fetchmail_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 4550334..825d418 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -34,14 +34,14 @@ allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t fingerd_var_run_t:file create_file_perms;
allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
-files_create_pid(fingerd_t,fingerd_var_run_t)
+files_filetrans_pid(fingerd_t,fingerd_var_run_t)
allow fingerd_t fingerd_etc_t:file r_file_perms;
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
allow fingerd_t fingerd_log_t:file create_file_perms;
-logging_create_log(fingerd_t,fingerd_log_t)
+logging_filetrans_log(fingerd_t,fingerd_log_t)
kernel_read_kernel_sysctl(fingerd_t)
kernel_read_system_state(fingerd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 0b90109..d83523a 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -48,22 +48,22 @@ allow ftpd_t ftpd_etc_t:file r_file_perms;
allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
allow ftpd_t ftpd_tmp_t:file create_file_perms;
-files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir })
+files_filetrans_tmp(ftpd_t, ftpd_tmp_t, { file dir })
allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
-fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_filetrans_tmpfs(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow ftpd_t ftpd_var_run_t:file create_file_perms;
allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
-files_create_pid(ftpd_t,ftpd_var_run_t)
+files_filetrans_pid(ftpd_t,ftpd_var_run_t)
# Create and modify /var/log/xferlog.
allow ftpd_t xferlog_t:file create_file_perms;
-logging_create_log(ftpd_t,xferlog_t)
+logging_filetrans_log(ftpd_t,xferlog_t)
kernel_read_kernel_sysctl(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -160,13 +160,13 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_all_user_symlinks(ftpd_t)
ifdef(`targeted_policy',`
- userdom_create_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+ userdom_filetrans_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
')
')
tunable_policy(`ftpd_is_daemon',`
allow ftpd_t ftpd_lock_t:file create_file_perms;
- files_create_lock(ftpd_t,ftpd_lock_t)
+ files_filetrans_lock(ftpd_t,ftpd_lock_t)
corenet_tcp_bind_ftp_port(ftpd_t)
')
diff --git a/refpolicy/policy/modules/services/gpm.te b/refpolicy/policy/modules/services/gpm.te
index beb05f1..09bc8c5 100644
--- a/refpolicy/policy/modules/services/gpm.te
+++ b/refpolicy/policy/modules/services/gpm.te
@@ -36,14 +36,14 @@ allow gpm_t gpm_conf_t:lnk_file { getattr read };
allow gpm_t gpm_tmp_t:dir create_dir_perms;
allow gpm_t gpm_tmp_t:file create_file_perms;
-files_create_tmp_files(gpm_t, gpm_tmp_t, { file dir })
+files_filetrans_tmp(gpm_t, gpm_tmp_t, { file dir })
allow gpm_t gpm_var_run_t:file create_file_perms;
-files_create_pid(gpm_t,gpm_var_run_t)
+files_filetrans_pid(gpm_t,gpm_var_run_t)
allow gpm_t gpmctl_t:sock_file create_file_perms;
allow gpm_t gpmctl_t:fifo_file create_file_perms;
-dev_create_dev_node(gpm_t,gpmctl_t,{ sock_file fifo_file })
+dev_filetrans_dev_node(gpm_t,gpmctl_t,{ sock_file fifo_file })
# cjp: this has no effect
allow gpm_t gpmctl_t:unix_stream_socket name_bind;
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 27ee77e..93199de 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -38,11 +38,11 @@ allow hald_t self:netlink_socket create_socket_perms;
allow hald_t hald_tmp_t:dir create_dir_perms;
allow hald_t hald_tmp_t:file create_file_perms;
-files_create_tmp_files(hald_t, hald_tmp_t, { file dir })
+files_filetrans_tmp(hald_t, hald_tmp_t, { file dir })
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
-files_create_pid(hald_t,hald_var_run_t)
+files_filetrans_pid(hald_t,hald_var_run_t)
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index d5f16a7..3b3f1a2 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -27,7 +27,7 @@ allow howl_t self:udp_socket create_socket_perms;
allow howl_t howl_var_run_t:file create_file_perms;
allow howl_t howl_var_run_t:dir rw_dir_perms;
-files_create_pid(howl_t,howl_var_run_t)
+files_filetrans_pid(howl_t,howl_var_run_t)
kernel_read_network_state(howl_t)
kernel_read_kernel_sysctl(howl_t)
diff --git a/refpolicy/policy/modules/services/i18n_input.te b/refpolicy/policy/modules/services/i18n_input.te
index e267a17..433d098 100644
--- a/refpolicy/policy/modules/services/i18n_input.te
+++ b/refpolicy/policy/modules/services/i18n_input.te
@@ -30,7 +30,7 @@ allow i18n_input_t self:udp_socket create_socket_perms;
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:file create_file_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-files_create_pid(i18n_input_t,i18n_input_var_run_t)
+files_filetrans_pid(i18n_input_t,i18n_input_var_run_t)
can_exec(i18n_input_t, i18n_input_exec_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index da7052d..32cb8a0 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -43,14 +43,14 @@ allow inetd_t self:tcp_socket create_stream_socket_perms;
allow inetd_t self:udp_socket { connect connected_socket_perms };
allow inetd_t inetd_log_t:file create_file_perms;
-logging_create_log(inetd_t,inetd_log_t)
+logging_filetrans_log(inetd_t,inetd_log_t)
allow inetd_t inetd_tmp_t:dir create_dir_perms;
allow inetd_t inetd_tmp_t:file create_file_perms;
-files_create_tmp_files(inetd_t, inetd_tmp_t, { file dir })
+files_filetrans_tmp(inetd_t, inetd_tmp_t, { file dir })
allow inetd_t inetd_var_run_t:file create_file_perms;
-files_create_pid(inetd_t,inetd_var_run_t)
+files_filetrans_pid(inetd_t,inetd_var_run_t)
kernel_read_kernel_sysctl(inetd_t)
kernel_list_proc(inetd_t)
@@ -175,11 +175,11 @@ files_search_home(inetd_child_t)
allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
-files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })
+files_filetrans_tmp(inetd_child_t, inetd_child_tmp_t, { file dir })
allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
allow inetd_child_t inetd_child_var_run_t:dir rw_dir_perms;
-files_create_pid(inetd_child_t,inetd_child_var_run_t)
+files_filetrans_pid(inetd_child_t,inetd_child_var_run_t)
kernel_read_kernel_sysctl(inetd_child_t)
kernel_read_system_state(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index de8cab0..0fa2227 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -45,16 +45,16 @@ can_exec(innd_t, innd_exec_t)
allow innd_t innd_log_t:file manage_file_perms;
allow innd_t innd_log_t:dir { setattr rw_dir_perms };
-logging_create_log(innd_t,innd_log_t)
+logging_filetrans_log(innd_t,innd_log_t)
allow innd_t innd_var_lib_t:dir create_dir_perms;
allow innd_t innd_var_lib_t:file create_file_perms;
-files_create_var_lib(innd_t,innd_var_lib_t)
+files_filetrans_var_lib(innd_t,innd_var_lib_t)
allow innd_t innd_var_run_t:dir create_dir_perms;
allow innd_t innd_var_run_t:file create_file_perms;
allow innd_t innd_var_run_t:sock_file create_file_perms;
-files_create_pid(innd_t,innd_var_run_t)
+files_filetrans_pid(innd_t,innd_var_run_t)
allow innd_t news_spool_t:dir create_dir_perms;
allow innd_t news_spool_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/irqbalance.te b/refpolicy/policy/modules/services/irqbalance.te
index 6dd863b..8118845 100644
--- a/refpolicy/policy/modules/services/irqbalance.te
+++ b/refpolicy/policy/modules/services/irqbalance.te
@@ -23,7 +23,7 @@ allow irqbalance_t self:process signal_perms;
allow irqbalance_t irqbalance_var_run_t:file create_file_perms;
allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
-files_create_pid(irqbalance_t,irqbalance_var_run_t)
+files_filetrans_pid(irqbalance_t,irqbalance_var_run_t)
kernel_read_system_state(irqbalance_t)
kernel_read_kernel_sysctl(irqbalance_t)
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index 760bb04..dd8042a 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -62,7 +62,7 @@ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
allow kadmind_t self:udp_socket create_socket_perms;
allow kadmind_t kadmind_log_t:file create_file_perms;
-logging_create_log(kadmind_t,kadmind_log_t)
+logging_filetrans_log(kadmind_t,kadmind_log_t)
allow kadmind_t krb5_conf_t:file r_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -77,11 +77,11 @@ can_exec(kadmind_t, kadmind_exec_t)
allow kadmind_t kadmind_tmp_t:dir create_dir_perms;
allow kadmind_t kadmind_tmp_t:file create_file_perms;
-files_create_tmp_files(kadmind_t, kadmind_tmp_t, { file dir })
+files_filetrans_tmp(kadmind_t, kadmind_tmp_t, { file dir })
allow kadmind_t kadmind_var_run_t:file create_file_perms;
allow kadmind_t kadmind_var_run_t:dir rw_dir_perms;
-files_create_pid(kadmind_t,kadmind_var_run_t)
+files_filetrans_pid(kadmind_t,kadmind_var_run_t)
kernel_read_kernel_sysctl(kadmind_t)
kernel_list_proc(kadmind_t)
@@ -172,18 +172,18 @@ allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
allow krb5kdc_t krb5kdc_log_t:file create_file_perms;
-logging_create_log(krb5kdc_t,krb5kdc_log_t)
+logging_filetrans_log(krb5kdc_t,krb5kdc_log_t)
allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
dontaudit krb5kdc_t krb5kdc_principal_t:file write;
allow krb5kdc_t krb5kdc_tmp_t:dir create_dir_perms;
allow krb5kdc_t krb5kdc_tmp_t:file create_file_perms;
-files_create_tmp_files(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+files_filetrans_tmp(krb5kdc_t, krb5kdc_tmp_t, { file dir })
allow krb5kdc_t krb5kdc_var_run_t:file create_file_perms;
allow krb5kdc_t krb5kdc_var_run_t:dir rw_dir_perms;
-files_create_pid(krb5kdc_t,krb5kdc_var_run_t)
+files_filetrans_pid(krb5kdc_t,krb5kdc_var_run_t)
kernel_read_system_state(krb5kdc_t)
kernel_read_kernel_sysctl(krb5kdc_t)
diff --git a/refpolicy/policy/modules/services/ktalk.te b/refpolicy/policy/modules/services/ktalk.te
index df77c78..00167ed 100644
--- a/refpolicy/policy/modules/services/ktalk.te
+++ b/refpolicy/policy/modules/services/ktalk.te
@@ -40,11 +40,11 @@ optional_policy(`kerberos',`
allow ktalkd_t ktalkd_tmp_t:dir create_dir_perms;
allow ktalkd_t ktalkd_tmp_t:file create_file_perms;
-files_create_tmp_files(ktalkd_t, ktalkd_tmp_t, { file dir })
+files_filetrans_tmp(ktalkd_t, ktalkd_tmp_t, { file dir })
allow ktalkd_t ktalkd_var_run_t:file create_file_perms;
allow ktalkd_t ktalkd_var_run_t:dir rw_dir_perms;
-files_create_pid(ktalkd_t,ktalkd_var_run_t)
+files_filetrans_pid(ktalkd_t,ktalkd_var_run_t)
kernel_read_kernel_sysctl(ktalkd_t)
kernel_read_system_state(ktalkd_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 2010674..975aa5d 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -59,7 +59,7 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
allow slapd_t slapd_etc_t:file { getattr read };
allow slapd_t slapd_lock_t:file create_file_perms;
-files_create_lock(slapd_t,slapd_lock_t)
+files_filetrans_lock(slapd_t,slapd_lock_t)
# Allow access to write the replication log (should tighten this)
allow slapd_t slapd_replog_t:dir create_dir_perms;
@@ -68,11 +68,11 @@ allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
allow slapd_t slapd_tmp_t:dir create_dir_perms;
allow slapd_t slapd_tmp_t:file create_file_perms;
-files_create_tmp_files(slapd_t, slapd_tmp_t, { file dir })
+files_filetrans_tmp(slapd_t, slapd_tmp_t, { file dir })
allow slapd_t slapd_var_run_t:file create_file_perms;
allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_create_pid(slapd_t,slapd_var_run_t)
+files_filetrans_pid(slapd_t,slapd_var_run_t)
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctl(slapd_t)
diff --git a/refpolicy/policy/modules/services/lpd.te b/refpolicy/policy/modules/services/lpd.te
index 08cd0a2..d4d916a 100644
--- a/refpolicy/policy/modules/services/lpd.te
+++ b/refpolicy/policy/modules/services/lpd.te
@@ -46,7 +46,7 @@ allow checkpc_t self:process { fork signal_perms };
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t checkpc_log_t:file create_file_perms;
-logging_create_log(checkpc_t,checkpc_log_t)
+logging_filetrans_log(checkpc_t,checkpc_log_t)
allow checkpc_t lpd_var_run_t:dir { search getattr };
files_search_pids(checkpc_t)
@@ -127,12 +127,12 @@ allow lpd_t self:unix_dgram_socket create_socket_perms;
allow lpd_t lpd_tmp_t:dir create_dir_perms;
allow lpd_t lpd_tmp_t:file create_file_perms;
-files_create_tmp_files(lpd_t, lpd_tmp_t, { file dir })
+files_filetrans_tmp(lpd_t, lpd_tmp_t, { file dir })
allow lpd_t lpd_var_run_t:dir rw_dir_perms;
allow lpd_t lpd_var_run_t:file create_file_perms;
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-files_create_pid(lpd_t,lpd_var_run_t)
+files_filetrans_pid(lpd_t,lpd_var_run_t)
# Write to /var/spool/lpd.
allow lpd_t print_spool_t:dir rw_dir_perms;
@@ -146,7 +146,7 @@ can_exec(lpd_t, printconf_t)
# Create and bind to /dev/printer.
allow lpd_t printer_t:lnk_file create_lnk_perms;
-dev_create_dev_node(lpd_t,printer_t,lnk_file)
+dev_filetrans_dev_node(lpd_t,printer_t,lnk_file)
# cjp: I believe these have no effect:
allow lpd_t printer_t:unix_stream_socket name_bind;
allow lpd_t printer_t:unix_dgram_socket name_bind;
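Review bot: The comment `# Create and bind to /dev/printer.` describes a socket, but `dev_filetrans_dev_node(lpd_t,printer_t,lnk_file)` and the allow rule above it cover only `lnk_file`, whereas binding a Unix socket to a path creates a `sock_file`. Either the class should probably be `sock_file`, or the comment should say that lpd creates a symlink there, e.g. `# Create the /dev/printer symlink.`. The `name_bind` rules below are already marked by the author as likely having no effect, so the block looks carried over and is worth confirming against what lpd actually creates.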
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index cd4e1a5..753d7f1 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -35,15 +35,15 @@ template(`mailman_domain_template', `
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t mailman_lock_t:file create_file_perms;
- files_create_lock(mailman_$1_t,mailman_lock_t)
+ files_filetrans_lock(mailman_$1_t,mailman_lock_t)
allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
allow mailman_$1_t mailman_log_t:file create_file_perms;
- logging_create_log(mailman_$1_t,mailman_log_t)
+ logging_filetrans_log(mailman_$1_t,mailman_log_t)
allow mailman_$1_t mailman_$1_tmp_t:dir create_dir_perms;
allow mailman_$1_t mailman_$1_tmp_t:file create_file_perms;
- files_create_tmp_files(mailman_$1_t, mailman_$1_tmp_t, { file dir })
+ files_filetrans_tmp(mailman_$1_t, mailman_$1_tmp_t, { file dir })
kernel_read_kernel_sysctl(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index c4ec347..e16be43 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -119,7 +119,7 @@ template(`mta_base_mail_template',`
allow $1_mail_t $1_mail_tmp_t:dir create_dir_perms;
allow $1_mail_t $1_mail_tmp_t:file create_file_perms;
- files_create_tmp_files($1_mail_t, $1_mail_tmp_t, { file dir })
+ files_filetrans_tmp($1_mail_t, $1_mail_tmp_t, { file dir })
allow $1_mail_t etc_mail_t:dir { getattr search };
@@ -280,7 +280,7 @@ template(`mta_admin_template',`
allow $1_mail_t etc_aliases_t:lnk_file create_lnk_perms;
allow $1_mail_t etc_aliases_t:sock_file create_file_perms;
allow $1_mail_t etc_aliases_t:fifo_file create_file_perms;
- files_create_etc_config($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+ files_filetrans_etc($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
# postfix needs this for newaliases
files_getattr_tmp_dir($1_mail_t)
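Review bot: Nothing on `files_filetrans_etc($1_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })` explains why sockets and FIFOs that a mail domain creates in /etc should be labelled `etc_aliases_t`, and the new verb makes it plain that this line is a labelling rule. If only the aliases database is written there, narrowing the class set to `file`, as the `sendmail_t` call in mta.te does, would be the least-privilege form. Otherwise a short comment should record the reason, for example `# newaliases rebuilds the aliases db in /etc` if that is the case. The same class set appears in the `system_mail_t` hunk of mta.te, and the template body starts and ends outside this hunk.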
@@ -289,7 +289,7 @@ template(`mta_admin_template',`
ifdef(`distro_redhat',`
# compatability for old default main.cf
- postfix_create_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ postfix_filetrans_config($1_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
')
')
@@ -596,7 +596,7 @@ interface(`mta_getattr_spool',`
## no class is specified, file will be used.
##
#
-interface(`mta_create_spool',`
+interface(`mta_filetrans_spool',`
gen_require(`
type mail_spool_t;
')
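Review bot: Renaming `mta_create_spool` to `mta_filetrans_spool` in place removes the old name, so any policy module outside this tree that still calls it will stop building; the same applies to `postfix_create_config` in postfix.if. A thin wrapper under the old name that forwards its arguments to the new interface would keep such callers working, assuming the project wants a transition period. The `##` summary above the interface is mostly outside the hunk and should be checked so that it describes a type transition rather than plain creation. The interface body continues past the end of the hunk.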
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 85139a9..ef67ac1 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -130,7 +130,7 @@ optional_policy(`logwatch',`
')
optional_policy(`sendmail',`
- files_create_etc_config(sendmail_t,etc_aliases_t, file)
+ files_filetrans_etc(sendmail_t,etc_aliases_t, file)
')
optional_policy(`postfix',`
@@ -139,7 +139,7 @@ optional_policy(`postfix',`
allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
allow system_mail_t etc_aliases_t:sock_file create_file_perms;
allow system_mail_t etc_aliases_t:fifo_file create_file_perms;
- files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
+ files_filetrans_etc(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })
domain_use_wide_inherit_fd(system_mail_t)
@@ -150,7 +150,7 @@ optional_policy(`postfix',`
ifdef(`distro_redhat',`
# compatability for old default main.cf
- postfix_create_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
+ postfix_filetrans_config(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file })
')
optional_policy(`cron',`
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 91c18b9..bbfa13d 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -42,23 +42,23 @@ allow mysqld_t self:udp_socket create_socket_perms;
allow mysqld_t mysqld_db_t:dir create_dir_perms;
allow mysqld_t mysqld_db_t:file create_file_perms;
allow mysqld_t mysqld_db_t:lnk_file create_lnk_perms;
-files_create_var_lib(mysqld_t,mysqld_db_t,{ dir file })
+files_filetrans_var_lib(mysqld_t,mysqld_db_t,{ dir file })
allow mysqld_t mysqld_etc_t:file { getattr read };
allow mysqld_t mysqld_etc_t:lnk_file { getattr read };
allow mysqld_t mysqld_etc_t:dir list_dir_perms;
allow mysqld_t mysqld_log_t:file create_file_perms;
-logging_create_log(mysqld_t,mysqld_log_t)
+logging_filetrans_log(mysqld_t,mysqld_log_t)
allow mysqld_t mysqld_tmp_t:dir create_dir_perms;
allow mysqld_t mysqld_tmp_t:file create_file_perms;
-files_create_tmp_files(mysqld_t, mysqld_tmp_t, { file dir })
+files_filetrans_tmp(mysqld_t, mysqld_tmp_t, { file dir })
allow mysqld_t mysqld_var_run_t:dir rw_dir_perms;
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
allow mysqld_t mysqld_var_run_t:file create_file_perms;
-files_create_pid(mysqld_t,mysqld_var_run_t)
+files_filetrans_pid(mysqld_t,mysqld_var_run_t)
kernel_list_proc(mysqld_t)
kernel_read_kernel_sysctl(mysqld_t)
diff --git a/refpolicy/policy/modules/services/networkmanager.te b/refpolicy/policy/modules/services/networkmanager.te
index 0ada346..9d88a85 100644
--- a/refpolicy/policy/modules/services/networkmanager.te
+++ b/refpolicy/policy/modules/services/networkmanager.te
@@ -31,7 +31,7 @@ allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t NetworkManager_var_run_t:file create_file_perms;
allow NetworkManager_t NetworkManager_var_run_t:dir rw_dir_perms;
-files_create_pid(NetworkManager_t,NetworkManager_var_run_t)
+files_filetrans_pid(NetworkManager_t,NetworkManager_var_run_t)
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
@@ -102,7 +102,7 @@ sysnet_delete_dhcpc_pid(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
# in /etc created by NetworkManager will be labelled net_conf_t.
sysnet_manage_config(NetworkManager_t)
-sysnet_create_config(NetworkManager_t)
+sysnet_filetrans_config(NetworkManager_t)
userdom_dontaudit_use_unpriv_user_fd(NetworkManager_t)
userdom_dontaudit_search_sysadm_home_dir(NetworkManager_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 8fd2656..2ae303f 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -54,11 +54,11 @@ allow ypbind_t self:udp_socket create_socket_perms;
allow ypbind_t ypbind_tmp_t:dir create_dir_perms;
allow ypbind_t ypbind_tmp_t:file create_file_perms;
-files_create_tmp_files(ypbind_t, ypbind_tmp_t, { file dir })
+files_filetrans_tmp(ypbind_t, ypbind_tmp_t, { file dir })
allow ypbind_t ypbind_var_run_t:file manage_file_perms;
allow ypbind_t ypbind_var_run_t:dir rw_dir_perms;
-files_create_pid(ypbind_t,ypbind_var_run_t)
+files_filetrans_pid(ypbind_t,ypbind_var_run_t)
allow ypbind_t var_yp_t:dir rw_dir_perms;
allow ypbind_t var_yp_t:file create_file_perms;
@@ -151,7 +151,7 @@ allow yppasswdd_t self:udp_socket create_socket_perms;
allow yppasswdd_t yppasswdd_var_run_t:file create_file_perms;
allow yppasswdd_t yppasswdd_var_run_t:dir rw_dir_perms;
-files_create_pid(yppasswdd_t,yppasswdd_var_run_t)
+files_filetrans_pid(yppasswdd_t,yppasswdd_var_run_t)
allow yppasswdd_t var_yp_t:dir rw_dir_perms;
allow yppasswdd_t var_yp_t:file create_file_perms;
@@ -256,11 +256,11 @@ allow ypserv_t ypserv_conf_t:file { getattr read };
allow ypserv_t ypserv_tmp_t:dir create_dir_perms;
allow ypserv_t ypserv_tmp_t:file create_file_perms;
-files_create_tmp_files(ypserv_t, ypserv_tmp_t, { file dir })
+files_filetrans_tmp(ypserv_t, ypserv_tmp_t, { file dir })
allow ypserv_t ypserv_var_run_t:dir rw_dir_perms;
allow ypserv_t ypserv_var_run_t:file manage_file_perms;
-files_create_pid(ypserv_t,ypserv_var_run_t)
+files_filetrans_pid(ypserv_t,ypserv_var_run_t)
kernel_read_kernel_sysctl(ypserv_t)
kernel_list_proc(ypserv_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index dd79db2..1659ece 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -45,12 +45,12 @@ allow nscd_t self:udp_socket create_socket_perms;
allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file create_file_perms;
-logging_create_log(nscd_t,nscd_log_t)
+logging_filetrans_log(nscd_t,nscd_log_t)
allow nscd_t nscd_var_run_t:file create_file_perms;
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
allow nscd_t nscd_var_run_t:dir rw_dir_perms;
-files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
+files_filetrans_pid(nscd_t,nscd_var_run_t,{ file sock_file })
kernel_read_kernel_sysctl(nscd_t)
kernel_list_proc(nscd_t)
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index df17f67..530dfe7 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -49,16 +49,16 @@ can_exec(ntpd_t,ntpd_exec_t)
allow ntpd_t ntpd_log_t:file create_file_perms;
allow ntpd_t ntpd_log_t:dir { rw_dir_perms setattr };
-logging_create_log(ntpd_t,ntpd_log_t,{ file dir })
+logging_filetrans_log(ntpd_t,ntpd_log_t,{ file dir })
# for some reason it creates a file in /tmp
allow ntpd_t ntpd_tmp_t:dir create_dir_perms;
allow ntpd_t ntpd_tmp_t:file create_file_perms;
-files_create_tmp_files(ntpd_t, ntpd_tmp_t, { file dir })
+files_filetrans_tmp(ntpd_t, ntpd_tmp_t, { file dir })
allow ntpd_t ntpd_var_run_t:file create_file_perms;
allow ntpd_t ntpd_var_run_t:dir rw_dir_perms;
-files_create_pid(ntpd_t,ntpd_var_run_t)
+files_filetrans_pid(ntpd_t,ntpd_var_run_t)
kernel_read_kernel_sysctl(ntpd_t)
kernel_read_system_state(ntpd_t)
diff --git a/refpolicy/policy/modules/services/openct.te b/refpolicy/policy/modules/services/openct.te
index 964efb5..b36f450 100644
--- a/refpolicy/policy/modules/services/openct.te
+++ b/refpolicy/policy/modules/services/openct.te
@@ -23,7 +23,7 @@ allow openct_t self:process signal_perms;
allow openct_t openct_var_run_t:file create_file_perms;
allow openct_t openct_var_run_t:dir rw_dir_perms;
-files_create_pid(openct_t,openct_var_run_t)
+files_filetrans_pid(openct_t,openct_var_run_t)
kernel_read_kernel_sysctl(openct_t)
kernel_list_proc(openct_t)
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 96b0472..daa26b2 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -54,12 +54,12 @@ allow pegasus_t pegasus_mof_t:lnk_file { getattr read };
allow pegasus_t pegasus_tmp_t:dir create_dir_perms;
allow pegasus_t pegasus_tmp_t:file create_file_perms;
-files_create_tmp_files(pegasus_t, pegasus_tmp_t, { file dir })
+files_filetrans_tmp(pegasus_t, pegasus_tmp_t, { file dir })
allow pegasus_t pegasus_var_run_t:file create_file_perms;
allow pegasus_t pegasus_var_run_t:sock_file { create setattr unlink };
allow pegasus_t pegasus_var_run_t:dir rw_dir_perms;
-files_create_pid(pegasus_t,pegasus_var_run_t)
+files_filetrans_pid(pegasus_t,pegasus_var_run_t)
kernel_read_kernel_sysctl(pegasus_t)
kernel_read_fs_sysctl(pegasus_t)
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 77dce07..87f6ba5 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -36,11 +36,11 @@ allow portmap_t self:udp_socket create_socket_perms;
allow portmap_t portmap_tmp_t:dir create_dir_perms;
allow portmap_t portmap_tmp_t:file create_file_perms;
-files_create_tmp_files(portmap_t, portmap_tmp_t, { file dir })
+files_filetrans_tmp(portmap_t, portmap_tmp_t, { file dir })
allow portmap_t portmap_var_run_t:file create_file_perms;
allow portmap_t portmap_var_run_t:dir rw_dir_perms;
-files_create_pid(portmap_t,portmap_var_run_t)
+files_filetrans_pid(portmap_t,portmap_var_run_t)
kernel_read_kernel_sysctl(portmap_t)
kernel_list_proc(portmap_t)
@@ -163,7 +163,7 @@ allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file create_file_perms;
-files_create_pid(portmap_helper_t,portmap_var_run_t)
+files_filetrans_pid(portmap_helper_t,portmap_var_run_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
index 3c4f403..a749e8e 100644
--- a/refpolicy/policy/modules/services/postfix.if
+++ b/refpolicy/policy/modules/services/postfix.if
@@ -43,7 +43,7 @@ template(`postfix_domain_template',`
allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
- files_create_pid(postfix_$1_t,postfix_var_run_t)
+ files_filetrans_pid(postfix_$1_t,postfix_var_run_t)
kernel_read_system_state(postfix_$1_t)
kernel_read_network_state(postfix_$1_t)
@@ -207,7 +207,7 @@ interface(`postfix_read_config',`
## no class is specified, file will be used.
##
#
-interface(`postfix_create_config',`
+interface(`postfix_filetrans_config',`
gen_require(`
type postfix_etc_t;
')
diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te
index 3510a35..4c85ccb 100644
--- a/refpolicy/policy/modules/services/postfix.te
+++ b/refpolicy/policy/modules/services/postfix.te
@@ -257,7 +257,7 @@ allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
-files_create_tmp_files(postfix_local_t, postfix_local_tmp_t, { file dir })
+files_filetrans_tmp(postfix_local_t, postfix_local_tmp_t, { file dir })
# connect to master process
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
@@ -299,7 +299,7 @@ allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms;
allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms;
allow postfix_map_t postfix_map_tmp_t:file create_file_perms;
-files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir })
+files_filetrans_tmp(postfix_map_t, postfix_map_tmp_t, { file dir })
kernel_read_kernel_sysctl(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 9a53560..ca0f3cc 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -48,7 +48,7 @@ allow postgresql_t postgresql_db_t:fifo_file create_file_perms;
allow postgresql_t postgresql_db_t:file create_file_perms;
allow postgresql_t postgresql_db_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_db_t:sock_file create_file_perms;
-files_create_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
+files_filetrans_var_lib(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
allow postgresql_t postgresql_etc_t:dir r_dir_perms;
allow postgresql_t postgresql_etc_t:file r_file_perms;
@@ -58,24 +58,24 @@ allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file create_file_perms;
-files_create_lock(postgresql_t,postgresql_lock_t)
+files_filetrans_lock(postgresql_t,postgresql_lock_t)
allow postgresql_t postgresql_log_t:dir rw_dir_perms;
allow postgresql_t postgresql_log_t:file create_file_perms;
-logging_create_log(postgresql_t,postgresql_log_t,{ file dir })
+logging_filetrans_log(postgresql_t,postgresql_log_t,{ file dir })
allow postgresql_t postgresql_tmp_t:dir create_dir_perms;
allow postgresql_t postgresql_tmp_t:fifo_file create_file_perms;
allow postgresql_t postgresql_tmp_t:file create_file_perms;
allow postgresql_t postgresql_tmp_t:lnk_file create_lnk_perms;
allow postgresql_t postgresql_tmp_t:sock_file create_file_perms;
-files_create_tmp_files(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_create_tmpfs_data(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+files_filetrans_tmp(postgresql_t, postgresql_tmp_t, { dir file sock_file })
+fs_filetrans_tmpfs(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
allow postgresql_t postgresql_var_run_t:dir rw_dir_perms;
allow postgresql_t postgresql_var_run_t:file create_file_perms;
allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-files_create_pid(postgresql_t,postgresql_var_run_t)
+files_filetrans_pid(postgresql_t,postgresql_var_run_t)
kernel_read_kernel_sysctl(postgresql_t)
kernel_read_system_state(postgresql_t)
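Review bot: The two transitions for `postgresql_tmp_t` use different class sets: `files_filetrans_tmp` lists `{ dir file sock_file }` while `fs_filetrans_tmpfs` lists `{ dir file lnk_file sock_file fifo_file }`, and the allow rules above grant all five classes. If the difference is intended, a comment such as `# lnk_file and fifo_file are only created on tmpfs` would record it. If it is not, symlinks and FIFOs created in /tmp would presumably keep the directory's type instead of the private label, so the two sets should be aligned.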
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index 8e3e8dd..6b82f71 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -80,23 +80,23 @@ allow pppd_t pppd_devpts_t:chr_file { rw_file_perms setattr };
allow pppd_t pppd_etc_t:dir rw_dir_perms;
allow pppd_t pppd_etc_t:file r_file_perms;
allow pppd_t pppd_etc_t:lnk_file { getattr read };
-files_create_etc_config(pppd_t,pppd_etc_t)
+files_filetrans_etc(pppd_t,pppd_etc_t)
allow pppd_t pppd_etc_rw_t:file create_file_perms;
allow pppd_t pppd_lock_t:file create_file_perms;
-files_create_lock(pppd_t,pppd_lock_t)
+files_filetrans_lock(pppd_t,pppd_lock_t)
allow pppd_t pppd_log_t:file create_file_perms;
-logging_create_log(pppd_t,pppd_log_t)
+logging_filetrans_log(pppd_t,pppd_log_t)
allow pppd_t pppd_tmp_t:dir create_dir_perms;
allow pppd_t pppd_tmp_t:file create_file_perms;
-files_create_tmp_files(pppd_t, pppd_tmp_t, { file dir })
+files_filetrans_tmp(pppd_t, pppd_tmp_t, { file dir })
allow pppd_t pppd_var_run_t:dir rw_dir_perms;
allow pppd_t pppd_var_run_t:file create_file_perms;
-files_create_pid(pppd_t,pppd_var_run_t)
+files_filetrans_pid(pppd_t,pppd_var_run_t)
allow pppd_t pptp_t:process signal;
@@ -248,12 +248,12 @@ can_exec(pptp_t, pppd_etc_rw_t)
allow pptp_t pppd_log_t:file append;
allow pptp_t pptp_log_t:file create_file_perms;
-logging_create_log(pptp_t,pptp_log_t)
+logging_filetrans_log(pptp_t,pptp_log_t)
allow pptp_t pptp_var_run_t:file create_file_perms;
allow pptp_t pptp_var_run_t:dir rw_dir_perms;
allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-files_create_pid(pptp_t,pptp_var_run_t)
+files_filetrans_pid(pptp_t,pptp_var_run_t)
kernel_list_proc(pptp_t)
kernel_read_kernel_sysctl(pptp_t)
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index d9a487b..ea69c43 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -32,11 +32,11 @@ allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
allow privoxy_t privoxy_log_t:file create_file_perms;
allow privoxy_t privoxy_log_t:dir rw_dir_perms;
-logging_create_log(privoxy_t,privoxy_log_t)
+logging_filetrans_log(privoxy_t,privoxy_log_t)
allow privoxy_t privoxy_var_run_t:file create_file_perms;
allow privoxy_t privoxy_var_run_t:dir rw_dir_perms;
-files_create_pid(privoxy_t,privoxy_var_run_t)
+files_filetrans_pid(privoxy_t,privoxy_var_run_t)
kernel_read_kernel_sysctl(privoxy_t)
kernel_list_proc(privoxy_t)
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 5f0b812..0b49f23 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -41,11 +41,11 @@ files_search_etc(radiusd_t)
allow radiusd_t radiusd_log_t:file create_file_perms;
allow radiusd_t radiusd_log_t:dir create_dir_perms;
-logging_create_log(radiusd_t,radiusd_log_t,{ file dir })
+logging_filetrans_log(radiusd_t,radiusd_log_t,{ file dir })
allow radiusd_t radiusd_var_run_t:file create_file_perms;
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
-files_create_pid(radiusd_t,radiusd_var_run_t)
+files_filetrans_pid(radiusd_t,radiusd_var_run_t)
kernel_read_kernel_sysctl(radiusd_t)
kernel_read_system_state(radiusd_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index c368f8e..0cb9893 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -32,7 +32,7 @@ allow radvd_t radvd_etc_t:file { getattr read };
allow radvd_t radvd_var_run_t:file create_file_perms;
allow radvd_t radvd_var_run_t:dir rw_dir_perms;
-files_create_pid(radvd_t,radvd_var_run_t)
+files_filetrans_pid(radvd_t,radvd_var_run_t)
kernel_read_kernel_sysctl(radvd_t)
kernel_read_net_sysctl(radvd_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 7dfb861..ebc250d 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -40,7 +40,7 @@ allow remote_login_t self:msg { send receive };
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
allow remote_login_t remote_login_tmp_t:file create_file_perms;
-files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
+files_filetrans_tmp(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctl(remote_login_t)
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
index 8cfe7a5..d019255 100644
--- a/refpolicy/policy/modules/services/rlogin.te
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -41,11 +41,11 @@ can_exec(rlogind_t, rlogind_exec_t)
allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
allow rlogind_t rlogind_tmp_t:file create_file_perms;
-files_create_tmp_files(rlogind_t, rlogind_tmp_t, { file dir })
+files_filetrans_tmp(rlogind_t, rlogind_tmp_t, { file dir })
allow rlogind_t rlogind_var_run_t:file create_file_perms;
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
-files_create_pid(rlogind_t,rlogind_var_run_t)
+files_filetrans_pid(rlogind_t,rlogind_var_run_t)
kernel_read_kernel_sysctl(rlogind_t)
kernel_read_system_state(rlogind_t)
diff --git a/refpolicy/policy/modules/services/roundup.te b/refpolicy/policy/modules/services/roundup.te
index ce126ea..a7cedb4 100644
--- a/refpolicy/policy/modules/services/roundup.te
+++ b/refpolicy/policy/modules/services/roundup.te
@@ -30,11 +30,11 @@ allow roundup_t self:udp_socket create_socket_perms;
allow roundup_t roundup_var_run_t:file create_file_perms;
allow roundup_t roundup_var_run_t:dir rw_dir_perms;
-files_create_pid(roundup_t,roundup_var_run_t)
+files_filetrans_pid(roundup_t,roundup_var_run_t)
allow roundup_t roundup_var_lib_t:file create_file_perms;
allow roundup_t roundup_var_lib_t:dir rw_dir_perms;
-files_create_var_lib(roundup_t,roundup_var_lib_t)
+files_filetrans_var_lib(roundup_t,roundup_var_lib_t)
kernel_read_kernel_sysctl(roundup_t)
kernel_list_proc(roundup_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 67a1c7d..db9be79 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -43,7 +43,7 @@ allow rpcd_t self:file { getattr read };
allow rpcd_t rpcd_var_run_t:file manage_file_perms;
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
-files_create_pid(rpcd_t,rpcd_var_run_t)
+files_filetrans_pid(rpcd_t,rpcd_var_run_t)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
@@ -124,7 +124,7 @@ allow gssd_t self:fifo_file { read write };
allow gssd_t gssd_tmp_t:dir create_dir_perms;
allow gssd_t gssd_tmp_t:file create_file_perms;
-files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
+files_filetrans_tmp(gssd_t, gssd_tmp_t, { file dir })
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index ac9af2a..d439016 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -44,11 +44,11 @@ allow rsync_t rsync_data_t:lnk_file r_file_perms;
allow rsync_t rsync_tmp_t:dir create_dir_perms;
allow rsync_t rsync_tmp_t:file create_file_perms;
-files_create_tmp_files(rsync_t, rsync_tmp_t, { file dir })
+files_filetrans_tmp(rsync_t, rsync_tmp_t, { file dir })
allow rsync_t rsync_var_run_t:file create_file_perms;
allow rsync_t rsync_var_run_t:dir rw_dir_perms;
-files_create_pid(rsync_t,rsync_var_run_t)
+files_filetrans_pid(rsync_t,rsync_var_run_t)
kernel_read_kernel_sysctl(rsync_t)
kernel_read_system_state(rsync_t)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 60f8c10..cef316c 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -103,7 +103,7 @@ type_transition samba_net_t samba_etc_t:file samba_secrets_t;
allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
allow samba_net_t samba_net_tmp_t:file create_file_perms;
-files_create_tmp_files(samba_net_t, samba_net_tmp_t, { file dir })
+files_filetrans_tmp(samba_net_t, samba_net_tmp_t, { file dir })
allow samba_net_t samba_var_t:dir rw_dir_perms;
allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
@@ -212,14 +212,14 @@ allow smbd_t samba_var_t:sock_file create_file_perms;
allow smbd_t smbd_tmp_t:dir create_dir_perms;
allow smbd_t smbd_tmp_t:file create_file_perms;
-files_create_tmp_files(smbd_t, smbd_tmp_t, { file dir })
+files_filetrans_tmp(smbd_t, smbd_tmp_t, { file dir })
allow smbd_t nmbd_var_run_t:file rw_file_perms;
allow smbd_t smbd_var_run_t:dir create_dir_perms;
allow smbd_t smbd_var_run_t:file create_file_perms;
allow smbd_t smbd_var_run_t:sock_file create_file_perms;
-files_create_pid(smbd_t,smbd_var_run_t)
+files_filetrans_pid(smbd_t,smbd_var_run_t)
allow smbd_t winbind_var_run_t:sock_file { read write getattr };
@@ -356,7 +356,7 @@ allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow nmbd_t nmbd_var_run_t:file create_file_perms;
allow nmbd_t nmbd_var_run_t:dir rw_dir_perms;
-files_create_pid(nmbd_t,nmbd_var_run_t)
+files_filetrans_pid(nmbd_t,nmbd_var_run_t)
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
@@ -559,11 +559,11 @@ allow swat_t smbd_var_run_t:file read;
allow swat_t swat_tmp_t:dir create_dir_perms;
allow swat_t swat_tmp_t:file create_file_perms;
-files_create_tmp_files(swat_t, swat_tmp_t, { file dir })
+files_filetrans_tmp(swat_t, swat_tmp_t, { file dir })
allow swat_t swat_var_run_t:file create_file_perms;
allow swat_t swat_var_run_t:dir rw_dir_perms;
-files_create_pid(swat_t,swat_var_run_t)
+files_filetrans_pid(swat_t,swat_var_run_t)
allow swat_t winbind_exec_t:file execute;
@@ -652,16 +652,16 @@ allow winbind_t samba_var_t:file create_file_perms;
allow winbind_t samba_var_t:lnk_file create_lnk_perms;
allow winbind_t winbind_log_t:file create_file_perms;
-logging_create_log(winbind_t,winbind_log_t)
+logging_filetrans_log(winbind_t,winbind_log_t)
allow winbind_t winbind_tmp_t:dir create_dir_perms;
allow winbind_t winbind_tmp_t:file create_file_perms;
-files_create_tmp_files(winbind_t, winbind_tmp_t, { file dir })
+files_filetrans_tmp(winbind_t, winbind_tmp_t, { file dir })
allow winbind_t winbind_var_run_t:file create_file_perms;
allow winbind_t winbind_var_run_t:sock_file create_file_perms;
allow winbind_t winbind_var_run_t:dir rw_dir_perms;
-files_create_pid(winbind_t,winbind_var_run_t)
+files_filetrans_pid(winbind_t,winbind_var_run_t)
kernel_read_kernel_sysctl(winbind_t)
kernel_list_proc(winbind_t)
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index 39745b7..f802e41 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -29,7 +29,7 @@ allow saslauthd_t self:tcp_socket create_socket_perms;
allow saslauthd_t saslauthd_var_run_t:file create_file_perms;
allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
allow saslauthd_t saslauthd_var_run_t:dir rw_dir_perms;
-files_create_pid(saslauthd_t,saslauthd_var_run_t)
+files_filetrans_pid(saslauthd_t,saslauthd_var_run_t)
kernel_read_kernel_sysctl(saslauthd_t)
kernel_read_system_state(saslauthd_t)
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 51d2e28..0ab0a34 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -83,5 +83,5 @@ interface(`sendmail_create_log',`
type sendmail_log_t;
')
- logging_create_log($1,sendmail_log_t,file)
+ logging_filetrans_log($1,sendmail_log_t,file)
')
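Review bot: `sendmail_create_log` keeps the `create` verb although its body is now `logging_filetrans_log($1,sendmail_log_t,file)`, so it is itself a file type transition interface and falls under the rename this commit applies everywhere else. Renaming it to `sendmail_filetrans_log`, and updating its callers (not visible here), would keep the naming rule consistent. The interface name appears only in the hunk header, so its documentation could not be checked.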
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index c207b54..d406396 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -34,7 +34,7 @@ allow sendmail_t self:tcp_socket create_stream_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
+logging_filetrans_log(sendmail_t,sendmail_log_t,{ file dir })
kernel_read_kernel_sysctl(sendmail_t)
# for piping mail to a command
@@ -106,10 +106,10 @@ ifdef(`targeted_policy',`
',`
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
allow sendmail_t sendmail_tmp_t:file create_file_perms;
- files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
+ files_filetrans_tmp(sendmail_t, sendmail_tmp_t, { file dir })
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
- files_create_pid(sendmail_t,sendmail_var_run_t)
+ files_filetrans_pid(sendmail_t,sendmail_var_run_t)
')
optional_policy(`nis',`
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
index f1e84d8..f27268d 100644
--- a/refpolicy/policy/modules/services/slrnpull.te
+++ b/refpolicy/policy/modules/services/slrnpull.te
@@ -28,7 +28,7 @@ dontaudit slrnpull_t self:capability sys_tty_config;
allow slrnpull_t self:process signal_perms;
allow slrnpull_t slrnpull_log_t:file create_file_perms;
-logging_create_log(slrnpull_t,slrnpull_log_t)
+logging_filetrans_log(slrnpull_t,slrnpull_log_t)
allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
@@ -38,7 +38,7 @@ files_search_spool(slrnpull_t)
allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
-files_create_pid(slrnpull_t,slrnpull_var_run_t)
+files_filetrans_pid(slrnpull_t,slrnpull_var_run_t)
kernel_list_proc(slrnpull_t)
kernel_read_kernel_sysctl(slrnpull_t)
diff --git a/refpolicy/policy/modules/services/smartmon.te b/refpolicy/policy/modules/services/smartmon.te
index 11a8215..321fc97 100644
--- a/refpolicy/policy/modules/services/smartmon.te
+++ b/refpolicy/policy/modules/services/smartmon.te
@@ -31,11 +31,11 @@ allow fsdaemon_t self:udp_socket create_socket_perms;
allow fsdaemon_t fsdaemon_tmp_t:dir create_dir_perms;
allow fsdaemon_t fsdaemon_tmp_t:file create_file_perms;
-files_create_tmp_files(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+files_filetrans_tmp(fsdaemon_t, fsdaemon_tmp_t, { file dir })
allow fsdaemon_t fsdaemon_var_run_t:file create_file_perms;
allow fsdaemon_t fsdaemon_var_run_t:dir rw_dir_perms;
-files_create_pid(fsdaemon_t,fsdaemon_var_run_t)
+files_filetrans_pid(fsdaemon_t,fsdaemon_var_run_t)
kernel_read_kernel_sysctl(fsdaemon_t)
kernel_read_software_raid_state(fsdaemon_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 413466f..e27fcbe 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -36,18 +36,18 @@ allow snmpd_t self:udp_socket connected_stream_socket_perms;
allow snmpd_t snmpd_etc_t:file { getattr read };
allow snmpd_t snmpd_log_t:file create_file_perms;
-logging_create_log(snmpd_t,snmpd_log_t)
+logging_filetrans_log(snmpd_t,snmpd_log_t)
allow snmpd_t snmpd_var_lib_t:file create_file_perms;
allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
-files_create_usr(snmpd_t,snmpd_var_lib_t)
-files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
-files_create_var_lib(snmpd_t,snmpd_var_lib_t)
+files_filetrans_usr(snmpd_t,snmpd_var_lib_t)
+files_filetrans_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
+files_filetrans_var_lib(snmpd_t,snmpd_var_lib_t)
allow snmpd_t snmpd_var_run_t:file create_file_perms;
allow snmpd_t snmpd_var_run_t:dir rw_dir_perms;
-files_create_pid(snmpd_t,snmpd_var_run_t)
+files_filetrans_pid(snmpd_t,snmpd_var_run_t)
kernel_read_kernel_sysctl(snmpd_t)
kernel_read_net_sysctl(snmpd_t)
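Review bot: The three transitions to `snmpd_var_lib_t` carry no comment saying which paths need them, and `files_filetrans_usr(snmpd_t,snmpd_var_lib_t)` is the surprising one. Judging by its name, it labels whatever snmpd_t creates in a generic /usr directory as var-lib data. With the verb now spelling out that these are transitions, each call should name the location that requires it, e.g. `# snmpd writes state under <path in /usr>`. Any call that no current layout needs is a candidate for removal. The definitions of the `files_filetrans_*` interfaces are not in this hunk, so the exact parent types are inferred.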
diff --git a/refpolicy/policy/modules/services/spamassassin.if b/refpolicy/policy/modules/services/spamassassin.if
index 589ae52..0046187 100644
--- a/refpolicy/policy/modules/services/spamassassin.if
+++ b/refpolicy/policy/modules/services/spamassassin.if
@@ -75,7 +75,7 @@ template(`spamassassin_per_userdomain_template',`
allow $1_spamc_t $1_spamc_tmp_t:dir create_dir_perms;
allow $1_spamc_t $1_spamc_tmp_t:file create_file_perms;
- files_create_tmp_files($1_spamc_t, $1_spamc_tmp_t, { file dir })
+ files_filetrans_tmp($1_spamc_t, $1_spamc_tmp_t, { file dir })
# Allow connecting to a local spamd
allow $1_spamc_t spamd_t:tcp_socket { connectto recvfrom };
@@ -198,7 +198,7 @@ template(`spamassassin_per_userdomain_template',`
allow $1_spamassassin_t $1_spamassassin_tmp_t:dir create_dir_perms;
allow $1_spamassassin_t $1_spamassassin_tmp_t:file create_file_perms;
- files_create_tmp_files($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
+ files_filetrans_tmp($1_spamassassin_t, $1_spamassassin_tmp_t, { file dir })
allow $2 $1_spamassassin_home_t:dir { create_dir_perms relabelfrom relabelto };
allow $2 $1_spamassassin_home_t:file { create_file_perms relabelfrom relabelto };
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index 7773c99..db4955f 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -51,11 +51,11 @@ allow spamd_t self:udp_socket create_socket_perms;
allow spamd_t spamd_tmp_t:dir create_dir_perms;
allow spamd_t spamd_tmp_t:file create_file_perms;
-files_create_tmp_files(spamd_t, spamd_tmp_t, { file dir })
+files_filetrans_tmp(spamd_t, spamd_tmp_t, { file dir })
allow spamd_t spamd_var_run_t:file create_file_perms;
allow spamd_t spamd_var_run_t:dir rw_dir_perms;
-files_create_pid(spamd_t,spamd_var_run_t)
+files_filetrans_pid(spamd_t,spamd_var_run_t)
kernel_read_all_sysctl(spamd_t)
kernel_read_system_state(spamd_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 6f63dda..60f6bc4 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -58,11 +58,11 @@ can_exec(squid_t,squid_exec_t)
allow squid_t squid_log_t:file create_file_perms;
allow squid_t squid_log_t:dir rw_dir_perms;
-logging_create_log(squid_t,squid_log_t,{ file dir })
+logging_filetrans_log(squid_t,squid_log_t,{ file dir })
allow squid_t squid_var_run_t:file create_file_perms;
allow squid_t squid_var_run_t:dir rw_dir_perms;
-files_create_pid(squid_t,squid_var_run_t)
+files_filetrans_pid(squid_t,squid_var_run_t)
kernel_read_kernel_sysctl(squid_t)
kernel_read_system_state(squid_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index f804d88..0da952e 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -89,7 +89,7 @@ template(`ssh_per_userdomain_template',`
# Access the ssh temporary files.
allow $1_ssh_t sshd_tmp_t:dir create_dir_perms;
allow $1_ssh_t sshd_tmp_t:file create_file_perms;
- files_create_tmp_files($1_ssh_t, sshd_tmp_t, { file dir })
+ files_filetrans_tmp($1_ssh_t, sshd_tmp_t, { file dir })
# for rsync
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
@@ -421,7 +421,7 @@ template(`ssh_server_template', `
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_var_run_t:file create_file_perms;
- files_create_pid($1_t,$1_var_run_t,file)
+ files_filetrans_pid($1_t,$1_var_run_t,file)
can_exec($1_t, sshd_exec_t)
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 6d48614..e0697b8 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -82,7 +82,7 @@ ifdef(`targeted_policy',`',`
allow sshd_t sshd_tmp_t:dir create_dir_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
- files_create_tmp_files(sshd_t, sshd_tmp_t, { dir file sock_file })
+ files_filetrans_tmp(sshd_t, sshd_tmp_t, { dir file sock_file })
# for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
@@ -209,7 +209,7 @@ ifdef(`targeted_policy',`',`
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file create_file_perms;
- files_create_etc_config(ssh_keygen_t,sshd_key_t,file)
+ files_filetrans_etc(ssh_keygen_t,sshd_key_t,file)
kernel_read_kernel_sysctl(ssh_keygen_t)
diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te
index 7d32a1c..923c05c 100644
--- a/refpolicy/policy/modules/services/stunnel.te
+++ b/refpolicy/policy/modules/services/stunnel.te
@@ -45,11 +45,11 @@ allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
allow stunnel_t stunnel_tmp_t:dir create_dir_perms;
allow stunnel_t stunnel_tmp_t:file create_file_perms;
-files_create_tmp_files(stunnel_t, stunnel_tmp_t, { file dir })
+files_filetrans_tmp(stunnel_t, stunnel_tmp_t, { file dir })
allow stunnel_t stunnel_var_run_t:file create_file_perms;
allow stunnel_t stunnel_var_run_t:dir rw_dir_perms;
-files_create_pid(stunnel_t,stunnel_var_run_t)
+files_filetrans_pid(stunnel_t,stunnel_var_run_t)
kernel_read_kernel_sysctl(stunnel_t)
kernel_read_system_state(stunnel_t)
diff --git a/refpolicy/policy/modules/services/sysstat.te b/refpolicy/policy/modules/services/sysstat.te
index 9ebcf3d..09dbf0b 100644
--- a/refpolicy/policy/modules/services/sysstat.te
+++ b/refpolicy/policy/modules/services/sysstat.te
@@ -27,7 +27,7 @@ can_exec(sysstat_t, sysstat_exec_t)
allow sysstat_t sysstat_log_t:file create_file_perms;
allow sysstat_t sysstat_log_t:dir rw_dir_perms;
-logging_create_log(sysstat_t,sysstat_log_t,{ file dir })
+logging_filetrans_log(sysstat_t,sysstat_log_t,{ file dir })
# get info from /proc
kernel_read_system_state(sysstat_t)
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 5a27b85..186d25f 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -21,7 +21,7 @@ allow tcpd_t self:tcp_socket create_stream_socket_perms;
allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
allow tcpd_t tcpd_tmp_t:file create_file_perms;
-files_create_tmp_files(tcpd_t, tcpd_tmp_t, { file dir })
+files_filetrans_tmp(tcpd_t, tcpd_tmp_t, { file dir })
corenet_raw_sendrecv_all_if(tcpd_t)
corenet_tcp_sendrecv_all_if(tcpd_t)
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
index e46462a..30526a8 100644
--- a/refpolicy/policy/modules/services/telnet.te
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -39,11 +39,11 @@ term_create_pty(telnetd_t,telnetd_devpts_t)
allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
allow telnetd_t telnetd_tmp_t:file create_file_perms;
-files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir })
+files_filetrans_tmp(telnetd_t, telnetd_tmp_t, { file dir })
allow telnetd_t telnetd_var_run_t:file create_file_perms;
allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
-files_create_pid(telnetd_t,telnetd_var_run_t)
+files_filetrans_pid(telnetd_t,telnetd_var_run_t)
kernel_read_kernel_sysctl(telnetd_t)
kernel_read_system_state(telnetd_t)
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index 1a8c100..682a604 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -35,7 +35,7 @@ allow tftpd_t tftpdir_t:lnk_file { getattr read };
allow tftpd_t tftpd_var_run_t:file create_file_perms;
allow tftpd_t tftpd_var_run_t:dir rw_dir_perms;
-files_create_pid(tftpd_t,tftpd_var_run_t)
+files_filetrans_pid(tftpd_t,tftpd_var_run_t)
kernel_read_kernel_sysctl(tftpd_t)
kernel_list_proc(tftpd_t)
diff --git a/refpolicy/policy/modules/services/timidity.te b/refpolicy/policy/modules/services/timidity.te
index a4bcec4..0b236cd 100644
--- a/refpolicy/policy/modules/services/timidity.te
+++ b/refpolicy/policy/modules/services/timidity.te
@@ -33,7 +33,7 @@ allow timidity_t timidity_tmpfs_t:file create_file_perms;
allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms;
allow timidity_t timidity_tmpfs_t:sock_file create_file_perms;
allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms;
-fs_create_tmpfs_data(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_filetrans_tmpfs(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(timidity_t)
# read /proc/cpuinfo
diff --git a/refpolicy/policy/modules/services/uucp.te b/refpolicy/policy/modules/services/uucp.te
index 1da82ca..3e47d75 100644
--- a/refpolicy/policy/modules/services/uucp.te
+++ b/refpolicy/policy/modules/services/uucp.te
@@ -41,7 +41,7 @@ allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow uucpd_t uucpd_log_t:file create_file_perms;
allow uucpd_t uucpd_log_t:dir { rw_dir_perms setattr };
-logging_create_log(uucpd_t,uucpd_log_t,{ file dir })
+logging_filetrans_log(uucpd_t,uucpd_log_t,{ file dir })
allow uucpd_t uucpd_ro_t:dir r_dir_perms;
allow uucpd_t uucpd_ro_t:file r_file_perms;
@@ -57,11 +57,11 @@ allow uucpd_t uucpd_spool_t:lnk_file create_lnk_perms;
allow uucpd_t uucpd_tmp_t:dir create_dir_perms;
allow uucpd_t uucpd_tmp_t:file create_file_perms;
-files_create_tmp_files(uucpd_t, uucpd_tmp_t, { file dir })
+files_filetrans_tmp(uucpd_t, uucpd_tmp_t, { file dir })
allow uucpd_t uucpd_var_run_t:file create_file_perms;
allow uucpd_t uucpd_var_run_t:dir rw_dir_perms;
-files_create_pid(uucpd_t,uucpd_var_run_t)
+files_filetrans_pid(uucpd_t,uucpd_var_run_t)
kernel_read_kernel_sysctl(uucpd_t)
kernel_read_system_state(uucpd_t)
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index 62086a6..b27ecd5 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -79,23 +79,23 @@ ifdef(`targeted_policy',`
unconfined_domtrans(xdm_t)
',`
allow xdm_t xdm_lock_t:file create_file_perms;
- files_create_lock(xdm_t,xdm_lock_t)
+ files_filetrans_lock(xdm_t,xdm_lock_t)
allow xdm_t xdm_tmp_t:dir create_dir_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
allow xdm_t xdm_tmp_t:file create_file_perms;
- files_create_tmp_files(xdm_t, xdm_tmp_t, { file dir sock_file })
+ files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })
allow xdm_t xdm_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow xdm_t xdm_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow xdm_t xdm_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow xdm_t xdm_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_create_tmpfs_data(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+ fs_filetrans_tmpfs(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
allow xdm_t xdm_var_lib_t:file create_file_perms;
allow xdm_t xdm_var_lib_t:dir create_dir_perms;
- files_create_var_lib(xdm_t,xdm_var_lib_t)
+ files_filetrans_var_lib(xdm_t,xdm_var_lib_t)
')
optional_policy(`locallogin',`
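Review bot: `allow xdm_t xdm_tmp_t:file create_file_perms;` appears twice in a row above `files_filetrans_tmp(xdm_t, xdm_tmp_t, { file dir sock_file })`, and no rule in this hunk lets xdm_t create a sock_file of that type. The transition names three classes but only dir and file are allowed here, so the second copy was probably meant to read `allow xdm_t xdm_tmp_t:sock_file create_file_perms;`. Unless that permission is granted elsewhere in xdm.te or by the interface itself, socket creation in the tmp directory would be denied. The enclosing ifdef starts outside the hunk.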
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 0ee64e1..b703f3b 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -29,11 +29,11 @@ allow xfs_t self:unix_dgram_socket create_socket_perms;
allow xfs_t xfs_tmp_t:dir create_dir_perms;
allow xfs_t xfs_tmp_t:sock_file create_file_perms;
-files_create_tmp_files(xfs_t, xfs_tmp_t, { sock_file dir })
+files_filetrans_tmp(xfs_t, xfs_tmp_t, { sock_file dir })
allow xfs_t xfs_var_run_t:file create_file_perms;
allow xfs_t xfs_var_run_t:dir rw_dir_perms;
-files_create_pid(xfs_t,xfs_var_run_t)
+files_filetrans_pid(xfs_t,xfs_var_run_t)
# Bind to /tmp/.font-unix/fs-1.
# cjp: I do not believe this has an effect.
@@ -70,7 +70,7 @@ userdom_dontaudit_search_sysadm_home_dir(xfs_t)
ifdef(`distro_debian',`
# for /tmp/.font-unix/fs7100
- init_create_script_tmp(xfs_t,xfs_tmp_t,sock_file)
+ init_filetrans_script_tmp(xfs_t,xfs_tmp_t,sock_file)
')
ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te
index f79adad..3c379fb 100644
--- a/refpolicy/policy/modules/services/zebra.te
+++ b/refpolicy/policy/modules/services/zebra.te
@@ -45,16 +45,16 @@ allow zebra_t zebra_conf_t:lnk_file { getattr read };
allow zebra_t zebra_log_t:file create_file_perms;
allow zebra_t zebra_log_t:sock_file create_file_perms;
allow zebra_t zebra_log_t:dir { rw_dir_perms setattr };
-logging_create_log(zebra_t,zebra_log_t,{ sock_file file dir })
+logging_filetrans_log(zebra_t,zebra_log_t,{ sock_file file dir })
# /tmp/.bgpd is such a bad idea!
allow zebra_t zebra_tmp_t:sock_file create_file_perms;
-files_create_tmp_files(zebra_t,zebra_tmp_t,sock_file)
+files_filetrans_tmp(zebra_t,zebra_tmp_t,sock_file)
allow zebra_t zebra_var_run_t:file manage_file_perms;
allow zebra_t zebra_var_run_t:sock_file manage_file_perms;
allow zebra_t zebra_var_run_t:dir rw_dir_perms;
-files_create_pid(zebra_t,zebra_var_run_t, { file sock_file })
+files_filetrans_pid(zebra_t,zebra_var_run_t, { file sock_file })
kernel_read_system_state(zebra_t)
kernel_read_kernel_sysctl(zebra_t)
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 96307b3..02b91c1 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -396,7 +396,7 @@ interface(`auth_manage_shadow',`
')
allow $1 shadow_t:file create_file_perms;
- files_create_etc_config($1,shadow_t,file)
+ files_filetrans_etc($1,shadow_t,file)
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')
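Review bot: `files_filetrans_etc($1,shadow_t,file)` does not appear to be scoped to the shadow file itself. As a type transition on the generic etc directory type, it would label every regular file the caller creates there as shadow_t, and nothing in the interface says so. A comment above the call would make that explicit for users of auth_manage_shadow, for example `# any file $1 creates in a generic etc directory is labeled shadow_t`. This reading is inferred from the interface name and the commit's Changelog entry. The definition of files_filetrans_etc and the start of auth_manage_shadow are outside the hunk.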
@@ -993,14 +993,14 @@ interface(`auth_rw_login_records',`
#######################################
#
-# auth_create_login_records(domain)
+# auth_filetrans_login_records(domain)
#
-interface(`auth_create_login_records',`
+interface(`auth_filetrans_login_records',`
gen_require(`
type wtmp_t;
')
- logging_create_log($1,wtmp_t,file)
+ logging_filetrans_log($1,wtmp_t,file)
')
#######################################
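Review bot: `auth_filetrans_login_records` is documented only by the one-line signature comment `# auth_filetrans_login_records(domain)`, so the new verb is the sole hint of what the interface grants. A `##` documentation block in the style visible on `init_filetrans_script_tmp` in init.if would fit here. It needs a summary stating that files the domain creates through `logging_filetrans_log` are labeled wtmp_t, plus a parameter entry for the domain. The same gap applies to `logging_filetrans_log` in logging.if, which also has only a signature comment.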
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 60b3ee8..920a183 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -96,7 +96,7 @@ allow pam_t pam_var_run_t:file { getattr read unlink };
allow pam_t pam_tmp_t:dir create_dir_perms;
allow pam_t pam_tmp_t:file create_file_perms;
-files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
+files_filetrans_tmp(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index b7e6a2a..5fb87f0 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -42,7 +42,7 @@ can_exec(fsadm_t, fsadm_exec_t)
allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
allow fsadm_t fsadm_tmp_t:file create_file_perms;
-files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
+files_filetrans_tmp(fsadm_t, fsadm_tmp_t, { file dir })
# Enable swapping to files
allow fsadm_t swapfile_t:file { getattr swapon };
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 7eeb20c..2dc83c8 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -44,21 +44,21 @@ allow getty_t self:process { getpgid getsession signal_perms };
allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms;
allow getty_t getty_etc_t:lnk_file { getattr read };
-files_create_etc_config(getty_t,getty_etc_t,{ file dir })
+files_filetrans_etc(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_lock_t:file create_file_perms;
-files_create_lock(getty_t,getty_lock_t)
+files_filetrans_lock(getty_t,getty_lock_t)
allow getty_t getty_log_t:file create_file_perms;
-logging_create_log(getty_t,getty_log_t)
+logging_filetrans_log(getty_t,getty_log_t)
allow getty_t getty_tmp_t:file create_file_perms;
allow getty_t getty_tmp_t:dir create_dir_perms;
-files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
+files_filetrans_tmp(getty_t,getty_tmp_t,{ file dir })
allow getty_t getty_var_run_t:file create_file_perms;
allow getty_t getty_var_run_t:dir rw_dir_perms;
-files_create_pid(getty_t,getty_var_run_t)
+files_filetrans_pid(getty_t,getty_var_run_t)
kernel_list_proc(getty_t)
kernel_read_proc_symlinks(getty_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index d01fb75..d767b9e 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -43,7 +43,7 @@ can_exec(hotplug_t,hotplug_exec_t)
allow hotplug_t hotplug_var_run_t:file manage_file_perms;
allow hotplug_t hotplug_var_run_t:dir rw_dir_perms;
-files_create_pid(hotplug_t,hotplug_var_run_t)
+files_filetrans_pid(hotplug_t,hotplug_var_run_t)
kernel_sigchld(hotplug_t)
kernel_setpgid(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 0a6f645..ebd5801 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -750,7 +750,7 @@ interface(`init_rw_script_tmp_files',`
## The object class. If not specified, file is used.
##
#
-interface(`init_create_script_tmp',`
+interface(`init_filetrans_script_tmp',`
gen_require(`
type initrc_tmp_t;
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 75c1fff..308a0b8 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -104,11 +104,11 @@ allow init_t initrc_t:unix_stream_socket connectto;
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_create_pid(init_t,init_var_run_t)
+files_filetrans_pid(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
-dev_create_dev_node(init_t,initctl_t,fifo_file)
+dev_filetrans_dev_node(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -171,7 +171,7 @@ miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_chr_dev(init_t)
- fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
+ fs_filetrans_tmpfs(init_t,initctl_t,fifo_file)
')
ifdef(`targeted_policy',`
@@ -228,12 +228,12 @@ allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
allow initrc_t initrc_var_run_t:file create_file_perms;
-files_create_pid(initrc_t,initrc_var_run_t)
+files_filetrans_pid(initrc_t,initrc_var_run_t)
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
-files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
+files_filetrans_tmp(initrc_t,initrc_tmp_t, { file dir })
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
@@ -389,7 +389,7 @@ userdom_use_sysadm_terms(initrc_t)
ifdef(`distro_debian', `
dev_setattr_dev_dir(initrc_t)
- fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
+ fs_filetrans_tmpfs(initrc_t,initrc_var_run_t,dir)
# for storing state under /dev/shm
fs_setattr_tmpfs_dir(initrc_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index 9faed4e..acdcab8 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -57,7 +57,7 @@ allow ipsec_t ipsec_key_file_t:lnk_file r_file_perms;
allow ipsec_t ipsec_var_run_t:file create_file_perms;
allow ipsec_t ipsec_var_run_t:sock_file create_file_perms;
-files_create_pid(ipsec_t,ipsec_var_run_t,{ file sock_file })
+files_filetrans_pid(ipsec_t,ipsec_var_run_t,{ file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -156,17 +156,17 @@ allow ipsec_mgmt_t self:key_socket { create setopt };
allow ipsec_mgmt_t self:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file create_file_perms;
-files_create_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
+files_filetrans_lock(ipsec_mgmt_t,ipsec_mgmt_lock_t)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file create_file_perms;
-files_create_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
+files_filetrans_pid(ipsec_mgmt_t,ipsec_mgmt_var_run_t)
allow ipsec_mgmt_t ipsec_var_run_t:dir rw_dir_perms;
allow ipsec_mgmt_t ipsec_var_run_t:file create_file_perms;
allow ipsec_mgmt_t ipsec_var_run_t:lnk_file create_lnk_perms;
allow ipsec_mgmt_t ipsec_var_run_t:sock_file create_file_perms;
-files_create_pid(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
+files_filetrans_pid(ipsec_mgmt_t,ipsec_var_run_t,sock_file)
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -182,7 +182,7 @@ allow ipsec_mgmt_t ipsec_key_file_t:dir rw_dir_perms;
allow ipsec_mgmt_t ipsec_key_file_t:lnk_file create_lnk_perms;
# cjp: combo of file_type_auto_trans and rw_dir_create_file
allow ipsec_mgmt_t ipsec_key_file_t:file create_file_perms;
-files_create_etc_config(ipsec_mgmt_t,ipsec_key_file_t)
+files_filetrans_etc(ipsec_mgmt_t,ipsec_key_file_t)
# whack needs to connect to pluto
allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index d2bb830..83a49ab 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_create_pid(iptables_t,iptables_var_run_t)
+files_filetrans_pid(iptables_t,iptables_var_run_t)
can_exec(iptables_t,iptables_exec_t)
allow iptables_t iptables_tmp_t:dir create_dir_perms;
allow iptables_t iptables_tmp_t:file create_file_perms;
-files_create_tmp_files(iptables_t, iptables_tmp_t, { file dir })
+files_filetrans_tmp(iptables_t, iptables_tmp_t, { file dir })
allow iptables_t self:rawip_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index e5b3020..dd5d7b8 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -55,7 +55,7 @@ init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
allow ldconfig_t ld_so_cache_t:file create_file_perms;
-files_create_etc_config(ldconfig_t,ld_so_cache_t,file)
+files_filetrans_etc(ldconfig_t,ld_so_cache_t,file)
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index d4aac08..2f7d3fb 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -52,11 +52,11 @@ allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
allow local_login_t local_login_lock_t:file create_file_perms;
-files_create_lock(local_login_t,local_login_lock_t)
+files_filetrans_lock(local_login_t,local_login_lock_t)
allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file create_file_perms;
-files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
+files_filetrans_tmp(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index f99a955..bb1f079 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -86,9 +86,9 @@ interface(`logging_domtrans_syslog',`
########################################
#
-# logging_create_log(domain,privatetype,[class(es)])
+# logging_filetrans_log(domain,privatetype,[class(es)])
#
-interface(`logging_create_log',`
+interface(`logging_filetrans_log',`
gen_require(`
type var_log_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 64625b2..fc66ecf 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -123,7 +123,7 @@ allow auditd_t var_log_t:dir search;
allow auditd_t auditd_var_run_t:file create_file_perms;
allow auditd_t auditd_var_run_t:dir rw_dir_perms;
-files_create_pid(auditd_t,auditd_var_run_t)
+files_filetrans_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_list_proc(auditd_t)
@@ -191,11 +191,11 @@ allow klogd_t self:process signal_perms;
allow klogd_t klogd_tmp_t:file create_file_perms;
allow klogd_t klogd_tmp_t:dir create_dir_perms;
-files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
+files_filetrans_tmp(klogd_t,klogd_tmp_t,{ file dir })
allow klogd_t klogd_var_run_t:file create_file_perms;
allow klogd_t klogd_var_run_t:dir rw_dir_perms;
-files_create_pid(klogd_t,klogd_var_run_t)
+files_filetrans_pid(klogd_t,klogd_var_run_t)
kernel_read_system_state(klogd_t)
kernel_read_messages(klogd_t)
@@ -267,7 +267,7 @@ allow syslogd_t self:udp_socket { connected_socket_perms connect };
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
-files_create_pid(syslogd_t,devlog_t,sock_file)
+files_filetrans_pid(syslogd_t,devlog_t,sock_file)
# cjp: I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
@@ -281,15 +281,15 @@ allow syslogd_t var_log_t:dir { create setattr };
# manage temporary files
allow syslogd_t syslogd_tmp_t:file create_file_perms;
allow syslogd_t syslogd_tmp_t:dir create_dir_perms;
-files_create_tmp_files(syslogd_t,syslogd_tmp_t,{ dir file })
+files_filetrans_tmp(syslogd_t,syslogd_tmp_t,{ dir file })
allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_create_pid(syslogd_t,syslogd_var_run_t,file)
+files_filetrans_pid(syslogd_t,syslogd_var_run_t,file)
# manage pid file
allow syslogd_t syslogd_var_run_t:file create_file_perms;
allow syslogd_t syslogd_var_run_t:dir rw_dir_perms;
-files_create_pid(syslogd_t,syslogd_var_run_t)
+files_filetrans_pid(syslogd_t,syslogd_var_run_t)
kernel_read_kernel_sysctl(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
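Review bot: The pid-file rules for syslogd_t are stated twice in this hunk. `allow syslogd_t syslogd_var_run_t:file create_file_perms;` is followed by `files_filetrans_pid(syslogd_t,syslogd_var_run_t,file)`, and the same allow recurs under `# manage pid file` with `files_filetrans_pid(syslogd_t,syslogd_var_run_t)`. If the class argument defaults to file, as the init.if documentation states for its own interface, the two calls are equivalent. In that case the first pair can be dropped, keeping the commented block with the dir rule. Duplicates like this make it harder to audit what a domain may label, and this commit already touches both lines.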
@@ -299,7 +299,7 @@ kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
-dev_create_dev_node(syslogd_t,devlog_t,sock_file)
+dev_filetrans_dev_node(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -351,7 +351,7 @@ userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
ifdef(`distro_suse',`
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
- files_create_var_lib(syslogd_t,devlog_t,sock_file)
+ files_filetrans_var_lib(syslogd_t,devlog_t,sock_file)
')
ifdef(`targeted_policy',`
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 67d1916..6bf2646 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -51,7 +51,7 @@ allow clvmd_t self:udp_socket create_socket_perms;
allow clvmd_t clvmd_var_run_t:file create_file_perms;
allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
-files_create_pid(clvmd_t,clvmd_var_run_t)
+files_filetrans_pid(clvmd_t,clvmd_var_run_t)
kernel_read_kernel_sysctl(clvmd_t)
kernel_list_proc(clvmd_t)
@@ -135,7 +135,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
-files_create_tmp_files(lvm_t, lvm_tmp_t, { file dir })
+files_filetrans_tmp(lvm_t, lvm_tmp_t, { file dir })
# /lib/lvm- holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search;
@@ -147,11 +147,11 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
-files_create_lock(lvm_t,lvm_lock_t)
+files_filetrans_lock(lvm_t,lvm_lock_t)
allow lvm_t lvm_var_run_t:file create_file_perms;
allow lvm_t lvm_var_run_t:dir create_dir_perms;
-files_create_pid(lvm_t,lvm_var_run_t)
+files_filetrans_pid(lvm_t,lvm_var_run_t)
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -160,7 +160,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
allow lvm_t lvm_metadata_t:file create_file_perms;
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
-files_create_etc_config(lvm_t,lvm_metadata_t,file)
+files_filetrans_etc(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t)
kernel_read_kernel_sysctl(lvm_t)
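Review bot: The renamed `files_filetrans_etc(lvm_t,lvm_metadata_t,file)` line sits directly under a hand-written `type_transition lvm_t lvm_etc_t:file lvm_metadata_t;` with no comment saying why both transitions are needed. Judging by the comment next to the same interface in sysnetwork.te, the interface call labels files the domain creates in /etc generally, which is a wider scope than the lvm_etc_t rule above it. I would add a comment before the call, for example `# files lvm_t creates in /etc itself are labelled lvm_metadata_t; the rule above covers lvm_etc_t directories`, and confirm that the broader transition is still intended.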
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index c6f5368..d840f88 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -164,7 +164,7 @@ can_exec(depmod_t, depmod_exec_t)
allow depmod_t modules_conf_t:file r_file_perms;
allow depmod_t modules_dep_t:file create_file_perms;
-bootloader_create_modules(depmod_t,modules_dep_t)
+bootloader_filetrans_modules(depmod_t,modules_dep_t)
kernel_read_system_state(depmod_t)
@@ -226,8 +226,8 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms;
-bootloader_create_modules(update_modules_t,modules_conf_t)
-files_create_etc_config(update_modules_t,modules_conf_t)
+bootloader_filetrans_modules(update_modules_t,modules_conf_t)
+files_filetrans_etc(update_modules_t,modules_conf_t)
# transition to depmod
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
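Review bot: The new `files_filetrans_etc(update_modules_t,modules_conf_t)` call omits the object class, while the other `files_filetrans_etc` callers visible in this commit (lvm.te, sysnetwork.te, sysnetwork.if) all pass `file` explicitly. The only access this hunk grants on modules_conf_t is `:file create_file_perms`, so the transition should be scoped to match: `files_filetrans_etc(update_modules_t,modules_conf_t,file)`. Whether the interface falls back to `file` when the third argument is empty is not visible here, so the result may be the same today. An explicit class still keeps the label transition from widening if that default ever changes.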
@@ -238,7 +238,7 @@ allow depmod_t update_modules_t:process sigchld;
allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
allow update_modules_t update_modules_tmp_t:file create_file_perms;
-files_create_tmp_files(update_modules_t, update_modules_tmp_t, { file dir })
+files_filetrans_tmp(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 90d55d1..2197e82 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -23,7 +23,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
-files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
+files_filetrans_tmp(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 8510a92..e13d742 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -38,15 +38,15 @@ allow cardmgr_t self:unix_dgram_socket create_socket_perms;
allow cardmgr_t self:unix_stream_socket create_socket_perms;
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
-dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
+dev_filetrans_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
# Create stab file
allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
allow cardmgr_t cardmgr_var_lib_t:dir rw_dir_perms;
-files_create_var_lib(cardmgr_t,cardmgr_var_lib_t)
+files_filetrans_var_lib(cardmgr_t,cardmgr_var_lib_t)
allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
-files_create_pid(cardmgr_t,cardmgr_var_run_t)
+files_filetrans_pid(cardmgr_t,cardmgr_var_run_t)
kernel_read_system_state(cardmgr_t)
kernel_read_kernel_sysctl(cardmgr_t)
@@ -114,7 +114,7 @@ modutils_domtrans_insmod(cardmgr_t)
sysnet_domtrans_ifconfig(cardmgr_t)
# for /etc/resolv.conf
-sysnet_create_config(cardmgr_t)
+sysnet_filetrans_config(cardmgr_t)
sysnet_manage_config(cardmgr_t)
userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 7faa6b9..cd1841c 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -24,7 +24,7 @@ dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t mdadm_var_run_t:file create_file_perms;
-files_create_pid(mdadm_t,mdadm_var_run_t)
+files_filetrans_pid(mdadm_t,mdadm_var_run_t)
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctl(mdadm_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 9b0a234..f2b5996 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -221,12 +221,12 @@ interface(`sysnet_dontaudit_read_config',`
## The type of the process performing this action.
##
#
-interface(`sysnet_create_config',`
+interface(`sysnet_filetrans_config',`
gen_require(`
type net_conf_t;
')
- files_create_etc_config($1,net_conf_t,file)
+ files_filetrans_etc($1,net_conf_t,file)
')
#######################################
@@ -403,13 +403,14 @@ interface(`sysnet_search_dhcp_state',`
## The object class. If not specified, file is used.
##
#
-interface(`sysnet_create_dhcp_state',`
+interface(`sysnet_filetrans_dhcp_state',`
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
allow $1 dhcp_state_t:dir rw_dir_perms;
+
ifelse(`$3',`',`
type_transition $1 dhcp_state_t:file $2;
',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 477e0dc..7189997 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -65,17 +65,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
allow dhcpc_t dhcpc_var_run_t:dir rw_dir_perms;
-files_create_pid(dhcpc_t,dhcpc_var_run_t)
+files_filetrans_pid(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file create_file_perms;
-files_create_etc_config(dhcpc_t,net_conf_t,file)
+files_filetrans_etc(dhcpc_t,net_conf_t,file)
# create temp files
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
-files_create_tmp_files(dhcpc_t, dhcpc_tmp_t, { file dir })
+files_filetrans_tmp(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 9cbbc99..20c89c2 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -66,11 +66,11 @@ allow udev_t udev_etc_t:file r_file_perms;
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file create_file_perms;
-dev_create_dev_node(udev_t,udev_tbl_t,file)
+dev_filetrans_dev_node(udev_t,udev_tbl_t,file)
allow udev_t udev_var_run_t:file create_file_perms;
allow udev_t udev_var_run_t:dir rw_dir_perms;
-files_create_pid(udev_t,udev_var_run_t)
+files_filetrans_pid(udev_t,udev_var_run_t)
kernel_read_system_state(udev_t)
kernel_getattr_core(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 9efc0d5..ada44f4 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -120,7 +120,7 @@ template(`base_user_template',`
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
- files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
+ files_filetrans_tmp($1_t, $1_tmp_t, { dir notdevfile_class_set })
# Bind to a Unix domain socket in /tmp.
# cjp: this is combination is not checked and should be removed
@@ -131,7 +131,7 @@ template(`base_user_template',`
allow $1_t $1_tmpfs_t:lnk_file create_lnk_perms;
allow $1_t $1_tmpfs_t:sock_file create_file_perms;
allow $1_t $1_tmpfs_t:fifo_file create_file_perms;
- fs_create_tmpfs_data($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+ fs_filetrans_tmpfs($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
@@ -3039,12 +3039,12 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
## Domain allowed access.
##
#
-interface(`userdom_create_generic_user_home_dir',`
+interface(`userdom_filetrans_generic_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
- files_create_home_dirs($1,user_home_dir_t)
+ files_filetrans_home($1,user_home_dir_t)
')
########################################
@@ -3093,7 +3093,7 @@ interface(`userdom_manage_generic_user_home_dir',`
## If not specified, file is used.
##
#
-interface(`userdom_create_generic_user_home',`
+interface(`userdom_filetrans_generic_user_home',`
gen_require(`
type user_home_dir_t, user_home_t;
')
@@ -3534,5 +3534,5 @@ interface(`userdom_unconfined',`
')
allow $1 user_home_dir_t:dir create_dir_perms;
- files_create_home_dirs($1,user_home_dir_t)
+ files_filetrans_home($1,user_home_dir_t)
')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 321064d..a4a0801 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -140,7 +140,7 @@ ifdef(`targeted_policy',`
# Add/remove user home directories
allow sysadm_t user_home_dir_t:dir create_dir_perms;
- files_create_home_dirs(sysadm_t,user_home_dir_t)
+ files_filetrans_home(sysadm_t,user_home_dir_t)
mls_process_read_up(sysadm_t)