diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 34aad7e..f9a42fc 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -434,9 +434,6 @@ clean:
rm -f $(FC)
bare: clean
- find . -name *~ -exec rm -f {} \;
- find . -name "*#*" -exec rm -f {} \;
- find . -name ".*#*" -exec rm -f {} \;
rm -f $(POLXML)
rm -f $(SUPPORT)/*.pyc
rm -f $(FCSORT)
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 7a45f5a..a23dc42 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -1,9 +1,9 @@
#######################################
#
-# consoletype_transition(domain)
+# consoletype_domtrans(domain)
#
-define(`consoletype_transition',`
+define(`consoletype_domtrans',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,consoletype_exec_t,consoletype_t)
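Review bot: The renamed `consoletype_domtrans` keeps only a bare `# consoletype_domtrans(domain)` header, whereas dmesg.if and rpm.if in this same commit document their interfaces with `##` summary and parameter comments; the rename is the natural moment to bring this file, and netutils.if at its first hunk, onto the same convention. A header along the lines of `## Execute consoletype in the consoletype domain.` followed by a `## domain` parameter description would match those files. The define body continues past the end of this hunk.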
@@ -14,7 +14,7 @@ define(`consoletype_transition',`
allow consoletype_t $1:process sigchld;
')
-define(`consoletype_transition_depend',`
+define(`consoletype_domtrans_depend',`
type consoletype_t, consoletype_exec_t;
class file rx_file_perms;
@@ -25,16 +25,16 @@ define(`consoletype_transition_depend',`
#######################################
#
-# consoletype_execute(domain)
+# consoletype_exec(domain)
#
-define(`consoletype_execute',`
+define(`consoletype_exec',`
requires_block_template(`$0'_depend)
can_exec($1,consoletype_exec_t)
')
-define(`consoletype_execute_depend',`
+define(`consoletype_exec_depend',`
type consoletype_exec_t;
class file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index a6db3cb..9f4348a 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -8,8 +8,8 @@ policy_module(consoletype, 1.0)
type consoletype_t;
type consoletype_exec_t;
-init_make_init_domain(consoletype_t,consoletype_exec_t)
-init_make_system_domain(consoletype_t,consoletype_exec_t)
+init_domain(consoletype_t,consoletype_exec_t)
+init_system_domain(consoletype_t,consoletype_exec_t)
role system_r types consoletype_t;
########################################
@@ -39,27 +39,27 @@ fs_getattr_all_fs(consoletype_t)
term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t)
-init_use_file_descriptors(consoletype_t)
-init_script_use_pseudoterminal(consoletype_t)
-init_script_use_file_descriptors(consoletype_t)
+init_use_fd(consoletype_t)
+init_use_script_pty(consoletype_t)
+init_use_script_fd(consoletype_t)
-domain_use_widely_inheritable_file_descriptors(consoletype_t)
+domain_use_wide_inherit_fd(consoletype_t)
-files_ignore_read_rootfs_file(consoletype_t)
+files_dontaudit_read_root_file(consoletype_t)
-libraries_use_dynamic_loader(consoletype_t)
-libraries_use_shared_libraries(consoletype_t)
+libs_use_ld_so(consoletype_t)
+libs_use_shared_libs(consoletype_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(consoletype_t)
')
optional_policy(`authlogin.te', `
- authlogin_pam_read_runtime_data(consoletype_t)
+ auth_read_pam_pid(consoletype_t)
')
optional_policy(`userdomain.te',`
- userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+ userdom_use_unpriv_users_fd(consoletype_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 69e7872..7bf8885 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -2,7 +2,7 @@
## Policy for dmesg.
########################################
-##
+##
##
## Execute dmesg in the dmesg domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`dmesg_transition',`
+define(`dmesg_domtrans',`
requires_block_template(`$0'_depend)
allow $1 dmesg_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`dmesg_transition',`
allow dmesg_t $1:process sigchld;
')
-define(`dmesg_transition_depend',`
+define(`dmesg_domtrans_depend',`
type dmesg_t, dmesg_exec_t;
class file rx_file_perms;
@@ -35,7 +35,7 @@ define(`dmesg_transition_depend',`
')
########################################
-##
+##
##
## Execute dmesg in the caller domain.
##
@@ -44,14 +44,14 @@ define(`dmesg_transition_depend',`
##
##
#
-define(`dmesg_execute',`
+define(`dmesg_exec',`
requires_block_template(`$0'_depend)
can_exec($1,dmesg_exec_t)
')
-define(`dmesg_execute_depend',`
+define(`dmesg_exec_depend',`
type dmesg_exec_t;
class file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index c559527..735d869 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -8,7 +8,7 @@ policy_module(dmesg, 1.0)
type dmesg_t;
type dmesg_exec_t;
-init_make_system_domain(dmesg_t,dmesg_exec_t)
+init_system_domain(dmesg_t,dmesg_exec_t)
role system_r types dmesg_t;
########################################
@@ -29,30 +29,30 @@ kernel_change_ring_buffer_level(dmesg_t)
term_dontaudit_use_console(dmesg_t)
-domain_use_widely_inheritable_file_descriptors(dmesg_t)
+domain_use_wide_inherit_fd(dmesg_t)
-files_read_general_system_config_directory(dmesg_t)
+files_read_generic_etc_files_directory(dmesg_t)
# for when /usr is not mounted:
-files_ignore_search_isid_type_dir(dmesg_t)
+files_dontaudit_search_isid_type_dir(dmesg_t)
-init_use_file_descriptors(dmesg_t)
-init_script_use_pseudoterminal(dmesg_t)
+init_use_fd(dmesg_t)
+init_use_script_pty(dmesg_t)
-libraries_use_dynamic_loader(dmesg_t)
-libraries_use_shared_libraries(dmesg_t)
+libs_use_ld_so(dmesg_t)
+libs_use_shared_libs(dmesg_t)
-logging_send_system_log_message(dmesg_t)
-logging_write_system_logs(dmesg_t)
+logging_send_syslog_msg(dmesg_t)
+logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
-userdomain_use_admin_terminals(dmesg_t)
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
+userdom_use_sysadm_terms(dmesg_t)
+userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dmesg_t)
terminal_ignore_use_general_pseudoterminal(dmesg_t)
- files_ignore_read_rootfs_file(dmesg_t)
+ files_dontaudit_read_root_file(dmesg_t)
')
optional_policy(`selinux.te',`
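Review bot: `terminal_ignore_use_general_pseudoterminal(dmesg_t)` inside the targeted_policy ifdef block still uses the old `terminal_*`/`ignore` vocabulary, while the line directly above it (`term_dontaudit_use_unallocated_tty`) and the renamed `files_dontaudit_read_root_file` below it use the new scheme, so this call appears to have been missed by the rename and will presumably stop resolving once the old names are gone. It should be switched to the corresponding `term_dontaudit_*` interface from the terminal module; confirm the exact name against terminal.if rather than guessing it. Because it is guarded by the targeted_policy ifdef, a strict-policy build would not surface the breakage.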
@@ -60,7 +60,7 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(dmesg_t)
+ udev_read_db(dmesg_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 72fc713..7b53ac3 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -1,9 +1,9 @@
#######################################
#
-# netutils_transition(domain)
+# netutils_domtrans(domain)
#
-define(`netutils_transition',`
+define(`netutils_domtrans',`
requires_block_template(`$0'_depend)
allow $1 netutils_exec_t:file rx_file_perms;
@@ -17,7 +17,7 @@ define(`netutils_transition',`
allow netutils_t $1:process sigchld;
')
-define(`netutils_transition_depend',`
+define(`netutils_domtrans_depend',`
type netutils_t, netutils_exec_t;
class file rx_file_perms;
@@ -28,16 +28,16 @@ define(`netutils_transition_depend',`
#######################################
#
-# netutils_execute(domain)
+# netutils_exec(domain)
#
-define(`netutils_execute',`
+define(`netutils_exec',`
requires_block_template(`$0'_depend)
can_exec($1,netutils_exec_t)
')
-define(`netutils_execute_depend',`
+define(`netutils_exec_depend',`
type netutils_exec_t;
class file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 166d8bf..6f9995b 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -8,20 +8,20 @@ policy_module(devices,1.0)
type netutils_t;
type netutils_exec_t;
-init_make_system_domain(netutils_t,netutils_exec_t)
+init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;
type netutils_tmp_t;
-files_make_temporary_file(netutils_tmp_t)
+files_tmp_file(netutils_tmp_t)
type ping_t; #, nscd_client_domain;
type ping_exec_t;
-init_make_system_domain(ping_t,ping_exec_t)
+init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;
type traceroute_t; #, nscd_client_domain;
type traceroute_exec_t;
-init_make_system_domain(traceroute_t,traceroute_exec_t)
+init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;
#
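Review bot: The hunk header shows this file's module declaration as `policy_module(devices,1.0)`, which looks like a copy-paste from another module; for netutils.te it should presumably read `policy_module(netutils,1.0)`, as every other module in this commit declares its own name (`policy_module(rpm,1.0)`, `policy_module(usermanage,1.0)`). The declaration line itself is outside the hunk, so please confirm it and fix it in the same renaming pass.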
@@ -44,7 +44,7 @@ allow netutils_t self:tcp_socket create_socket_perms;
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
-files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
+files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
@@ -59,19 +59,19 @@ corenet_udp_bind_all_nodes(netutils_t)
fs_getattr_xattr_fs(netutils_t)
-init_use_file_descriptors(netutils_t)
-init_script_use_pseudoterminal(netutils_t)
+init_use_fd(netutils_t)
+init_use_script_pty(netutils_t)
-domain_use_widely_inheritable_file_descriptors(netutils_t)
+domain_use_wide_inherit_fd(netutils_t)
-files_read_general_system_config(netutils_t)
+files_read_generic_etc_files(netutils_t)
# for nscd
-files_ignore_search_system_state_data_directory(netutils_t)
+files_dontaudit_search_var(netutils_t)
-libraries_use_dynamic_loader(netutils_t)
-libraries_use_shared_libraries(netutils_t)
+libs_use_ld_so(netutils_t)
+libs_use_shared_libs(netutils_t)
-logging_send_system_log_message(netutils_t)
+logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t)
@@ -117,17 +117,17 @@ corenet_tcp_bind_all_nodes(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
-domain_use_widely_inheritable_file_descriptors(ping_t)
+domain_use_wide_inherit_fd(ping_t)
-files_read_general_system_config(ping_t)
-files_ignore_search_system_state_data_directory(ping_t)
+files_read_generic_etc_files(ping_t)
+files_dontaudit_search_var(ping_t)
-libraries_use_dynamic_loader(ping_t)
-libraries_use_shared_libraries(ping_t)
+libs_use_ld_so(ping_t)
+libs_use_shared_libs(ping_t)
-sysnetwork_read_network_config(ping_t)
+sysnet_read_config(ping_t)
-logging_send_system_log_message(ping_t)
+logging_send_syslog_msg(ping_t)
if (user_ping) {
term_use_all_user_ttys(ping_t)
@@ -175,22 +175,22 @@ corenet_tcp_bind_all_nodes(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
-domain_use_widely_inheritable_file_descriptors(traceroute_t)
+domain_use_wide_inherit_fd(traceroute_t)
-files_read_general_system_config(traceroute_t)
-files_ignore_search_system_state_data_directory(traceroute_t)
+files_read_generic_etc_files(traceroute_t)
+files_dontaudit_search_var(traceroute_t)
-libraries_use_dynamic_loader(traceroute_t)
-libraries_use_shared_libraries(traceroute_t)
+libs_use_ld_so(traceroute_t)
+libs_use_shared_libs(traceroute_t)
-logging_send_system_log_message(traceroute_t)
+logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
-files_read_general_application_resources(traceroute_t)
+files_read_usr_files(traceroute_t)
if (user_ping) {
term_use_all_user_ttys(traceroute_t)
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 77832cb..82b9fe5 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -2,7 +2,7 @@
## Policy for the RPM package manager.
########################################
-##
+##
##
## Execute rpm programs in the rpm domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`rpm_transition',`
+define(`rpm_domtrans',`
requires_block_template(`$0'_depend)
allow $1 rpm_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`rpm_transition',`
allow rpm_t $1:process sigchld;
')
-define(`rpm_transition_depend',`
+define(`rpm_domtrans_depend',`
type rpm_t, rpm_exec_t;
class file rx_file_perms;
@@ -35,7 +35,7 @@ define(`rpm_transition_depend',`
')
########################################
-##
+##
##
## Execute RPM programs in the RPM domain.
##
@@ -50,23 +50,23 @@ define(`rpm_transition_depend',`
##
##
#
-define(`rpm_transition_add_role_use_terminal',`
+define(`rpm_run',`
requires_block_template(`$0'_depend)
- rpm_transition($1)
+ rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
allow rpm_t $3:chr_file { getattr read write ioctl };
')
-define(`rpm_transition_add_role_use_terminal_depend',`
+define(`rpm_run_depend',`
type rpm_t, rpm_script_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Inherit and use file descriptors from RPM.
##
@@ -75,13 +75,13 @@ define(`rpm_transition_add_role_use_terminal_depend',`
##
##
#
-define(`rpm_use_file_descriptors',`
+define(`rpm_use_fd',`
requires_block_template(`$0'_depend)
allow $1 rpm_t:fd use;
')
-define(`rpm_use_file_descriptors_depend',`
+define(`rpm_use_fd_depend',`
type rpm_t;
class fd use;
@@ -110,7 +110,7 @@ define(`rpm_read_pipe_depend',`
')
########################################
-##
+##
##
## Read RPM package database.
##
@@ -119,7 +119,7 @@ define(`rpm_read_pipe_depend',`
##
##
#
-define(`rpm_read_package_database',`
+define(`rpm_read_db',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir r_dir_perms;
@@ -127,7 +127,7 @@ define(`rpm_read_package_database',`
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')
-define(`rpm_read_package_database_depend',`
+define(`rpm_read_db_depend',`
type rpm_var_lib_t_t;
class dir r_dir_perms;
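Review bot: `rpm_read_db_depend` declares `type rpm_var_lib_t_t;` while the rules it backs in `rpm_read_db` reference `rpm_var_lib_t`, so the depend block names a type that is never used and omits the one that is; the same doubled `_t` appears in `rpm_manage_db_depend` in the next hunk. Both should read `type rpm_var_lib_t;`. The rename did not introduce this, but these blocks are being rewritten here anyway and the require list is what lets the interface link.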
@@ -137,9 +137,9 @@ define(`rpm_read_package_database_depend',`
########################################
#
-# rpm_manage_package_database(domain)
+# rpm_manage_db(domain)
#
-define(`rpm_manage_package_database',`
+define(`rpm_manage_db',`
requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir rw_dir_perms;
@@ -147,7 +147,7 @@ define(`rpm_manage_package_database',`
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
-define(`rpm_manage_package_database_depend',`
+define(`rpm_manage_db_depend',`
type rpm_var_lib_t_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 14e8ce2..2936e1c 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -8,47 +8,47 @@ policy_module(rpm,1.0)
type rpm_t; #, admin, privmem, priv_system_role;
type rpm_exec_t;
-init_make_system_domain(rpm_t,rpm_exec_t)
-kernel_make_object_identity_change_constraint_exception(rpm_t)
-domain_make_file_descriptors_widely_inheritable(rpm_t)
+init_system_domain(rpm_t,rpm_exec_t)
+kernel_obj_id_change_exempt(rpm_t)
+domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t;
type rpm_file_t;
-files_make_file(rpm_file_t)
+files_file_type(rpm_file_t)
type rpm_tmp_t;
-files_make_temporary_file(rpm_tmp_t)
+files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
-files_make_tmpfs_file(rpm_tmpfs_t)
+files_tmpfs_file(rpm_tmpfs_t)
type rpm_log_t;
-logging_make_log_file(rpm_log_t)
+logging_log_file(rpm_log_t)
type rpm_var_lib_t;
-files_make_file(rpm_var_lib_t)
+files_file_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role;
type rpm_script_exec_t;
-kernel_make_object_identity_change_constraint_exception(rpm_script_t)
-corecommands_make_shell_entrypoint(rpm_script_t)
-domain_make_domain(rpm_script_t)
-domain_make_entrypoint_file(rpm_t,rpm_script_t)
-domain_make_file_descriptors_widely_inheritable(rpm_script_t)
+kernel_obj_id_change_exempt(rpm_script_t)
+corecmd_shell_entry_type(rpm_script_t)
+domain_type(rpm_script_t)
+domain_entry_file(rpm_t,rpm_script_t)
+domain_wide_inherit_fd(rpm_script_t)
role system_r types rpm_script_t;
type rpm_script_tmp_t;
-files_make_temporary_file(rpm_script_tmp_t)
+files_tmp_file(rpm_script_tmp_t)
type rpm_script_tmpfs_t;
-files_make_tmpfs_file(rpm_script_tmpfs_t)
+files_tmpfs_file(rpm_script_tmpfs_t)
type rpmbuild_t;
-domain_make_domain(rpmbuild_t)
+domain_type(rpmbuild_t)
type rpmbuild_exec_t;
-domain_make_entrypoint_file(rpmbuild_t,rpmbuild_exec_t)
+domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
########################################
#
@@ -75,11 +75,11 @@ allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file create_file_perms;
-logging_create_private_log(rpm_t,rpm_log_t)
+logging_create_log(rpm_t,rpm_log_t)
allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms;
-files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir })
+files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms;
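Review bot: The context line `allow rpm_t self:file rw_file_perms;;` carries a doubled semicolon; whether the policy parser tolerates an empty statement or rejects it, it should be `allow rpm_t self:file rw_file_perms;`, and this pass is already touching the adjacent lines.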
@@ -126,35 +126,35 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
-authlogin_ignore_read_shadow_passwords(rpm_t)
+auth_dontaudit_read_shadow(rpm_t)
-corecommands_execute_general_programs(rpm_t)
-corecommands_execute_system_programs(rpm_t)
-corecommands_shell_transition(rpm_t,rpm_script_t)
+corecmd_exec_bin(rpm_t)
+corecmd_exec_sbin(rpm_t)
+corecmd_domtrans_shell(rpm_t,rpm_script_t)
-domain_execute_all_entrypoint_programs(rpm_t)
-domain_read_all_domains_process_state(rpm_t)
-domain_use_widely_inheritable_file_descriptors(rpm_t)
+domain_exec_all_entry_files(rpm_t)
+domain_read_all_domains_state(rpm_t)
+domain_use_wide_inherit_fd(rpm_t)
-files_execute_system_config_script(rpm_t)
+files_exec_generic_etc_files(rpm_t)
-init_script_transition(rpm_t)
+init_domtrans_script(rpm_t)
-libraries_use_dynamic_loader(rpm_t)
-libraries_use_shared_libraries(rpm_t)
-libraries_execute_dynamic_loader(rpm_t)
-libraries_execute_library_scripts(rpm_t)
-libraries_ldconfig_transition(rpm_t)
+libs_use_ld_so(rpm_t)
+libs_use_shared_libs(rpm_t)
+libs_exec_ld_so(rpm_t)
+libs_exec_lib_files(rpm_t)
+libs_domtrans_ldconfig(rpm_t)
-logging_send_system_log_message(rpm_t)
+logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy
-selinux_manage_source_policy(rpm_t)
-selinux_manage_binary_policy(rpm_t)
+selinux_manage_src_pol(rpm_t)
+selinux_manage_binary_pol(rpm_t)
-sysnetwork_read_network_config(rpm_t)
+sysnet_read_config(rpm_t)
-userdomain_use_all_unprivileged_users_file_descriptors(rpm_t)
+userdom_use_unpriv_users_fd(rpm_t)
#cron_transition_from(rpm,rpm_exec_t)
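Review bot: The commented-out `#cron_transition_from(rpm,rpm_exec_t)` closing this hunk uses the pre-rename interface vocabulary that this commit is retiring, so it will only drift further from whatever the cron module now exports. Either drop the dead line or turn it into a proper optional_policy block for cron.te calling the current cron interface, confirming the name in cron.if rather than guessing it.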
@@ -235,11 +235,11 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
-files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir })
+files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir })
-allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;
+allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
-allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms;
+allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
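Review bot: The two changed `allow rpm_script_t rpm_script_tmpfs_t` lines are a permission change (`rw_dir_perms` to `create_dir_perms` on dir, `create_file_perms` to `create_lnk_perms` on lnk_file), not a rename, yet the rest of the commit reads as a pure interface rename and nothing records why the grant grew. A one-line comment above them, such as `# rpm scriptlets create and remove entries in their private tmpfs` or whatever the real motivation is, would keep the widening reviewable later, and it may be cleaner as its own commit. The `fs_create_tmpfs_data` line below suggests the dir create perms are intended, but the sock_file and fifo_file lines still use `create_file_perms`, so check those are deliberately left as is.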
@@ -272,41 +272,41 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
-authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
+auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this
-authlogin_manage_all_files_except_shadow(rpm_script_t)
+auth_manage_all_files_except_shadow(rpm_script_t)
-corecommands_execute_general_programs(rpm_script_t)
-corecommands_execute_system_programs(rpm_script_t)
+corecmd_exec_bin(rpm_script_t)
+corecmd_exec_sbin(rpm_script_t)
-domain_read_all_domains_process_state(rpm_script_t)
-domain_use_widely_inheritable_file_descriptors(rpm_script_t)
-domain_execute_all_entrypoint_programs(rpm_script_t)
+domain_read_all_domains_state(rpm_script_t)
+domain_use_wide_inherit_fd(rpm_script_t)
+domain_exec_all_entry_files(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
-files_execute_system_config_script(rpm_script_t)
-files_read_runtime_system_config(rpm_script_t)
+files_exec_generic_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
-init_script_transition(rpm_script_t)
+init_domtrans_script(rpm_script_t)
-libraries_use_dynamic_loader(rpm_script_t)
-libraries_use_shared_libraries(rpm_script_t)
-libraries_execute_dynamic_loader(rpm_script_t)
-libraries_execute_library_scripts(rpm_script_t)
-libraries_ldconfig_transition(rpm_script_t)
+libs_use_ld_so(rpm_script_t)
+libs_use_shared_libs(rpm_script_t)
+libs_exec_ld_so(rpm_script_t)
+libs_exec_lib_files(rpm_script_t)
+libs_domtrans_ldconfig(rpm_script_t)
-logging_send_system_log_message(rpm_script_t)
+logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
-modutils_depmod_transition(rpm_script_t)
-modutils_insmod_transition(rpm_script_t)
+modutils_domtrans_depmod(rpm_script_t)
+modutils_domtrans_insmod(rpm_script_t)
-selinux_load_policy_transition(rpm_script_t)
-selinux_restorecon_transition(rpm_script_t)
+selinux_domtrans_loadpol(rpm_script_t)
+selinux_domtrans_restorecon(rpm_script_t)
-userdomain_use_all_users_file_descriptors(rpm_script_t)
+userdom_use_all_user_fd(rpm_script_t)
optional_policy(`bootloader.te', `
bootloader_domtrans(rpm_script_t)
@@ -354,7 +354,7 @@ kernel_compute_create_context(rpmbuild_t)
kernel_compute_relabel_context(rpmbuild_t)
kernel_compute_reachable_user_contexts(rpmbuild_t)
-selinux_read_source_policy(rpmbuild_t)
+selinux_read_src_pol(rpmbuild_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 1ebfcdb..a7a9037 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -2,7 +2,7 @@
## Policy for managing user accounts.
########################################
-##
+##
##
## Execute chfn in the chfn domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`usermanage_chfn_transition',`
+define(`usermanage_domtrans_chfn',`
requires_block_template(`$0'_depend)
allow $1 chfn_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`usermanage_chfn_transition',`
allow chfn_t $1:process sigchld;
')
-define(`usermanage_chfn_transition_depend',`
+define(`usermanage_domtrans_chfn_depend',`
type chfn_t, chfn_exec_t;
class file rx_file_perms;
@@ -35,7 +35,7 @@ define(`usermanage_chfn_transition_depend',`
')
########################################
-##
+##
##
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
@@ -51,22 +51,22 @@ define(`usermanage_chfn_transition_depend',`
##
##
#
-define(`usermanage_chfn_transition_add_role_use_terminal',`
+define(`usermanage_run_chfn',`
requires_block_template(`$0'_depend)
- usermanage_chfn_transition($1)
+ usermanage_domtrans_chfn($1)
role $2 types chfn_t;
allow chfn_t $3:chr_file { getattr read write ioctl };
')
-define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
+define(`usermanage_run_chfn_depend',`
type chfn_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute groupadd in the groupadd domain.
##
@@ -75,7 +75,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
##
##
#
-define(`usermanage_groupadd_transition',`
+define(`usermanage_domtrans_groupadd',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,groupadd_exec_t,groupadd_t)
@@ -86,7 +86,7 @@ define(`usermanage_groupadd_transition',`
allow groupadd_t $1:process sigchld;
')
-define(`usermanage_groupadd_transition_depend',`
+define(`usermanage_domtrans_groupadd_depend',`
type groupadd_t, groupadd_exec_t;
class file rx_file_perms;
@@ -96,7 +96,7 @@ define(`usermanage_groupadd_transition_depend',`
')
########################################
-##
+##
##
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
@@ -112,22 +112,22 @@ define(`usermanage_groupadd_transition_depend',`
##
##
#
-define(`usermanage_groupadd_transition_add_role_use_terminal',`
+define(`usermanage_run_groupadd',`
requires_block_template(`$0'_depend)
- usermanage_groupadd_transition($1)
+ usermanage_domtrans_groupadd($1)
role $2 types groupadd_t;
allow groupadd_t $3:chr_file { getattr read write ioctl };
')
-define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
+define(`usermanage_run_groupadd_depend',`
type groupadd_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute passwd in the passwd domain.
##
@@ -136,7 +136,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
##
##
#
-define(`usermanage_passwd_transition',`
+define(`usermanage_domtrans_passwd',`
requires_block_template(`$0'_depend)
allow $1 passwd_exec_t:file rx_file_perms;
@@ -150,7 +150,7 @@ define(`usermanage_passwd_transition',`
allow passwd_t $1:process sigchld;
')
-define(`usermanage_passwd_transition_depend',`
+define(`usermanage_domtrans_passwd_depend',`
type passwd_t, passwd_exec_t;
class file rx_file_perms;
@@ -160,7 +160,7 @@ define(`usermanage_passwd_transition_depend',`
')
########################################
-##
+##
##
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
@@ -176,22 +176,22 @@ define(`usermanage_passwd_transition_depend',`
##
##
#
-define(`usermanage_passwd_transition_add_role_use_terminal',`
+define(`usermanage_run_passwd',`
requires_block_template(`$0'_depend)
- usermanage_passwd_transition($1)
+ usermanage_domtrans_passwd($1)
role $2 types passwd_t;
allow passwd_t $3:chr_file { getattr read write ioctl };
')
-define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
+define(`usermanage_run_passwd_depend',`
type passwd_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute useradd in the useradd domain.
##
@@ -200,7 +200,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
##
##
#
-define(`usermanage_useradd_transition',`
+define(`usermanage_domtrans_useradd',`
requires_block_template(`$0'_depend)
allow $1 useradd_exec_t:file rx_file_perms;
@@ -214,7 +214,7 @@ define(`usermanage_useradd_transition',`
allow useradd_t $1:process sigchld;
')
-define(`usermanage_useradd_transition_depend',`
+define(`usermanage_domtrans_useradd_depend',`
type useradd_t, useradd_exec_t;
class file rx_file_perms;
@@ -224,7 +224,7 @@ define(`usermanage_useradd_transition_depend',`
')
########################################
-##
+##
##
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
@@ -240,15 +240,15 @@ define(`usermanage_useradd_transition_depend',`
##
##
#
-define(`usermanage_useradd_transition_add_role_use_terminal',`
+define(`usermanage_run_useradd',`
requires_block_template(`$0'_depend)
- usermanage_useradd_transition($1)
+ usermanage_domtrans_useradd($1)
role $2 types useradd_t;
allow useradd_t $3:chr_file { getattr read write ioctl };
')
-define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
+define(`usermanage_run_useradd_depend',`
type useradd_t;
class chr_file { getattr read write ioctl };
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 5da06a4..1e41365 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -7,54 +7,54 @@ policy_module(usermanage,1.0)
#
type admin_passwd_exec_t;
-files_make_file(admin_passwd_exec_t)
+files_file_type(admin_passwd_exec_t)
type chfn_t;
-kernel_make_object_identity_change_constraint_exception(chfn_t)
-domain_make_domain(chfn_t)
+kernel_obj_id_change_exempt(chfn_t)
+domain_type(chfn_t)
role system_r types chfn_t;
type chfn_exec_t;
-domain_make_entrypoint_file(chfn_t,chfn_exec_t)
+domain_entry_file(chfn_t,chfn_exec_t)
type crack_t;
role system_r types crack_t;
type crack_exec_t;
-domain_make_entrypoint_file(crack_t,crack_exec_t)
+domain_entry_file(crack_t,crack_exec_t)
type crack_db_t; #, usercanread;
-files_make_file(crack_db_t)
+files_file_type(crack_db_t)
type crack_tmp_t;
-files_make_temporary_file(crack_tmp_t)
+files_tmp_file(crack_tmp_t)
type groupadd_t; #, nscd_client_domain;
type groupadd_exec_t;
-kernel_make_object_identity_change_constraint_exception(groupadd_t)
-init_make_system_domain(groupadd_t,groupadd_exec_t)
+kernel_obj_id_change_exempt(groupadd_t)
+init_system_domain(groupadd_t,groupadd_exec_t)
role system_r types groupadd_t;
type passwd_t;
-kernel_make_object_identity_change_constraint_exception(passwd_t)
-domain_make_domain(passwd_t)
+kernel_obj_id_change_exempt(passwd_t)
+domain_type(passwd_t)
role system_r types passwd_t;
type passwd_exec_t;
-domain_make_entrypoint_file(passwd_t,passwd_exec_t)
+domain_entry_file(passwd_t,passwd_exec_t)
type sysadm_passwd_t;
-kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t)
-domain_make_domain(sysadm_passwd_t)
-domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t)
+kernel_obj_id_change_exempt(sysadm_passwd_t)
+domain_type(sysadm_passwd_t)
+domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
type sysadm_passwd_tmp_t;
-files_make_file(sysadm_passwd_tmp_t)
+files_file_type(sysadm_passwd_tmp_t)
type useradd_t; # nscd_client_domain;
type useradd_exec_t;
-kernel_make_object_identity_change_constraint_exception(useradd_t)
-init_make_system_domain(useradd_t,useradd_exec_t)
+kernel_obj_id_change_exempt(useradd_t)
+init_system_domain(useradd_t,useradd_exec_t)
role system_r types useradd_t;
########################################
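Review bot: `crack_t` is declared with `role system_r types crack_t` and `domain_entry_file(crack_t,crack_exec_t)` but, unlike `chfn_t`, `passwd_t` and `sysadm_passwd_t` in this same hunk, never receives `domain_type(crack_t)`; unless that attribute is assigned further down outside the hunk, the type is not a domain and the entry-point pairing is incomplete. Likewise `sysadm_passwd_tmp_t` is marked with `files_file_type` while `crack_tmp_t` uses `files_tmp_file`; if it really is a tmp type, `files_tmp_file(sysadm_passwd_tmp_t)` is the consistent choice. Worth confirming both while every declaration in this file is being rewritten.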
@@ -94,22 +94,22 @@ dev_read_urand(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
-init_script_ignore_modify_runtime_data(chfn_t)
+init_dontaudit_rw_script_pid(chfn_t)
-domain_use_widely_inheritable_file_descriptors(chfn_t)
+domain_use_wide_inherit_fd(chfn_t)
-files_manage_general_system_config(chfn_t)
-files_read_runtime_system_config(chfn_t)
+files_manage_generic_etc_files(chfn_t)
+files_read_etc_runtime_files(chfn_t)
-libraries_use_dynamic_loader(chfn_t)
-libraries_use_shared_libraries(chfn_t)
+libs_use_ld_so(chfn_t)
+libs_use_shared_libs(chfn_t)
miscfiles_read_localization(chfn_t)
-logging_send_system_log_message(chfn_t)
+logging_send_syslog_msg(chfn_t)
-authlogin_check_password_transition(chfn_t)
-authlogin_ignore_read_shadow_passwords(chfn_t)
+auth_domtrans_chk_passwd(chfn_t)
+auth_dontaudit_read_shadow(chfn_t)
ifdef(`TODO',`
role sysadm_r types chfn_t;
@@ -152,11 +152,11 @@ allow crack_t self:fifo_file rw_file_perms;
allow crack_t crack_db_t:dir rw_dir_perms;
allow crack_t crack_db_t:file create_file_perms;
allow crack_t crack_db_t:lnk_file create_file_perms;
-files_search_system_state_data_directory(crack_t)
+files_search_var(crack_t)
allow crack_t crack_tmp_t:dir create_dir_perms;
allow crack_t crack_tmp_t:file create_file_perms;
-files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
+files_create_tmp_files(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
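Review bot: `allow crack_t crack_db_t:lnk_file create_file_perms;` applies a file permission set to the symlink class, exactly the pattern this commit corrects in rpm.te (`lnk_file create_file_perms` to `create_lnk_perms`); for consistency it should become `allow crack_t crack_db_t:lnk_file create_lnk_perms;`. The line is context here, so the fix would be a small follow-up in the same series.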
@@ -165,17 +165,17 @@ dev_read_urand(crack_t)
fs_getattr_xattr_fs(crack_t)
-files_read_general_system_config(crack_t)
-files_read_runtime_system_config(crack_t)
+files_read_generic_etc_files(crack_t)
+files_read_etc_runtime_files(crack_t)
# for dictionaries
-files_read_general_application_resources(crack_t)
+files_read_usr_files(crack_t)
-corecommands_execute_general_programs(crack_t)
+corecmd_exec_bin(crack_t)
-libraries_use_dynamic_loader(crack_t)
-libraries_use_shared_libraries(crack_t)
+libs_use_ld_so(crack_t)
+libs_use_shared_libs(crack_t)
-logging_send_system_log_message(crack_t)
+logging_send_syslog_msg(crack_t)
ifdef(`TODO',`
ifdef(`crond.te', `
@@ -222,26 +222,26 @@ fs_getattr_xattr_fs(groupadd_t)
term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t)
-init_use_file_descriptors(groupadd_t)
-init_script_read_runtime_data(groupadd_t)
+init_use_fd(groupadd_t)
+init_read_script_pid(groupadd_t)
-domain_use_widely_inheritable_file_descriptors(groupadd_t)
+domain_use_wide_inherit_fd(groupadd_t)
-files_manage_general_system_config(groupadd_t)
+files_manage_generic_etc_files(groupadd_t)
-libraries_use_dynamic_loader(groupadd_t)
-libraries_use_shared_libraries(groupadd_t)
+libs_use_ld_so(groupadd_t)
+libs_use_shared_libs(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecommands_execute_general_programs(groupadd_t)
-corecommands_execute_system_programs(groupadd_t)
+corecmd_exec_bin(groupadd_t)
+corecmd_exec_sbin(groupadd_t)
-logging_send_system_log_message(groupadd_t)
+logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
-authlogin_manage_shadow_passwords(groupadd_t)
-authlogin_modify_last_login_log(groupadd_t)
+auth_manage_shadow(groupadd_t)
+auth_rw_lastlog(groupadd_t)
selinux_read_config(groupadd_t)
@@ -299,21 +299,21 @@ fs_getattr_xattr_fs(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
-init_script_ignore_modify_runtime_data(passwd_t)
+init_dontaudit_rw_script_pid(passwd_t)
-domain_use_widely_inheritable_file_descriptors(passwd_t)
+domain_use_wide_inherit_fd(passwd_t)
-files_read_runtime_system_config(passwd_t)
-files_manage_general_system_config(passwd_t)
+files_read_etc_runtime_files(passwd_t)
+files_manage_generic_etc_files(passwd_t)
-libraries_use_dynamic_loader(passwd_t)
-libraries_use_shared_libraries(passwd_t)
+libs_use_ld_so(passwd_t)
+libs_use_shared_libs(passwd_t)
-logging_send_system_log_message(passwd_t)
+logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t)
-authlogin_manage_shadow_passwords(passwd_t)
+auth_manage_shadow(passwd_t)
ifdef(`TODO',`
@@ -379,8 +379,8 @@ allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
-files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
-files_search_system_state_data_directory(sysadm_passwd_t)
+files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
+files_search_var(sysadm_passwd_t)
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
kernel_validate_context(sysadm_passwd_t)
@@ -401,26 +401,26 @@ term_use_all_user_ptys(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
-init_script_ignore_modify_runtime_data(sysadm_passwd_t)
+init_dontaudit_rw_script_pid(sysadm_passwd_t)
-domain_use_widely_inheritable_file_descriptors(sysadm_passwd_t)
+domain_use_wide_inherit_fd(sysadm_passwd_t)
-files_manage_general_system_config(sysadm_passwd_t)
-files_read_runtime_system_config(sysadm_passwd_t)
+files_manage_generic_etc_files(sysadm_passwd_t)
+files_read_etc_runtime_files(sysadm_passwd_t)
# allow vipw to exec the editor
-corecommands_execute_general_programs(sysadm_passwd_t)
-corecommands_execute_shell(sysadm_passwd_t)
-files_read_general_application_resources(sysadm_passwd_t)
+corecmd_exec_bin(sysadm_passwd_t)
+corecmd_exec_shell(sysadm_passwd_t)
+files_read_usr_files(sysadm_passwd_t)
-libraries_use_dynamic_loader(sysadm_passwd_t)
-libraries_use_shared_libraries(sysadm_passwd_t)
+libs_use_ld_so(sysadm_passwd_t)
+libs_use_shared_libs(sysadm_passwd_t)
miscfiles_read_localization(sysadm_passwd_t)
-logging_send_system_log_message(sysadm_passwd_t)
+logging_send_syslog_msg(sysadm_passwd_t)
-authlogin_manage_shadow_passwords(sysadm_passwd_t)
+auth_manage_shadow(sysadm_passwd_t)
ifdef(`TODO',`
role sysadm_r types sysadm_passwd_t;
@@ -488,29 +488,29 @@ fs_getattr_xattr_fs(useradd_t)
term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t)
-init_use_file_descriptors(useradd_t)
-init_script_modify_runtime_data(useradd_t)
+init_use_fd(useradd_t)
+init_rw_script_pid(useradd_t)
-domain_use_widely_inheritable_file_descriptors(useradd_t)
+domain_use_wide_inherit_fd(useradd_t)
-files_manage_general_system_config(useradd_t)
+files_manage_generic_etc_files(useradd_t)
-libraries_use_dynamic_loader(useradd_t)
-libraries_use_shared_libraries(useradd_t)
+libs_use_ld_so(useradd_t)
+libs_use_shared_libs(useradd_t)
-corecommands_execute_shell(useradd_t)
+corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-corecommands_execute_general_programs(useradd_t)
-corecommands_execute_system_programs(useradd_t)
+corecmd_exec_bin(useradd_t)
+corecmd_exec_sbin(useradd_t)
miscfiles_read_localization(useradd_t)
selinux_read_config(useradd_t)
-logging_send_system_log_message(useradd_t)
+logging_send_syslog_msg(useradd_t)
-authlogin_manage_shadow_passwords(useradd_t)
-authlogin_modify_last_login_log(useradd_t)
+auth_manage_shadow(useradd_t)
+auth_rw_lastlog(useradd_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 3aec203..6e25d42 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -14,27 +14,27 @@ define(`gpg_per_userdomain_template',`
#
type $1_gpg_t;
- domain_make_domain($1_gpg_t)
- domain_make_entrypoint_file($1_gpg_t,gpg_exec_t)
+ domain_type($1_gpg_t)
+ domain_entry_file($1_gpg_t,gpg_exec_t)
role $1_r types $1_gpg_t;
type $1_gpg_agent_t;
- domain_make_domain($1_gpg_agent_t)
- domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t)
+ domain_type($1_gpg_agent_t)
+ domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
role $1_r types $1_gpg_agent_t;
type $1_gpg_agent_tmp_t;
- files_make_temporary_file($1_gpg_agent_tmp_t)
+ files_tmp_file($1_gpg_agent_tmp_t)
type $1_gpg_secret_t; #, $1_file_type;
- files_make_file($1_gpg_secret_t)
+ files_file_type($1_gpg_secret_t)
type $1_gpg_helper_t;
- domain_make_domain($1_gpg_helper_t)
+ domain_type($1_gpg_helper_t)
role $1_r types $1_gpg_helper_t;
type $1_gpg_pinentry_t;
- domain_make_domain($1_gpg_pinentry_t)
+ domain_type($1_gpg_pinentry_t)
role $1_r types $1_gpg_pinentry_t;
########################################
@@ -81,23 +81,23 @@ define(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t)
- files_read_general_system_config($1_gpg_t)
- files_read_general_application_resources($1_gpg_t)
+ files_read_generic_etc_files($1_gpg_t)
+ files_read_usr_files($1_gpg_t)
- libraries_use_shared_libraries($1_gpg_t)
- libraries_use_dynamic_loader($1_gpg_t)
+ libs_use_shared_libs($1_gpg_t)
+ libs_use_ld_so($1_gpg_t)
miscfiles_read_localization($1_gpg_t)
- logging_send_system_log_message($1_gpg_t)
+ logging_send_syslog_msg($1_gpg_t)
- sysnetwork_read_network_config($1_gpg_t)
+ sysnet_read_config($1_gpg_t)
# Legacy
if (allow_gpg_execstack) {
allow $1_gpg_t self:process execmem;
- libraries_legacy_use_shared_libraries($1_gpg_t)
- libraries_legacy_use_dynamic_loader($1_gpg_t)
+ libs_legacy_use_shared_libs($1_gpg_t)
+ libs_legacy_use_ld_so($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod;
@@ -188,14 +188,14 @@ define(`gpg_per_userdomain_template',`
dev_read_urand($1_gpg_helper_t)
- files_read_general_system_config($1_gpg_helper_t)
+ files_read_generic_etc_files($1_gpg_helper_t)
# for nscd
- files_ignore_search_system_state_data_directory($1_gpg_helper_t)
+ files_dontaudit_search_var($1_gpg_helper_t)
- libraries_use_dynamic_loader($1_gpg_helper_t)
- libraries_use_shared_libraries($1_gpg_helper_t)
+ libs_use_ld_so($1_gpg_helper_t)
+ libs_use_shared_libs($1_gpg_helper_t)
- sysnetwork_read_network_config($1_gpg_helper_t)
+ sysnet_read_config($1_gpg_helper_t)
ifdef(`TODO',`
@@ -230,12 +230,12 @@ define(`gpg_per_userdomain_template',`
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
- files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
+ files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
- domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t)
+ domain_use_wide_inherit_fd($1_gpg_agent_t)
- libraries_use_dynamic_loader($1_gpg_agent_t)
- libraries_use_shared_libraries($1_gpg_agent_t)
+ libs_use_ld_so($1_gpg_agent_t)
+ libs_use_shared_libs($1_gpg_agent_t)
miscfiles_read_localization($1_gpg_agent_t)
@@ -297,12 +297,12 @@ define(`gpg_per_userdomain_template',`
# read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t)
- files_read_general_application_resources($1_gpg_pinentry_t)
+ files_read_usr_files($1_gpg_pinentry_t)
# read /etc/X11/qtrc
- files_read_general_system_config($1_gpg_pinentry_t)
+ files_read_generic_etc_files($1_gpg_pinentry_t)
- libraries_use_dynamic_loader($1_gpg_pinentry_t)
- libraries_use_shared_libraries($1_gpg_pinentry_t)
+ libs_use_ld_so($1_gpg_pinentry_t)
+ libs_use_shared_libs($1_gpg_pinentry_t)
miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t)
diff --git a/refpolicy/policy/modules/apps/gpg.te b/refpolicy/policy/modules/apps/gpg.te
index 112b554..0bc46d2 100644
--- a/refpolicy/policy/modules/apps/gpg.te
+++ b/refpolicy/policy/modules/apps/gpg.te
@@ -12,16 +12,16 @@ bool allow_gpg_execstack false;
# Type for gpg or pgp executables.
type gpg_exec_t;
type gpg_helper_exec_t;
-files_make_file(gpg_exec_t)
-files_make_file(gpg_helper_exec_t)
+files_file_type(gpg_exec_t)
+files_file_type(gpg_helper_exec_t)
# Type for the gpg-agent executable.
type gpg_agent_exec_t;
-files_make_file(gpg_agent_exec_t)
+files_file_type(gpg_agent_exec_t)
# type for the pinentry executable
type pinentry_exec_t;
-files_make_file(pinentry_exec_t)
+files_file_type(pinentry_exec_t)
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 4e8befc..ffbfd27 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -412,11 +412,11 @@ define(`bootloader_write_kernel_modules',`
allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:file { write append };
- typeattribute $1 can_modify_kernel_modules;
+ typeattribute $1 rw_kern_modules;
')
define(`bootloader_write_kernel_modules_depend',`
- attribute can_modify_kernel_modules;
+ attribute rw_kern_modules;
type modules_object_t;
@@ -441,11 +441,11 @@ define(`bootloader_manage_kernel_modules',`
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
allow $1 modules_object_t:dir rw_dir_perms;
- typeattribute $1 can_modify_kernel_modules;
+ typeattribute $1 rw_kern_modules;
')
define(`bootloader_manage_kernel_modules_depend',`
- attribute can_modify_kernel_modules;
+ attribute rw_kern_modules;
type modules_object_t;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 4abffc5..3e4ea33 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -6,14 +6,14 @@ policy_module(bootloader,1.0)
# Declarations
#
-attribute can_modify_kernel_modules;
+attribute rw_kern_modules;
#
# boot_t is the type for files in /boot
#
type boot_t;
-files_make_file(boot_t)
-files_make_mountpoint(boot_t)
+files_file_type(boot_t)
+files_mountpoint(boot_t)
#
# boot_runtime_t is the type for /boot/kernel.h,
@@ -21,41 +21,41 @@ files_make_mountpoint(boot_t)
# only for Red Hat
#
type boot_runtime_t;
-files_make_file(boot_runtime_t)
+files_file_type(boot_runtime_t)
type bootloader_t;
-domain_make_domain(bootloader_t)
+domain_type(bootloader_t)
role system_r types bootloader_t;
type bootloader_exec_t;
-domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+domain_entry_file(bootloader_t,bootloader_exec_t)
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
#
type bootloader_etc_t alias etc_bootloader_t;
-files_make_file(bootloader_etc_t)
+files_file_type(bootloader_etc_t)
#
# The temp file is used for initrd creation;
# it consists of files and device nodes
#
type bootloader_tmp_t;
-files_make_temporary_file(bootloader_tmp_t)
+files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
-files_make_file(modules_object_t)
+files_file_type(modules_object_t)
-neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
+neverallow ~rw_kern_modules modules_object_t:file { create append write };
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
-files_make_file(system_map_t)
+files_file_type(system_map_t)
########################################
#
@@ -73,16 +73,16 @@ allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-#files_create_private_config(bootloader_t,bootloader_etc_t)
+#files_create_etc_config(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
-files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?)
-files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
+files_create_root(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms;
@@ -110,34 +110,34 @@ fs_getattr_xattr_fs(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
-init_get_control_channel_attributes(bootloader_t)
-init_script_use_pseudoterminal(bootloader_t)
-init_script_use_file_descriptors(bootloader_t)
+init_getattr_initctl(bootloader_t)
+init_use_script_pty(bootloader_t)
+init_use_script_fd(bootloader_t)
-domain_use_widely_inheritable_file_descriptors(bootloader_t)
+domain_use_wide_inherit_fd(bootloader_t)
-libraries_use_dynamic_loader(bootloader_t)
-libraries_use_shared_libraries(bootloader_t)
-libraries_read_library_resources(bootloader_t)
+libs_use_ld_so(bootloader_t)
+libs_use_shared_libs(bootloader_t)
+libs_read_lib(bootloader_t)
-files_read_general_system_config(bootloader_t)
-files_read_runtime_system_config(bootloader_t)
-files_read_system_source_code(bootloader_t)
-files_read_general_application_resources(bootloader_t)
+files_read_generic_etc_files(bootloader_t)
+files_read_etc_runtime_files(bootloader_t)
+files_read_usr_src(bootloader_t)
+files_read_usr_files(bootloader_t)
# for nscd
-files_ignore_search_runtime_data_directory(bootloader_t)
+files_dontaudit_search_pids(bootloader_t)
-corecommands_execute_general_programs(bootloader_t)
-corecommands_execute_system_programs(bootloader_t)
-corecommands_execute_shell(bootloader_t)
+corecmd_exec_bin(bootloader_t)
+corecmd_exec_sbin(bootloader_t)
+corecmd_exec_shell(bootloader_t)
-logging_send_system_log_message(bootloader_t)
-logging_modify_system_logs(bootloader_t)
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
-selinux_read_binary_policy(bootloader_t)
-selinux_read_load_policy_binary(bootloader_t)
+selinux_read_binary_pol(bootloader_t)
+selinux_read_loadpol(bootloader_t)
ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
@@ -153,10 +153,10 @@ ifdef(`distro_redhat', `
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir
- files_make_mountpoint(bootloader_tmp_t)
+ files_mountpoint(bootloader_tmp_t)
# for mke2fs
- mount_transition(bootloader_t)
+ mount_domtrans(bootloader_t)
')
optional_policy(`filesystemtools.te', `
@@ -168,17 +168,17 @@ optional_policy(`filesystemtools.te', `
optional_policy(`lvm.te', `
dev_rw_lvm_control(bootloader_t)
- lvm_transition(bootloader_t)
+ lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t)
')
optional_policy(`modutils.te',`
- modutils_insmod_execute(insmod_t)
+ modutils_exec_insmod(insmod_t)
modutils_read_kernel_module_dependencies(bootloader_t)
- modutils_read_kernel_module_loading_config(bootloader_t)
- modutils_insmod_execute(bootloader_t)
- modutils_depmod_execute(bootloader_t)
- modutils_update_modules_execute(bootloader_t)
+ modutils_read_module_conf(bootloader_t)
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
')
ifdef(`TODO',`
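Review bot: `modutils_exec_insmod(insmod_t)` in the `optional_policy(`modutils.te',`` block applies to insmod_t, a type owned by the modutils module, while every other call in this block and in the rest of bootloader.te targets bootloader_t; the line was carried through the rename unchanged, so this is pre-existing, but it reads like a copy error, and the intended `modutils_exec_insmod(bootloader_t)` already appears four lines below. Either drop the insmod_t line or, if insmod genuinely needs to execute itself, move that rule into modutils.te where insmod_t is declared. The optional_policy block closes inside the hunk, but bootloader.te continues past it.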
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 57e90d9..250bd01 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -7,13 +7,13 @@ attribute port_type;
attribute reserved_port_type;
type ppp_device_t;
-devices_make_device_node(ppp_device_t)
+dev_node(ppp_device_t)
#
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
#
type tun_tap_device_t;
-devices_make_device_node(tun_tap_device_t)
+dev_node(tun_tap_device_t)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4678fe3..a1d9555 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -154,6 +154,28 @@ define(`dev_create_dir_depend',`
')
########################################
+##
+##
+## Allow full relabeling (to and from) of directories in /dev.
+##
+##
+## Domain allowed to relabel.
+##
+##
+#
+define(`dev_relabel_dev_dirs',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
+')
+
+define(`dev_relabel_dev_dirs_depend',`
+ type device_t;
+
+ class dir { r_dir_perms relabelfrom relabelto };
+')
+
+########################################
##
##
## Dontaudit getattr on generic pipes.
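Review bot: `dev_relabel_dev_dirs` grants `relabelfrom` and `relabelto` on `device_t:dir` without the interface summary stating what that implies: a caller can move a /dev directory out of device_t to any type it holds `relabelto` on, and can move foreign-labelled directories into device_t, so the permission belongs only to dedicated relabeling domains. The summary lines above `define(`dev_relabel_dev_dirs',`` appear to have lost their tag text in extraction; whatever the tags are, I would add `## Intended for relabeling domains only; the caller's other relabel rules decide which types a /dev directory may be moved to or from.` The `_depend` block's `class dir { r_dir_perms relabelfrom relabelto };` matches the allow rule, so nothing further is needed there.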
@@ -209,13 +231,13 @@ define(`ddev_getattr_generic_blk_file_depend',`
##
##
#
-define(`ddev_dontaudit_getattr_generic_blk_files',`
+define(`dev_dontaudit_getattr_generic_blk_file',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:blk_file getattr;
')
-define(`dev_dontaudit_getattr_generic_blk_files_depend',`
+define(`dev_dontaudit_getattr_generic_blk_file_depend',`
type device_t;
class blk_file getattr;
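Review bot: The hunk header's context line still names `ddev_getattr_generic_blk_file_depend`, so the same `ddev_` typo this hunk fixes for the dontaudit pair appears to survive in the sibling getattr interface's `_depend` macro, which this diff does not touch. If its partner is spelled `dev_getattr_generic_blk_file`, `requires_block_template(`$0'_depend)` expands to `dev_getattr_generic_blk_file_depend`, which is then undefined, and the requires block is lost or fails at expansion. It should be renamed to `define(`dev_getattr_generic_blk_file_depend',`` in the same commit; that definition lies outside this hunk.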
@@ -258,7 +280,7 @@ define(`dev_manage_generic_blk_file_depend',`
define(`dev_create_generic_chr_file',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir { getattr search read write add_name };
+ allow $1 device_t:dir ra_dir_perms;
allow $1 device_t:chr_file create;
allow $1 self:capability mknod;
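Review bot: Replacing `{ getattr search read write add_name }` with `ra_dir_perms` in `allow $1 device_t:dir ra_dir_perms;` is not a pure rename: if `ra_dir_perms` is defined as in refpolicy's object permission sets it also carries `ioctl` and `lock`, so every caller of `dev_create_generic_chr_file` gains two permissions on /dev directories it did not have before. The matching substitution in `dev_create_generic_chr_file_depend` in the next hunk keeps the class declaration consistent, so the change is self-consistent, but it is a small widening and should be called out as such rather than folded into a rename commit. If the widening is intended, a comment such as `# ra_dir_perms: read/add_name plus ioctl and lock` above the allow rule would make it explicit.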
@@ -267,7 +289,7 @@ define(`dev_create_generic_chr_file',`
define(`dev_create_generic_chr_file_depend',`
type device_t;
- class dir { getattr search read write add_name };
+ class dir ra_dir_perms;
class chr_file create;
class capability mknod;
')
@@ -312,7 +334,7 @@ define(`dev_dontaudit_getattr_generic_chr_file',`
dontaudit $1 device_t:chr_file getattr;
')
-define(`dev_dontaudit_getattr_generic_chr_file',`
+define(`dev_dontaudit_getattr_generic_chr_file_depend',`
type device_t;
class chr_file getattr;
@@ -369,7 +391,7 @@ define(`dev_manage_generic_symlinks_depend',`
')
########################################
-##
+##
##
## Create, delete, read, and write device nodes in device directories.
##
@@ -378,7 +400,7 @@ define(`dev_manage_generic_symlinks_depend',`
##
##
#
-define(`dev_manage_all_dev_nodes',`
+define(`dev_manage_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
@@ -398,7 +420,7 @@ define(`dev_manage_all_dev_nodes',`
typeattribute $1 memory_raw_write;
')
-define(`dev_manage_all_dev_nodes_depend',`
+define(`dev_manage_dev_nodes_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index ec67e7a..b69faa2 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -9,8 +9,8 @@ attribute memory_raw_write;
# device_t is the type of /dev.
#
type device_t;
-files_make_file(device_t)
-files_make_mountpoint(device_t)
+files_file_type(device_t)
+files_mountpoint(device_t)
fs_associate_tmpfs(device_t)
# Only directories and symlinks should be labeled device_t.
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 3f46cbb..5a8b530 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t, fs_type;
-files_make_file(tmpfs_t)
+files_file_type(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
@@ -124,7 +124,7 @@ allow removable_t noxattrfs:filesystem associate;
# and their files.
#
type nfs_t, fs_type, noxattrfs;
-files_make_mountpoint(nfs_t)
+files_mountpoint(nfs_t)
allow nfs_t self:filesystem associate;
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 4087a5b..1284c68 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -130,7 +130,7 @@ define(`kernel_dontaudit_use_fd_depend',`
')
########################################
-##
+##
##
## Makes caller an exception to the constraint preventing
## changing of user identity.
@@ -140,18 +140,18 @@ define(`kernel_dontaudit_use_fd_depend',`
##
##
#
-define(`kernel_make_process_identity_change_constraint_exception',`
+define(`kernel_subj_id_change_exempt',`
requires_block_template(`$0'_depend)
typeattribute $1 can_change_process_identity;
')
-define(`kernel_make_process_identity_change_constraint_exception_depend',`
+define(`kernel_subj_id_change_exempt_depend',`
attribute can_change_process_identity;
')
########################################
-##
+##
##
## Makes caller an exception to the constraint preventing
## changing of role.
@@ -161,18 +161,18 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
##
##
#
-define(`kernel_make_role_change_constraint_exception',`
+define(`kernel_role_change_exempt',`
requires_block_template(`$0'_depend)
typeattribute $1 can_change_process_role;
')
-define(`kernel_make_role_change_constraint_exception_depend',`
+define(`kernel_role_change_exempt_depend',`
attribute can_change_process_role;
')
########################################
-##
+##
##
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
@@ -182,13 +182,13 @@ define(`kernel_make_role_change_constraint_exception_depend',`
##
##
#
-define(`kernel_make_object_identity_change_constraint_exception',`
+define(`kernel_obj_id_change_exempt',`
requires_block_template(`$0'_depend)
typeattribute $1 can_change_object_identity;
')
-define(`kernel_make_object_identity_change_constraint_exception_depend',`
+define(`kernel_obj_id_change_exempt_depend',`
attribute can_change_object_identity;
')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 1ec123f..8881b13 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -19,7 +19,7 @@ attribute can_change_object_identity;
#
type kernel_t, can_load_kernmodule, can_load_policy;
role system_r types kernel_t;
-domain_make_domain(kernel_t)
+domain_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
#
@@ -63,7 +63,7 @@ genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
# sysfs_t is the type for /sys
#
type sysfs_t;
-files_make_mountpoint(sysfs_t)
+files_mountpoint(sysfs_t)
fs_make_fs(sysfs_t)
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
@@ -72,7 +72,7 @@ genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
#
type proc_t;
-files_make_mountpoint(proc_t)
+files_mountpoint(proc_t)
fs_make_fs(proc_t)
genfscon proc / context_template(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
@@ -107,13 +107,13 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys directory, base directory of sysctls
type sysctl_t;
-files_make_mountpoint(sysctl_t)
+files_mountpoint(sysctl_t)
sid sysctl context_template(system_u:object_r:sysctl_t,s0)
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
# /proc/sys/fs directory and files
type sysctl_fs_t;
-files_make_mountpoint(sysctl_fs_t)
+files_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
# /proc/sys/kernel directory and files
@@ -148,7 +148,7 @@ genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
# usbfs_t is the type for /proc/bus/usb
#
type usbfs_t alias usbdevfs_t;
-files_make_mountpoint(usbfs_t)
+files_mountpoint(usbfs_t)
fs_make_noxattr_fs(usbfs_t)
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
@@ -206,26 +206,26 @@ term_use_console(kernel_t)
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
-corecommands_execute_shell(kernel_t)
-corecommands_read_system_programs_directory(kernel_t)
+corecmd_exec_shell(kernel_t)
+corecmd_list_sbin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-corecommands_execute_general_programs(kernel_t)
+corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t)
-files_read_root_dir(kernel_t)
-files_list_home_directories(kernel_t)
-files_read_general_application_resources(kernel_t)
+files_list_root(kernel_t)
+files_list_home(kernel_t)
+files_read_usr_files(kernel_t)
init_sigchld(kernel_t)
-libraries_use_dynamic_loader(kernel_t)
-libraries_use_shared_libraries(kernel_t)
+libs_use_ld_so(kernel_t)
+libs_use_shared_libs(kernel_t)
-logging_send_system_log_message(kernel_t)
+logging_send_syslog_msg(kernel_t)
selinux_read_config(kernel_t)
-selinux_read_binary_policy(kernel_t)
+selinux_read_binary_pol(kernel_t)
neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce;
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 7bc26ea..d497365 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -33,6 +33,9 @@ define(`term_pty_depend',`
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
##
+##
+## The type of the user domain associated with
+## this pty.
##
## An object type that will applied to a pty.
##
@@ -42,7 +45,7 @@ define(`term_user_pty',`
requires_block_template(`$0'_depend)
term_pty($1)
- typeattribute $1 server_ptynode;
+ type_change $1 server_ptynode:chr_file $2;
')
define(`term_user_pty_depend',`
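Review bot: `term_pty($1)` in `term_user_pty` still marks the first argument as the pty type, but the new `type_change $1 server_ptynode:chr_file $2;` uses `$1` as the source domain and `$2` as the resulting pty type, and the documentation hunk just above lists the user domain first and the object type second. Within one macro `$1` is therefore treated as a process domain by one rule and as a pty object type by the other; assuming the documented order is the intended one, the call should read `term_pty($2)`. `term_user_pty_depend` starts on the last line of the hunk and continues outside it; it should be checked for the `attribute server_ptynode` and `class chr_file` declarations the type_change rule now relies on.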
@@ -683,7 +686,7 @@ define(`term_dontaudit_getattr_all_user_ttys_depend',`
define(`term_setattr_all_user_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr;
')
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 5b94446..83bedfc 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -21,7 +21,7 @@ dev_node(console_device_t)
# the type of the root directory of the file system.
#
type devpts_t;
-files_make_mountpoint(devpts_t)
+files_mountpoint(devpts_t)
fs_make_fs(devpts_t)
fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index c4fa652..a1f9c7c 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -8,16 +8,16 @@ define(`cron_per_userdomain_template',`
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t;
- files_make_file($1_cron_spool_t)
+ files_file_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain;
- domain_make_domain($1_crond_t);
- corecommands_make_shell_entrypoint($1_crond_t)
+ domain_type($1_crond_t);
+ corecmd_shell_entry_type($1_crond_t)
role $1_r types $1_crond_t;
type $1_crontab_t;
- domain_make_domain($1_crontab_t)
- domain_make_entrypoint_file($1_crontab_t,crontab_exec_t)
+ domain_type($1_crontab_t)
+ domain_entry_file($1_crontab_t,crontab_exec_t)
role $1_r types $1_crontab_t;
##############################
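Review bot: `domain_type($1_crond_t);` carries a trailing semicolon that none of the sibling calls in this hunk have (`files_file_type($1_cron_spool_t)`, `domain_type($1_crontab_t)`); the semicolon predates the rename, but if the macro already expands to a terminated statement the bare `;` is passed through to checkpolicy, which as far as I know does not accept empty statements. Since the line is being rewritten anyway, drop it: `domain_type($1_crond_t)`. The `# user_crond_domain;` remnant on the `type $1_crond_t;` line and the `#, $1_file_type;` remnant in gpg.if's `gpg_per_userdomain_template` look like the same kind of leftover and could be cleaned up together.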
@@ -72,24 +72,24 @@ define(`cron_per_userdomain_template',`
fs_getattr_all_fs($1_crond_t)
- domain_execute_all_entrypoint_programs($1_crond_t)
+ domain_exec_all_entry_files($1_crond_t)
- files_read_general_application_resources($1_crond_t)
- files_execute_system_config_script($1_crond_t)
+ files_read_usr_files($1_crond_t)
+ files_exec_generic_etc_files($1_crond_t)
# for nscd:
- files_ignore_search_runtime_data_directory($1_crond_t)
+ files_dontaudit_search_pids($1_crond_t)
- corecommands_execute_general_programs($1_crond_t)
- corecommands_execute_system_programs($1_crond_t)
+ corecmd_exec_bin($1_crond_t)
+ corecmd_exec_sbin($1_crond_t)
- libraries_use_dynamic_loader($1_crond_t)
- libraries_use_shared_libraries($1_crond_t)
- libraries_execute_library_scripts($1_crond_t)
- libraries_execute_dynamic_loader($1_crond_t)
+ libs_use_ld_so($1_crond_t)
+ libs_use_shared_libs($1_crond_t)
+ libs_exec_lib_files($1_crond_t)
+ libs_exec_ld_so($1_crond_t)
- files_read_runtime_system_config($1_crond_t)
+ files_read_etc_runtime_files($1_crond_t)
- logging_search_system_log_directory($1_crond_t)
+ logging_search_logs($1_crond_t)
selinux_read_config($1_crond_t)
@@ -155,14 +155,14 @@ define(`cron_per_userdomain_template',`
fs_getattr_xattr_fs($1_crontab_t)
- domain_use_widely_inheritable_file_descriptors($1_crontab_t)
+ domain_use_wide_inherit_fd($1_crontab_t)
- files_read_general_system_config($1_crontab_t)
+ files_read_generic_etc_files($1_crontab_t)
- libraries_use_dynamic_loader($1_crontab_t)
- libraries_use_shared_libraries($1_crontab_t)
+ libs_use_ld_so($1_crontab_t)
+ libs_use_shared_libs($1_crontab_t)
- logging_send_system_log_message($1_crontab_t)
+ logging_send_syslog_msg($1_crontab_t)
miscfiles_read_localization($1_crontab_t)
@@ -218,7 +218,7 @@ define(`cron_per_userdomain_template',`
#
define(`cron_admin_template',`
- logging_read_system_logs($1_crond_t)
+ logging_read_generic_logs($1_crond_t)
# Allow our crontab domain to unlink a user cron spool file.
#allow $1_crontab_t user_cron_spool_t:file unlink;
@@ -241,15 +241,15 @@ define(`cron_admin_template',`
########################################
#
-# cron_modify_log(domain)
+# cron_rw_log(domain)
#
-define(`cron_modify_log',`
+define(`cron_rw_log',`
requires_block_template(`$0'_depend)
allow $1 crond_log_t:file rw_file_perms;
')
-define(`cron_modify_log_depend',`
+define(`cron_rw_log_depend',`
type crond_log_t;
class file rw_file_perms;
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index e5e35fd..525fff2 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -10,39 +10,39 @@ policy_module(cron, 1.0)
bool cron_can_relabel false;
type anacron_exec_t;
-files_make_file(anacron_exec_t)
+files_file_type(anacron_exec_t)
type cron_spool_t;
-files_make_file(cron_spool_t)
+files_file_type(cron_spool_t)
type crond_t; #, privmail, nscd_client_domain
type crond_exec_t;
-init_make_daemon_domain(crond_t,crond_exec_t)
-domain_make_file_descriptors_widely_inheritable(crond_t)
+init_daemon_domain(crond_t,crond_exec_t)
+domain_wide_inherit_fd(crond_t)
type crond_log_t;
-logging_make_log_file(crond_log_t)
+logging_log_file(crond_log_t)
type crond_tmp_t;
-files_make_temporary_file(crond_tmp_t)
+files_tmp_file(crond_tmp_t)
type crond_var_run_t;
-files_make_daemon_runtime_file(crond_var_run_t)
+files_pid_file(crond_var_run_t)
type crontab_exec_t;
-files_make_file(crontab_exec_t)
+files_file_type(crontab_exec_t)
type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain;
-init_make_daemon_domain(system_crond_t,anacron_exec_t)
-corecommands_make_shell_entrypoint(system_crond_t)
+init_daemon_domain(system_crond_t,anacron_exec_t)
+corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
type system_crond_lock_t;
-files_make_lock_file(system_crond_lock_t)
+files_lock_file(system_crond_lock_t)
type system_crond_tmp_t;
-files_make_temporary_file(system_crond_tmp_t)
+files_tmp_file(system_crond_tmp_t)
########################################
#
@@ -67,11 +67,11 @@ allow crond_t self:msg { send receive };
allow crond_t crond_log_t:file create_file_perms;
allow crond_t crond_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(crond_t,crond_var_run_t)
+files_create_pid(crond_t,crond_var_run_t)
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
-files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir })
+files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms;
@@ -94,23 +94,23 @@ fs_getattr_all_fs(crond_t)
term_dontaudit_use_console(crond_t)
# need auth_chkpwd to check for locked accounts.
-authlogin_check_password_transition(crond_t)
+auth_domtrans_chk_passwd(crond_t)
-corecommands_execute_shell(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+corecmd_exec_shell(crond_t)
+corecmd_list_sbin(crond_t)
-domain_use_widely_inheritable_file_descriptors(crond_t)
+domain_use_wide_inherit_fd(crond_t)
-files_read_general_system_config(crond_t)
-files_read_system_spools(crond_t)
+files_read_generic_etc_files(crond_t)
+files_read_spools(crond_t)
-init_use_file_descriptors(crond_t)
-init_script_use_pseudoterminal(crond_t)
+init_use_fd(crond_t)
+init_use_script_pty(crond_t)
-libraries_use_dynamic_loader(crond_t)
-libraries_use_shared_libraries(crond_t)
+libs_use_ld_so(crond_t)
+libs_use_shared_libs(crond_t)
-logging_send_system_log_message(crond_t)
+logging_send_syslog_msg(crond_t)
selinux_read_config(crond_t)
selinux_read_default_contexts(crond_t)
@@ -118,7 +118,7 @@ selinux_newrole_sigchld(crond_t)
miscfiles_read_localization(crond_t)
-userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
+userdom_use_unpriv_users_fd(crond_t)
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
@@ -127,11 +127,11 @@ tunable_policy(`fcron_crond', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(crond_t)
terminal_ignore_use_general_pseudoterminal(crond_t)
- files_ignore_read_rootfs_file(crond_t)
+ files_dontaudit_read_root_file(crond_t)
')
optional_policy(`udev.te', `
- udev_read_database(crond_t)
+ udev_read_db(crond_t)
')
ifdef(`TODO',`
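Review bot: `terminal_ignore_use_general_pseudoterminal(crond_t)` in the `targeted_policy` block is left in the old verbose naming scheme while the line right after it is renamed to `files_dontaudit_read_root_file` and its neighbour already uses the short `term_dontaudit_use_unallocated_tty`, so this call presumably now refers to an interface that no longer exists under that name; check terminal.if and rename it in the same commit. The identical leftover appears in the matching `targeted_policy` block of sendmail.te, and `procmail_transition(sendmail_t)` in sendmail.te's `procmail.te` block likewise keeps the `_transition` suffix that the rest of the commit changes to `domtrans`. Because all three sit under `ifdef`/`optional_policy` conditions they are unlikely to surface in a build where those conditions are false, which makes them easy to miss.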
@@ -212,11 +212,11 @@ allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms;
-files_create_private_lock_file(system_crond_t,system_crond_lock_t)
+files_create_lock_file(system_crond_t,system_crond_lock_t)
# write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms;
-files_create_private_tmp_data(system_crond_t,system_crond_tmp_t)
+files_create_tmp_files(system_crond_t,system_crond_tmp_t)
# write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir rw_dir_perms;
@@ -228,7 +228,7 @@ allow system_crond_t cron_spool_t:file r_file_perms;
# Access crond log files
allow system_crond_t crond_log_t:file create_file_perms;
-logging_create_private_log(system_crond_t,crond_log_t)
+logging_create_log(system_crond_t,crond_log_t)
kernel_read_kernel_sysctl(system_crond_t)
kernel_read_system_state(system_crond_t)
@@ -255,45 +255,45 @@ dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
-init_use_file_descriptors(system_crond_t)
-init_script_use_file_descriptors(system_crond_t)
-init_script_use_pseudoterminal(system_crond_t)
-init_script_read_runtime_data(system_crond_t)
-init_script_ignore_modify_runtime_data(system_crond_t)
+init_use_fd(system_crond_t)
+init_use_script_fd(system_crond_t)
+init_use_script_pty(system_crond_t)
+init_read_script_pid(system_crond_t)
+init_dontaudit_rw_script_pid(system_crond_t)
-domain_execute_all_entrypoint_programs(system_crond_t)
+domain_exec_all_entry_files(system_crond_t)
-files_execute_system_config_script(system_crond_t)
-files_read_general_system_config(system_crond_t)
-files_read_runtime_system_config(system_crond_t)
-files_read_all_directories(system_crond_t)
-files_get_all_file_attributes(system_crond_t)
-files_read_general_application_resources(system_crond_t)
+files_exec_generic_etc_files(system_crond_t)
+files_read_generic_etc_files(system_crond_t)
+files_read_etc_runtime_files(system_crond_t)
+files_list_all_dirs(system_crond_t)
+files_getattr_all_files(system_crond_t)
+files_read_usr_files(system_crond_t)
# for nscd:
-files_ignore_search_runtime_data_directory(system_crond_t)
+files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
-files_manage_system_spools(system_crond_t)
+files_manage_spools(system_crond_t)
-corecommands_execute_general_programs(system_crond_t)
-corecommands_execute_system_programs(system_crond_t)
+corecmd_exec_bin(system_crond_t)
+corecmd_exec_sbin(system_crond_t)
-libraries_use_dynamic_loader(system_crond_t)
-libraries_use_shared_libraries(system_crond_t)
-libraries_execute_library_scripts(system_crond_t)
-libraries_execute_dynamic_loader(system_crond_t)
+libs_use_ld_so(system_crond_t)
+libs_use_shared_libs(system_crond_t)
+libs_exec_lib_files(system_crond_t)
+libs_exec_ld_so(system_crond_t)
-logging_read_system_logs(system_crond_t)
-logging_send_system_log_message(system_crond_t)
+logging_read_generic_logs(system_crond_t)
+logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t)
miscfiles_read_man_pages(system_crond_t)
-miscfiles_manage_man_page_cache(system_crond_t)
+miscfiles_rw_man_cache(system_crond_t)
selinux_read_config(system_crond_t)
if (cron_can_relabel) {
- selinux_setfiles_transition(system_crond_t)
+ selinux_domtrans_setfiles(system_crond_t)
} else {
kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_context(system_crond_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index f68b726..61978f4 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -11,11 +11,11 @@ define(`mta_per_userdomain_template',`
requires_block_template(`$0'_depend)
type $1_mail_t; # , user_mail_domain, nscd_client_domain;
- domain_make_domain($1_mail_t)
+ domain_type($1_mail_t)
role $1_r types $1_mail_t;
type $1_mail_tmp_t;
- files_make_temporary_file($1_mail_tmp_t)
+ files_tmp_file($1_mail_tmp_t)
##############################
#
@@ -50,20 +50,20 @@ define(`mta_per_userdomain_template',`
corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t)
- domain_use_widely_inheritable_file_descriptors($1_mail_t)
+ domain_use_wide_inherit_fd($1_mail_t)
- libraries_use_dynamic_loader($1_mail_t)
- libraries_use_shared_libraries($1_mail_t)
+ libs_use_ld_so($1_mail_t)
+ libs_use_shared_libs($1_mail_t)
- corecommands_execute_general_programs($1_mail_t)
+ corecmd_exec_bin($1_mail_t)
- files_read_general_system_config($1_mail_t)
+ files_read_generic_etc_files($1_mail_t)
- logging_send_system_log_message($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
miscfiles_read_localization($1_mail_t)
- sysnetwork_read_network_config($1_mail_t)
+ sysnet_read_config($1_mail_t)
tunable_policy(`use_dns',`
allow $1_mail_t self:udp_socket create_socket_perms;
@@ -142,30 +142,30 @@ define(`mta_per_userdomain_template_depend',`
#######################################
#
-# mta_make_mailserver_domain(domain,entrypointtype)
+# mta_mailserver(domain,entrypointtype)
#
-define(`mta_make_mailserver_domain',`
+define(`mta_mailserver',`
requires_block_template(`$0'_depend)
- init_make_daemon_domain($1,$2)
+ init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain;
')
-define(`mta_make_mailserver_domain_depend',`
+define(`mta_mailserver_depend',`
attribute mailserver_domain;
')
#######################################
#
-# mta_make_sendmail_mailserver_domain(domain,entrypointtype)
+# mta_sendmail_mailserver(domain,entrypointtype)
#
-define(`mta_make_sendmail_mailserver_domain',`
+define(`mta_sendmail_mailserver',`
requires_block_template(`$0'_depend)
- mta_make_mailserver_domain($1,sendmail_exec_t)
+ mta_mailserver($1,sendmail_exec_t)
')
-define(`mta_make_sendmail_mailserver_domain_depend',`
+define(`mta_sendmail_mailserver_depend',`
type sendmail_exec_t;
')
@@ -197,22 +197,22 @@ define(`mta_send_mail_depend',`
#######################################
#
-# mta_execute(domain)
+# mta_exec(domain)
#
-define(`mta_execute',`
+define(`mta_exec',`
requires_block_template(`$0'_depend)
can_exec($1, sendmail_exec_t)
')
-define(`mta_execute_depend',`
+define(`mta_exec_depend',`
type sendmail_exec_t;
class file { getattr read execute execute_no_trans };
')
########################################
-##
+##
##
## Read mail address aliases.
##
@@ -221,13 +221,13 @@ define(`mta_execute_depend',`
##
##
#
-define(`mta_read_mail_aliases',`
+define(`mta_read_aliases',`
requires_block_template(`$0'_depend)
allow $1 etc_aliases_t:file r_file_perms;
')
-define(`mta_read_mail_aliases_depend',`
+define(`mta_read_aliases_depend',`
type etc_aliases_t;
class file r_file_perms;
@@ -235,15 +235,15 @@ define(`mta_read_mail_aliases_depend',`
#######################################
#
-# mta_modify_mail_aliases(domain)
+# mta_rw_aliases(domain)
#
-define(`mta_modify_mail_aliases',`
+define(`mta_rw_aliases',`
requires_block_template(`$0'_depend)
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
')
-define(`mta_modify_mail_aliases_depend',`
+define(`mta_rw_aliases_depend',`
type etc_aliases_t;
class file { rw_file_perms setattr };
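Review bot: `mta_rw_aliases` still ignores its `domain` argument — the retained body line `allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };` grants the access to `sendmail_t` whatever `$1` the caller passes, so the new signature `mta_rw_aliases(domain)` advertises a contract the macro does not honour. Every sibling interface in this file (`mta_read_aliases`, `mta_rw_spool`, `mta_manage_spool`) uses `$1` as the subject; unless the hard-coded subject is intentional the line should read `allow $1 etc_aliases_t:file { rw_file_perms setattr };`. If it is deliberate, say so in the header comment, because a caller other than sendmail.te would otherwise get a silently missing permission for its own domain. The `mta_rw_aliases_depend` block continues outside the hunk.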
@@ -251,18 +251,18 @@ define(`mta_modify_mail_aliases_depend',`
#######################################
#
-# mta_get_mail_spool_attributes(domain)
+# mta_getattr_spool(domain)
#
-define(`mta_get_mail_spool_attributes',`
+define(`mta_getattr_spool',`
requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms;
allow $1 mail_spool_t:lnk_file read;
allow $1 mail_spool_t:file getattr;
')
-define(`mta_get_mail_spool_attributes_depend',`
+define(`mta_getattr_spool_depend',`
type mail_spool_t;
class dir r_dir_perms;
@@ -272,17 +272,17 @@ define(`mta_get_mail_spool_attributes_depend',`
#######################################
#
-# mta_modify_mail_spool(domain)
+# mta_rw_spool(domain)
#
-define(`mta_modify_mail_spool',`
+define(`mta_rw_spool',`
requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
allow $1 mail_spool_t:file { rw_file_perms setattr };
')
-define(`mta_modify_mail_spool_depend',`
+define(`mta_rw_spool_depend',`
type mail_spool_t;
class dir rw_dir_perms;
@@ -291,17 +291,17 @@ define(`mta_modify_mail_spool_depend',`
#######################################
#
-# mta_manage_mail_spool(domain)
+# mta_manage_spool(domain)
#
-define(`mta_manage_mail_spool',`
+define(`mta_manage_spool',`
requires_block_template(`$0'_depend)
- files_search_system_spool_directory($1)
+ files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms;
allow $1 mail_spool_t:file create_file_perms;
')
-define(`mta_manage_mail_spool_depend',`
+define(`mta_manage_spool_depend',`
type mail_spool_t;
class dir rw_dir_perms;
@@ -310,16 +310,16 @@ define(`mta_manage_mail_spool_depend',`
#######################################
#
-# mta_manage_mail_queue(domain)
+# mta_manage_queue(domain)
#
-define(`mta_manage_mail_queue',`
+define(`mta_manage_queue',`
requires_block_template(`$0'_depend)
allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms;
')
-define(`mta_manage_mail_queue_depend',`
+define(`mta_manage_queue_depend',`
type mqueue_spool_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index bbd9cf2..29ca2ea 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -7,31 +7,31 @@ policy_module(mta,1.0)
#
type etc_aliases_t;
-files_make_file(etc_aliases_t)
+files_file_type(etc_aliases_t)
type etc_mail_t;
-files_make_file(etc_mail_t)
+files_file_type(etc_mail_t)
attribute mailserver_domain;
type mqueue_spool_t;
-files_make_file(mqueue_spool_t)
+files_file_type(mqueue_spool_t)
type mail_spool_t;
-files_make_file(mail_spool_t)
+files_file_type(mail_spool_t)
type sendmail_exec_t;
-files_make_file(sendmail_exec_t)
+files_file_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain, nscd_client_domain;
-domain_make_domain(system_mail_t)
+domain_type(system_mail_t)
role system_r types system_mail_t;
ifdef(`targeted_policy',`',`
optional_policy(`sendmail.te', `
-domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
+domain_entry_file(system_mail_t,sendmail_exec_t)
', `
-init_make_system_domain(system_mail_t,sendmail_exec_t)
+init_system_domain(system_mail_t,sendmail_exec_t)
') dnl end if sendmail
') dnl end targeted_policy
@@ -64,23 +64,23 @@ dev_read_urand(system_mail_t)
fs_getattr_xattr_fs(system_mail_t)
-init_script_use_pseudoterminal(system_mail_t)
+init_use_script_pty(system_mail_t)
-files_read_runtime_system_config(system_mail_t)
-files_read_general_system_config(system_mail_t)
+files_read_etc_runtime_files(system_mail_t)
+files_read_generic_etc_files(system_mail_t)
# It wants to check for nscd
-files_ignore_search_runtime_data_directory(system_mail_t)
+files_dontaudit_search_pids(system_mail_t)
-corecommands_execute_general_programs(system_mail_t)
+corecmd_exec_bin(system_mail_t)
-libraries_use_dynamic_loader(system_mail_t)
-libraries_use_shared_libraries(system_mail_t)
+libs_use_ld_so(system_mail_t)
+libs_use_shared_libs(system_mail_t)
-logging_send_system_log_message(system_mail_t)
+logging_send_syslog_msg(system_mail_t)
miscfiles_read_localization(system_mail_t)
-sysnetwork_read_network_config(system_mail_t)
+sysnet_read_config(system_mail_t)
tunable_policy(`use_dns',`
allow system_mail_t self:udp_socket create_socket_perms;
@@ -144,14 +144,14 @@ ifdef(`targeted_policy', `
# targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', `
-domain_execute_all_entrypoint_programs(system_mail_t)
-files_execute_system_config_script(system_mail_t)
-corecommands_execute_general_programs(system_mail_t)
-corecommands_execute_system_programs(system_mail_t)
-libraries_use_dynamic_loader(system_mail_t)
-libraries_use_shared_libraries(system_mail_t)
-libraries_execute_dynamic_loader(system_mail_t)
-libraries_execute_library_scripts(system_mail_t)
+domain_exec_all_entry_files(system_mail_t)
+files_exec_generic_etc_files(system_mail_t)
+corecmd_exec_bin(system_mail_t)
+corecmd_exec_sbin(system_mail_t)
+libs_use_ld_so(system_mail_t)
+libs_use_shared_libs(system_mail_t)
+libs_exec_ld_so(system_mail_t)
+libs_exec_lib_files(system_mail_t)
')
allow system_mail_t { var_t var_spool_t }:dir getattr;
diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if
index 9ba5235..6d41c70 100644
--- a/refpolicy/policy/modules/services/remotelogin.if
+++ b/refpolicy/policy/modules/services/remotelogin.if
@@ -14,7 +14,7 @@
define(`remotelogin_domtrans',`
requires_block_template(`$0'_depend)
- authlogin_login_program_transition($1,remote_login_t)
+ auth_domtrans_login_program($1,remote_login_t)
')
define(`remotelogin_domtrans_depend',`
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index c99007c..bde3757 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,16 +7,16 @@ policy_module(authlogin,1.0)
#
type remote_login_t; #, nscd_client_domain;
-kernel_make_object_identity_change_constraint_exception(remote_login_t)
-kernel_make_process_identity_change_constraint_exception(remote_login_t)
-kernel_make_role_change_constraint_exception(remote_login_t)
-domain_make_domain(remote_login_t)
-domain_make_file_descriptors_widely_inheritable(remote_login_t)
-authlogin_make_login_program_entrypoint(remote_login_t)
+kernel_obj_id_change_exempt(remote_login_t)
+kernel_subj_id_change_exempt(remote_login_t)
+kernel_role_change_exempt(remote_login_t)
+domain_type(remote_login_t)
+domain_wide_inherit_fd(remote_login_t)
+auth_login_entry_type(remote_login_t)
role system_r types remote_login_t;
type remote_login_tmp_t;
-files_make_temporary_file(remote_login_tmp_t)
+files_tmp_file(remote_login_tmp_t)
########################################
#
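Review bot: The hunk header shows remotelogin.te declaring `policy_module(authlogin,1.0)`, the same module name as authlogin.te, and the commit renames every interface in this file without correcting it. That line is only visible here as header context, so confirm it against the full file; if it is real, two modules built under one name will collide when both are loaded, and it should presumably read `policy_module(remotelogin,1.0)`. Worth fixing in this pass since the file is being touched anyway.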
@@ -39,7 +39,7 @@ allow remote_login_t self:msg { send receive };
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
allow remote_login_t remote_login_tmp_t:file create_file_perms;
-files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir })
+files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctl(remote_login_t)
@@ -55,29 +55,29 @@ dev_read_urand(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
-init_script_modify_runtime_data(remote_login_t)
+init_rw_script_pid(remote_login_t)
-domain_read_all_entrypoint_programs(remote_login_t)
+domain_read_all_entry_files(remote_login_t)
-files_read_general_system_config(remote_login_t)
-files_read_runtime_system_config(remote_login_t)
-files_list_home_directories(remote_login_t)
-files_read_general_application_resources(remote_login_t)
+files_read_generic_etc_files(remote_login_t)
+files_read_etc_runtime_files(remote_login_t)
+files_list_home(remote_login_t)
+files_read_usr_files(remote_login_t)
-libraries_use_dynamic_loader(remote_login_t)
-libraries_use_shared_libraries(remote_login_t)
+libs_use_ld_so(remote_login_t)
+libs_use_shared_libs(remote_login_t)
-logging_send_system_log_message(remote_login_t)
+logging_send_syslog_msg(remote_login_t)
selinux_read_config(remote_login_t)
selinux_read_default_contexts(remote_login_t)
-authlogin_check_password_transition(remote_login_t)
-authlogin_ignore_read_shadow_passwords(remote_login_t)
-authlogin_modify_login_records(remote_login_t)
-authlogin_modify_last_login_log(remote_login_t)
-authlogin_pam_execute(remote_login_t)
-authlogin_pam_console_manage_runtime_data(remote_login_t)
+auth_domtrans_chk_passwd(remote_login_t)
+auth_dontaudit_read_shadow(remote_login_t)
+auth_rw_login_records(remote_login_t)
+auth_rw_lastlog(remote_login_t)
+auth_exec_pam(remote_login_t)
+auth_manage_pam_console_data(remote_login_t)
miscfiles_read_localization(remote_login_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 03308e2..4fe5d0c 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -7,16 +7,16 @@ policy_module(sendmail,1.0)
#
type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
-mta_make_sendmail_mailserver_domain(sendmail_t)
+mta_sendmail_mailserver(sendmail_t)
type sendmail_log_t;
-logging_make_log_file(sendmail_log_t)
+logging_log_file(sendmail_log_t)
type sendmail_tmp_t;
-files_make_temporary_file(sendmail_tmp_t)
+files_tmp_file(sendmail_tmp_t)
type sendmail_var_run_t;
-files_make_daemon_runtime_file(sendmail_var_run_t)
+files_pid_file(sendmail_var_run_t)
########################################
#
@@ -30,14 +30,14 @@ allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir })
+logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
allow sendmail_t sendmail_tmp_t:file create_file_perms;
-files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir })
+files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
-files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t)
+files_create_pid(sendmail_t,sendmail_var_run_t)
kernel_read_kernel_sysctl(sendmail_t)
kernel_read_hardware_state(sendmail_t)
@@ -60,38 +60,38 @@ fs_getattr_all_fs(sendmail_t)
term_dontaudit_use_console(sendmail_t)
-init_use_file_descriptors(sendmail_t)
-init_script_use_pseudoterminal(sendmail_t)
+init_use_fd(sendmail_t)
+init_use_script_pty(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-init_script_read_runtime_data(sendmail_t)
-init_script_ignore_write_runtime_data(sendmail_t)
+init_read_script_pid(sendmail_t)
+init_dontaudit_write_script_pid(sendmail_t)
-domain_use_widely_inheritable_file_descriptors(sendmail_t)
+domain_use_wide_inherit_fd(sendmail_t)
-files_read_general_system_config(sendmail_t)
-files_search_system_spool_directory(sendmail_t)
+files_read_generic_etc_files(sendmail_t)
+files_search_spool(sendmail_t)
-logging_send_system_log_message(sendmail_t)
+logging_send_syslog_msg(sendmail_t)
-libraries_use_dynamic_loader(sendmail_t)
-libraries_use_shared_libraries(sendmail_t)
+libs_use_ld_so(sendmail_t)
+libs_use_shared_libs(sendmail_t)
# Read /usr/lib/sasl2/.*
-libraries_read_library_resources(sendmail_t)
+libs_read_lib(sendmail_t)
miscfiles_read_localization(sendmail_t)
# Write to /etc/aliases and /etc/mail.
-mta_modify_mail_aliases(sendmail_t)
+mta_rw_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue.
-mta_manage_mail_queue(sendmail_t)
-mta_manage_mail_spool(sendmail_t)
+mta_manage_queue(sendmail_t)
+mta_manage_spool(sendmail_t)
-sysnetwork_read_network_config(sendmail_t)
+sysnet_read_config(sendmail_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(sendmail_t)
terminal_ignore_use_general_pseudoterminal(sendmail_t)
- files_ignore_read_rootfs_file(sendmail_t)
+ files_dontaudit_read_root_file(sendmail_t)
')
optional_policy(`selinux.te',`
@@ -99,7 +99,7 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(sendmail_t)
+ udev_read_db(sendmail_t)
')
ifdef(`TODO',`
@@ -143,7 +143,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
# Run procmail in its own domain, if defined.
ifdef(`procmail.te',`
-corecommands_search_general_programs_directory(sendmail_t)
+corecmd_search_bin(sendmail_t)
procmail_transition(sendmail_t)
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 4c80d38..ad00964 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -26,15 +26,15 @@ define(`authlogin_per_userdomain_template',`
requires_block_template(`$0'_depend)
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
- domain_make_domain($1_chkpwd_t)
- domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t)
+ domain_type($1_chkpwd_t)
+ domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t;
role $1_r types system_chkpwd_t;
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;
- files_read_general_system_config_directory($1_chkpwd_t)
+ files_read_generic_etc_files_directory($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
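Review bot: `files_read_generic_etc_files_directory($1_chkpwd_t)` looks like the product of a substring replacement of `files_read_general_system_config` rather than a deliberate rename — the result does not follow the short scheme used everywhere else in this commit (`files_read_generic_etc_files`, `files_search_etc`, `files_dontaudit_search_var`). Check that an interface with exactly this name exists in files.if; if the intended target is the `_files` form or a `files_search_etc`-style search, this call and the two identical ones in `auth_read_shadow` and `auth_rw_shadow` later in this file should be changed together. These three callers are the ones that gate access to `shadow_t`, so an unresolved name here would most likely break the policy build rather than silently widen access, but it still belongs in this commit. The enclosing `authlogin_per_userdomain_template` starts before and continues past this hunk.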
@@ -42,16 +42,16 @@ define(`authlogin_per_userdomain_template',`
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
- domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
+ domain_use_wide_inherit_fd($1_chkpwd_t)
- libraries_use_dynamic_loader($1_chkpwd_t)
- libraries_use_shared_libraries($1_chkpwd_t)
+ libs_use_ld_so($1_chkpwd_t)
+ libs_use_shared_libs($1_chkpwd_t)
- files_read_general_system_config($1_chkpwd_t)
+ files_read_generic_etc_files($1_chkpwd_t)
# for nscd
- files_ignore_search_system_state_data_directory($1_chkpwd_t)
+ files_dontaudit_search_var($1_chkpwd_t)
- logging_send_system_log_message($1_chkpwd_t)
+ logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
@@ -84,11 +84,11 @@ define(`authlogin_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
corenet_udp_bind_all_nodes($1_chkpwd_t)
corenet_udp_sendrecv_dns_port($1_chkpwd_t)
- sysnetwork_read_network_config($1_chkpwd_t)
+ sysnet_read_config($1_chkpwd_t)
')
optional_policy(`selinux.te',`
- selinux_newrole_use_file_descriptors($1_chkpwd_t)
+ selinux_use_newrole_fd($1_chkpwd_t)
')
') dnl end authlogin_per_userdomain_template
@@ -108,7 +108,7 @@ define(`authlogin_per_userdomain_template_depend',`
')
########################################
-##
+##
##
##
##
@@ -123,20 +123,20 @@ define(`authlogin_per_userdomain_template_depend',`
#######################################
#
-# authlogin_make_login_program_entrypoint(domain)
+# auth_login_entry_type(domain)
#
-define(`authlogin_make_login_program_entrypoint',`
+define(`auth_login_entry_type',`
requires_block_template(`$0'_depend)
- domain_make_entrypoint_file($1,login_exec_t)
+ domain_entry_file($1,login_exec_t)
')
-define(`authlogin_make_login_program_entrypoint_depend',`
+define(`auth_login_entry_type_depend',`
type login_exec_t;
')
########################################
-##
+##
##
## Execute a login_program in the target domain.
##
@@ -148,7 +148,7 @@ define(`authlogin_make_login_program_entrypoint_depend',`
##
##
#
-define(`authlogin_login_program_transition',`
+define(`auth_domtrans_login_program',`
requires_block_template(`$0'_depend)
# FIXME: search bin_t
@@ -163,7 +163,7 @@ define(`authlogin_login_program_transition',`
allow $2 $1:process sigchld;
')
-define(`authlogin_login_program_transition_depend',`
+define(`auth_domtrans_login_program_depend',`
type login_exec_t;
class file rx_file_perms;
@@ -173,7 +173,7 @@ define(`authlogin_login_program_transition_depend',`
')
########################################
-##
+##
##
##
##
@@ -187,9 +187,9 @@ define(`authlogin_login_program_transition_depend',`
#
#######################################
#
-# authlogin_check_password_transition(domain)
+# auth_domtrans_chk_passwd(domain)
#
-define(`authlogin_check_password_transition',`
+define(`auth_domtrans_chk_passwd',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
@@ -213,11 +213,11 @@ define(`authlogin_check_password_transition',`
corenet_raw_sendrecv_all_nodes($1)
corenet_udp_bind_all_nodes($1)
corenet_udp_sendrecv_dns_port($1)
- sysnetwork_read_network_config($1)
+ sysnet_read_config($1)
')
')
-define(`authlogin_check_password_transition_depend',`
+define(`auth_domtrans_chk_passwd_depend',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class file rx_file_perms;
@@ -228,7 +228,7 @@ define(`authlogin_check_password_transition_depend',`
')
########################################
-##
+##
##
##
##
@@ -242,22 +242,22 @@ define(`authlogin_check_password_transition_depend',`
#
#######################################
#
-# authlogin_ignore_get_shadow_passwords_attributes(domain)
+# auth_dontaudit_getattr_shadow(domain)
#
-define(`authlogin_ignore_get_shadow_passwords_attributes',`
+define(`auth_dontaudit_getattr_shadow',`
requires_block_template(`$0'_depend)
dontaudit $1 shadow_t:file getattr;
')
-define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
+define(`auth_dontaudit_getattr_shadow_depend',`
type shadow_t;
class file stat_file_perms;
')
########################################
-##
+##
##
##
##
@@ -271,17 +271,17 @@ define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
#
#######################################
#
-# authlogin_read_shadow_passwords(domain)
+# auth_read_shadow(domain)
#
-define(`authlogin_read_shadow_passwords',`
+define(`auth_read_shadow',`
requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
allow $1 shadow_t:file r_file_perms;
typeattribute $1 can_read_shadow_passwords;
')
-define(`authlogin_read_shadow_passwords_depend',`
+define(`auth_read_shadow_depend',`
attribute can_read_shadow_passwords;
type shadow_t;
@@ -290,7 +290,7 @@ define(`authlogin_read_shadow_passwords_depend',`
')
########################################
-##
+##
##
##
##
@@ -304,22 +304,22 @@ define(`authlogin_read_shadow_passwords_depend',`
#
#######################################
#
-# authlogin_ignore_read_shadow_passwords(domain)
+# auth_dontaudit_read_shadow(domain)
#
-define(`authlogin_ignore_read_shadow_passwords',`
+define(`auth_dontaudit_read_shadow',`
requires_block_template(`$0'_depend)
dontaudit $1 shadow_t:file { getattr read };
')
-define(`authlogin_ignore_read_shadow_passwords_depend',`
+define(`auth_dontaudit_read_shadow_depend',`
type shadow_t;
class file r_file_perms;
')
########################################
-##
+##
##
##
##
@@ -333,17 +333,17 @@ define(`authlogin_ignore_read_shadow_passwords_depend',`
#
#######################################
#
-# authlogin_modify_shadow_passwords(domain)
+# auth_rw_shadow(domain)
#
-define(`authlogin_modify_shadow_passwords',`
+define(`auth_rw_shadow',`
requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')
-define(`authlogin_modify_shadow_passwords_depend',`
+define(`auth_rw_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
@@ -352,18 +352,18 @@ define(`authlogin_modify_shadow_passwords_depend',`
#######################################
#
-# authlogin_manage_shadow_passwords(domain)
+# auth_manage_shadow(domain)
#
-define(`authlogin_manage_shadow_passwords',`
+define(`auth_manage_shadow',`
requires_block_template(`$0'_depend)
allow $1 shadow_t:file create_file_perms;
- files_create_private_config($1,shadow_t,file)
+ files_create_etc_config($1,shadow_t,file)
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')
-define(`authlogin_manage_shadow_passwords_depend',`
+define(`auth_manage_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t;
@@ -373,17 +373,17 @@ define(`authlogin_manage_shadow_passwords_depend',`
#######################################
#
-# authlogin_relabel_to_shadow_passwords(domain)
+# auth_relabelto_shadow(domain)
#
-define(`authlogin_relabel_to_shadow_passwords',`
+define(`auth_relabelto_shadow',`
requires_block_template(`$0'_depend)
- files_search_general_system_config_directory($1)
+ files_search_etc($1)
allow $1 shadow_t:file relabelto;
typeattribute $1 can_relabelto_shadow_passwords;
')
-define(`authlogin_relabel_to_shadow_passwords_depend',`
+define(`auth_relabelto_shadow_depend',`
attribute can_relabelto_shadow_passwords;
type shadow_t;
@@ -393,16 +393,16 @@ define(`authlogin_relabel_to_shadow_passwords_depend',`
#######################################
#
-# authlogin_modify_login_failure_records(domain)
+# auth_rw_faillog(domain)
#
-define(`authlogin_modify_login_failure_records',`
+define(`auth_rw_faillog',`
requires_block_template(`$0'_depend)
allow $1 faillog_t:file rw_file_perms;
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
')
-define(`authlogin_modify_login_failure_records_depend',`
+define(`auth_rw_faillog_depend',`
type faillog_t;
class file rw_file_perms;
@@ -410,23 +410,23 @@ define(`authlogin_modify_login_failure_records_depend',`
#######################################
#
-# authlogin_modify_last_login_log(domain)
+# auth_rw_lastlog(domain)
#
-define(`authlogin_modify_last_login_log',`
+define(`auth_rw_lastlog',`
requires_block_template(`$0'_depend)
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
allow $1 lastlog_t:file { getattr read write setattr };
')
-define(`authlogin_modify_last_login_log_depend',`
+define(`auth_rw_lastlog_depend',`
type lastlog_t;
class file { getattr read write setattr };
')
########################################
-##
+##
##
## Execute pam programs in the pam domain.
##
@@ -435,7 +435,7 @@ define(`authlogin_modify_last_login_log_depend',`
##
##
#
-define(`authlogin_pam_transition',`
+define(`auth_domtrans_pam',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,pam_exec_t,pam_t)
@@ -446,7 +446,7 @@ define(`authlogin_pam_transition',`
allow pam_t $1:process sigchld;
')
-define(`authlogin_pam_transition_depend',`
+define(`auth_domtrans_pam_depend',`
type pam_t, pam_exec_t;
class file rx_file_perms;
@@ -456,7 +456,7 @@ define(`authlogin_pam_transition_depend',`
')
########################################
-##
+##
##
## Execute pam programs in the PAM domain.
##
@@ -471,22 +471,22 @@ define(`authlogin_pam_transition_depend',`
##
##
#
-define(`authlogin_pam_transition_add_role_use_terminal',`
+define(`auth_run_pam',`
requires_block_template(`$0'_depend)
- authlogin_pam_transition($1)
+ auth_domtrans_pam($1)
role $2 types pam_t;
allow pam_t $3:chr_file rw_file_perms;
')
-define(`authlogin_pam_transition_add_role_use_terminal_depend',`
+define(`auth_run_pam_depend',`
type pam_t;
class chr_file rw_file_perms;
')
########################################
-##
+##
##
##
##
@@ -500,15 +500,15 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
#
#######################################
#
-# authlogin_pam_execute(domain)
+# auth_exec_pam(domain)
#
-define(`authlogin_pam_execute',`
+define(`auth_exec_pam',`
requires_block_template(`$0'_depend)
can_exec($1,pam_exec_t)
')
-define(`authlogin_pam_execute_depend',`
+define(`auth_exec_pam_depend',`
type pam_exec_t;
class file { getattr read execute execute_no_trans };
@@ -516,18 +516,18 @@ define(`authlogin_pam_execute_depend',`
#######################################
#
-# authlogin_pam_read_runtime_data(domain)
+# auth_read_pam_pid(domain)
#
-define(`authlogin_pam_read_runtime_data',`
+define(`auth_read_pam_pid',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
- files_search_runtime_data_directory($1)
+ files_search_var($1)
+ files_search_pids($1)
allow $1 pam_var_run_t:dir r_dir_perms;
allow $1 pam_var_run_t:file r_file_perms;
')
-define(`authlogin_pam_read_runtime_data_depend',`
+define(`auth_read_pam_pid_depend',`
type pam_var_run_t;
class dir r_dir_perms;
@@ -535,7 +535,7 @@ define(`authlogin_pam_read_runtime_data_depend',`
')
########################################
-##
+##
##
##
##
@@ -549,18 +549,18 @@ define(`authlogin_pam_read_runtime_data_depend',`
#
#######################################
#
-# authlogin_pam_remove_runtime_data(domain)
+# auth_delete_pam_pid(domain)
#
-define(`authlogin_pam_remove_runtime_data',`
+define(`auth_delete_pam_pid',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
- files_search_runtime_data_directory($1)
+ files_search_var($1)
+ files_search_pids($1)
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
allow $1 pam_var_run_t:file { getattr unlink };
')
-define(`authlogin_pam_remove_runtime_data_depend',`
+define(`auth_delete_pam_pid_depend',`
type pam_var_run_t;
class dir { getattr search read write remove_name };
@@ -569,9 +569,9 @@ define(`authlogin_pam_remove_runtime_data_depend',`
#######################################
#
-# authlogin_pam_console_transition(domain)
+# auth_domtrans_pam_console(domain)
#
-define(`authlogin_pam_console_transition',`
+define(`auth_domtrans_pam_console',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,pam_console_exec_t,pam_console_t)
@@ -582,7 +582,7 @@ define(`authlogin_pam_console_transition',`
allow pam_console_t $1:process sigchld;
')
-define(`authlogin_pam_console_transition_depend',`
+define(`auth_domtrans_pam_console_depend',`
type pam_console_t, pam_console_exec_t;
class file rx_file_perms;
@@ -592,7 +592,7 @@ define(`authlogin_pam_console_transition_depend',`
')
########################################
-##
+##
##
##
##
@@ -606,17 +606,17 @@ define(`authlogin_pam_console_transition_depend',`
#
#######################################
#
-# authlogin_pam_console_read_runtime_data_dir(domain)
+# auth_list_pam_console_data(domain)
#
-define(`authlogin_pam_console_read_runtime_data_dir',`
+define(`auth_list_pam_console_data',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
- files_search_runtime_data_directory($1)
+ files_search_var($1)
+ files_search_pids($1)
allow $1 pam_var_console_t:dir r_dir_perms;
')
-define(`authlogin_pam_console_read_runtime_data_dir_depend',`
+define(`auth_list_pam_console_data_depend',`
type pam_var_console_t;
class dir r_dir_perms;
@@ -624,18 +624,18 @@ define(`authlogin_pam_console_read_runtime_data_dir_depend',`
#######################################
#
-# authlogin_pam_console_read_runtime_data(domain)
+# auth_read_pam_console_data(domain)
#
-define(`authlogin_pam_console_read_runtime_data',`
+define(`auth_read_pam_console_data',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
- files_search_runtime_data_directory($1)
+ files_search_var($1)
+ files_search_pids($1)
allow $1 pam_var_console_t:dir r_dir_perms;
allow $1 pam_var_console_t:file r_file_perms;
')
-define(`authlogin_pam_console_read_runtime_data_depend',`
+define(`auth_read_pam_console_data_depend',`
type pam_var_console_t;
class dir r_dir_perms;
@@ -644,19 +644,19 @@ define(`authlogin_pam_console_read_runtime_data_depend',`
#######################################
#
-# authlogin_pam_console_manage_runtime_data(domain)
+# auth_manage_pam_console_data(domain)
#
-define(`authlogin_pam_console_manage_runtime_data',`
+define(`auth_manage_pam_console_data',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
- files_search_runtime_data_directory($1)
+ files_search_var($1)
+ files_search_pids($1)
allow $1 pam_var_console_t:dir rw_dir_perms;
allow $1 pam_var_console_t:file create_file_perms;
allow $1 pam_var_console_t:lnk_file create_lnk_perms;
')
-define(`authlogin_pam_console_manage_runtime_data_depend',`
+define(`auth_manage_pam_console_data_depend',`
type pam_var_console_t;
class dir rw_dir_perms;
@@ -665,7 +665,7 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
')
########################################
-##
+##
##
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
@@ -680,18 +680,18 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
##
#
-define(`authlogin_relabel_all_files_except_shadow',`
+define(`auth_relabel_all_files_except_shadow',`
requires_block_template(`$0'_depend)
files_relabel_all_files($1,$2 -shadow_t)
')
-define(`authlogin_relabel_all_files_except_shadow_depend',`
+define(`auth_relabel_all_files_except_shadow_depend',`
type shadow_t;
')
########################################
-##
+##
##
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
@@ -706,18 +706,18 @@ define(`authlogin_relabel_all_files_except_shadow_depend',`
##
#
-define(`authlogin_manage_all_files_except_shadow',`
+define(`auth_manage_all_files_except_shadow',`
requires_block_template(`$0'_depend)
files_manage_all_files($1,$2 -shadow_t)
')
-define(`authlogin_manage_all_files_except_shadow_depend',`
+define(`auth_manage_all_files_except_shadow_depend',`
type shadow_t;
')
########################################
-##
+##
##
## Execute utempter programs in the utempter domain.
##
@@ -726,7 +726,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',`
##
##
#
-define(`authlogin_utempter_transition',`
+define(`auth_domtrans_utempter',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,utempter_exec_t,utempter_t)
@@ -737,7 +737,7 @@ define(`authlogin_utempter_transition',`
allow utempter_t $1:process sigchld;
')
-define(`authlogin_utempter_transition_depend',`
+define(`auth_domtrans_utempter_depend',`
type utempter_t, utempter_exec_t;
class file rx_file_perms;
@@ -747,7 +747,7 @@ define(`authlogin_utempter_transition_depend',`
')
########################################
-##
+##
##
## Execute utempter programs in the utempter domain.
##
@@ -762,22 +762,22 @@ define(`authlogin_utempter_transition_depend',`
##
##
#
-define(`authlogin_utempter_transition_add_role_use_terminal',`
+define(`auth_run_utempter',`
requires_block_template(`$0'_depend)
- authlogin_utempter_transition($1)
+ auth_domtrans_utempter($1)
role $2 types utempter_t;
allow utempter_t $3:chr_file rw_file_perms;
')
-define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
+define(`auth_run_utempter_depend',`
type utempter_t;
class chr_file rw_file_perms;
')
########################################
-##
+##
##
##
##
@@ -791,23 +791,23 @@ define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
#
#######################################
#
-# authlogin_read_login_records(domain)
+# auth_read_login_records(domain)
#
-define(`authlogin_read_login_records',`
+define(`auth_read_login_records',`
requires_block_template(`$0'_depend)
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
allow $1 wtmp_t:file r_file_perms;
')
-define(`authlogin_read_login_records_depend',`
+define(`auth_read_login_records_depend',`
type wtmp_t;
class file r_file_perms;
')
########################################
-##
+##
##
##
##
@@ -818,15 +818,15 @@ define(`authlogin_read_login_records_depend',`
#
#######################################
#
-# authlogin_ignore_write_login_records(domain)
+# auth_dontaudit_write_login_records(domain)
#
-define(`authlogin_ignore_write_login_records',`
+define(`auth_dontaudit_write_login_records',`
requires_block_template(`$0'_depend)
dontaudit $1 wtmp_t:file write;
')
-define(`authlogin_read_login_records_depend',`
+define(`auth_read_login_records_depend',`
type wtmp_t;
class file write;
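Review bot: The depend block for the renamed `auth_dontaudit_write_login_records` is still registered under the wrong name — the new line defines `auth_read_login_records_depend`, so `requires_block_template(`$0'_depend)` inside `auth_dontaudit_write_login_records` looks for `auth_dontaudit_write_login_records_depend`, which nothing defines. Because m4's last `define` wins, this second definition also silently replaces the real `auth_read_login_records_depend` from the previous hunk, narrowing its requires block from `class file r_file_perms` to `class file write`. The original file had the same copy-paste slip under the `authlogin_` names; the rename was the moment to fix it. The line should read `define(`auth_dontaudit_write_login_records_depend',`` (the depend block's closing `')` lies past the end of this hunk).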
@@ -834,16 +834,16 @@ define(`authlogin_read_login_records_depend',`
#######################################
#
-# authlogin_modify_login_records(domain)
+# auth_rw_login_records(domain)
#
-define(`authlogin_modify_login_records',`
+define(`auth_rw_login_records',`
requires_block_template(`$0'_depend)
allow $1 wtmp_t:file rw_file_perms;
- logging_search_system_log_directory($1)
+ logging_search_logs($1)
')
-define(`authlogin_modify_login_records_depend',`
+define(`auth_rw_login_records_depend',`
type wtmp_t;
class file rw_file_perms;
')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index e530bf8..5af1281 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -11,59 +11,59 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t;
-files_make_file(chkpwd_exec_t)
+files_file_type(chkpwd_exec_t)
type faillog_t;
-logging_make_log_file(faillog_t)
+logging_log_file(faillog_t)
type lastlog_t;
-logging_make_log_file(lastlog_t)
+logging_log_file(lastlog_t)
type login_exec_t;
-files_make_file(login_exec_t)
+files_file_type(login_exec_t)
type pam_console_t;
type pam_console_exec_t;
-init_make_system_domain(pam_console_t,pam_console_exec_t)
+init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;
-domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
+domain_entry_file(pam_console_t,pam_console_exec_t)
type pam_t; #, nscd_client_domain;
-domain_make_domain(pam_t)
+domain_type(pam_t)
role system_r types pam_t;
type pam_exec_t;
-domain_make_entrypoint_file(pam_t,pam_exec_t)
+domain_entry_file(pam_t,pam_exec_t)
type pam_tmp_t;
-files_make_temporary_file(pam_tmp_t)
+files_tmp_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain
-files_make_file(pam_var_console_t)
+files_file_type(pam_var_console_t)
type pam_var_run_t;
-files_make_daemon_runtime_file(pam_var_run_t)
+files_pid_file(pam_var_run_t)
type shadow_t;
-files_make_file(shadow_t)
+files_file_type(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
-domain_make_domain(system_chkpwd_t)
-domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t)
+domain_type(system_chkpwd_t)
+domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t;
type utempter_t; #, nscd_client_domain;
-domain_make_domain(utempter_t)
+domain_type(utempter_t)
type utempter_exec_t;
-domain_make_entrypoint_file(utempter_t,utempter_exec_t)
+domain_entry_file(utempter_t,utempter_exec_t)
type wtmp_t;
-logging_make_log_file(wtmp_t)
+logging_log_file(wtmp_t)
########################################
#
@@ -89,27 +89,27 @@ allow pam_t pam_var_run_t:file { getattr read unlink };
allow pam_t pam_tmp_t:dir create_dir_perms;
allow pam_t pam_tmp_t:file create_file_perms;
-files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
+files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t)
term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t)
-init_script_ignore_modify_runtime_data(pam_t)
+init_dontaudit_rw_script_pid(pam_t)
-files_read_general_system_config(pam_t)
-files_read_runtime_data_directory(pam_t)
+files_read_generic_etc_files(pam_t)
+files_list_pids(pam_t)
-libraries_use_dynamic_loader(pam_t)
-libraries_use_shared_libraries(pam_t)
+libs_use_ld_so(pam_t)
+libs_use_shared_libs(pam_t)
-logging_send_system_log_message(pam_t)
+logging_send_syslog_msg(pam_t)
-userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
+userdom_use_unpriv_users_fd(pam_t)
optional_policy(`locallogin.te',`
- locallogin_use_file_descriptors(pam_t)
+ locallogin_use_fd(pam_t)
')
ifdef(`TODO',`
@@ -151,38 +151,38 @@ term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
-init_use_file_descriptors(pam_console_t)
-init_use_file_descriptors(pam_console_t)
-init_script_use_pseudoterminal(pam_console_t)
+init_use_fd(pam_console_t)
+init_use_fd(pam_console_t)
+init_use_script_pty(pam_console_t)
-domain_use_widely_inheritable_file_descriptors(pam_console_t)
+domain_use_wide_inherit_fd(pam_console_t)
-files_read_general_system_config(pam_console_t)
-files_search_runtime_data_directory(pam_console_t)
-files_read_mnt_dir(pam_console_t)
+files_read_generic_etc_files(pam_console_t)
+files_search_pids(pam_console_t)
+files_list_mnt(pam_console_t)
-libraries_use_dynamic_loader(pam_console_t)
-libraries_use_shared_libraries(pam_console_t)
+libs_use_ld_so(pam_console_t)
+libs_use_shared_libs(pam_console_t)
-logging_send_system_log_message(pam_console_t)
+logging_send_syslog_msg(pam_console_t)
selinux_read_file_contexts(pam_console_t)
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
+userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
ifdef(`direct_sysadm_daemon', `
- userdomain_dontaudit_use_admin_terminals(pam_console_t)
+ userdom_dontaudit_use_sysadm_terms(pam_console_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(pam_console_t)
terminal_ignore_use_general_pseudoterminal(pam_console_t)
- files_ignore_read_rootfs_file(pam_console_t)
+ files_dontaudit_read_root_file(pam_console_t)
')
optional_policy(`hotplug.te', `
- hotplug_use_file_descriptors(pam_console_t)
- hotplug_ignore_search_config_directory(pam_console_t)
+ hotplug_use_fd(pam_console_t)
+ hotplug_dontaudit_search_config(pam_console_t)
')
optional_policy(`selinux.te',`
@@ -190,7 +190,7 @@ selinux_newrole_sigchld(pam_console_t)
')
optional_policy(`udev.te', `
- udev_read_database(pam_console_t)
+ udev_read_db(pam_console_t)
')
ifdef(`TODO',`
@@ -240,14 +240,14 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_use_unallocated_tty(system_chkpwd_t)
-files_read_general_system_config(system_chkpwd_t)
+files_read_generic_etc_files(system_chkpwd_t)
# for nscd
-files_ignore_search_system_state_data_directory(system_chkpwd_t)
+files_dontaudit_search_var(system_chkpwd_t)
-libraries_use_dynamic_loader(system_chkpwd_t)
-libraries_use_shared_libraries(system_chkpwd_t)
+libs_use_ld_so(system_chkpwd_t)
+libs_use_shared_libs(system_chkpwd_t)
-logging_send_system_log_message(system_chkpwd_t)
+logging_send_syslog_msg(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t)
@@ -261,7 +261,7 @@ tunable_policy(`use_dns',`
corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
corenet_udp_bind_all_nodes(system_chkpwd_t)
corenet_udp_sendrecv_dns_port(system_chkpwd_t)
- sysnetwork_read_network_config(system_chkpwd_t)
+ sysnet_read_config(system_chkpwd_t)
')
ifdef(`TODO',`
@@ -288,16 +288,16 @@ term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
-init_script_modify_runtime_data(utempter_t)
+init_rw_script_pid(utempter_t)
-files_read_general_system_config(utempter_t)
+files_read_generic_etc_files(utempter_t)
-domain_use_widely_inheritable_file_descriptors(utempter_t)
+domain_use_wide_inherit_fd(utempter_t)
-libraries_use_dynamic_loader(utempter_t)
-libraries_use_shared_libraries(utempter_t)
+libs_use_ld_so(utempter_t)
+libs_use_shared_libs(utempter_t)
-logging_search_system_log_directory(utempter_t)
+logging_search_logs(utempter_t)
ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-*
diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if
index d370d8c..01af3c6 100644
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@@ -2,7 +2,7 @@
## Policy for reading and setting the hardware clock.
########################################
-##
+##
##
## Execute hwclock in the clock domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`clock_transition',`
+define(`clock_domtrans',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
@@ -22,7 +22,7 @@ define(`clock_transition',`
allow hwclock_t $1:process sigchld;
')
-define(`clock_transition_depend',`
+define(`clock_domtrans_depend',`
type hwclock_t, hwclock_exec_t;
class file rx_file_perms;
@@ -32,7 +32,7 @@ define(`clock_transition_depend',`
')
########################################
-##
+##
##
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
@@ -48,22 +48,22 @@ define(`clock_transition_depend',`
##
##
#
-define(`clock_transition_add_role_use_terminal',`
+define(`clock_run',`
requires_block_template(`$0'_depend)
- clock_transition($1)
+ clock_domtrans($1)
role $2 types hwclock_t;
allow hwclock_t $3:chr_file { getattr read write ioctl };
')
-define(`clock_transition_add_role_use_terminal_depend',`
+define(`clock_run_depend',`
type hwclock_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute hwclock
##
@@ -72,20 +72,20 @@ define(`clock_transition_add_role_use_terminal_depend',`
##
##
#
-define(`clock_execute',`
+define(`clock_exec',`
requires_block_template(`$0'_depend)
can_exec($1,hwclock_exec_t)
')
-define(`clock_execute_depend',`
+define(`clock_exec_depend',`
type hwclock_exec_t;
class file { getattr read execute execute_no_trans };
')
########################################
-##
+##
##
## Allow executing domain to modify clock drift
##
@@ -94,14 +94,14 @@ define(`clock_execute_depend',`
##
##
#
-define(`clock_modify_drift_records',`
+define(`clock_rw_adjtime',`
requires_block_template(`$0'_depend)
allow $1 adjtime_t:file rw_file_perms;
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
')
-define(`clock_modify_drift_records_depend',`
+define(`clock_rw_adjtime_depend',`
type adjtime_t;
class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 96e4097..6cad75b 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -7,11 +7,11 @@ policy_module(clock,1.0)
#
type adjtime_t;
-files_make_file(adjtime_t)
+files_file_type(adjtime_t)
type hwclock_t;
type hwclock_exec_t;
-init_make_system_domain(hwclock_t,hwclock_exec_t)
+init_system_domain(hwclock_t,hwclock_exec_t)
role system_r types hwclock_t;
########################################
@@ -41,26 +41,26 @@ term_use_unallocated_tty(hwclock_t)
term_use_all_user_ttys(hwclock_t)
term_use_all_user_ptys(hwclock_t)
-init_use_file_descriptors(hwclock_t)
-init_script_use_pseudoterminal(hwclock_t)
+init_use_fd(hwclock_t)
+init_use_script_pty(hwclock_t)
-domain_use_widely_inheritable_file_descriptors(hwclock_t)
+domain_use_wide_inherit_fd(hwclock_t)
-files_read_general_system_config_directory(hwclock_t)
+files_read_generic_etc_files_directory(hwclock_t)
# for when /usr is not mounted:
-files_ignore_search_isid_type_dir(hwclock_t)
+files_dontaudit_search_isid_type_dir(hwclock_t)
-libraries_use_dynamic_loader(hwclock_t)
-libraries_use_shared_libraries(hwclock_t)
+libs_use_ld_so(hwclock_t)
+libs_use_shared_libs(hwclock_t)
-logging_send_system_log_message(hwclock_t)
+logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hwclock_t)
terminal_ignore_use_general_pseudoterminal(hwclock_t)
- files_ignore_read_rootfs_file(hwclock_t)
+ files_dontaudit_read_root_file(hwclock_t)
')
optional_policy(`selinux.te',`
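Review bot: The `targeted_policy` block still calls `terminal_ignore_use_general_pseudoterminal(hwclock_t)` with the pre-rename prefix, right after `term_dontaudit_use_unallocated_tty(hwclock_t)` which uses the new one. Every other call in this hunk was moved to the short prefixes (`libs_`, `userdom_`, `files_dontaudit_`), so this looks like a missed rename; if terminal.if no longer defines the long name, m4 emits it verbatim and the dontaudit rule for hwclock_t on generic ptys is silently lost. Please confirm the current terminal interface name (terminal.if is outside this diff) and update the call to match.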
@@ -68,11 +68,11 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(hwclock_t)
+ udev_read_db(hwclock_t)
')
optional_policy(`userdomain.te',`
- userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
+ userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 579d489..529a4c6 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -6,29 +6,29 @@
#######################################
#
-# corecommands_make_shell_entrypoint(domain)
+# corecmd_shell_entry_type(domain)
#
-define(`corecommands_make_shell_entrypoint',`
+define(`corecmd_shell_entry_type',`
requires_block_template(`$0'_depend)
- domain_make_entrypoint_file($1,shell_exec_t)
+ domain_entry_file($1,shell_exec_t)
')
-define(`corecommands_make_shell_entrypoint_depend',`
+define(`corecmd_shell_entry_type_depend',`
type shell_exec_t;
')
########################################
#
-# corecommands_search_general_programs_directory(domain)
+# corecmd_search_bin(domain)
#
-define(`corecommands_search_general_programs_directory',`
+define(`corecmd_search_bin',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir search;
')
-define(`corecommands_search_general_programs_directory_depend',`
+define(`corecmd_search_bin_depend',`
type bin_t;
class dir search;
@@ -36,15 +36,15 @@ define(`corecommands_search_general_programs_directory_depend',`
########################################
#
-# corecommands_read_general_programs_directory(domain)
+# corecmd_list_bin(domain)
#
-define(`corecommands_read_general_programs_directory',`
+define(`corecmd_list_bin',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms;
')
-define(`corecommands_read_general_programs_directory_depend',`
+define(`corecmd_list_bin_depend',`
type bin_t;
class dir r_dir_perms;
@@ -52,9 +52,9 @@ define(`corecommands_read_general_programs_directory_depend',`
########################################
#
-# corecommands_execute_general_programs(domain)
+# corecmd_exec_bin(domain)
#
-define(`corecommands_execute_general_programs',`
+define(`corecmd_exec_bin',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms;
@@ -63,7 +63,7 @@ define(`corecommands_execute_general_programs',`
')
-define(`corecommands_execute_general_programs_depend',`
+define(`corecmd_exec_bin_depend',`
type bin_t;
class dir r_dir_perms;
@@ -73,15 +73,15 @@ define(`corecommands_execute_general_programs_depend',`
########################################
#
-# corecommands_search_system_programs_directory(domain)
+# corecmd_search_sbin(domain)
#
-define(`corecommands_search_system_programs_directory',`
+define(`corecmd_search_sbin',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:dir search;
')
-define(`corecommands_search_system_programs_directory_depend',`
+define(`corecmd_search_sbin_depend',`
type sbin_t;
class dir search;
@@ -89,15 +89,15 @@ define(`corecommands_search_system_programs_directory_depend',`
########################################
#
-# corecommands_read_system_programs_directory(domain)
+# corecmd_list_sbin(domain)
#
-define(`corecommands_read_system_programs_directory',`
+define(`corecmd_list_sbin',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:dir r_dir_perms;
')
-define(`corecommands_read_system_programs_directory_depend',`
+define(`corecmd_list_sbin_depend',`
type sbin_t;
class dir r_dir_perms;
@@ -105,15 +105,15 @@ define(`corecommands_read_system_programs_directory_depend',`
########################################
#
-# corecommands_ignore_get_system_programs_attributes(domain)
+# corecmd_dontaudit_getattr_sbin_file(domain)
#
-define(`corecommands_ignore_get_system_programs_attributes',`
+define(`corecmd_dontaudit_getattr_sbin_file',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:file getattr;
')
-define(`corecommands_ignore_get_system_programs_attributes_depend',`
+define(`corecmd_dontaudit_getattr_sbin_file_depend',`
type sbin_t;
class file getattr;
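Review bot: `corecmd_dontaudit_getattr_sbin_file` grants the permission instead of suppressing its audit: the body is `allow $1 sbin_t:file getattr;`, so every caller that only wants to quiet denials actually gains read-attribute access on sbin_t files. The old name `corecommands_ignore_get_system_programs_attributes` already implied dontaudit semantics, so this is a pre-existing mismatch the rename makes more visible rather than fixes. The line should be `dontaudit $1 sbin_t:file getattr;`; the depend block's `class file getattr` declaration stays as is.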
@@ -121,9 +121,9 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',`
########################################
#
-# corecommands_execute_system_programs(domain)
+# corecmd_exec_sbin(domain)
#
-define(`corecommands_execute_system_programs',`
+define(`corecmd_exec_sbin',`
requires_block_template(`$0'_depend)
allow $1 sbin_t:dir r_dir_perms;
@@ -132,7 +132,7 @@ define(`corecommands_execute_system_programs',`
')
-define(`corecommands_execute_system_programs_depend',`
+define(`corecmd_exec_sbin_depend',`
type sbin_t;
class dir r_dir_perms;
@@ -142,9 +142,9 @@ define(`corecommands_execute_system_programs_depend',`
########################################
#
-# corecommands_execute_shell(domain)
+# corecmd_exec_shell(domain)
#
-define(`corecommands_execute_shell',`
+define(`corecmd_exec_shell',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms;
@@ -152,7 +152,7 @@ define(`corecommands_execute_shell',`
can_exec($1,shell_exec_t)
')
-define(`corecommands_execute_shell_depend',`
+define(`corecmd_exec_shell_depend',`
type bin_t, shell_exec_t;
class dir r_dir_perms;
@@ -162,9 +162,9 @@ define(`corecommands_execute_shell_depend',`
########################################
#
-# corecommands_execute_ls(domain)
+# corecmd_exec_ls(domain)
#
-define(`corecommands_execute_ls',`
+define(`corecmd_exec_ls',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms;
@@ -172,7 +172,7 @@ define(`corecommands_execute_ls',`
can_exec($1,ls_exec_t)
')
-define(`corecommands_execute_shell_depend',`
+define(`corecmd_exec_shell_depend',`
type bin_t, ls_exec_t;
class dir r_dir_perms;
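Review bot: The depend block for `corecmd_exec_ls` is defined as `corecmd_exec_shell_depend`, so `corecmd_exec_ls_depend` never exists and `requires_block_template(`$0'_depend)` in `corecmd_exec_ls` has nothing to expand. Since the later m4 `define` replaces the earlier one, `corecmd_exec_shell` ends up with a requires block declaring `type bin_t, ls_exec_t` and no `shell_exec_t`, even though its body does `can_exec($1,shell_exec_t)`. The original file had the same duplicated name under `corecommands_execute_shell_depend`; the fix is `define(`corecmd_exec_ls_depend',``. The rest of this depend block continues past the end of the hunk.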
@@ -181,7 +181,7 @@ define(`corecommands_execute_shell_depend',`
')
########################################
-##
+##
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
@@ -195,7 +195,7 @@ define(`corecommands_execute_shell_depend',`
##
##
#
-define(`corecommands_shell_explicit_transition',`
+define(`corecmd_shell_spec_domtrans',`
requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms;
@@ -209,7 +209,7 @@ define(`corecommands_shell_explicit_transition',`
allow $2 $1:process sigchld;
')
-define(`corecommands_shell_explicit_transition_depend',`
+define(`corecmd_shell_spec_domtrans_depend',`
type bin_t, shell_exec_t;
class dir r_dir_perms;
@@ -221,7 +221,7 @@ define(`corecommands_shell_explicit_transition_depend',`
')
########################################
-##
+##
##
## Execute a shell in the target domain.
##
@@ -233,29 +233,29 @@ define(`corecommands_shell_explicit_transition_depend',`
##
##
#
-define(`corecommands_shell_transition',`
+define(`corecmd_domtrans_shell',`
requires_block_template(`$0'_depend)
- corecommands_shell_explicit_transition($1,$2)
+ corecmd_shell_spec_domtrans($1,$2)
type_transition $1 shell_exec_t:process $2;
')
-define(`corecommands_shell_transition_depend',`
+define(`corecmd_domtrans_shell_depend',`
type shell_exec_t;
')
########################################
#
-# corecommands_chroot(domain)
+# corecmd_chroot_exec_chroot(domain)
#
-define(`corecommands_chroot',`
+define(`corecmd_chroot_exec_chroot',`
requires_block_template(`$0'_depend)
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
allow $1 self:capability sys_chroot;
')
-define(`corecommands_chroot_depend',`
+define(`corecmd_chroot_exec_chroot_depend',`
type chroot_exec_t;
class file { getattr read execute execute_no_trans };
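Review bot: The header comment `# corecmd_chroot_exec_chroot(domain)` undersells what this interface hands out: besides execute on chroot_exec_t it grants `allow $1 self:capability sys_chroot;`, which is the privilege-bearing part, and a caller reading the name alone will not expect a capability grant. Suggest documenting it in the header, e.g. `# corecmd_chroot_exec_chroot(domain) - execute chroot and grant the sys_chroot capability`. The name also stutters and departs from the `corecmd_exec_ls`/`corecmd_exec_shell` pattern used elsewhere in this file; `corecmd_exec_chroot` would fit if a rename is still on the table. The visible part of the depend block declares only `type chroot_exec_t` and `class file {...}`; the block continues past the hunk, so please confirm it also declares `class capability sys_chroot`.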
diff --git a/refpolicy/policy/modules/system/corecommands.te b/refpolicy/policy/modules/system/corecommands.te
index 47d960d..8c49c97 100644
--- a/refpolicy/policy/modules/system/corecommands.te
+++ b/refpolicy/policy/modules/system/corecommands.te
@@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
# bin_t is the type of files in the system bin directories.
#
type bin_t;
-files_make_file(bin_t)
+files_file_type(bin_t)
#
# sbin_t is the type of files in the system sbin directories.
#
type sbin_t;
-files_make_file(sbin_t)
+files_file_type(sbin_t)
#
# ls_exec_t is the type of the ls program.
#
type ls_exec_t;
-files_make_file(ls_exec_t)
+files_file_type(ls_exec_t)
#
# shell_exec_t is the type of user shells such as /bin/bash.
#
type shell_exec_t;
-files_make_file(shell_exec_t)
+files_file_type(shell_exec_t)
type chroot_exec_t;
-files_make_file(chroot_exec_t)
+files_file_type(chroot_exec_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index e92f28d..ab6cc0d 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -3,9 +3,9 @@
########################################
#
-# domain_make_base_domain(domain)
+# domain_base_domain_type(domain)
#
-define(`domain_make_base_domain',`
+define(`domain_base_domain_type',`
requires_block_template(`$0'_depend)
# mark as a domain
@@ -19,7 +19,7 @@ define(`domain_make_base_domain',`
allow $1 self:process { fork sigchld };
')
-define(`domain_make_base_domain_depend',`
+define(`domain_base_domain_type_depend',`
attribute domain;
class dir r_dir_perms;
@@ -29,11 +29,11 @@ define(`domain_make_base_domain_depend',`
########################################
#
-# domain_make_domain(domain)
+# domain_type(domain)
#
-define(`domain_make_domain',`
+define(`domain_type',`
# start with basic domain
- domain_make_base_domain($1)
+ domain_base_domain_type($1)
# Use trusted objects in /dev
dev_rw_null_dev($1)
@@ -41,31 +41,31 @@ define(`domain_make_domain',`
term_use_controlling_term($1)
# read the root directory
- files_read_root_dir($1)
+ files_list_root($1)
# send init a sigchld
init_sigchld($1)
# this seems highly questionable:
optional_policy(`rpm.te',`
- rpm_use_file_descriptors($1)
+ rpm_use_fd($1)
rpm_read_pipe($1)
')
')
########################################
#
-# domain_make_entrypoint_file(domain,entrypointfile)
+# domain_entry_file(domain,entrypointfile)
#
-define(`domain_make_entrypoint_file',`
+define(`domain_entry_file',`
requires_block_template(`$0'_depend)
- files_make_file($2)
+ files_file_type($2)
allow $1 $2:file entrypoint;
typeattribute $2 entry_type;
')
-define(`domain_make_entrypoint_file_depend',`
+define(`domain_entry_file_depend',`
attribute entry_type;
class file entrypoint;
@@ -73,29 +73,29 @@ define(`domain_make_entrypoint_file_depend',`
########################################
#
-# domain_make_file_descriptors_widely_inheritable(domain)
+# domain_wide_inherit_fd(domain)
#
-define(`domain_make_file_descriptors_widely_inheritable',`
+define(`domain_wide_inherit_fd',`
requires_block_template(`$0'_depend)
typeattribute $1 privfd;
')
-define(`domain_make_file_descriptors_widely_inheritable_depend',`
+define(`domain_wide_inherit_fd_depend',`
attribute privfd;
')
########################################
#
-# domain_use_widely_inheritable_file_descriptors(domain)
+# domain_use_wide_inherit_fd(domain)
#
-define(`domain_use_widely_inheritable_file_descriptors',`
+define(`domain_use_wide_inherit_fd',`
requires_block_template(`$0'_depend)
allow $1 privfd:fd use;
')
-define(`domain_use_widely_inheritable_file_descriptors_depend',`
+define(`domain_use_wide_inherit_fd_depend',`
attribute privfd;
class fd use;
@@ -103,15 +103,15 @@ define(`domain_use_widely_inheritable_file_descriptors_depend',`
########################################
#
-# domain_ignore_use_widely_inheritable_file_descriptors(domain)
+# domain_dontaudit_use_wide_inherit_fd(domain)
#
-define(`domain_ignore_use_widely_inheritable_file_descriptors',`
+define(`domain_dontaudit_use_wide_inherit_fd',`
requires_block_template(`$0'_depend)
dontaudit $1 privfd:fd use;
')
-define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
+define(`domain_dontaudit_use_wide_inherit_fd_depend',`
attribute privfd;
class fd use;
@@ -119,15 +119,15 @@ define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
########################################
#
-# domain_set_all_domains_priorities(domain)
+# domain_setpriority_all_domains(domain)
#
-define(`domain_set_all_domains_priorities',`
+define(`domain_setpriority_all_domains',`
requires_block_template(`$0'_depend)
allow $1 domain:process setsched;
')
-define(`domain_set_all_domains_priorities_depend',`
+define(`domain_setpriority_all_domains_depend',`
attribute domain;
class process setsched;
@@ -246,7 +246,7 @@ define(`domain_kill_all_domains_depend',`
')
########################################
-##
+##
##
## Read the process state (/proc/pid) of all domains.
##
@@ -255,7 +255,7 @@ define(`domain_kill_all_domains_depend',`
##
##
#
-define(`domain_read_all_domains_process_state',`
+define(`domain_read_all_domains_state',`
requires_block_template(`$0'_depend)
allow $1 domain:dir r_dir_perms;
@@ -270,7 +270,7 @@ define(`domain_read_all_domains_process_state',`
dontaudit $1 domain:process ptrace;
')
-define(`domain_read_all_domains_process_state_depend',`
+define(`domain_read_all_domains_state_depend',`
attribute domain;
class dir r_dir_perms;
@@ -280,7 +280,7 @@ define(`domain_read_all_domains_process_state_depend',`
')
########################################
-##
+##
##
## Do not audit attempts to read the process state
## directories of all domains.
@@ -290,13 +290,13 @@ define(`domain_read_all_domains_process_state_depend',`
##
##
#
-define(`domain_ignore_read_all_domains_process_dirs',`
+define(`domain_dontaudit_list_all_domains_proc',`
requires_block_template(`$0'_depend)
dontaudit $1 domain:dir r_dir_perms;
')
-define(`domain_ignore_read_all_domains_process_dirs_depend',`
+define(`domain_dontaudit_list_all_domains_proc_depend',`
attribute domain;
class dir r_dir_perms;
@@ -304,7 +304,7 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
########################################
-##
+##
##
## Get the session ID of all domains.
##
@@ -313,20 +313,20 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
##
##
#
-define(`domain_get_all_domains_session_id',`
+define(`domain_getsession_all_domains',`
requires_block_template(`$0'_depend)
allow $1 domain:process getsession;
')
-define(`domain_get_all_domains_session_id_depend',`
+define(`domain_getsession_all_domains_depend',`
attribute domain;
class process getsession;
')
########################################
-##
+##
##
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
@@ -336,20 +336,20 @@ define(`domain_get_all_domains_session_id_depend',`
##
##
#
-define(`domain_ignore_get_all_domains_udp_socket_attributes',`
+define(`domain_dontaudit_getattr_all_udp_sockets',`
requires_block_template(`$0'_depend)
dontaudit $1 domain:udp_socket getattr;
')
-define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
+define(`domain_dontaudit_getattr_all_udp_sockets_depend',`
attribute domain;
class udp_socket getattr;
')
########################################
-##
+##
##
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
@@ -359,20 +359,20 @@ define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
##
##
#
-define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
+define(`domain_dontaudit_getattr_all_tcp_sockets',`
requires_block_template(`$0'_depend)
dontaudit $1 domain:tcp_socket getattr;
')
-define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
+define(`domain_dontaudit_getattr_all_tcp_sockets_depend',`
attribute domain;
class tcp_socket getattr;
')
########################################
-##
+##
##
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
@@ -382,20 +382,20 @@ define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
##
##
#
-define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
+define(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
requires_block_template(`$0'_depend)
dontaudit $1 domain:unix_dgram_socket getattr;
')
-define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
+define(`domain_dontaudit_getattr_all_unix_dgram_sockets_depend',`
attribute domain;
class unix_dgram_socket getattr;
')
########################################
-##
+##
##
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
@@ -405,13 +405,13 @@ define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
##
##
#
-define(`domain_ignore_get_all_domains_pipe_attributes',`
+define(`domain_dontaudit_getattr_all_unnamed_pipes',`
requires_block_template(`$0'_depend)
dontaudit $1 domain:fifo_file getattr;
')
-define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
+define(`domain_dontaudit_getattr_all_unnamed_pipes_depend',`
attribute domain;
class fifo_file getattr;
@@ -419,16 +419,16 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
########################################
#
-# domain_execute_all_entrypoint_programs(domain)
+# domain_exec_all_entry_files(domain)
#
-define(`domain_execute_all_entrypoint_programs',`
+define(`domain_exec_all_entry_files',`
requires_block_template(`$0'_depend)
can_exec($1,entry_type)
')
-define(`domain_execute_all_entrypoint_programs_depend',`
+define(`domain_exec_all_entry_files_depend',`
attribute entry_type;
class file { getattr read ioctl lock execute execute_no_trans };
@@ -436,16 +436,16 @@ define(`domain_execute_all_entrypoint_programs_depend',`
########################################
#
-# domain_read_all_entrypoint_programs(domain)
+# domain_read_all_entry_files(domain)
#
-define(`domain_read_all_entrypoint_programs',`
+define(`domain_read_all_entry_files',`
requires_block_template(`$0'_depend)
allow $1 entry_type:lnk_file r_file_perms;
allow $1 entry_type:file r_file_perms;
')
-define(`domain_read_all_entrypoint_programs_depend',`
+define(`domain_read_all_entry_files_depend',`
attribute entry_type;
class file r_file_perms;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 4b633c3..6e8e673 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -3,9 +3,9 @@
########################################
#
-# files_make_file(type)
+# files_file_type(type)
#
-define(`files_make_file',`
+define(`files_file_type',`
requires_block_template(`$0'_depend)
fs_associate($1)
@@ -13,72 +13,72 @@ define(`files_make_file',`
typeattribute $1 file_type;
')
-define(`files_make_file_depend',`
+define(`files_file_type_depend',`
attribute file_type;
')
########################################
#
-# files_make_lock_file(type)
+# files_lock_file(type)
#
-define(`files_make_lock_file',`
+define(`files_lock_file',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
typeattribute $1 lockfile;
')
-define(`files_make_lock_file_depend',`
+define(`files_lock_file_depend',`
attribute lockfile;
')
########################################
#
-# files_make_mountpoint(type)
+# files_mountpoint(type)
#
-define(`files_make_mountpoint',`
+define(`files_mountpoint',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
typeattribute $1 mountpoint;
')
-define(`files_make_mountpoint_depend',`
+define(`files_mountpoint_depend',`
attribute mountpoint;
')
########################################
#
-# files_make_daemon_runtime_file(type)
+# files_pid_file(type)
#
-define(`files_make_daemon_runtime_file',`
+define(`files_pid_file',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
typeattribute $1 pidfile;
')
-define(`files_make_daemon_runtime_file_depend',`
+define(`files_pid_file_depend',`
attribute pidfile;
')
########################################
#
-# files_make_temporary_file(type)
+# files_tmp_file(type)
#
-define(`files_make_temporary_file',`
+define(`files_tmp_file',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
typeattribute $1 tmpfile;
')
-define(`files_make_temporary_file_depend',`
+define(`files_tmp_file_depend',`
attribute tmpfile;
')
########################################
-##
+##
##
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
@@ -88,23 +88,23 @@ define(`files_make_temporary_file_depend',`
##
##
#
-define(`files_make_tmpfs_file',`
+define(`files_tmpfs_file',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
fs_associate_tmpfs($1)
typeattribute $1 tmpfsfile;
')
-define(`files_make_tmpfs_file_depend',`
+define(`files_tmpfs_file_depend',`
attribute tmpfsfile;
')
########################################
#
-# files_get_all_file_attributes(domain)
+# files_getattr_all_files(domain)
-define(`files_get_all_file_attributes',`
+define(`files_getattr_all_files',`
requires_block_template(`$0'_depend)
allow $1 file_type:dir { search getattr };
@@ -114,7 +114,7 @@ define(`files_get_all_file_attributes',`
allow $1 file_type:sock_file getattr;
')
-define(`files_get_all_file_attributes_depend',`
+define(`files_getattr_all_files_depend',`
attribute file_type;
class dir { search getattr };
@@ -151,7 +151,7 @@ define(`files_relabel_all_files',`
allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
# satisfy the assertions:
- selinux_relabelto_binary_policy($1)
+ selinux_relabelto_binary_pol($1)
')
define(`files_relabel_all_files_depend',`
@@ -191,7 +191,7 @@ define(`files_manage_all_files',`
allow $1 { file_type $2 }:sock_file create_file_perms;
# satisfy the assertions:
- selinux_write_binary_policy($1)
+ selinux_write_binary_pol($1)
bootloader_manage_kernel_modules($1)
')
@@ -207,15 +207,15 @@ define(`files_manage_all_files_depend',`
########################################
#
-# files_search_all_directories(domain)
+# files_search_all_dirs(domain)
#
-define(`files_search_all_directories',`
+define(`files_search_all_dirs',`
requires_block_template(`$0'_depend)
allow $1 file_type:dir search;
')
-define(`files_search_all_directories_depend',`
+define(`files_search_all_dirs_depend',`
attribute file_type;
class dir search;
@@ -223,15 +223,15 @@ define(`files_search_all_directories_depend',`
########################################
#
-# files_read_all_directories(domain)
+# files_list_all_dirs(domain)
#
-define(`files_read_all_directories',`
+define(`files_list_all_dirs',`
requires_block_template(`$0'_depend)
allow $1 file_type:dir r_dir_perms;
')
-define(`files_read_all_directories_depend',`
+define(`files_list_all_dirs_depend',`
attribute file_type;
class dir r_dir_perms;
@@ -239,15 +239,15 @@ define(`files_read_all_directories_depend',`
########################################
#
-# files_ignore_search_all_directories(domain)
+# files_dontaudit_search_all_dirs(domain)
#
-define(`files_ignore_search_all_directories',`
+define(`files_dontaudit_search_all_dirs',`
requires_block_template(`$0'_depend)
dontaudit $1 file_type:dir search;
')
-define(`files_ignore_search_all_directories_depend',`
+define(`files_dontaudit_search_all_dirs_depend',`
attribute file_type;
class dir search;
@@ -303,15 +303,15 @@ define(`files_unmount_all_file_type_fs_depend',`
########################################
#
-# files_mount_on_all_mountpoints(domain)
+# files_mounton_all_mountpoints(domain)
#
-define(`files_mount_on_all_mountpoints',`
+define(`files_mounton_all_mountpoints',`
requires_block_template(`$0'_depend)
allow $1 mountpoint:dir { getattr search mounton };
')
-define(`files_mount_on_all_mountpoints_depend',`
+define(`files_mounton_all_mountpoints_depend',`
attribute mountpoint;
class dir { getattr search mounton };
@@ -319,16 +319,16 @@ define(`files_mount_on_all_mountpoints_depend',`
########################################
#
-# files_read_root_dir(domain)
+# files_list_root(domain)
#
-define(`files_read_root_dir',`
+define(`files_list_root',`
requires_block_template(`$0'_depend)
allow $1 root_t:dir r_dir_perms;
allow $1 root_t:lnk_file r_file_perms;
')
-define(`files_read_root_dir_depend',`
+define(`files_list_root_depend',`
type root_t;
class dir r_dir_perms;
@@ -336,32 +336,69 @@ define(`files_read_root_dir_depend',`
')
########################################
+##
+##
+## Create an object in the root directory, with a private
+## type. If no object class is specified, the
+## default is file.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the object to be created. If no type
+## is specified, the type of the root directory will
+## be used.
+##
+##
+## The object class of the object being created. If
+## no class is specified, file will be used.
+##
+##
#
-# files_create_root_dir_entry(domain)
-#
-define(`files_create_root_dir_entry',`
+define(`files_create_root',`
requires_block_template(`$0'_depend)
- allow $1 root_t:dir ra_dir_perms;
+ allow $1 root_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ ifelse(`$2',`',`
+ allow $1 root_t:file create_file_perms;
+ ',`
+ type_transition $1 root_t:file $2;
+ ')
+ ',`
+ ifelse(`$2',`',`
+ allow $1 root_t:$3 create_file_perms;
+ ',`
+ type_transition $1 root_t:$3 $2;
+ ')
+ ')
')
-define(`files_create_root_dir_entry_depend',`
+define(`files_create_root_depend',`
type root_t;
- class dir ra_dir_perms;
+ class dir create_dir_perms;
+ class file create_file_perms;
+ class lnk_file create_lnk_perms;
+ class fifo_file create_file_perms;
+ class sock_file create_file_perms;
+ class blk_file create_file_perms;
+ class chr_file create_file_perms;
')
########################################
#
-# files_ignore_read_rootfs_file(domain)
+# files_dontaudit_read_root_file(domain)
#
-define(`files_ignore_read_rootfs_file',`
+define(`files_dontaudit_read_root_file',`
requires_block_template(`$0'_depend)
dontaudit $1 root_t:file read;
')
-define(`files_ignore_read_rootfs_file_depend',`
+define(`files_dontaudit_read_root_file_depend',`
type root_t;
class file read;
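Review bot: `allow $1 root_t:dir rw_dir_perms;` widens the former `ra_dir_perms` for every caller of the merged `files_create_root`, and `rw_dir_perms` in this policy ordinarily carries `remove_name`, so a domain that only needed to create an entry under / can presumably now also delete entries there, while the new doc block still describes creation only. If that widening is intended it should be stated in the doc block; otherwise keep `ra_dir_perms` for the create-only path. The `_depend` block is also out of step with the body: it declares `class dir create_dir_perms;` where the body only uses `rw_dir_perms` (so `class dir rw_dir_perms;` would match), and it declares `class lnk_file create_lnk_perms;` although the `$3` branch grants `create_file_perms` on whatever class the caller passes, so the requires block and the rules it is meant to cover do not agree.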
@@ -369,15 +406,15 @@ define(`files_ignore_read_rootfs_file_depend',`
########################################
#
-# files_ignore_modify_rootfs_file(domain)
+# files_dontaudit_rw_root_file(domain)
#
-define(`files_ignore_modify_rootfs_file',`
+define(`files_dontaudit_rw_root_file',`
requires_block_template(`$0'_depend)
dontaudit $1 root_t:file { read write };
')
-define(`files_ignore_modify_rootfs_file_depend',`
+define(`files_dontaudit_rw_root_file_depend',`
type root_t;
class file { read write };
@@ -385,67 +422,31 @@ define(`files_ignore_modify_rootfs_file_depend',`
########################################
#
-# files_ignore_modify_rootfs_device(domain)
+# files_dontaudit_rw_root_chr_dev(domain)
#
-define(`files_ignore_modify_rootfs_device',`
+define(`files_dontaudit_rw_root_chr_dev',`
requires_block_template(`$0'_depend)
dontaudit $1 root_t:chr_file { read write };
')
-define(`files_ignore_modify_rootfs_device_depend',`
+define(`files_dontaudit_rw_root_chr_dev_depend',`
type root_t;
class chr_file { read write };
')
########################################
-##
-##
-## Create an object in the root directory, with a private
-## type. If no object class is specified, the
-## default is file.
-##
-##
-## The type of the process performing this action.
-##
-##
-## The type of the object to be created.
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-define(`files_create_private_root_dir_entry',`
- requires_block_template(`$0'_depend)
-
- allow $1 root_t:dir rw_dir_perms;
-
- ifelse(`$3',`',`
- type_transition $1 root_t:file $2;
- ',`
- type_transition $1 root_t:$3 $2;
- ') dnl end ifelse
-')
-
-define(`files_create_private_root_dir_entry_depend',`
-type root_t;
-
-class dir rw_dir_perms;
-')
-
-########################################
#
-# files_remove_root_dir_entry(domain)
+# files_delete_root_dir_entry(domain)
#
-define(`files_remove_root_dir_entry',`
+define(`files_delete_root_dir_entry',`
requires_block_template(`$0'_depend)
allow $1 root_t:dir rw_dir_perms;
')
-define(`files_remove_root_dir_entry_depend',`
+define(`files_delete_root_dir_entry_depend',`
type root_t;
class dir rw_dir_perms;
@@ -453,15 +454,15 @@ define(`files_remove_root_dir_entry_depend',`
########################################
#
-# files_unmount_root_fs(domain)
+# files_unmount_rootfs(domain)
#
-define(`files_unmount_root_fs',`
+define(`files_unmount_rootfs',`
requires_block_template(`$0'_depend)
allow $1 root_t:filesystem unmount;
')
-define(`files_unmount_root_fs_depend',`
+define(`files_unmount_rootfs_depend',`
type root_t;
class filesystem unmount;
@@ -469,15 +470,15 @@ define(`files_unmount_root_fs_depend',`
########################################
#
-# files_search_general_system_config_directory(domain)
+# files_search_etc(domain)
#
-define(`files_search_general_system_config_directory',`
+define(`files_search_etc',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir search;
')
-define(`files_search_general_system_config_directory_depend',`
+define(`files_search_etc_depend',`
type etc_t;
class dir search;
@@ -485,15 +486,15 @@ define(`files_search_general_system_config_directory_depend',`
########################################
#
-# files_read_general_system_config_directory(domain)
+# files_read_generic_etc_files_directory(domain)
#
-define(`files_read_general_system_config_directory',`
+define(`files_read_generic_etc_files_directory',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir r_dir_perms;
')
-define(`files_read_general_system_config_directory_depend',`
+define(`files_read_generic_etc_files_directory_depend',`
type etc_t;
class dir r_dir_perms;
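Review bot: The new name `files_read_generic_etc_files_directory` breaks the convention this same commit applies to every other `dir r_dir_perms` interface in the file, which become `files_list_*` (`files_list_root`, `files_list_all_dirs`, `files_list_mnt`, `files_list_home`). Since the body is only `allow $1 etc_t:dir r_dir_perms;`, `files_list_etc` (and `files_list_etc_depend`) would be consistent with the rest of the rename and shorter. The depend body continues outside the hunk.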
@@ -501,9 +502,9 @@ define(`files_read_general_system_config_directory_depend',`
########################################
#
-# files_read_general_system_config(domain)
+# files_read_generic_etc_files(domain)
#
-define(`files_read_general_system_config',`
+define(`files_read_generic_etc_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir r_dir_perms;
@@ -511,7 +512,7 @@ define(`files_read_general_system_config',`
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_read_general_system_config_depend',`
+define(`files_read_generic_etc_files_depend',`
type etc_t;
class dir r_dir_perms;
@@ -521,9 +522,9 @@ define(`files_read_general_system_config_depend',`
########################################
#
-# files_modify_general_system_config(domain)
+# files_rw_generic_etc_files(domain)
#
-define(`files_modify_general_system_config',`
+define(`files_rw_generic_etc_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir r_dir_perms;
@@ -531,7 +532,7 @@ define(`files_modify_general_system_config',`
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_modify_general_system_config_depend',`
+define(`files_rw_generic_etc_files_depend',`
type etc_t;
class dir r_dir_perms;
@@ -541,9 +542,9 @@ define(`files_modify_general_system_config_depend',`
########################################
#
-# files_manage_general_system_config(domain)
+# files_manage_generic_etc_files(domain)
#
-define(`files_manage_general_system_config',`
+define(`files_manage_generic_etc_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir rw_dir_perms;
@@ -551,7 +552,7 @@ define(`files_manage_general_system_config',`
allow $1 etc_t:lnk_file r_file_perms;
')
-define(`files_manage_general_system_config_depend',`
+define(`files_manage_generic_etc_files_depend',`
type etc_t;
class dir rw_dir_perms;
@@ -560,7 +561,7 @@ define(`files_manage_general_system_config_depend',`
')
########################################
-##
+##
##
## Delete system configuration files in /etc.
##
@@ -569,14 +570,14 @@ define(`files_manage_general_system_config_depend',`
##
##
#
-define(`files_remove_general_system_config',`
+define(`files_delete_generic_etc_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir rw_dir_perms;
allow $1 etc_t:file unlink;
')
-define(`files_remove_general_system_config_depend',`
+define(`files_delete_generic_etc_files_depend',`
type etc_t;
class dir rw_dir_perms;
@@ -585,9 +586,9 @@ define(`files_remove_general_system_config_depend',`
########################################
#
-# files_execute_system_config_script(domain)
+# files_exec_generic_etc_files(domain)
#
-define(`files_execute_system_config_script',`
+define(`files_exec_generic_etc_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir r_dir_perms;
@@ -596,7 +597,7 @@ define(`files_execute_system_config_script',`
')
-define(`files_execute_system_config_script_depend',`
+define(`files_exec_generic_etc_files_depend',`
type etc_t;
class dir r_dir_perms;
@@ -627,9 +628,9 @@ define(`files_create_boot_flag_depend',`
########################################
#
-# files_manage_runtime_system_config(type)
+# files_manage_etc_runtime_files(type)
#
-define(`files_manage_runtime_system_config',`
+define(`files_manage_etc_runtime_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir rw_dir_perms;
@@ -637,7 +638,7 @@ define(`files_manage_runtime_system_config',`
type_transition $1 etc_t:file etc_runtime_t;
')
-define(`files_manage_runtime_system_config_depend',`
+define(`files_manage_etc_runtime_files_depend',`
type etc_t, etc_runtime_t;
class dir rw_dir_perms;
@@ -646,16 +647,16 @@ define(`files_manage_runtime_system_config_depend',`
########################################
#
-# files_read_runtime_system_config(domain)
+# files_read_etc_runtime_files(domain)
#
-define(`files_read_runtime_system_config',`
+define(`files_read_etc_runtime_files',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir r_dir_perms;
allow $1 etc_runtime_t:file r_file_perms;
')
-define(`files_read_runtime_system_config_depend',`
+define(`files_read_etc_runtime_files_depend',`
type etc_t, etc_runtime_t;
class dir r_dir_perms;
@@ -664,9 +665,9 @@ define(`files_read_runtime_system_config_depend',`
########################################
#
-# files_create_private_config(domain,privatetype,[class(es)])
+# files_create_etc_config(domain,privatetype,[class(es)])
#
-define(`files_create_private_config',`
+define(`files_create_etc_config',`
requires_block_template(`$0'_depend)
allow $1 etc_t:dir rw_dir_perms;
@@ -677,7 +678,7 @@ define(`files_create_private_config',`
')
')
-define(`files_create_private_config_depend',`
+define(`files_create_etc_config_depend',`
type etc_t;
class dir rw_dir_perms;
@@ -685,15 +686,15 @@ class dir rw_dir_perms;
########################################
#
-# files_modify_isid_type_dir(domain)
+# files_rw_isid_type_dir(domain)
#
-define(`files_modify_isid_type_dir',`
+define(`files_rw_isid_type_dir',`
requires_block_template(`$0'_depend)
allow $1 file_t:dir rw_dir_perms;
')
-define(`files_modify_isid_type_dir_depend',`
+define(`files_rw_isid_type_dir_depend',`
type file_t;
class dir rw_dir_perms;
@@ -701,15 +702,15 @@ define(`files_modify_isid_type_dir_depend',`
########################################
#
-# files_ignore_get_isid_type_dir_attrib(domain)
+# files_dontaudit_getattr_isid_type_dir(domain)
#
-define(`files_ignore_get_isid_type_dir_attrib',`
+define(`files_dontaudit_getattr_isid_type_dir',`
requires_block_template(`$0'_depend)
dontaudit $1 file_t:dir search;
')
-define(`files_ignore_get_isid_type_dir_attrib_depend',`
+define(`files_dontaudit_getattr_isid_type_dir_depend',`
type file_t;
class dir search;
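Review bot: The new name `files_dontaudit_getattr_isid_type_dir` promises a getattr dontaudit, but the rule beneath it is `dontaudit $1 file_t:dir search;` and the depend block declares `class dir search;`, which makes it byte-for-byte the same interface as `files_dontaudit_search_isid_type_dir` in the next hunk. Either the rule was meant to be `dontaudit $1 file_t:dir getattr;` with `class dir getattr;` in the depend block, or the interface is a duplicate and one of the pair should be dropped. The old name had the same mismatch, so this is pre-existing, but the rename is the moment to settle which one is intended.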
@@ -717,22 +718,22 @@ define(`files_ignore_get_isid_type_dir_attrib_depend',`
########################################
#
-# files_ignore_search_isid_type_dir(domain)
+# files_dontaudit_search_isid_type_dir(domain)
#
-define(`files_ignore_search_isid_type_dir',`
+define(`files_dontaudit_search_isid_type_dir',`
requires_block_template(`$0'_depend)
dontaudit $1 file_t:dir search;
')
-define(`files_ignore_search_isid_type_dir_depend',`
+define(`files_dontaudit_search_isid_type_dir_depend',`
type file_t;
class dir search;
')
########################################
-##
+##
##
## Get listing home home directories.
##
@@ -741,13 +742,13 @@ define(`files_ignore_search_isid_type_dir_depend',`
##
##
#
-define(`files_list_home_directories',`
+define(`files_list_home',`
requires_block_template(`$0'_depend)
allow $1 home_root_t:dir r_dir_perms;
')
-define(`files_list_home_directories_depend',`
+define(`files_list_home_depend',`
type home_root_t;
class dir r_dir_perms;
@@ -755,15 +756,15 @@ define(`files_list_home_directories_depend',`
########################################
#
-# files_read_mnt_dir(domain)
+# files_list_mnt(domain)
#
-define(`files_read_mnt_dir',`
+define(`files_list_mnt',`
requires_block_template(`$0'_depend)
allow $1 mnt_t:dir r_dir_perms;
')
-define(`files_read_runtime_system_config_depend',`
+define(`files_read_etc_runtime_files_depend',`
type mnt_t;
class dir r_dir_perms;
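Review bot: The depend macro directly under `files_list_mnt` is renamed to `files_read_etc_runtime_files_depend` instead of `files_list_mnt_depend`, so the `requires_block_template(`$0'_depend)` line in `files_list_mnt` refers to a macro that is never defined, and because m4 keeps the last definition this `type mnt_t;` body presumably replaces the real `files_read_etc_runtime_files_depend` (`type etc_t, etc_runtime_t;`) defined earlier in this file. The same slip appears in the hunk that renames the depend macro under `files_exec_usr_files` to `files_read_usr_src_depend`; there the later genuine definition wins, but `files_exec_usr_files_depend` is still missing. Both mistakes predate the commit, yet the rename carries them forward; the two lines should read "define(`files_list_mnt_depend',`" and "define(`files_exec_usr_files_depend',`" respectively. Both depend bodies continue outside their hunks.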
@@ -771,9 +772,9 @@ define(`files_read_runtime_system_config_depend',`
########################################
#
-# files_create_private_tmp_data(domain,private_type,[object class(es)])
+# files_create_tmp_files(domain,private_type,[object class(es)])
#
-define(`files_create_private_tmp_data',`
+define(`files_create_tmp_files',`
requires_block_template(`$0'_depend)
allow $1 tmp_t:dir rw_dir_perms;
@@ -785,7 +786,7 @@ define(`files_create_private_tmp_data',`
')
')
-define(`files_create_private_tmp_data_depend',`
+define(`files_create_tmp_files_depend',`
type tmp_t;
class dir rw_dir_perms;
@@ -793,9 +794,9 @@ define(`files_create_private_tmp_data_depend',`
########################################
#
-# files_remove_all_tmp_data(domain)
+# files_delete_all_tmp_files(domain)
#
-define(`files_remove_all_tmp_data',`
+define(`files_delete_all_tmp_files',`
requires_block_template(`$0'_depend)
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
@@ -805,7 +806,7 @@ define(`files_remove_all_tmp_data',`
allow $1 tmpfile:sock_file { getattr unlink };
')
-define(`files_remove_all_tmp_data_depend',`
+define(`files_delete_all_tmp_files_depend',`
attribute tmpfile;
class dir { getattr search read write add_name remove_name rmdir };
@@ -817,15 +818,15 @@ define(`files_remove_all_tmp_data_depend',`
########################################
#
-# files_search_general_application_resources_dir(domain)
+# files_search_usr(domain)
#
-define(`files_search_general_application_resources_dir',`
+define(`files_search_usr',`
requires_block_template(`$0'_depend)
allow $1 usr_t:dir search;
')
-define(`files_search_general_application_resources_dir_depend',`
+define(`files_search_usr_depend',`
type usr_t;
class dir search;
@@ -833,16 +834,16 @@ define(`files_search_general_application_resources_dir_depend',`
########################################
#
-# files_read_general_application_resources(domain)
+# files_read_usr_files(domain)
#
-define(`files_read_general_application_resources',`
+define(`files_read_usr_files',`
requires_block_template(`$0'_depend)
allow $1 usr_t:dir r_dir_perms;
allow $1 usr_t:{ file lnk_file } r_file_perms;
')
-define(`files_read_general_application_resources_depend',`
+define(`files_read_usr_files_depend',`
type usr_t;
class dir r_dir_perms;
@@ -851,7 +852,7 @@ define(`files_read_general_application_resources_depend',`
')
########################################
-##
+##
##
## Execute programs in /usr/src in the caller domain.
##
@@ -860,7 +861,7 @@ define(`files_read_general_application_resources_depend',`
##
##
#
-define(`files_execute_system_source_code_scripts',`
+define(`files_exec_usr_files',`
requires_block_template(`$0'_depend)
allow $1 usr_t:dir search;
@@ -870,7 +871,7 @@ define(`files_execute_system_source_code_scripts',`
')
-define(`files_read_system_source_code_depend',`
+define(`files_read_usr_src_depend',`
type usr_t, src_t;
class dir r_dir_perms;
@@ -880,9 +881,9 @@ define(`files_read_system_source_code_depend',`
########################################
#
-# files_read_system_source_code(domain)
+# files_read_usr_src(domain)
#
-define(`files_read_system_source_code',`
+define(`files_read_usr_src',`
requires_block_template(`$0'_depend)
allow $1 usr_t:dir search;
@@ -890,7 +891,7 @@ define(`files_read_system_source_code',`
allow $1 src_t:{ file lnk_file } r_file_perms;
')
-define(`files_read_system_source_code_depend',`
+define(`files_read_usr_src_depend',`
type usr_t, src_t;
class dir r_dir_perms;
@@ -900,15 +901,15 @@ define(`files_read_system_source_code_depend',`
########################################
#
-# files_search_system_state_data_directory(domain)
+# files_search_var(domain)
#
-define(`files_search_system_state_data_directory',`
+define(`files_search_var',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
')
-define(`files_search_system_state_data_directory_depend',`
+define(`files_search_var_depend',`
type var_t;
class dir search;
@@ -916,15 +917,15 @@ define(`files_search_system_state_data_directory_depend',`
########################################
#
-# files_ignore_search_system_state_data_directory(domain)
+# files_dontaudit_search_var(domain)
#
-define(`files_ignore_search_system_state_data_directory',`
+define(`files_dontaudit_search_var',`
requires_block_template(`$0'_depend)
dontaudit $1 var_t:dir search;
')
-define(`files_ignore_search_system_state_data_directory_depend',`
+define(`files_dontaudit_search_var_depend',`
type var_t;
class dir search;
@@ -932,9 +933,9 @@ define(`files_ignore_search_system_state_data_directory_depend',`
########################################
#
-# files_manage_pseudorandom_saved_seed(domain)
+# files_manage_urandom_seed(domain)
#
-define(`files_manage_pseudorandom_saved_seed',`
+define(`files_manage_urandom_seed',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -942,7 +943,7 @@ define(`files_manage_pseudorandom_saved_seed',`
allow $1 var_lib_t:file { getattr create read write setattr unlink };
')
-define(`files_manage_pseudorandom_saved_seed_depend',`
+define(`files_manage_urandom_seed_depend',`
type var_t, var_lib_t;
class dir rw_file_perms;
@@ -951,16 +952,16 @@ define(`files_manage_pseudorandom_saved_seed_depend',`
########################################
#
-# files_get_system_lock_file_attributes(domain)
+# files_getattr_generic_lock_files(domain)
#
-define(`files_get_system_lock_file_attributes',`
+define(`files_getattr_generic_lock_files',`
requires_block_template(`$0'_depend)
allow $1 var_lock_t:dir r_dir_perms;
allow $1 var_lock_t:file getattr;
')
-define(`files_get_system_lock_file_attributes_depend',`
+define(`files_getattr_generic_lock_files_depend',`
type var_lock_t;
class dir r_dir_perms;
@@ -969,16 +970,16 @@ define(`files_get_system_lock_file_attributes_depend',`
########################################
#
-# files_manage_system_lock_files(domain)
+# files_manage_generic_lock_files(domain)
#
-define(`files_manage_system_lock_files',`
+define(`files_manage_generic_lock_files',`
requires_block_template(`$0'_depend)
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
allow $1 var_lock_t:file { getattr create read write setattr unlink };
')
-define(`files_manage_system_lock_files_depend',`
+define(`files_manage_generic_lock_files_depend',`
type var_lock_t;
class dir { getattr search create read write setattr add_name remove_name rmdir };
@@ -987,16 +988,16 @@ define(`files_manage_system_lock_files_depend',`
########################################
#
-# files_remove_all_lock_files(domain)
+# files_delete_all_lock_files(domain)
#
-define(`files_remove_all_lock_files',`
+define(`files_delete_all_lock_files',`
requires_block_template(`$0'_depend)
allow $1 lockfile:dir rw_dir_perms;
allow $1 lockfile:file { getattr unlink };
')
-define(`files_remove_all_lock_files_depend',`
+define(`files_delete_all_lock_files_depend',`
attribute lockfile;
class dir rw_dir_perms;
@@ -1005,9 +1006,9 @@ define(`files_remove_all_lock_files_depend',`
########################################
#
-# files_create_private_lock_file(domain,private_type,[object class(es)])
+# files_create_lock_file(domain,private_type,[object class(es)])
#
-define(`files_create_private_lock_file',`
+define(`files_create_lock_file',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1020,7 +1021,7 @@ define(`files_create_private_lock_file',`
')
')
-define(`files_create_private_lock_file_depend',`
+define(`files_create_lock_file_depend',`
type var_t, var_lock_t;
class dir rw_dir_perms;
@@ -1028,16 +1029,16 @@ define(`files_create_private_lock_file_depend',`
########################################
#
-# files_search_runtime_data_directory(domain)
+# files_search_pids(domain)
#
-define(`files_search_runtime_data_directory',`
+define(`files_search_pids',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_run_t:dir search;
')
-define(`files_search_runtime_data_directory_depend',`
+define(`files_search_pids_depend',`
type var_t, var_run_t;
class dir search;
@@ -1045,15 +1046,15 @@ define(`files_search_runtime_data_directory_depend',`
########################################
#
-# files_ignore_search_runtime_data_directory(domain)
+# files_dontaudit_search_pids(domain)
#
-define(`files_ignore_search_runtime_data_directory',`
+define(`files_dontaudit_search_pids',`
requires_block_template(`$0'_depend)
allow $1 var_run_t:dir search;
')
-define(`files_ignore_search_runtime_data_directory_depend',`
+define(`files_dontaudit_search_pids_depend',`
type var_run_t;
class dir search;
@@ -1061,16 +1062,16 @@ define(`files_ignore_search_runtime_data_directory_depend',`
########################################
#
-# files_read_runtime_data_directory(domain)
+# files_list_pids(domain)
#
-define(`files_read_runtime_data_directory',`
+define(`files_list_pids',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_run_t:dir r_dir_perms;
')
-define(`files_read_runtime_data_directory_depend',`
+define(`files_list_pids_depend',`
type var_t, var_run_t;
class dir r_dir_perms;
@@ -1078,9 +1079,9 @@ define(`files_read_runtime_data_directory_depend',`
########################################
#
-# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
+# files_create_pid(domain,pidfile,[object class(es)])
#
-define(`files_create_daemon_runtime_data',`
+define(`files_create_pid',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1093,7 +1094,7 @@ define(`files_create_daemon_runtime_data',`
')
')
-define(`files_create_daemon_runtime_data_depend',`
+define(`files_create_pid_depend',`
type var_t, var_run_t;
class dir rw_dir_perms;
@@ -1101,9 +1102,9 @@ define(`files_create_daemon_runtime_data_depend',`
########################################
#
-# files_modify_system_runtime_data(domain)
+# files_rw_generic_pids(domain)
#
-define(`files_modify_system_runtime_data',`
+define(`files_rw_generic_pids',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1111,7 +1112,7 @@ define(`files_modify_system_runtime_data',`
allow $1 var_run_t:file rw_file_perms;
')
-define(`files_modify_system_runtime_data_depend',`
+define(`files_rw_generic_pids_depend',`
type var_t, var_run_t;
class dir r_dir_perms;
@@ -1119,7 +1120,7 @@ define(`files_modify_system_runtime_data_depend',`
')
########################################
-##
+##
##
## Do not audit attempts to write to daemon runtime data files.
##
@@ -1129,20 +1130,20 @@ define(`files_modify_system_runtime_data_depend',`
##
#
-define(`files_ignore_write_all_daemon_runtime_data',`
+define(`files_dontaudit_write_all_pids',`
requires_block_template(`$0'_depend)
dontaudit $1 pidfile:file write;
')
-define(`files_ignore_write_all_daemon_runtime_data_depend',`
+define(`files_dontaudit_write_all_pids_depend',`
attribute pidfile;
class file write;
')
########################################
-##
+##
##
## Do not audit attempts to ioctl daemon runtime data files.
##
@@ -1152,13 +1153,13 @@ define(`files_ignore_write_all_daemon_runtime_data_depend',`
##
#
-define(`files_ignore_ioctl_all_daemon_runtime_data',`
+define(`files_dontaudit_ioctl_all_pids',`
requires_block_template(`$0'_depend)
dontaudit $1 pidfile:file ioctl;
')
-define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
+define(`files_dontaudit_ioctl_all_pids_depend',`
attribute pidfile;
class file ioctl;
@@ -1166,9 +1167,9 @@ define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
########################################
#
-# files_read_all_daemon_runtime_data(domain)
+# files_read_all_pids(domain)
#
-define(`files_read_all_daemon_runtime_data',`
+define(`files_read_all_pids',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1176,7 +1177,7 @@ define(`files_read_all_daemon_runtime_data',`
allow $1 pidfile:file r_file_perms;
')
-define(`files_read_all_daemon_runtime_data_depend',`
+define(`files_read_all_pids_depend',`
attribute pidfile;
type var_t;
@@ -1186,9 +1187,9 @@ define(`files_read_all_daemon_runtime_data_depend',`
########################################
#
-# files_remove_all_daemon_runtime_data(domain)
+# files_delete_all_pids(domain)
#
-define(`files_remove_all_daemon_runtime_data',`
+define(`files_delete_all_pids',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1199,7 +1200,7 @@ define(`files_remove_all_daemon_runtime_data',`
allow $1 pidfile:sock_file { getattr unlink };
')
-define(`files_remove_all_daemon_runtime_data_depend',`
+define(`files_delete_all_pids_depend',`
attribute pidfile;
type var_t, var_run_t;
@@ -1212,16 +1213,16 @@ define(`files_remove_all_daemon_runtime_data_depend',`
########################################
#
-# files_search_system_spool_directory(domain)
+# files_search_spool(domain)
#
-define(`files_search_system_spool_directory',`
+define(`files_search_spool',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_spool_t:dir search;
')
-define(`files_search_system_spool_directory_depend',`
+define(`files_search_spool_depend',`
type var_t, var_spool_t;
class dir search;
@@ -1229,16 +1230,16 @@ define(`files_search_system_spool_directory_depend',`
########################################
#
-# files_read_system_spool_directory(domain)
+# files_list_spool(domain)
#
-define(`files_read_system_spool_directory',`
+define(`files_list_spool',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
allow $1 var_spool_t:dir r_dir_perms;
')
-define(`files_read_system_spool_directory_depend',`
+define(`files_list_spool_depend',`
type var_t, var_spool_t;
class dir r_dir_perms;
@@ -1246,9 +1247,9 @@ define(`files_read_system_spool_directory_depend',`
########################################
#
-# files_read_system_spools(domain)
+# files_read_spools(domain)
#
-define(`files_read_system_spools',`
+define(`files_read_spools',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1256,7 +1257,7 @@ define(`files_read_system_spools',`
allow $1 var_spool_t:file r_file_perms;
')
-define(`files_read_system_spools_depend',`
+define(`files_read_spools_depend',`
type var_t, var_spool_t;
class dir r_dir_perms;
@@ -1265,9 +1266,9 @@ define(`files_read_system_spools_depend',`
########################################
#
-# files_manage_system_spools(domain)
+# files_manage_spools(domain)
#
-define(`files_manage_system_spools',`
+define(`files_manage_spools',`
requires_block_template(`$0'_depend)
allow $1 var_t:dir search;
@@ -1275,7 +1276,7 @@ define(`files_manage_system_spools',`
allow $1 var_spool_t:file create_file_perms;
')
-define(`files_manage_system_spools_depend',`
+define(`files_manage_spools_depend',`
type var_t, var_spool_t;
class dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 4bfe180..8a68f0d 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -2,7 +2,7 @@
## Policy for getty.
########################################
-##
+##
##
## Execute gettys in the getty domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`getty_transition',`
+define(`getty_domtrans',`
requires_block_template(`$0'_depend)
allow $1 getty_exec_t:file { getattr read execute };
@@ -25,7 +25,7 @@ define(`getty_transition',`
allow getty_t $1:process sigchld;
')
-define(`getty_transition_depend',`
+define(`getty_domtrans_depend',`
type getty_t, getty_exec_t;
class file { getattr read execute };
@@ -35,7 +35,7 @@ define(`getty_transition_depend',`
')
########################################
-##
+##
##
## Allow process to read getty log file.
##
@@ -44,20 +44,20 @@ define(`getty_transition_depend',`
##
##
#
-define(`getty_read_log_file',`
+define(`getty_read_log',`
requires_block_template(`$0'_depend)
allow $1 getty_log_t:file { getattr read };
')
-define(`getty_read_log_file_depend',`
+define(`getty_read_log_depend',`
type getty_log_t;
class file { getattr read };
')
########################################
-##
+##
##
## Allow process to read getty config file.
##
@@ -66,20 +66,20 @@ define(`getty_read_log_file_depend',`
##
##
#
-define(`getty_read_config_file',`
+define(`getty_read_config',`
requires_block_template(`$0'_depend)
allow $1 getty_etc_t:file { getattr read };
')
-define(`getty_read_config_file_depend',`
+define(`getty_read_config_depend',`
type getty_etc_t;
class file { getattr read };
')
########################################
-##
+##
##
## Allow process to edit getty config file.
##
@@ -88,13 +88,13 @@ define(`getty_read_config_file_depend',`
##
##
#
-define(`getty_modify_config_file',`
+define(`getty_modify_config',`
requires_block_template(`$0'_depend)
allow $1 getty_etc_t:file { getattr read write };
')
-define(`getty_modify_config_file_depend',`
+define(`getty_modify_config_depend',`
type getty_etc_t;
class file { getattr read write };
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index aafc77d..46e3772 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -8,17 +8,17 @@ policy_module(getty,1.0)
type getty_t;
type getty_exec_t;
-init_make_init_domain(getty_t,getty_exec_t)
-domain_make_file_descriptors_widely_inheritable(getty_t)
+init_domain(getty_t,getty_exec_t)
+domain_wide_inherit_fd(getty_t)
type getty_etc_t;
typealias getty_etc_t alias etc_getty_t;
type getty_log_t;
-logging_make_log_file(getty_log_t)
+logging_log_file(getty_log_t)
type getty_tmp_t;
-files_make_temporary_file(getty_tmp_t)
+files_tmp_file(getty_tmp_t)
########################################
#
@@ -34,11 +34,11 @@ allow getty_t self:process { getpgid getsession };
allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms;
-files_create_private_config(getty_t,getty_etc_t,{ file dir })
+files_create_etc_config(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
-files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir })
+files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
allow getty_t getty_log_t:file { getattr append setattr };
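Review bot: The permission set on the getty_tmp_t file rule (`allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };`) lists `setattr` twice, and the dir rule on the following line repeats the same duplication. This is context carried over by the rename rather than something the commit introduces, but since the block is being touched it is a good moment to tidy it. I would write `allow getty_t getty_tmp_t:file { getattr create read setattr write unlink };` and drop the second `setattr` from the dir rule likewise. Duplicate permissions are harmless to the compiler but make it harder to audit what the domain is actually granted.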
@@ -54,23 +54,23 @@ term_setattr_all_user_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
-authlogin_modify_login_records(getty_t)
+auth_rw_login_records(getty_t)
-corecommands_search_general_programs_directory(getty_t)
+corecmd_search_bin(getty_t)
-files_modify_system_runtime_data(getty_t)
-files_manage_system_lock_files(getty_t)
-files_read_runtime_system_config(getty_t)
-files_read_general_system_config(getty_t)
+files_rw_generic_pids(getty_t)
+files_manage_generic_lock_files(getty_t)
+files_read_etc_runtime_files(getty_t)
+files_read_generic_etc_files(getty_t)
-init_script_modify_runtime_data(getty_t)
-init_script_use_pseudoterminal(getty_t)
+init_rw_script_pid(getty_t)
+init_use_script_pty(getty_t)
-libraries_use_dynamic_loader(getty_t)
-libraries_use_shared_libraries(getty_t)
+libs_use_ld_so(getty_t)
+libs_use_shared_libs(getty_t)
-locallogin_transition(getty_t)
+locallogin_domtrans(getty_t)
-logging_send_system_log_message(getty_t)
+logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if
index 6197994..272ae12 100644
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@@ -2,7 +2,7 @@
## Policy for changing the system host name.
########################################
-##
+##
##
## Execute hostname in the hostname domain.
##
@@ -12,7 +12,7 @@
##
##
#
-define(`hostname_transition',`
+define(`hostname_domtrans',`
requires_block_template(`$0'_depend)
allow $1 hostname_exec_t:file rx_file_perms;
@@ -26,7 +26,7 @@ define(`hostname_transition',`
allow hostname_t $1:process sigchld;
')
-define(`hostname_transition_depend',`
+define(`hostname_domtrans_depend',`
type hostname_t, hostname_exec_t;
class file rx_file_perms;
@@ -36,7 +36,7 @@ define(`hostname_transition_depend',`
')
########################################
-##
+##
##
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
@@ -53,22 +53,22 @@ define(`hostname_transition_depend',`
##
##
#
-define(`hostname_transition_add_role_use_terminal',`
+define(`hostname_run',`
requires_block_template(`$0'_depend)
- hostname_transition($1)
+ hostname_domtrans($1)
role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl };
')
-define(`hostname_transition_add_role_use_terminal_depend',`
+define(`hostname_run_depend',`
type hostname_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute hostname in the hostname domain, and
## Has a sigchld signal backchannel.
@@ -80,16 +80,16 @@ define(`hostname_transition_add_role_use_terminal_depend',`
#
#######################################
#
-# hostname_execute(domain)
+# hostname_exec(domain)
#
-define(`hostname_execute',`
+define(`hostname_exec',`
requires_block_template(`$0'_depend)
can_exec($1,hostname_exec_t)
')
-define(`hostname_execute_depend',`
+define(`hostname_exec_depend',`
type hostname_exec_t;
class file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 3353e17..ae17162 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -8,7 +8,7 @@ policy_module(hostname,1.0)
type hostname_t;
type hostname_exec_t;
-init_make_system_domain(hostname_t,hostname_exec_t)
+init_system_domain(hostname_t,hostname_exec_t)
role system_r types hostname_t;
@@ -23,36 +23,36 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
allow hostname_t self:capability sys_admin;
dontaudit hostname_t self:capability sys_tty_config;
-sysnetwork_read_network_config(hostname_t)
+sysnet_read_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t)
kernel_read_hardware_state(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
-files_read_general_system_config(hostname_t)
-files_ignore_search_system_state_data_directory(hostname_t)
+files_read_generic_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
fs_getattr_xattr_fs(hostname_t)
term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t)
term_use_all_user_ptys(hostname_t)
-init_use_file_descriptors(hostname_t)
-init_script_use_pseudoterminal(hostname_t)
+init_use_fd(hostname_t)
+init_use_script_pty(hostname_t)
-domain_use_widely_inheritable_file_descriptors(hostname_t)
+domain_use_wide_inherit_fd(hostname_t)
# for when /usr is not mounted:
-files_ignore_search_isid_type_dir(hostname_t)
+files_dontaudit_search_isid_type_dir(hostname_t)
-libraries_use_dynamic_loader(hostname_t)
-libraries_use_shared_libraries(hostname_t)
+libs_use_ld_so(hostname_t)
+libs_use_shared_libs(hostname_t)
-logging_send_system_log_message(hostname_t)
+logging_send_syslog_msg(hostname_t)
miscfiles_read_localization(hostname_t)
-userdomain_use_all_users_file_descriptors(hostname_t)
+userdom_use_all_user_fd(hostname_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(hostname_t)
@@ -61,7 +61,7 @@ ifdef(`distro_redhat', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hostname_t)
terminal_ignore_use_general_pseudoterminal(hostname_t)
- files_ignore_read_rootfs_file(hostname_t)
+ files_dontaudit_read_root_file(hostname_t)
')
tunable_policy(`use_dns',`
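Review bot: The targeted_policy block still calls `terminal_ignore_use_general_pseudoterminal(hostname_t)` while the line above it already uses the new `term_dontaudit_*` form and the commit renames the neighbouring `files_ignore_read_rootfs_file` to `files_dontaudit_read_root_file`. The same leftover appears in the targeted_policy block of hotplug.te. I cannot see terminal.if in this chunk, so I cannot tell whether that interface was renamed as part of this series; if it was, both calls will fail to expand, and if it was not, the mix of `term_dontaudit_` and `terminal_ignore_` prefixes in one block is at least inconsistent with the naming convention this commit is adopting. Presumably the intended call is the `term_dontaudit_` equivalent; worth confirming against terminal.if before merging.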
@@ -72,11 +72,11 @@ tunable_policy(`use_dns',`
corenet_raw_sendrecv_all_nodes(hostname_t)
corenet_udp_bind_all_nodes(hostname_t)
corenet_udp_sendrecv_dns_port(hostname_t)
- sysnetwork_read_network_config(hostname_t)
+ sysnet_read_config(hostname_t)
')
optional_policy(`hotplug.te',`
- hotplug_ignore_use_file_descriptors(hostname_t)
+ hotplug_dontaudit_use_fd(hostname_t)
')
optional_policy(`selinux.te',`
@@ -84,7 +84,7 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(hostname_t)
+ udev_read_db(hostname_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index c80095a..6f0b15f 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -6,9 +6,9 @@
#######################################
#
-# hotplug_transition(domain)
+# hotplug_domtrans(domain)
#
-define(`hotplug_transition',`
+define(`hotplug_domtrans',`
requires_block_template(`$0'_depend)
allow $1 hotplug_exec_t:file rx_file_perms;
@@ -22,7 +22,7 @@ define(`hotplug_transition',`
allow hotplug_t $1:process sigchld;
')
-define(`hotplug_transition_depend',`
+define(`hotplug_domtrans_depend',`
type hotplug_t, hotplug_exec_t;
class file rx_file_perms;
@@ -33,16 +33,16 @@ define(`hotplug_transition_depend',`
#######################################
#
-# hotplug_execute(domain)
+# hotplug_exec(domain)
#
-define(`hotplug_execute',`
+define(`hotplug_exec',`
requires_block_template(`$0'_depend)
can_exec($1,hotplug_exec_t)
')
-define(`hotplug_execute_depend',`
+define(`hotplug_exec_depend',`
type hotplug_t;
class file { getattr read execute execute_no_trans };
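Review bot: `hotplug_exec_depend` declares `type hotplug_t;` but the macro body it backs (`can_exec($1,hotplug_exec_t)`) only references `hotplug_exec_t`, so the requires block is for the wrong type. The sibling interface renamed in this same commit, `hostname_exec_depend`, correctly declares `type hostname_exec_t;`, and the consoletype equivalent does the same. The line should read `type hotplug_exec_t;`. This mismatch predates the rename, but the commit carries it forward; the `_depend` block continues past the end of the hunk.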
@@ -50,15 +50,15 @@ define(`hotplug_execute_depend',`
#######################################
#
-# hotplug_use_file_descriptors(domain)
+# hotplug_use_fd(domain)
#
-define(`hotplug_use_file_descriptors',`
+define(`hotplug_use_fd',`
requires_block_template(`$0'_depend)
allow $1 hotplug_t:fd use;
')
-define(`hotplug_use_file_descriptors_depend',`
+define(`hotplug_use_fd_depend',`
type hotplug_t;
class fd use;
@@ -66,15 +66,15 @@ define(`hotplug_use_file_descriptors_depend',`
#######################################
#
-# hotplug_ignore_use_file_descriptors(domain)
+# hotplug_dontaudit_use_fd(domain)
#
-define(`hotplug_ignore_use_file_descriptors',`
+define(`hotplug_dontaudit_use_fd',`
requires_block_template(`$0'_depend)
dontaudit $1 hotplug_t:fd use;
')
-define(`hotplug_ignore_use_file_descriptors_depend',`
+define(`hotplug_dontaudit_use_fd_depend',`
type hotplug_t;
class fd use;
@@ -82,15 +82,15 @@ define(`hotplug_ignore_use_file_descriptors_depend',`
########################################
#
-# hotplug_ignore_search_config_directory(domain)
+# hotplug_dontaudit_search_config(domain)
#
-define(`hotplug_ignore_search_config_directory',`
+define(`hotplug_dontaudit_search_config',`
requires_block_template(`$0'_depend)
dontaudit $1 hotplug_etc_t:dir search;
')
-define(`hotplug_ignore_search_config_directory_depend',`
+define(`hotplug_dontaudit_search_config_depend',`
type hotplug_etc_t;
class dir search;
@@ -109,7 +109,7 @@ define(`hotplug_ignore_search_config_directory_depend',`
define(`hotplug_read_config',`
requires_block_template(`$0'_depend)
- files_search_general_system_config_directory($1)
+ files_search_etc($1)
allow $1 hotplug_etc_t:file r_file_perms;
allow $1 hotplug_etc_t:dir r_dir_perms;
allow $1 hotplug_etc_t:lnk_file r_file_perms;
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 50252fe..6e59141 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -9,13 +9,13 @@ policy_module(hotplug, 1.0)
type hotplug_t;
type hotplug_exec_t;
kernel_userland_entry(hotplug_t,hotplug_exec_t)
-init_make_system_domain(hotplug_t,hotplug_exec_t)
+init_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread;
-files_make_file(hotplug_etc_t)
+files_file_type(hotplug_etc_t)
type hotplug_var_run_t;
-files_make_daemon_runtime_file(hotplug_var_run_t)
+files_pid_file(hotplug_var_run_t)
########################################
#
@@ -41,7 +41,7 @@ allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_tran
allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
-files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)
+files_create_pid(hotplug_t,hotplug_var_run_t)
kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t)
@@ -68,71 +68,71 @@ storage_set_removable_device_attributes(hotplug_t)
term_dontaudit_use_console(hotplug_t)
-corecommands_execute_general_programs(hotplug_t)
-corecommands_execute_shell(hotplug_t)
-corecommands_execute_system_programs(hotplug_t)
+corecmd_exec_bin(hotplug_t)
+corecmd_exec_shell(hotplug_t)
+corecmd_exec_sbin(hotplug_t)
-domain_use_widely_inheritable_file_descriptors(hotplug_t)
+domain_use_wide_inherit_fd(hotplug_t)
-files_read_general_system_config(hotplug_t)
-files_manage_runtime_system_config(hotplug_t)
-files_execute_system_config_script(hotplug_t)
+files_read_generic_etc_files(hotplug_t)
+files_manage_etc_runtime_files(hotplug_t)
+files_exec_generic_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot:
-files_ignore_search_isid_type_dir(hotplug_t)
+files_dontaudit_search_isid_type_dir(hotplug_t)
-init_use_file_descriptors(hotplug_t)
-init_script_use_pseudoterminal(hotplug_t)
-init_script_read_process_state(hotplug_t)
+init_use_fd(hotplug_t)
+init_use_script_pty(hotplug_t)
+init_read_script_process_state(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q
-init_script_transition(hotplug_t)
+init_domtrans_script(hotplug_t)
# kernel threads inherit from shared descriptor table used by init
-init_ignore_use_control_channel(hotplug_t)
+init_dontaudit_use_initctl(hotplug_t)
-logging_send_system_log_message(hotplug_t)
-logging_search_system_log_directory(hotplug_t)
+logging_send_syslog_msg(hotplug_t)
+logging_search_logs(hotplug_t)
-libraries_use_dynamic_loader(hotplug_t)
-libraries_use_shared_libraries(hotplug_t)
+libs_use_ld_so(hotplug_t)
+libs_use_shared_libs(hotplug_t)
# Read /usr/lib/gconv/.*
-libraries_read_library_resources(hotplug_t)
+libs_read_lib(hotplug_t)
-modutils_insmod_transition(hotplug_t)
+modutils_domtrans_insmod(hotplug_t)
modutils_read_kernel_module_dependencies(hotplug_t)
miscfiles_read_localization(hotplug_t)
-mount_transition(hotplug_t)
+mount_domtrans(hotplug_t)
-sysnetwork_read_network_config(hotplug_t)
+sysnet_read_config(hotplug_t)
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
+userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
ifdef(`distro_redhat', `
optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet
- netutils_transition(hotplug_t)
+ netutils_domtrans(hotplug_t)
fs_use_tmpfs_character_devices(hotplug_t)
')
- files_get_system_lock_file_attributes(hotplug_t)
+ files_getattr_generic_lock_files(hotplug_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t)
- files_ignore_read_rootfs_file(hotplug_t)
+ files_dontaudit_read_root_file(hotplug_t)
')
optional_policy(`consoletype.te',`
- consoletype_transition(hotplug_t)
+ consoletype_domtrans(hotplug_t)
')
optional_policy(`hostname.te',`
- hostname_execute(hotplug_t)
+ hostname_exec(hotplug_t)
')
optional_policy(`iptables.te',`
- iptables_transition(hotplug_t)
+ iptables_domtrans(hotplug_t)
')
optional_policy(`mta.te', `
@@ -144,12 +144,12 @@ optional_policy(`selinux.te',`
')
optional_policy(`sysnetwork.te',`
- sysnetwork_ifconfig_transition(hotplug_t)
+ sysnet_domtrans_ifconfig(hotplug_t)
')
optional_policy(`udev.te', `
- udev_transition(hotplug_t)
- udev_read_database(hotplug_t)
+ udev_domtrans(hotplug_t)
+ udev_read_db(hotplug_t)
')
optional_policy(`updfstab.te', `
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index bf0b733..68427f0 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -3,13 +3,13 @@
########################################
#
-# init_make_init_domain(domain,entrypointfile)
+# init_domain(domain,entrypointfile)
#
-define(`init_make_init_domain',`
+define(`init_domain',`
requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
role system_r types $1;
@@ -27,11 +27,11 @@ define(`init_make_init_domain',`
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
')
')
-define(`init_make_init_domain_depend',`
+define(`init_domain_depend',`
type init_t;
class file rx_file_perms;
class fd use;
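Review bot: The distro-conditional around `files_dontaudit_read_root_file($1)` is written as `optional_policy(`distro_redhat',`` whereas every other use of `optional_policy` on this page takes a module file (`hotplug.te`, `udev.te`, `selinux.te`) and `distro_redhat` is elsewhere tested with `ifdef(`distro_redhat', `` (see the .te files in this same diff). The same construct appears in the `init_daemon_domain` and `init_system_domain` hunks below. Unless `optional_policy` is meant to accept distro identifiers, which I cannot confirm from this chunk, these three should be `ifdef(`distro_redhat',``; as written the rule would presumably never be emitted. The enclosing `init_domain` definition starts before this hunk.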
@@ -42,13 +42,13 @@ define(`init_make_init_domain_depend',`
########################################
#
-# init_make_daemon_domain(domain,entrypointfile)
+# init_daemon_domain(domain,entrypointfile)
#
-define(`init_make_daemon_domain',`
+define(`init_daemon_domain',`
requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
role system_r types $1;
@@ -66,11 +66,11 @@ define(`init_make_daemon_domain',`
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
')
')
-define(`init_make_daemon_domain_depend',`
+define(`init_daemon_domain_depend',`
type initrc_t;
role system_r;
@@ -83,13 +83,13 @@ define(`init_make_daemon_domain_depend',`
########################################
#
-# init_make_system_domain(domain,entrypointfile)
+# init_system_domain(domain,entrypointfile)
#
-define(`init_make_system_domain',`
+define(`init_system_domain',`
requires_block_template(`$0'_depend)
- domain_make_domain($1)
- domain_make_entrypoint_file($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
role system_r types $1;
@@ -107,11 +107,11 @@ define(`init_make_system_domain',`
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1)
- files_ignore_read_rootfs_file($1)
+ files_dontaudit_read_root_file($1)
')
')
-define(`init_make_system_domain_depend',`
+define(`init_system_domain_depend',`
type initrc_t;
role system_r;
@@ -123,9 +123,9 @@ define(`init_make_system_domain_depend',`
########################################
#
-# init_transition(domain)
+# init_domtrans(domain)
#
-define(`init_transition',`
+define(`init_domtrans',`
requires_block_template(`$0'_depend)
allow $1 init_exec_t:file rx_file_perms;
@@ -139,7 +139,7 @@ define(`init_transition',`
allow init_t $1:process sigchld;
')
-define(`init_transition_depend',`
+define(`init_domtrans_depend',`
type init_t, init_exec_t;
class file rx_file_perms;
@@ -166,15 +166,15 @@ define(`init_get_process_group_depend',`
########################################
#
-# init_get_control_channel_attributes(domain)
+# init_getattr_initctl(domain)
#
-define(`init_get_control_channel_attributes',`
+define(`init_getattr_initctl',`
requires_block_template(`$0'_depend)
allow $1 initctl_t:fifo_file getattr;
')
-define(`init_get_control_channel_attributes_depend',`
+define(`init_getattr_initctl_depend',`
type initctl_t;
class fifo_file getattr;
@@ -182,15 +182,15 @@ define(`init_get_control_channel_attributes_depend',`
########################################
#
-# init_ignore_get_control_channel_attributes(domain)
+# init_dontaudit_getattr_initctl(domain)
#
-define(`init_ignore_get_control_channel_attributes',`
+define(`init_dontaudit_getattr_initctl',`
requires_block_template(`$0'_depend)
dontaudit $1 initctl_t:fifo_file getattr;
')
-define(`init_get_control_channel_attributes_depend',`
+define(`init_getattr_initctl_depend',`
type initctl_t;
class fifo_file getattr;
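Review bot: The new `init_dontaudit_getattr_initctl` macro calls `requires_block_template(`$0'_depend)`, which expands to `init_dontaudit_getattr_initctl_depend`, but the depend block that follows it is named `init_getattr_initctl_depend`. That name is already defined for the non-dontaudit interface in the preceding hunk, so this redefines it and leaves the dontaudit interface with no requires block at all. The old code had the same mismatch (`init_ignore_...` backed by `init_get_control_channel_attributes_depend`), and the rename preserved it instead of fixing it. The line should be `define(`init_dontaudit_getattr_initctl_depend',`.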
@@ -198,16 +198,16 @@ define(`init_get_control_channel_attributes_depend',`
########################################
#
-# init_use_control_channel(domain)
+# init_use_initctl(domain)
#
-define(`init_use_control_channel',`
+define(`init_use_initctl',`
requires_block_template(`$0'_depend)
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
')
-define(`init_use_control_channel_depend',`
+define(`init_use_initctl_depend',`
type initctl_t;
class fifo_file rw_file_perms;
@@ -215,15 +215,15 @@ define(`init_use_control_channel_depend',`
########################################
#
-# init_ignore_use_control_channel(domain)
+# init_dontaudit_use_initctl(domain)
#
-define(`init_ignore_use_control_channel',`
+define(`init_dontaudit_use_initctl',`
requires_block_template(`$0'_depend)
dontaudit $1 initctl_t:fifo_file { read write };
')
-define(`init_ignore_use_control_channel_depend',`
+define(`init_dontaudit_use_initctl_depend',`
type initctl_t;
class fifo_file { read write };
@@ -247,15 +247,15 @@ define(`init_sigchld_depend',`
########################################
#
-# init_use_file_descriptors(domain)
+# init_use_fd(domain)
#
-define(`init_use_file_descriptors',`
+define(`init_use_fd',`
requires_block_template(`$0'_depend)
allow $1 init_t:fd use;
')
-define(`init_use_file_descriptors_depend',`
+define(`init_use_fd_depend',`
type init_t;
class fd use;
@@ -263,15 +263,15 @@ define(`init_use_file_descriptors_depend',`
########################################
#
-# init_ignore_use_file_descriptors(domain)
+# init_dontaudit_use_fd(domain)
#
-define(`init_ignore_use_file_descriptors',`
+define(`init_dontaudit_use_fd',`
requires_block_template(`$0'_depend)
dontaudit $1 init_t:fd use;
')
-define(`init_ignore_use_file_descriptors_depend',`
+define(`init_dontaudit_use_fd_depend',`
type init_t;
class fd use;
@@ -279,9 +279,9 @@ define(`init_ignore_use_file_descriptors_depend',`
########################################
#
-# init_script_transition(domain)
+# init_domtrans_script(domain)
#
-define(`init_script_transition',`
+define(`init_domtrans_script',`
requires_block_template(`$0'_depend)
allow $1 initrc_exec_t:file rx_file_perms;
@@ -295,7 +295,7 @@ define(`init_script_transition',`
allow initrc_t $1:process sigchld;
')
-define(`init_script_transition_depend',`
+define(`init_domtrans_script_depend',`
type initrc_t, initrc_exec_t;
class file rx_file_perms;
@@ -306,23 +306,23 @@ define(`init_script_transition_depend',`
########################################
#
-# init_script_execute(domain)
+# init_exec_script(domain)
#
-define(`init_script_execute',`
+define(`init_exec_script',`
requires_block_template(`$0'_depend)
can_exec($1,initrc_exec_t)
')
-define(`init_script_execute_depend',`
+define(`init_exec_script_depend',`
type initrc_exec_t;
class file { getattr read execute execute_no_trans };
')
########################################
-##
+##
##
## Read the process state (/proc/pid) of the init scripts.
##
@@ -331,7 +331,7 @@ define(`init_script_execute_depend',`
##
##
#
-define(`init_script_read_process_state',`
+define(`init_read_script_process_state',`
requires_block_template(`$0'_depend)
allow $1 initrc_t:dir r_dir_perms;
@@ -345,7 +345,7 @@ define(`init_script_read_process_state',`
dontaudit $1 initrc_t:process ptrace;
')
-define(`init_script_read_process_state_depend',`
+define(`init_read_script_process_state_depend',`
type initrc_t;
class dir r_dir_perms;
@@ -356,15 +356,15 @@ define(`init_script_read_process_state_depend',`
########################################
#
-# init_script_use_file_descriptors(domain)
+# init_use_script_fd(domain)
#
-define(`init_script_use_file_descriptors',`
+define(`init_use_script_fd',`
requires_block_template(`$0'_depend)
allow $1 initrc_t:fd use;
')
-define(`init_script_use_file_descriptors_depend',`
+define(`init_use_script_fd_depend',`
type initrc_t;
class fd use;
@@ -372,15 +372,15 @@ define(`init_script_use_file_descriptors_depend',`
########################################
#
-# init_script_ignore_use_file_descriptors(domain)
+# init_dontaudit_use_script_fd(domain)
#
-define(`init_script_ignore_use_file_descriptors',`
+define(`init_dontaudit_use_script_fd',`
requires_block_template(`$0'_depend)
dontaudit $1 initrc_t:fd use;
')
-define(`init_script_ignore_use_file_descriptors_depend',`
+define(`init_dontaudit_use_script_fd_depend',`
type initrc_t;
class fd use;
@@ -388,15 +388,15 @@ define(`init_script_ignore_use_file_descriptors_depend',`
########################################
#
-# init_script_get_process_group(domain)
+# init_get_script_process_group(domain)
#
-define(`init_script_get_process_group',`
+define(`init_get_script_process_group',`
requires_block_template(`$0'_depend)
allow $1 initrc_t:process getpgid;
')
-define(`init_script_get_process_group_depend',`
+define(`init_get_script_process_group_depend',`
type initrc_t;
class process getpgid;
@@ -404,16 +404,16 @@ define(`init_script_get_process_group_depend',`
########################################
#
-# init_script_use_pseudoterminal(domain)
+# init_use_script_pty(domain)
#
-define(`init_script_use_pseudoterminal',`
+define(`init_use_script_pty',`
requires_block_template(`$0'_depend)
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
')
-define(`init_script_use_pseudoterminal_depend',`
+define(`init_use_script_pty_depend',`
type initrc_devpts_t;
class chr_file { getattr read write ioctl };
@@ -421,22 +421,22 @@ define(`init_script_use_pseudoterminal_depend',`
########################################
#
-# init_script_ignore_use_pseudoterminal(domain)
+# init_dontaudit_use_script_pty(domain)
#
-define(`init_script_ignore_use_pseudoterminal',`
+define(`init_dontaudit_use_script_pty',`
requires_block_template(`$0'_depend)
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
')
-define(`init_script_ignore_use_pseudoterminal_depend',`
+define(`init_dontaudit_use_script_pty_depend',`
type initrc_devpts_t;
class chr_file { read write ioctl };
')
########################################
-##
+##
##
## Read and write init script temporary data.
##
@@ -445,14 +445,14 @@ define(`init_script_ignore_use_pseudoterminal_depend',`
##
##
#
-define(`init_script_modify_temporary_data',`
+define(`init_rw_script_tmp_files',`
requires_block_template(`$0'_depend)
# FIXME: read tmp_t
allow $1 initrc_tmp_t:file rw_file_perms;
')
-define(`init_script_modify_temporary_data_depend',`
+define(`init_rw_script_tmp_files_depend',`
type initrc_var_run_t;
class file rw_file_perms;
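Review bot: The requires block for `init_rw_script_tmp_files` declares `type initrc_var_run_t;` while the interface body grants `initrc_tmp_t:file rw_file_perms`, so the declared dependency does not match the type the rule actually uses. The mismatch predates the rename but is carried over under the new name, and a caller module that relies on the depend block alone would not have `initrc_tmp_t` declared. Change it to `type initrc_tmp_t;`. The `# FIXME: read tmp_t` line would be clearer if it said what is missing (presumably search access on the parent tmp directory so the file can be reached), but that is outside this rename.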
@@ -460,16 +460,16 @@ define(`init_script_modify_temporary_data_depend',`
########################################
#
-# init_script_read_runtime_data(domain)
+# init_read_script_pid(domain)
#
-define(`init_script_read_runtime_data',`
+define(`init_read_script_pid',`
requires_block_template(`$0'_depend)
- files_read_runtime_data_directory($1)
+ files_list_pids($1)
allow $1 initrc_var_run_t:file r_file_perms;
')
-define(`init_script_read_runtime_data_depend',`
+define(`init_read_script_pid_depend',`
type initrc_var_run_t;
class file r_file_perms;
@@ -477,15 +477,15 @@ define(`init_script_read_runtime_data_depend',`
########################################
#
-# init_script_ignore_write_runtime_data(domain)
+# init_dontaudit_write_script_pid(domain)
#
-define(`init_script_ignore_write_runtime_data',`
+define(`init_dontaudit_write_script_pid',`
requires_block_template(`$0'_depend)
dontaudit $1 initrc_var_run_t:file { write lock };
')
-define(`init_script_ignore_write_runtime_data_depend',`
+define(`init_dontaudit_write_script_pid_depend',`
type initrc_var_run_t;
class file { write lock };
@@ -493,16 +493,16 @@ define(`init_script_ignore_write_runtime_data_depend',`
########################################
#
-# init_script_modify_runtime_data(domain)
+# init_rw_script_pid(domain)
#
-define(`init_script_modify_runtime_data',`
+define(`init_rw_script_pid',`
requires_block_template(`$0'_depend)
- files_read_runtime_data_directory($1)
+ files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms;
')
-define(`init_script_modify_runtime_data_depend',`
+define(`init_rw_script_pid_depend',`
type initrc_var_run_t;
class file rw_file_perms;
@@ -510,15 +510,15 @@ define(`init_script_modify_runtime_data_depend',`
########################################
#
-# init_script_ignore_modify_runtime_data(domain)
+# init_dontaudit_rw_script_pid(domain)
#
-define(`init_script_ignore_modify_runtime_data',`
+define(`init_dontaudit_rw_script_pid',`
requires_block_template(`$0'_depend)
dontaudit $1 initrc_var_run_t:file { getattr read write append };
')
-define(`init_script_ignore_modify_runtime_data_depend',`
+define(`init_dontaudit_rw_script_pid_depend',`
type initrc_var_run_t;
class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7bf5cef..929da00 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -10,7 +10,7 @@ policy_module(init,1.0)
# init_t is the domain of the init process.
#
type init_t;
-domain_make_domain(init_t)
+domain_type(init_t)
role system_r types init_t;
#
@@ -18,13 +18,13 @@ role system_r types init_t;
#
type init_exec_t;
kernel_userland_entry(init_t,init_exec_t)
-domain_make_entrypoint_file(init_t,init_exec_t)
+domain_entry_file(init_t,init_exec_t)
#
# init_var_run_t is the type for /var/run/shutdown.pid.
#
type init_var_run_t;
-files_make_daemon_runtime_file(init_var_run_t)
+files_pid_file(init_var_run_t)
#
# initctl_t is the type of the named pipe created
@@ -32,14 +32,14 @@ files_make_daemon_runtime_file(init_var_run_t)
# to communicate with init.
#
type initctl_t;
-files_make_file(initctl_t)
+files_file_type(initctl_t)
type initrc_t;
-domain_make_domain(initrc_t)
+domain_type(initrc_t)
role system_r types initrc_t;
type initrc_exec_t;
-domain_make_entrypoint_file(initrc_t,initrc_exec_t)
+domain_entry_file(initrc_t,initrc_exec_t)
type initrc_devpts_t;
fs_associate(initrc_devpts_t)
@@ -47,13 +47,13 @@ fs_associate_noxattr(initrc_devpts_t)
term_pty(initrc_devpts_t)
type initrc_var_run_t;
-files_make_daemon_runtime_file(initrc_var_run_t)
+files_pid_file(initrc_var_run_t)
type initrc_state_t;
-files_make_file(initrc_state_t)
+files_file_type(initrc_state_t)
type initrc_tmp_t;
-files_make_temporary_file(initrc_tmp_t)
+files_tmp_file(initrc_tmp_t)
########################################
#
@@ -67,7 +67,7 @@ allow init_t self:capability ~sys_module;
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
-# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
allow init_t self:fifo_file rw_file_perms;
@@ -76,7 +76,7 @@ allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
-files_create_daemon_runtime_data(init_t,init_var_run_t)
+files_create_pid(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
@@ -95,9 +95,9 @@ kernel_share_state(init_t)
term_use_all_terms(init_t)
-corecommands_chroot(init_t)
-corecommands_execute_general_programs(init_t)
-corecommands_execute_system_programs(init_t)
+corecmd_chroot_exec_chroot(init_t)
+corecmd_exec_bin(init_t)
+corecmd_exec_sbin(init_t)
domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
@@ -106,22 +106,22 @@ domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
-files_read_general_system_config(init_t)
-files_modify_system_runtime_data(init_t)
-files_ignore_search_isid_type_dir(init_t)
-files_manage_runtime_system_config(init_t)
+files_read_generic_etc_files(init_t)
+files_rw_generic_pids(init_t)
+files_dontaudit_search_isid_type_dir(init_t)
+files_manage_etc_runtime_files(init_t)
# Run /etc/X11/prefdm:
-files_execute_system_config_script(init_t)
+files_exec_generic_etc_files(init_t)
# file descriptors inherited from the rootfs:
-files_ignore_modify_rootfs_file(init_t)
-files_ignore_modify_rootfs_device(init_t)
+files_dontaudit_rw_root_file(init_t)
+files_dontaudit_rw_root_chr_dev(init_t)
-libraries_use_dynamic_loader(init_t)
-libraries_use_shared_libraries(init_t)
-libraries_modify_dynamic_loader_cache(init_t)
+libs_use_ld_so(init_t)
+libs_use_shared_libs(init_t)
+libs_rw_ld_so_cache(init_t)
-logging_send_system_log_message(init_t)
-logging_modify_system_logs(init_t)
+logging_send_syslog_msg(init_t)
+logging_rw_generic_logs(init_t)
selinux_read_config(init_t)
@@ -133,12 +133,12 @@ ifdef(`distro_redhat',`
')
optional_policy(`authlogin.te',`
- authlogin_modify_login_records(init_t)
+ auth_rw_login_records(init_t)
')
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
- userdomain_sysadm_shell_transition(init_t)
+ userdom_shell_domtrans_sysadm(init_t)
')
########################################
@@ -167,11 +167,11 @@ allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
allow initrc_t initrc_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
+files_create_pid(initrc_t,initrc_var_run_t)
allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
-files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir })
+files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
@@ -230,16 +230,16 @@ storage_set_removable_device_attributes(initrc_t)
term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
-authlogin_modify_login_records(initrc_t)
-authlogin_modify_last_login_log(initrc_t)
-authlogin_pam_read_runtime_data(initrc_t)
-authlogin_pam_remove_runtime_data(initrc_t)
-authlogin_pam_console_read_runtime_data_dir(initrc_t)
+auth_rw_login_records(initrc_t)
+auth_rw_lastlog(initrc_t)
+auth_read_pam_pid(initrc_t)
+auth_delete_pam_pid(initrc_t)
+auth_list_pam_console_data(initrc_t)
-corecommands_execute_general_programs(initrc_t)
-corecommands_execute_system_programs(initrc_t)
-corecommands_execute_shell(initrc_t)
-corecommands_execute_ls(initrc_t)
+corecmd_exec_bin(initrc_t)
+corecmd_exec_sbin(initrc_t)
+corecmd_exec_shell(initrc_t)
+corecmd_exec_ls(initrc_t)
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -247,53 +247,53 @@ domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
-domain_read_all_domains_process_state(initrc_t)
-domain_get_all_domains_session_id(initrc_t)
-domain_use_widely_inheritable_file_descriptors(initrc_t)
+domain_read_all_domains_state(initrc_t)
+domain_getsession_all_domains(initrc_t)
+domain_use_wide_inherit_fd(initrc_t)
# for lsof which is used by alsa shutdown:
-domain_ignore_get_all_domains_udp_socket_attributes(initrc_t)
-domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t)
-domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t)
-domain_ignore_get_all_domains_pipe_attributes(initrc_t)
-
-files_get_all_file_attributes(initrc_t)
-files_remove_all_tmp_data(initrc_t)
-files_remove_all_lock_files(initrc_t)
-files_read_all_daemon_runtime_data(initrc_t)
-files_remove_all_daemon_runtime_data(initrc_t)
-files_read_general_system_config(initrc_t)
-files_manage_runtime_system_config(initrc_t)
-files_manage_system_lock_files(initrc_t)
-files_execute_system_config_script(initrc_t)
-files_read_general_application_resources(initrc_t)
-files_manage_pseudorandom_saved_seed(initrc_t)
-files_manage_system_spools(initrc_t)
-
-libraries_modify_dynamic_loader_cache(initrc_t)
-libraries_use_dynamic_loader(initrc_t)
-libraries_use_shared_libraries(initrc_t)
-libraries_execute_library_scripts(initrc_t)
-
-logging_send_system_log_message(initrc_t)
-logging_modify_system_logs(initrc_t)
+domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
+domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
+domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
+
+files_getattr_all_files(initrc_t)
+files_delete_all_tmp_files(initrc_t)
+files_delete_all_lock_files(initrc_t)
+files_read_all_pids(initrc_t)
+files_delete_all_pids(initrc_t)
+files_read_generic_etc_files(initrc_t)
+files_manage_etc_runtime_files(initrc_t)
+files_manage_generic_lock_files(initrc_t)
+files_exec_generic_etc_files(initrc_t)
+files_read_usr_files(initrc_t)
+files_manage_urandom_seed(initrc_t)
+files_manage_spools(initrc_t)
+
+libs_rw_ld_so_cache(initrc_t)
+libs_use_ld_so(initrc_t)
+libs_use_shared_libs(initrc_t)
+libs_exec_lib_files(initrc_t)
+
+logging_send_syslog_msg(initrc_t)
+logging_rw_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
miscfiles_read_localization(initrc_t)
-modutils_read_kernel_module_loading_config(initrc_t)
+modutils_read_module_conf(initrc_t)
selinux_read_config(initrc_t)
-sysnetwork_read_network_config(initrc_t)
+sysnet_read_config(initrc_t)
-udev_modify_database(initrc_t)
+udev_rw_db(initrc_t)
-userdomain_read_all_users_data(initrc_t)
+userdom_read_all_user_data(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
-userdomain_use_admin_terminals(initrc_t)
+userdom_use_sysadm_terms(initrc_t)
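Review bot: `domain_sigstop_all_domains(initrc_t)` appears twice in a row at the top of this hunk; one of the two lines should be dropped. The hunk header for the init_t section earlier in this file also shows `domain_sigstop_all_domains(init_t)` immediately before an identical first context line, which suggests the same duplication there, though that cannot be confirmed from the header alone. The duplicate is harmless for the compiled policy but makes it look as if two distinct permissions are being granted.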
ifdef(`distro_debian', `
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
@@ -306,7 +306,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
kernel_dontaudit_use_fd(initrc_t)
- files_ignore_read_rootfs_file(initrc_t)
+ files_dontaudit_read_root_file(initrc_t)
kernel_set_enforcement_mode(initrc_t)
@@ -329,7 +329,7 @@ ifdef(`distro_redhat',`
files_create_boot_flag(initrc_t)
# readahead asks for these
- mta_read_mail_aliases(initrc_t)
+ mta_read_aliases(initrc_t)
')
optional_policy(`hotplug.te',`
@@ -349,7 +349,7 @@ optional_policy(`lvm.te',`
')
optional_policy(`rhgb.te',`
- corecommands_make_shell_entrypoint(initrc_t)
+ corecmd_shell_entry_type(initrc_t)
')
optional_policy(`rpm.te',`
@@ -357,13 +357,13 @@ optional_policy(`rpm.te',`
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
# for a bug in rm
- files_ignore_write_all_daemon_runtime_data(initrc_t)
+ files_dontaudit_write_all_pids(initrc_t)
# bash tries ioctl for some reason
- files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
+ files_dontaudit_ioctl_all_pids(initrc_t)
# why is this needed:
- rpm_manage_package_database(initrc_t)
+ rpm_manage_db(initrc_t)
') dnl end rpm.te
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if
index 2774065..53eee21 100644
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@@ -2,7 +2,7 @@
## Policy for iptables.
########################################
-##
+##
##
## Execute iptables in the iptables domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`iptables_transition',`
+define(`iptables_domtrans',`
requires_block_template(`$0'_depend)
allow $1 iptables_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`iptables_transition',`
allow iptables_t $1:process sigchld;
')
-define(`iptables_transition_depend',`
+define(`iptables_domtrans_depend',`
type iptables_t, iptables_exec_t;
class file rx_file_perms;
@@ -35,7 +35,7 @@ define(`iptables_transition_depend',`
')
########################################
-##
+##
##
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
@@ -51,22 +51,22 @@ define(`iptables_transition_depend',`
##
##
#
-define(`iptables_transition_add_role_use_terminal',`
+define(`iptables_run',`
requires_block_template(`$0'_depend)
- iptables_transition($1)
+ iptables_domtrans($1)
role $2 types iptables_t;
allow iptables_t $3:chr_file { getattr read write ioctl };
')
-define(`iptables_transition_add_role_use_terminal_depend',`
+define(`iptables_run_depend',`
type iptables_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Execute iptables in the caller domain.
##
@@ -75,14 +75,14 @@ define(`iptables_transition_add_role_use_terminal_depend',`
##
##
#
-define(`iptables_execute',`
+define(`iptables_exec',`
requires_block_template(`$0'_depend)
can_exec($1,iptables_exec_t)
')
-define(`iptables_execute_depend',`
+define(`iptables_exec_depend',`
type iptables_t, iptables_exec_t;
class file { getattr read execute execute_no_trans };
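Review bot: `iptables_exec_depend` declares `type iptables_t, iptables_exec_t;` but the body of `iptables_exec` only references `iptables_exec_t` through `can_exec`, so the extra `iptables_t` dependency forces any caller that merely executes the binary in its own domain to also require the iptables domain type. Trim the declaration to `type iptables_exec_t;`, which is what the equivalent `consoletype_exec_depend` block in this same commit declares.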
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 3576220..c2b04e8 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -8,14 +8,14 @@ policy_module(iptables, 1.0)
type iptables_t;
type iptables_exec_t;
-init_make_system_domain(iptables_t,iptables_exec_t)
+init_system_domain(iptables_t,iptables_exec_t)
role system_r types iptables_t;
type iptables_tmp_t;
-files_make_temporary_file(iptables_tmp_t)
+files_tmp_file(iptables_tmp_t)
type iptables_var_run_t;
-files_make_daemon_runtime_file(iptables_var_run_t)
+files_pid_file(iptables_var_run_t)
########################################
#
@@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t iptables_var_run_t:dir rw_dir_perms;
-files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
+files_create_pid(iptables_t,iptables_var_run_t)
can_exec(iptables_t,iptables_exec_t)
allow iptables_t iptables_tmp_t:dir create_dir_perms;
allow iptables_t iptables_tmp_t:file create_file_perms;
-files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
+files_create_tmp_files(iptables_t, iptables_tmp_t, { file dir })
allow iptables_t self:rawip_socket create_socket_perms;
@@ -48,27 +48,27 @@ fs_getattr_xattr_fs(iptables_t)
term_dontaudit_use_console(iptables_t)
-domain_use_widely_inheritable_file_descriptors(iptables_t)
+domain_use_wide_inherit_fd(iptables_t)
-files_read_general_system_config(iptables_t)
+files_read_generic_etc_files(iptables_t)
-init_use_file_descriptors(iptables_t)
-init_script_use_pseudoterminal(iptables_t)
+init_use_fd(iptables_t)
+init_use_script_pty(iptables_t)
# to allow rules to be saved on reboot:
-init_script_modify_temporary_data(iptables_t)
+init_rw_script_tmp_files(iptables_t)
-libraries_use_dynamic_loader(iptables_t)
-libraries_use_shared_libraries(iptables_t)
+libs_use_ld_so(iptables_t)
+libs_use_shared_libs(iptables_t)
-logging_send_system_log_message(iptables_t)
+logging_send_syslog_msg(iptables_t)
# system-config-network appends to /var/log
#logging_append_system_logs(iptables_t)
miscfiles_read_localization(iptables_t)
-sysnetwork_ifconfig_transition(iptables_t)
+sysnet_domtrans_ifconfig(iptables_t)
-userdomain_use_all_users_file_descriptors(iptables_t)
+userdom_use_all_user_fd(iptables_t)
tunable_policy(`use_dns',`
allow iptables_t self:udp_socket create_socket_perms;
@@ -80,12 +80,12 @@ tunable_policy(`use_dns',`
corenet_udp_bind_all_nodes(iptables_t)
corenet_udp_sendrecv_dns_port(iptables_t)
- sysnetwork_read_network_config(iptables_t)
+ sysnet_read_config(iptables_t)
')
optional_policy(`modutils.te', `
- corecommands_search_system_programs_directory(iptables_t)
- modutils_insmod_transition(iptables_t)
+ corecmd_search_sbin(iptables_t)
+ modutils_domtrans_insmod(iptables_t)
')
optional_policy(`selinux.te',`
@@ -93,14 +93,14 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(iptables_t)
+ udev_read_db(iptables_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(iptables_t)
terminal_ignore_use_general_pseudoterminal(iptables_t)
- files_ignore_read_rootfs_file(iptables_t)
+ files_dontaudit_read_root_file(iptables_t)
')
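Review bot: `terminal_ignore_use_general_pseudoterminal(iptables_t)` is left on the old naming scheme while its neighbours in the same `ifdef(`targeted_policy'` block are renamed (`term_dontaudit_use_unallocated_tty`, `files_dontaudit_read_root_file`), and the `terminal_` / `_ignore_` spelling matches nothing else that survives this commit. If the terminal module's interface was renamed along with the rest, this call will no longer resolve and the targeted build will either fail or emit the unexpanded macro name into the policy. It should be replaced with the corresponding `term_dontaudit_…` interface exported by the terminal module; verify the exact name against terminal.if.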
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index df3a2b8..0490095 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -2,7 +2,7 @@
## Policy for system libraries.
########################################
-##
+##
##
## Execute ldconfig in the ldconfig domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`libraries_ldconfig_transition',`
+define(`libs_domtrans_ldconfig',`
requires_block_template(`$0'_depend)
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
@@ -22,7 +22,7 @@ define(`libraries_ldconfig_transition',`
allow ldconfig_t $1:process sigchld;
')
-define(`libraries_ldconfig_transition_depend',`
+define(`libs_domtrans_ldconfig_depend',`
type ldconfig_t, ldconfig_exec_t;
class file rx_file_perms;
@@ -32,7 +32,7 @@ define(`libraries_ldconfig_transition_depend',`
')
########################################
-##
+##
##
## Execute ldconfig in the ldconfig domain.
##
@@ -47,22 +47,22 @@ define(`libraries_ldconfig_transition_depend',`
##
##
#
-define(`libraries_ldconfig_transition_add_role_use_terminal',`
+define(`libs_run_ldconfig',`
requires_block_template(`$0'_depend)
- libraries_ldconfig_transition($1)
+ libs_domtrans_ldconfig($1)
role $2 types ldconfig_t;
allow ldconfig_t $3:chr_file { getattr read write ioctl };
')
-define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
+define(`libs_run_ldconfig_depend',`
type ldconfig_t;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Use the dynamic link/loader for automatic loading
## of shared libraries.
@@ -72,10 +72,10 @@ define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
##
##
#
-define(`libraries_use_dynamic_loader',`
+define(`libs_use_ld_so',`
requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
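Review bot: `files_read_generic_etc_files_directory($1)` reads like a mechanical substitution of `files_read_general_system_config` inside the longer old name rather than a real interface: the rest of this commit renames the directory-access helpers to `_list_`/`_search_` forms (`files_list_pids`, `files_search_usr`), and a "read files directory" interface does not fit that scheme. Please confirm the name exists in files.if after this commit; if not, replace it with the directory search/list interface for /etc. The same call appears in `libs_rw_ld_so_cache` later in this file.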
@@ -83,7 +83,7 @@ define(`libraries_use_dynamic_loader',`
allow $1 ld_so_cache_t:file r_file_perms;
')
-define(`libraries_use_dynamic_loader_depend',`
+define(`libs_use_ld_so_depend',`
type lib_t, ld_so_t, ld_so_cache_t;
class dir r_dir_perms;
@@ -92,7 +92,7 @@ define(`libraries_use_dynamic_loader_depend',`
')
########################################
-##
+##
##
## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support.
@@ -102,22 +102,22 @@ define(`libraries_use_dynamic_loader_depend',`
##
##
#
-define(`libraries_legacy_use_dynamic_loader',`
+define(`libs_legacy_use_ld_so',`
requires_block_template(`$0'_depend)
- libraries_use_dynamic_loader($1)
+ libs_use_ld_so($1)
allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute;
')
-define(`libraries_legacy_use_dynamic_loader_depend',`
+define(`libs_legacy_use_ld_so_depend',`
type ld_so_t, ld_so_cache_t;
class file { execute execmod };
')
########################################
-##
+##
##
## Execute the dynamic link/loader in the caller's
## domain. This is commonly needed for the
@@ -131,7 +131,7 @@ define(`libraries_legacy_use_dynamic_loader_depend',`
##
##
#
-define(`libraries_execute_dynamic_loader',`
+define(`libs_exec_ld_so',`
requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms;
@@ -140,7 +140,7 @@ define(`libraries_execute_dynamic_loader',`
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
')
-define(`libraries_execute_dynamic_loader_depend',`
+define(`libs_exec_ld_so_depend',`
type lib_t, ld_so_t;
class dir r_dir_perms;
@@ -149,7 +149,7 @@ define(`libraries_execute_dynamic_loader_depend',`
')
########################################
-##
+##
##
## Modify the dynamic link/loader's cached listing
## of shared libraries.
@@ -159,21 +159,21 @@ define(`libraries_execute_dynamic_loader_depend',`
##
##
#
-define(`libraries_modify_dynamic_loader_cache',`
+define(`libs_rw_ld_so_cache',`
requires_block_template(`$0'_depend)
- files_read_general_system_config_directory($1)
+ files_read_generic_etc_files_directory($1)
allow $1 ld_so_cache_t:file rw_file_perms;
')
-define(`libraries_modify_dynamic_loader_cache_depend',`
+define(`libs_rw_ld_so_cache_depend',`
type ld_so_cache_t;
class file rw_file_perms;
')
########################################
-##
+##
##
## Read files in the library directories, such
## as static libraries.
@@ -183,14 +183,14 @@ define(`libraries_modify_dynamic_loader_cache_depend',`
##
##
#
-define(`libraries_read_library_resources',`
+define(`libs_read_lib',`
requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms;
')
-define(`libraries_read_library_resources_depend',`
+define(`libs_read_lib_depend',`
type lib_t;
class dir r_dir_perms;
@@ -199,7 +199,7 @@ define(`libraries_read_library_resources_depend',`
')
########################################
-##
+##
##
## Execute library scripts in the caller domain.
##
@@ -208,7 +208,7 @@ define(`libraries_read_library_resources_depend',`
##
##
#
-define(`libraries_execute_library_scripts',`
+define(`libs_exec_lib_files',`
requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms;
@@ -216,7 +216,7 @@ define(`libraries_execute_library_scripts',`
allow $1 lib_t:file { getattr read execute execute_no_trans };
')
-define(`libraries_execute_library_scripts_depend',`
+define(`libs_exec_lib_files_depend',`
type lib_t;
class dir r_dir_perms;
@@ -225,7 +225,7 @@ define(`libraries_execute_library_scripts_depend',`
')
########################################
-##
+##
##
## Load and execute functions from shared libraries.
##
@@ -234,17 +234,17 @@ define(`libraries_execute_library_scripts_depend',`
##
##
#
-define(`libraries_use_shared_libraries',`
+define(`libs_use_shared_libs',`
requires_block_template(`$0'_depend)
- files_search_general_application_resources_dir($1)
+ files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
')
-define(`libraries_use_shared_libraries_depend',`
+define(`libs_use_shared_libs_depend',`
type lib_t, shlib_t, texrel_shlib_t;
class dir r_dir_perms;
@@ -253,7 +253,7 @@ define(`libraries_use_shared_libraries_depend',`
')
########################################
-##
+##
##
## Load and execute functions from shared libraries,
## with legacy support.
@@ -263,14 +263,14 @@ define(`libraries_use_shared_libraries_depend',`
##
##
#
-define(`libraries_legacy_use_shared_libraries',`
+define(`libs_legacy_use_shared_libs',`
requires_block_template(`$0'_depend)
- libraries_use_shared_libraries($1)
+ libs_use_shared_libs($1)
allow $1 { shlib_t texrel_shlib_t }:file execmod;
')
-define(`libraries_legacy_use_shared_libraries_depend',`
+define(`libs_legacy_use_shared_libs_depend',`
type shlib_t, texrel_shlib_t;
class file execmod;
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 7dea914..4b34dae 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -10,33 +10,33 @@ policy_module(libraries,1.0)
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t;
-files_make_file(ld_so_cache_t)
+files_file_type(ld_so_cache_t)
#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t;
-files_make_file(ld_so_t)
+files_file_type(ld_so_t)
#
# lib_t is the type of files in the system lib directories.
#
type lib_t;
-files_make_file(lib_t)
+files_file_type(lib_t)
#
# shlib_t is the type of shared objects in the system lib
# directories.
#
type shlib_t;
-files_make_file(shlib_t)
+files_file_type(shlib_t)
#
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
type texrel_shlib_t;
-files_make_file(texrel_shlib_t)
+files_file_type(texrel_shlib_t)
########################################
#
@@ -44,11 +44,11 @@ files_make_file(texrel_shlib_t)
#
type ldconfig_t;
type ldconfig_exec_t;
-init_make_system_domain(ldconfig_t,ldconfig_exec_t)
+init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
allow ldconfig_t ld_so_cache_t:file create_file_perms;
-files_create_private_config(ldconfig_t,ld_so_cache_t,file)
+files_create_etc_config(ldconfig_t,ld_so_cache_t,file)
allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
@@ -62,17 +62,17 @@ kernel_read_system_state(ldconfig_t)
fs_getattr_xattr_fs(ldconfig_t)
-domain_use_widely_inheritable_file_descriptors(ldconfig_t)
+domain_use_wide_inherit_fd(ldconfig_t)
-files_read_general_system_config(ldconfig_t)
+files_read_generic_etc_files(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled:
-files_remove_general_system_config(ldconfig_t)
+files_delete_generic_etc_files(ldconfig_t)
-init_script_use_pseudoterminal(ldconfig_t)
+init_use_script_pty(ldconfig_t)
-logging_send_system_log_message(ldconfig_t)
+logging_send_syslog_msg(ldconfig_t)
-userdomain_use_all_users_file_descriptors(ldconfig_t)
+userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if
index aade7aa..f7db31f 100644
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@@ -2,7 +2,7 @@
## Policy for local logins.
########################################
-##
+##
##
## Execute local logins in the locallogin domain.
##
@@ -11,18 +11,18 @@
##
##
#
-define(`locallogin_transition',`
+define(`locallogin_domtrans',`
requires_block_template(`$0'_depend)
- authlogin_login_program_transition($1,local_login_t)
+ auth_domtrans_login_program($1,local_login_t)
')
-define(`locallogin_transition_depend',`
+define(`locallogin_domtrans_depend',`
type local_login_t;
')
########################################
-##
+##
##
## Allow processes to inherit local login file descriptors
##
@@ -33,15 +33,15 @@ define(`locallogin_transition_depend',`
#
########################################
#
-# locallogin_use_file_descriptors(domain)
+# locallogin_use_fd(domain)
#
-define(`locallogin_use_file_descriptors',`
+define(`locallogin_use_fd',`
requires_block_template(`$0'_depend)
allow $1 local_login_t:fd use;
')
-define(`locallogin_use_file_descriptors_depend',`
+define(`locallogin_use_fd_depend',`
type local_login_t;
class fd use;
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 6c41572..6745937 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,25 +7,25 @@ policy_module(locallogin,1.0)
#
type local_login_t; #, nscd_client_domain;
-kernel_make_object_identity_change_constraint_exception(local_login_t)
-kernel_make_process_identity_change_constraint_exception(local_login_t)
-kernel_make_role_change_constraint_exception(local_login_t)
-authlogin_make_login_program_entrypoint(local_login_t)
-domain_make_domain(local_login_t)
-domain_make_file_descriptors_widely_inheritable(local_login_t)
+kernel_obj_id_change_exempt(local_login_t)
+kernel_subj_id_change_exempt(local_login_t)
+kernel_role_change_exempt(local_login_t)
+auth_login_entry_type(local_login_t)
+domain_type(local_login_t)
+domain_wide_inherit_fd(local_login_t)
role system_r types local_login_t;
type local_login_tmp_t;
-files_make_file(local_login_tmp_t)
+files_file_type(local_login_tmp_t)
type sulogin_t;
type sulogin_exec_t;
-kernel_make_object_identity_change_constraint_exception(sulogin_t)
-kernel_make_process_identity_change_constraint_exception(sulogin_t)
-kernel_make_role_change_constraint_exception(sulogin_t)
-domain_make_file_descriptors_widely_inheritable(sulogin_t)
-init_make_init_domain(sulogin_t,sulogin_exec_t)
-init_make_system_domain(sulogin_t,sulogin_exec_t)
+kernel_obj_id_change_exempt(sulogin_t)
+kernel_subj_id_change_exempt(sulogin_t)
+kernel_role_change_exempt(sulogin_t)
+domain_wide_inherit_fd(sulogin_t)
+init_domain(sulogin_t,sulogin_exec_t)
+init_system_domain(sulogin_t,sulogin_exec_t)
role system_r types sulogin_t;
########################################
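Review bot: `files_file_type(local_login_tmp_t)` in this hunk marks a temporary-file type with the generic file attribute, while every other `*_tmp_t` type touched by this commit (klogd_tmp_t, syslogd_tmp_t, lvm_tmp_t) is declared with `files_tmp_file(...)`. The rename is mechanical, so the inconsistency predates it, but it is worth settling now: unless local_login_tmp_t is deliberately kept out of the tmp-file attribute, the line should read `files_tmp_file(local_login_tmp_t)`. If it is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.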
@@ -49,7 +49,7 @@ allow local_login_t self:msg { send receive };
allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file create_file_perms;
-files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
+files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t)
@@ -70,47 +70,47 @@ term_relabel_all_user_ttys(local_login_t)
term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t)
-authlogin_check_password_transition(local_login_t)
-authlogin_ignore_read_shadow_passwords(local_login_t)
-authlogin_modify_login_records(local_login_t)
-authlogin_modify_last_login_log(local_login_t)
-authlogin_modify_login_failure_records(local_login_t)
-authlogin_pam_execute(local_login_t)
-authlogin_pam_console_manage_runtime_data(local_login_t)
+auth_domtrans_chk_passwd(local_login_t)
+auth_dontaudit_read_shadow(local_login_t)
+auth_rw_login_records(local_login_t)
+auth_rw_lastlog(local_login_t)
+auth_rw_faillog(local_login_t)
+auth_exec_pam(local_login_t)
+auth_manage_pam_console_data(local_login_t)
-domain_read_all_entrypoint_programs(local_login_t)
+domain_read_all_entry_files(local_login_t)
-files_read_general_system_config(local_login_t)
-files_read_runtime_system_config(local_login_t)
-files_read_general_application_resources(local_login_t)
-files_manage_system_lock_files(var_lock_t)
+files_read_generic_etc_files(local_login_t)
+files_read_etc_runtime_files(local_login_t)
+files_read_usr_files(local_login_t)
+files_manage_generic_lock_files(var_lock_t)
-init_script_modify_runtime_data(local_login_t)
-init_ignore_use_file_descriptors(local_login_t)
+init_rw_script_pid(local_login_t)
+init_dontaudit_use_fd(local_login_t)
-libraries_use_dynamic_loader(local_login_t)
-libraries_use_shared_libraries(local_login_t)
+libs_use_ld_so(local_login_t)
+libs_use_shared_libs(local_login_t)
-logging_send_system_log_message(local_login_t)
+logging_send_syslog_msg(local_login_t)
miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t)
-userdomain_all_users_explicit_transition(local_login_t)
-userdomain_signal_all_userdomains(local_login_t)
-userdomain_search_all_users_home_dirs(local_login_t)
-userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
+userdom_spec_domtrans_all_users(local_login_t)
+userdom_signal_all_users(local_login_t)
+userdom_search_all_users_home(local_login_t)
+userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
-mta_get_mail_spool_attributes(local_login_t)
+mta_getattr_spool(local_login_t)
# Red Hat systems seem to have a stray
# fd open from the initrd
optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd(local_login_t)
- files_ignore_read_rootfs_file(local_login_t)
+ files_dontaudit_read_root_file(local_login_t)
')
ifdef(`TODO',`
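Review bot: `files_manage_generic_lock_files(var_lock_t)` passes the lock-directory type where the interface expects the subject domain; every sibling call in this block takes `local_login_t`, so this reads as a copy-paste error that the rename carries forward. As written it grants local_login_t nothing, and if the macro accepts an object type as its source it would instead attach manage permissions to var_lock_t itself. The line should presumably be `files_manage_generic_lock_files(local_login_t)`; I cannot see the interface definition in this diff, so please confirm against files.if before changing it.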
@@ -210,24 +210,24 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
-init_script_get_process_group(sulogin_t)
+init_get_script_process_group(sulogin_t)
-files_read_general_system_config(sulogin_t)
+files_read_generic_etc_files(sulogin_t)
# because file systems are not mounted:
-files_ignore_search_isid_type_dir(sulogin_t)
+files_dontaudit_search_isid_type_dir(sulogin_t)
-libraries_use_dynamic_loader(sulogin_t)
-libraries_use_shared_libraries(sulogin_t)
+libs_use_ld_so(sulogin_t)
+libs_use_shared_libs(sulogin_t)
-logging_send_system_log_message(sulogin_t)
+logging_send_syslog_msg(sulogin_t)
selinux_read_config(sulogin_t)
selinux_read_default_contexts(sulogin_t)
-authlogin_read_shadow_passwords(sulogin_t)
+auth_read_shadow(sulogin_t)
-userdomain_sysadm_shell_transition(sulogin_t)
-userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
+userdom_shell_domtrans_sysadm(sulogin_t)
+userdom_use_unpriv_users_fd(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',`
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index 6578e28..5fde11a 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -3,24 +3,24 @@
#######################################
#
-# logging_make_log_file(domain)
+# logging_log_file(domain)
#
-define(`logging_make_log_file',`
+define(`logging_log_file',`
requires_block_template(`$0'_depend)
- files_make_file($1)
+ files_file_type($1)
typeattribute $1 logfile;
')
-define(`logging_make_log_file_depend',`
+define(`logging_log_file_depend',`
attribute logfile;
')
########################################
#
-# logging_create_private_log(domain,privatetype,[class(es)])
+# logging_create_log(domain,privatetype,[class(es)])
#
-define(`logging_create_private_log',`
+define(`logging_create_log',`
requires_block_template(`$0'_depend)
allow $1 var_log_t:dir rw_dir_perms;
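Review bot: The header comment `# logging_log_file(domain)` mislabels the parameter: the body applies `files_file_type($1)` and `typeattribute $1 logfile`, so the argument is a file type, not a process domain, and calling it with a domain would silently turn that domain into a log-file type. Suggest `# logging_log_file(type)` so callers are not misled; the same wording fix applies to the `_depend` pair below it, which needs no change otherwise.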
@@ -32,7 +32,7 @@ define(`logging_create_private_log',`
')
')
-define(`logging_create_private_log_depend',`
+define(`logging_create_log_depend',`
type var_log_t;
class dir rw_dir_perms;
@@ -40,9 +40,9 @@ define(`logging_create_private_log_depend',`
#######################################
#
-# logging_send_system_log_message(domain)
+# logging_send_syslog_msg(domain)
#
-define(`logging_send_system_log_message',`
+define(`logging_send_syslog_msg',`
requires_block_template(`$0'_depend)
allow $1 devlog_t:lnk_file read;
@@ -58,7 +58,7 @@ define(`logging_send_system_log_message',`
term_use_console($1)
')
-define(`logging_send_system_log_message_depend',`
+define(`logging_send_syslog_msg_depend',`
type syslogd_t, devlog_t;
class sock_file rw_file_perms;
@@ -67,7 +67,7 @@ define(`logging_send_system_log_message_depend',`
')
########################################
-##
+##
##
## Allows the domain to open a file in the
## log directory, but does not allow the listing
@@ -78,14 +78,14 @@ define(`logging_send_system_log_message_depend',`
##
##
#
-define(`logging_search_system_log_directory',`
+define(`logging_search_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir search;
')
-define(`logging_search_system_log_directory_depend',`
+define(`logging_search_logs_depend',`
type var_log_t;
class dir search;
@@ -93,15 +93,15 @@ define(`logging_search_system_log_directory_depend',`
#######################################
#
-# logging_ignore_get_all_logs_attributes(domain)
+# logging_dontaudit_getattr_all_logs(domain)
#
-define(`logging_ignore_get_all_logs_attributes',`
+define(`logging_dontaudit_getattr_all_logs',`
requires_block_template(`$0'_depend)
dontaudit $1 logfile:file getattr;
')
-define(`logging_ignore_get_all_logs_attributes_depend',`
+define(`logging_dontaudit_getattr_all_logs_depend',`
attribute logfile;
class file getattr;
@@ -114,7 +114,7 @@ define(`logging_ignore_get_all_logs_attributes_depend',`
define(`logging_append_all_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file { getattr append };
')
@@ -135,7 +135,7 @@ define(`logging_append_all_logs_depend',`
define(`logging_read_all_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file r_file_perms;
')
@@ -151,17 +151,17 @@ define(`logging_read_all_logs_depend',`
#######################################
#
-# logging_read_system_logs(domain)
+# logging_read_generic_logs(domain)
#
-define(`logging_read_system_logs',`
+define(`logging_read_generic_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file r_file_perms;
')
-define(`logging_read_system_logs_depend',`
+define(`logging_read_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
@@ -170,17 +170,17 @@ define(`logging_read_system_logs_depend',`
#######################################
#
-# logging_write_system_logs(domain)
+# logging_write_generic_logs(domain)
#
-define(`logging_write_system_logs',`
+define(`logging_write_generic_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file { getattr write };
')
-define(`logging_write_system_logs_depend',`
+define(`logging_write_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
@@ -189,17 +189,17 @@ define(`logging_write_system_logs_depend',`
#######################################
#
-# logging_modify_system_logs(domain)
+# logging_rw_generic_logs(domain)
#
-define(`logging_modify_system_logs',`
+define(`logging_rw_generic_logs',`
requires_block_template(`$0'_depend)
- files_search_system_state_data_directory($1)
+ files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms;
')
-define(`logging_modify_system_logs_depend',`
+define(`logging_rw_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 954f184..f2fe8aa 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -9,40 +9,40 @@ policy_module(logging,1.0)
attribute logfile;
type auditd_log_t;
-logging_make_log_file(auditd_t,auditd_log_t)
+logging_log_file(auditd_t,auditd_log_t)
type auditd_t;
type auditd_exec_t;
-init_make_daemon_domain(auditd_t,auditd_exec_t)
+init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
-files_make_daemon_runtime_file(auditd_var_run_t)
+files_pid_file(auditd_var_run_t)
type devlog_t;
-files_make_file(devlog_t)
+files_file_type(devlog_t)
type klogd_t;
type klogd_exec_t;
-init_make_daemon_domain(klogd_t,klogd_exec_t)
+init_daemon_domain(klogd_t,klogd_exec_t)
type klogd_tmp_t;
-files_make_temporary_file(klogd_tmp_t)
+files_tmp_file(klogd_tmp_t)
type klogd_var_run_t;
-files_make_daemon_runtime_file(klogd_var_run_t)
+files_pid_file(klogd_var_run_t)
type syslogd_t;
type syslogd_exec_t;
-init_make_daemon_domain(syslogd_t,syslogd_exec_t)
+init_daemon_domain(syslogd_t,syslogd_exec_t)
type syslogd_tmp_t;
-files_make_temporary_file(syslogd_tmp_t)
+files_tmp_file(syslogd_tmp_t)
type syslogd_var_run_t;
-files_make_daemon_runtime_file(syslogd_var_run_t)
+files_pid_file(syslogd_var_run_t)
type var_log_t, logfile;
-files_make_file(var_log_t)
+files_file_type(var_log_t)
########################################
#
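Review bot: `logging_log_file(auditd_t,auditd_log_t)` at the top of this hunk passes two arguments to a one-argument interface. As defined in logging.if earlier in this diff, `logging_log_file` applies `files_file_type` and the `logfile` attribute to `$1` only, so here the auditd_t process domain is marked as a log-file type and auditd_log_t receives neither, while m4 discards the second argument without complaint. The call should be `logging_log_file(auditd_log_t)`, matching the single-argument `files_file_type(devlog_t)` and `files_file_type(var_log_t)` calls further down.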
@@ -56,7 +56,7 @@ allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_
allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(auditd_t,auditd_var_run_t)
+files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t)
kernel_read_hardware_state(auditd_t)
@@ -65,24 +65,24 @@ fs_getattr_all_fs(auditd_t)
term_dontaudit_use_console(auditd_t)
-init_use_file_descriptors(auditd_t)
-init_script_use_pseudoterminal(auditd_t)
+init_use_fd(auditd_t)
+init_use_script_pty(auditd_t)
-domain_use_widely_inheritable_file_descriptors(auditd_t)
+domain_use_wide_inherit_fd(auditd_t)
-files_read_general_system_config(auditd_t)
+files_read_generic_etc_files(auditd_t)
-logging_send_system_log_message(auditd_t)
+logging_send_syslog_msg(auditd_t)
-libraries_use_dynamic_loader(auditd_t)
-libraries_use_shared_libraries(auditd_t)
+libs_use_ld_so(auditd_t)
+libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t)
terminal_ignore_use_general_pseudoterminal(auditd_t)
- files_ignore_read_rootfs_file(auditd_t)
+ files_dontaudit_read_root_file(auditd_t)
')
optional_policy(`selinux.te',`
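Review bot: `terminal_ignore_use_general_pseudoterminal(auditd_t)` in the `targeted_policy` block keeps the pre-rename module prefix and `ignore` verb, while the line directly above it has already moved to the `term_dontaudit_*` form and every other `*_ignore_*` call in this commit has become `*_dontaudit_*`. If the terminal module's interface was renamed along with the rest, this call will fail at policy build time under `targeted_policy`, which is exactly the configuration least likely to be exercised by the author. The same stale call appears for syslogd_t (the later `targeted_policy` block in this file) and for lvm_t in lvm.te; all three should be switched to whatever `term_dontaudit_*` name terminal.if now exports, or the old name should be kept deliberately with a comment.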
@@ -90,7 +90,7 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(auditd_t)
+ udev_read_db(auditd_t)
')
ifdef(`TODO',`
@@ -115,7 +115,7 @@ allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
#
allow klogd_t klogd_tmp_t:file create_file_perms;
-files_create_private_tmp_data(klogd_t,klogd_tmp_t)
+files_create_tmp_files(klogd_t,klogd_tmp_t)
allow klogd_t klogd_var_run_t:file create_file_perms;
@@ -134,17 +134,17 @@ dev_read_raw_memory(klogd_t)
fs_getattr_all_fs(klogd_t)
-files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
-files_read_runtime_system_config(klogd_t)
+files_create_pid(klogd_t,klogd_var_run_t)
+files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf
-files_read_general_system_config(klogd_t)
+files_read_generic_etc_files(klogd_t)
-init_use_file_descriptors(klogd_t)
+init_use_fd(klogd_t)
-libraries_use_dynamic_loader(klogd_t)
-libraries_use_shared_libraries(klogd_t)
+libs_use_ld_so(klogd_t)
+libs_use_shared_libs(klogd_t)
-logging_send_system_log_message(klogd_t)
+logging_send_syslog_msg(klogd_t)
miscfiles_read_localization(klogd_t)
@@ -170,21 +170,21 @@ allow syslogd_t var_log_t:file create_file_perms;
# manage temporary files
allow syslogd_t syslogd_tmp_t:file create_file_perms;
-files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
+files_create_tmp_files(syslogd_t,syslogd_tmp_t)
allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
+files_create_pid(syslogd_t,syslogd_var_run_t,file)
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
+files_create_pid(syslogd_t,devlog_t,sock_file)
# I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file
allow syslogd_t syslogd_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
+files_create_pid(syslogd_t,syslogd_var_run_t)
kernel_read_hardware_state(syslogd_t)
kernel_read_kernel_sysctl(syslogd_t)
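Review bot: The pid-file rules are written twice in this hunk: `allow syslogd_t syslogd_var_run_t:file create_file_perms;` followed by `files_create_pid(syslogd_t,syslogd_var_run_t,file)` appears right after the tmp-file block, and the same pair appears again under `# manage pid file` (without the trailing `file` class argument). Keeping only the commented pair would leave one place to audit the pid-file grant. While here, the comment `# I belive these are not needed:` has a typo (`believe`), and the two `name_bind` rules under it either deserve a test and removal or a comment explaining why they stay.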
@@ -196,8 +196,8 @@ term_dontaudit_use_console(syslogd_t)
term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users
-init_script_read_runtime_data(syslogd_t)
-init_script_ignore_write_runtime_data(syslogd_t)
+init_read_script_pid(syslogd_t)
+init_dontaudit_write_script_pid(syslogd_t)
term_write_all_user_ttys(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t)
@@ -210,26 +210,26 @@ corenet_udp_bind_syslogd_port(syslogd_t)
fs_getattr_all_fs(syslogd_t)
-init_use_file_descriptors(syslogd_t)
-init_script_use_pseudoterminal(syslogd_t)
+init_use_fd(syslogd_t)
+init_use_script_pty(syslogd_t)
-domain_use_widely_inheritable_file_descriptors(syslogd_t)
+domain_use_wide_inherit_fd(syslogd_t)
-files_read_general_system_config(syslogd_t)
+files_read_generic_etc_files(syslogd_t)
-libraries_use_dynamic_loader(syslogd_t)
-libraries_use_shared_libraries(syslogd_t)
+libs_use_ld_so(syslogd_t)
+libs_use_shared_libs(syslogd_t)
-sysnetwork_read_network_config(syslogd_t)
+sysnet_read_config(syslogd_t)
miscfiles_read_localization(syslogd_t)
-userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
+userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
#
# /initrd is not umounted before minilog starts
#
-files_ignore_search_isid_type_dir(syslogd_t)
+files_dontaudit_search_isid_type_dir(syslogd_t)
#allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
@@ -246,7 +246,7 @@ ifdef(`klogd.te', `', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t)
- files_ignore_read_rootfs_file(syslogd_t)
+ files_dontaudit_read_root_file(syslogd_t)
')
optional_policy(`selinux.te',`
@@ -254,11 +254,11 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te', `
- udev_read_database(syslogd_t)
+ udev_read_db(syslogd_t)
')
optional_policy(`cron.te',`
- cron_modify_log(syslogd_t)
+ cron_rw_log(syslogd_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index db73920..007c608 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -2,7 +2,7 @@
## Policy for logical volume management programs.
########################################
-##
+##
##
## Execute lvm programs in the lvm domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`lvm_transition',`
+define(`lvm_domtrans',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, lvm_exec_t, lvm_t)
@@ -22,7 +22,7 @@ define(`lvm_transition',`
allow lvm_t $1:process sigchld;
')
-define(`lvm_transition_depend',`
+define(`lvm_domtrans_depend',`
type lvm_t, lvm_exec_t;
class file { getattr read execute };
@@ -32,7 +32,7 @@ define(`lvm_transition_depend',`
')
########################################
-##
+##
##
## Execute lvm programs in the lvm domain.
##
@@ -47,15 +47,15 @@ define(`lvm_transition_depend',`
##
##
#
-define(`lvm_transition_add_role_use_terminal',`
+define(`lvm_run',`
requires_block_template(`$0'_depend)
- lvm_transition($1)
+ lvm_domtrans($1)
role $2 types lvm_t;
allow lvm_t $3:chr_file { getattr read write ioctl };
')
-define(`lvm_transition_add_role_use_terminal_depend',`
+define(`lvm_run_depend',`
type lvm_t;
class chr_file { getattr read write ioctl };
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 3c7a83a..82f9752 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -8,23 +8,23 @@ policy_module(lvm,1.0)
type lvm_t;
type lvm_exec_t;
-init_make_system_domain(lvm_t,lvm_exec_t)
+init_system_domain(lvm_t,lvm_exec_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
-kernel_make_object_identity_change_constraint_exception(lvm_t)
+kernel_obj_id_change_exempt(lvm_t)
role system_r types lvm_t;
type lvm_etc_t;
-files_make_file(lvm_etc_t)
+files_file_type(lvm_etc_t)
type lvm_lock_t;
-files_make_lock_file(lvm_lock_t)
+files_lock_file(lvm_lock_t)
type lvm_metadata_t;
-files_make_file(lvm_metadata_t)
+files_file_type(lvm_metadata_t)
type lvm_tmp_t;
-files_make_temporary_file(lvm_tmp_t)
+files_tmp_file(lvm_tmp_t)
########################################
#
@@ -45,7 +45,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
-files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir })
+files_create_tmp_files(lvm_t, lvm_tmp_t, { file dir })
# /lib/lvm- holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search;
@@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms;
-files_create_private_lock_file(lvm_t,lvm_lock_t)
+files_create_lock_file(lvm_t,lvm_lock_t)
allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@@ -66,7 +66,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
allow lvm_t lvm_metadata_t:file create_file_perms;
allow lvm_t lvm_metadata_t:dir rw_dir_perms;
type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
-files_create_private_config(lvm_t,lvm_metadata_t,file)
+files_create_etc_config(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t)
kernel_get_selinuxfs_mount_point(lvm_t)
@@ -89,8 +89,8 @@ dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
dev_manage_generic_symlinks(lvm_t)
-devices_relabel_dev_dirs(lvm_t)
-devices_manage_generic_block_device(lvm_t)
+dev_relabel_dev_dirs(lvm_t)
+dev_manage_generic_blk_file(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dev_dontaudit_getattr_all_chr_files(lvm_t)
@@ -110,25 +110,25 @@ storage_create_fixed_disk_dev_entry(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
-corecommands_search_system_programs_directory(lvm_t)
-corecommands_ignore_get_system_programs_attributes(lvm_t)
+corecmd_search_sbin(lvm_t)
+corecmd_dontaudit_getattr_sbin_file(lvm_t)
-domain_use_widely_inheritable_file_descriptors(lvm_t)
+domain_use_wide_inherit_fd(lvm_t)
-files_search_system_state_data_directory(lvm_t)
-files_read_general_system_config(lvm_t)
-files_read_runtime_system_config(lvm_t)
+files_search_var(lvm_t)
+files_read_generic_etc_files(lvm_t)
+files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
-files_ignore_search_isid_type_dir(lvm_t)
+files_dontaudit_search_isid_type_dir(lvm_t)
-init_use_file_descriptors(lvm_t)
-init_ignore_get_control_channel_attributes(lvm_t)
-init_script_use_pseudoterminal(lvm_t)
+init_use_fd(lvm_t)
+init_dontaudit_getattr_initctl(lvm_t)
+init_use_script_pty(lvm_t)
-libraries_use_dynamic_loader(lvm_t)
-libraries_use_shared_libraries(lvm_t)
+libs_use_ld_so(lvm_t)
+libs_use_shared_libs(lvm_t)
-logging_send_system_log_message(lvm_t)
+logging_send_syslog_msg(lvm_t)
miscfiles_read_localization(lvm_t)
@@ -138,14 +138,14 @@ selinux_newrole_sigchld(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
- files_modify_isid_type_dir(lvm_t)
+ files_rw_isid_type_dir(lvm_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(lvm_t)
terminal_ignore_use_general_pseudoterminal(lvm_t)
- files_ignore_read_rootfs_file(lvm_t)
+ files_dontaudit_read_root_file(lvm_t)
')
optional_policy(`bootloader.te',`
@@ -153,7 +153,7 @@ optional_policy(`bootloader.te',`
')
optional_policy(`udev.te', `
- udev_read_database(lvm_t)
+ udev_read_db(lvm_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 1a671b9..cca062f 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -2,7 +2,7 @@
## Miscelaneous files.
########################################
-##
+##
##
## Allow process to create files and dirs in /var/cache/man
## and /var/catman/
@@ -15,7 +15,7 @@
##
##
#
-define(`miscfiles_manage_man_page_cache',`
+define(`miscfiles_rw_man_cache',`
requires_block_template(`$0'_depend)
# FIXME: search var_t dir
@@ -23,7 +23,7 @@ define(`miscfiles_manage_man_page_cache',`
allow $1 catman_t:file create_file_perms;
')
-define(`miscfiles_manage_man_page_cache_depend',`
+define(`miscfiles_rw_man_cache_depend',`
type catman_t;
class dir create_dir_perms;
@@ -83,7 +83,7 @@ define(`miscfiles_read_localization',`
allow $1 locale_t:file r_file_perms;
# why?
- libraries_read_library_resources($1)
+ libs_read_lib($1)
')
define(`miscfiles_read_localization_depend',`
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 76438d7..c275451 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
# catman_t is the type for /var/catman.
#
type catman_t; # , tmpfile;
-files_make_file(catman_t)
+files_file_type(catman_t)
#
# cert_t is the type of files in the system certs directories.
#
type cert_t;
-files_make_file(cert_t)
+files_file_type(cert_t)
#
# fonts_t is the type of various font
# files in /usr
#
type fonts_t;
-files_make_file(fonts_t)
+files_file_type(fonts_t)
#
# locale_t is the type for system localization
#
type locale_t;
-files_make_file(locale_t)
+files_file_type(locale_t)
#
# man_t is the type for the man directories.
#
type man_t;
-files_make_file(man_t)
+files_file_type(man_t)
#
# Base type for the tests directory.
#
type test_file_t;
-files_make_file(test_file_t)
+files_file_type(test_file_t)
#
# for /var/{spool,lib}/texmf index files
#
type tetex_data_t; # , tmpfile;
-files_make_file(tetex_data_t)
+files_file_type(tetex_data_t)
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 1ce9857..567d30d 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -26,7 +26,7 @@ define(`modutils_read_kernel_module_dependencies_depend',`
')
########################################
-##
+##
##
## Read the configuration options used when
## loading modules.
@@ -36,20 +36,20 @@ define(`modutils_read_kernel_module_dependencies_depend',`
##
##
#
-define(`modutils_read_kernel_module_loading_config',`
+define(`modutils_read_module_conf',`
requires_block_template(`$0'_depend)
allow $1 modules_conf_t:file r_file_perms;
')
-define(`modutils_read_kernel_module_loading_config_depend',`
+define(`modutils_read_module_conf_depend',`
type modules_conf_t;
class file r_file_perms;
')
########################################
-##
+##
##
## Execute insmod in the insmod domain. Has a
## sigchld backchannel.
@@ -59,7 +59,7 @@ define(`modutils_read_kernel_module_loading_config_depend',`
##
##
#
-define(`modutils_insmod_transition',`
+define(`modutils_domtrans_insmod',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, insmod_exec_t, insmod_t)
@@ -70,7 +70,7 @@ define(`modutils_insmod_transition',`
allow insmod_t $1:process sigchld;
')
-define(`modutils_insmod_transition_depend',`
+define(`modutils_domtrans_insmod_depend',`
type insmod_t;
class file { getattr read execute };
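Review bot: `modutils_domtrans_insmod_depend` declares only `type insmod_t;`, but the body it supports (`domain_auto_trans($1, insmod_exec_t, insmod_t)`, in the previous hunk) also references `insmod_exec_t`; the consoletype and lvm `_domtrans_depend` blocks in this same commit declare both types (`type lvm_t, lvm_exec_t;`), so this one should read `type insmod_t, insmod_exec_t;`. Assuming `requires_block_template` turns the `_depend` macro into the module's `require` block, the missing type will surface only when the interface is used from a module that does not already pull in insmod_exec_t. The same omission repeats for `modutils_exec_insmod_depend` (declares insmod_t, body uses insmod_exec_t), `modutils_domtrans_depmod_depend`, `modutils_exec_depmod_depend`, `modutils_domtrans_update_mods_depend` and `modutils_exec_update_mods_depend` further down this file; the `_exec_*` variants need only the `*_exec_t` type.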
@@ -80,7 +80,7 @@ define(`modutils_insmod_transition_depend',`
')
########################################
-##
+##
##
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
@@ -98,15 +98,15 @@ define(`modutils_insmod_transition_depend',`
##
##
#
-define(`modutils_insmod_transition_add_role_use_terminal',`
+define(`modutils_run_insmod',`
requires_block_template(`$0'_depend)
- modutils_insmod_transition($1)
+ modutils_domtrans_insmod($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
-define(`modutils_insmod_transition_add_role_use_terminal_depend',`
+define(`modutils_run_insmod_depend',`
type insmod_t;
class chr_file { getattr read write ioctl };
@@ -114,22 +114,22 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',`
########################################
#
-# modutils_insmod_execute(domain)
+# modutils_exec_insmod(domain)
#
-define(`modutils_insmod_execute',`
+define(`modutils_exec_insmod',`
requires_block_template(`$0'_depend)
can_exec($1, insmod_exec_t)
')
-define(`modutils_insmod_execute_depend',`
+define(`modutils_exec_insmod_depend',`
type insmod_t;
class file { getattr read execute execute_no_trans };
')
########################################
-##
+##
##
## Execute depmod in the depmod domain.
##
@@ -138,7 +138,7 @@ define(`modutils_insmod_execute_depend',`
##
##
#
-define(`modutils_depmod_transition',`
+define(`modutils_domtrans_depmod',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, depmod_exec_t, depmod_t)
@@ -149,7 +149,7 @@ define(`modutils_depmod_transition',`
allow depmod_t $1:process sigchld;
')
-define(`modutils_depmod_transition_depend',`
+define(`modutils_domtrans_depmod_depend',`
type depmod_t;
class file { getattr read execute };
@@ -159,7 +159,7 @@ define(`modutils_depmod_transition_depend',`
')
########################################
-##
+##
##
## Execute depmod in the depmod domain.
##
@@ -174,15 +174,15 @@ define(`modutils_depmod_transition_depend',`
##
##
#
-define(`modutils_depmod_transition_add_role_use_terminal',`
+define(`modutils_run_depmod',`
requires_block_template(`$0'_depend)
- modutils_depmod_transition($1)
+ modutils_domtrans_depmod($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
-define(`modutils_depmod_transition_add_role_use_terminal_depend',`
+define(`modutils_run_depmod_depend',`
type depmod_t;
class chr_file { getattr read write ioctl };
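Review bot: `modutils_run_depmod` grants the role and terminal access to the wrong domain: the body reads `role $2 types insmod_t;` and `allow insmod_t $3:chr_file { getattr read write ioctl };` while the interface transitions into depmod_t and its `_depend` block declares `type depmod_t;`. This is a pre-existing copy-paste from the insmod variant that the rename preserves; the two lines should be `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`, otherwise callers get a depmod_t process the role cannot hold and a terminal it cannot write.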
@@ -190,22 +190,22 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',`
########################################
#
-# modutils_depmod_execute(domain)
+# modutils_exec_depmod(domain)
#
-define(`modutils_depmod_execute',`
+define(`modutils_exec_depmod',`
requires_block_template(`$0'_depend)
can_exec($1, depmod_exec_t)
')
-define(`modutils_depmod_execute_depend',`
+define(`modutils_exec_depmod_depend',`
type depmod_t;
class file { getattr read execute execute_no_trans };
')
########################################
-##
+##
##
## Execute depmod in the depmod domain.
##
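Review bot: The `##` summary closing this hunk reads `## Execute depmod in the depmod domain.` but it heads `modutils_domtrans_update_mods`, whose define begins in the next hunk and transitions into update_modules_t. It should read `## Execute update_modules in the update_modules domain.`; the depmod wording was evidently carried over when the block was copied. Documentation-only, but these summaries are what the interface reference is generated from.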
@@ -214,7 +214,7 @@ define(`modutils_depmod_execute_depend',`
##
##
#
-define(`modutils_update_modules_transition',`
+define(`modutils_domtrans_update_mods',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
@@ -225,7 +225,7 @@ define(`modutils_update_modules_transition',`
allow update_modules_t $1:process sigchld;
')
-define(`modutils_update_modules_transition_depend',`
+define(`modutils_domtrans_update_mods_depend',`
type update_modules_t;
class file { getattr read execute };
@@ -235,7 +235,7 @@ define(`modutils_update_modules_transition_depend',`
')
########################################
-##
+##
##
## Execute update_modules in the update_modules domain.
##
@@ -250,15 +250,15 @@ define(`modutils_update_modules_transition_depend',`
##
##
#
-define(`modutils_update_modules_transition_add_role_use_terminal',`
+define(`modutils_run_update_mods',`
requires_block_template(`$0'_depend)
- modutils_update_modules_transition($1)
+ modutils_domtrans_update_mods($1)
role $2 types update_modules_t;
allow update_modules_t $3:chr_file rw_file_perms;
')
-define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
+define(`modutils_run_update_mods_depend',`
type update_modules_t;
class chr_file rw_file_perms;
@@ -266,15 +266,15 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
########################################
#
-# modutils_update_modules_execute(domain)
+# modutils_exec_update_mods(domain)
#
-define(`modutils_update_modules_execute',`
+define(`modutils_exec_update_mods',`
requires_block_template(`$0'_depend)
can_exec($1, update_modules_exec_t)
')
-define(`modutils_update_modules_execute_depend',`
+define(`modutils_exec_update_mods_depend',`
type update_modules_t;
class file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index cde351f..d9cdace 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -8,30 +8,30 @@ policy_module(modutils,1.0)
# module loading config
type modules_conf_t;
-files_make_file(modules_conf_t)
+files_file_type(modules_conf_t)
# module dependencies
type modules_dep_t;
-files_make_file(modules_dep_t)
+files_file_type(modules_dep_t)
type insmod_t;
type insmod_exec_t;
kernel_userland_entry(insmod_t,insmod_exec_t)
-init_make_system_domain(insmod_t,insmod_exec_t)
+init_system_domain(insmod_t,insmod_exec_t)
role system_r types insmod_t;
type depmod_t;
type depmod_exec_t;
-init_make_system_domain(depmod_t,depmod_exec_t)
+init_system_domain(depmod_t,depmod_exec_t)
role system_r types depmod_t;
type update_modules_t;
type update_modules_exec_t;
-init_make_system_domain(update_modules_t,update_modules_exec_t)
+init_system_domain(update_modules_t,update_modules_exec_t)
role system_r types update_modules_t;
type update_modules_tmp_t;
-files_make_temporary_file(update_modules_tmp_t)
+files_tmp_file(update_modules_tmp_t)
########################################
#
@@ -68,37 +68,37 @@ dev_rw_agp_dev(insmod_t)
fs_getattr_xattr_fs(insmod_t)
-corecommands_execute_general_programs(insmod_t)
-corecommands_execute_system_programs(insmod_t)
-corecommands_execute_shell(insmod_t)
+corecmd_exec_bin(insmod_t)
+corecmd_exec_sbin(insmod_t)
+corecmd_exec_shell(insmod_t)
domain_signal_all_domains(insmod_t)
-domain_use_widely_inheritable_file_descriptors(insmod_t)
+domain_use_wide_inherit_fd(insmod_t)
-files_read_runtime_system_config(insmod_t)
-files_read_general_system_config(insmod_t)
-files_read_general_application_resources(insmod_t)
-files_execute_system_config_script(insmod_t)
+files_read_etc_runtime_files(insmod_t)
+files_read_generic_etc_files(insmod_t)
+files_read_usr_files(insmod_t)
+files_exec_generic_etc_files(insmod_t)
# for nscd:
-files_ignore_search_runtime_data_directory(insmod_t)
+files_dontaudit_search_pids(insmod_t)
# for when /var is not mounted early in the boot:
-files_ignore_search_isid_type_dir(insmod_t)
+files_dontaudit_search_isid_type_dir(insmod_t)
-init_use_control_channel(insmod_t)
-init_use_file_descriptors(insmod_t)
-init_script_use_file_descriptors(insmod_t)
-init_script_use_pseudoterminal(insmod_t)
+init_use_initctl(insmod_t)
+init_use_fd(insmod_t)
+init_use_script_fd(insmod_t)
+init_use_script_pty(insmod_t)
-libraries_use_dynamic_loader(insmod_t)
-libraries_use_shared_libraries(insmod_t)
+libs_use_ld_so(insmod_t)
+libs_use_shared_libs(insmod_t)
-logging_send_system_log_message(insmod_t)
-logging_search_system_log_directory(insmod_t)
+logging_send_syslog_msg(insmod_t)
+logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t)
optional_policy(`mount.te',`
- mount_transition(insmod_t)
+ mount_domtrans(insmod_t)
')
ifdef(`TODO',`
@@ -138,18 +138,18 @@ term_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t)
-init_use_file_descriptors(depmod_t)
-init_script_use_file_descriptors(depmod_t)
-init_script_use_pseudoterminal(depmod_t)
+init_use_fd(depmod_t)
+init_use_script_fd(depmod_t)
+init_use_script_pty(depmod_t)
-domain_use_widely_inheritable_file_descriptors(depmod_t)
+domain_use_wide_inherit_fd(depmod_t)
-files_read_runtime_system_config(depmod_t)
-files_read_general_system_config(depmod_t)
-files_read_system_source_code(depmod_t)
+files_read_etc_runtime_files(depmod_t)
+files_read_generic_etc_files(depmod_t)
+files_read_usr_src(depmod_t)
-libraries_use_dynamic_loader(depmod_t)
-libraries_use_shared_libraries(depmod_t)
+libs_use_ld_so(depmod_t)
+libs_use_shared_libs(depmod_t)
ifdef(`TODO',`
@@ -177,14 +177,14 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms;
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
-files_create_private_config(update_modules_t,modules_conf_t)
+files_create_etc_config(update_modules_t,modules_conf_t)
# transition to depmod
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
allow update_modules_t update_modules_tmp_t:file create_file_perms;
-files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir })
+files_create_tmp_files(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t)
@@ -195,24 +195,24 @@ fs_getattr_xattr_fs(update_modules_t)
term_use_console(update_modules_t)
-init_use_file_descriptors(depmod_t)
-init_script_use_file_descriptors(depmod_t)
-init_script_use_pseudoterminal(depmod_t)
+init_use_fd(depmod_t)
+init_use_script_fd(depmod_t)
+init_use_script_pty(depmod_t)
-domain_use_widely_inheritable_file_descriptors(depmod_t)
+domain_use_wide_inherit_fd(depmod_t)
-files_read_runtime_system_config(update_modules_t)
-files_read_general_system_config(update_modules_t)
-files_execute_system_config_script(update_modules_t)
+files_read_etc_runtime_files(update_modules_t)
+files_read_generic_etc_files(update_modules_t)
+files_exec_generic_etc_files(update_modules_t)
-corecommands_execute_general_programs(update_modules_t)
-corecommands_execute_system_programs(update_modules_t)
-corecommands_execute_shell(update_modules_t)
+corecmd_exec_bin(update_modules_t)
+corecmd_exec_sbin(update_modules_t)
+corecmd_exec_shell(update_modules_t)
-libraries_use_dynamic_loader(update_modules_t)
-libraries_use_shared_libraries(update_modules_t)
+libs_use_ld_so(update_modules_t)
+libs_use_shared_libs(update_modules_t)
-logging_send_system_log_message(update_modules_t)
+logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
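Review bot: The four lines directly after `term_use_console(update_modules_t)` on the new side (`init_use_fd(depmod_t)`, `init_use_script_fd(depmod_t)`, `init_use_script_pty(depmod_t)`, `domain_use_wide_inherit_fd(depmod_t)`) target depmod_t inside the update_modules_t section and merely duplicate the identical calls already made for depmod_t in the `@@ -138,18` hunk, so update_modules_t itself presumably never receives these init fd/pty and inheritable-fd permissions. This looks like a copy-paste slip that the rename preserved; the domain argument should likely be update_modules_t, as it is for every neighbouring rule in this section.
```m4
term_use_console(update_modules_t)

init_use_fd(update_modules_t)
init_use_script_fd(update_modules_t)
init_use_script_pty(update_modules_t)

domain_use_wide_inherit_fd(update_modules_t)

# … unchanged: files_*, corecmd_*, libs_*, logging_* rules for update_modules_t …
```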
diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if
index c9b9228..69457c8 100644
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@@ -2,7 +2,7 @@
## Policy for mount.
########################################
-##
+##
##
## Execute mount in the mount domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`mount_transition',`
+define(`mount_domtrans',`
requires_block_template(`$0'_depend)
allow $1 mount_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`mount_transition',`
allow mount_t $1:process sigchld;
')
-define(`mount_transition_depend',`
+define(`mount_domtrans_depend',`
type mount_t, mount_exec_t;
class file rx_file_perms;
@@ -35,7 +35,7 @@ define(`mount_transition_depend',`
')
########################################
-##
+##
##
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
@@ -52,22 +52,22 @@ define(`mount_transition_depend',`
##
##
#
-define(`mount_transition_add_role_use_terminal',`
+define(`mount_run',`
requires_block_template(`$0'_depend)
- mount_transition($1)
+ mount_domtrans($1)
role $2 types mount_t;
allow mount_t $3:chr_file rw_file_perms;
')
-define(`mount_transition_add_role_use_terminal_depend',`
+define(`mount_run_depend',`
type mount_t;
class chr_file rw_file_perms;
')
########################################
-##
+##
##
## Use file descriptors for mount.
##
@@ -76,13 +76,13 @@ define(`mount_transition_add_role_use_terminal_depend',`
##
##
#
-define(`mount_use_file_descriptors',`
+define(`mount_use_fd',`
requires_block_template(`$0'_depend)
allow $1 mount_t:fd use;
')
-define(`mount_use_file_descriptors_depend',`
+define(`mount_use_fd_depend',`
type mount_t;
class fd use;
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index aaa9565..8e9737b 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,11 +1,11 @@
type mount_t;
type mount_exec_t;
-init_make_system_domain(mount_t,mount_exec_t)
+init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
type mount_tmp_t;
-files_make_temporary_file(mount_tmp_t)
+files_tmp_file(mount_tmp_t)
########################################
#
@@ -16,7 +16,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
-files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
+files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
kernel_dontaudit_use_fd(mount_t)
@@ -41,39 +41,39 @@ fs_relabelfrom_xattr_fs(mount_t)
term_use_console(mount_t)
# required for mount.smbfs
-corecommands_execute_system_programs(mount_t)
-corecommands_execute_general_programs(mount_t)
+corecmd_exec_sbin(mount_t)
+corecmd_exec_bin(mount_t)
-domain_use_widely_inheritable_file_descriptors(mount_t)
+domain_use_wide_inherit_fd(mount_t)
-files_search_all_directories(mount_t)
-files_read_general_system_config(mount_t)
-files_manage_runtime_system_config(mount_t)
-files_mount_on_all_mountpoints(mount_t)
-files_unmount_root_fs(mount_t)
+files_search_all_dirs(mount_t)
+files_read_generic_etc_files(mount_t)
+files_manage_etc_runtime_files(mount_t)
+files_mounton_all_mountpoints(mount_t)
+files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
-init_use_file_descriptors(mount_t)
-init_script_use_pseudoterminal(mount_t)
+init_use_fd(mount_t)
+init_use_script_pty(mount_t)
-libraries_use_dynamic_loader(mount_t)
-libraries_use_shared_libraries(mount_t)
+libs_use_ld_so(mount_t)
+libs_use_shared_libs(mount_t)
-logging_send_system_log_message(mount_t)
+logging_send_syslog_msg(mount_t)
miscfiles_read_localization(mount_t)
-userdomain_use_all_users_file_descriptors(mount_t)
+userdom_use_all_user_fd(mount_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(mount_t)
allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',`
- authlogin_pam_console_read_runtime_data(mount_t)
+ auth_read_pam_console_data(mount_t)
# mount config by default sets fscontext=removable_t
fs_relabelfrom_dos_fs(mount_t)
')
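Review bot: `files_mount_all_file_type_fs(mount_t)` appears twice in a row on the new side (the two lines after `files_relabelto_all_file_type_fs(mount_t)`); the second is redundant and should be dropped so the rule set stays readable. The existing comment above them already notes that these relabel/mount grants are broader than intended and should be confined to admin and initrc domains; since this commit only renames interfaces, that remains an open item worth a `# TODO:` marker rather than prose so it is not lost.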
@@ -103,7 +103,7 @@ optional_policy(`portmap.te', `
ifdef(`TODO',`
# this goes to the nfs/rpc module
-files_make_mountpoint(var_lib_nfs_t)
+files_mountpoint(var_lib_nfs_t)
# TODO: Need to examine this further. Not sure how to handle this
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index f3defc7..78fbf0d 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -2,7 +2,7 @@
## Policy for SELinux policy and userland applications.
#######################################
-##
+##
##
## Execute checkpolicy in the checkpolicy domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`selinux_checkpolicy_transition',`
+define(`selinux_domtrans_checkpol',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
allow checkpolicy_t $1:process sigchld;
')
-define(`selinux_checkpolicy_transition_depend',`
+define(`selinux_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms
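Review bot: `class file rx_file_perms` at the end of the selinux_domtrans_checkpol_depend hunk is missing its terminating `;`, unlike the equivalent `class file rx_file_perms;` in selinux_domtrans_loadpol_depend and mount_domtrans_depend. If requires_block_template emits these lines verbatim into a require block this is a syntax error; the line should be `class file rx_file_perms;`. The same omission is in selinux_read_loadpol_depend (`class file r_file_perms` in the `@@ -167,22` hunk). The _depend body continues past the hunk.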
@@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
')
########################################
-##
+##
##
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
@@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
##
##
#
-define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+define(`selinux_run_checkpol',`
requires_block_template(`$0'_depend)
- selinux_checkpolicy_transition($1)
+ selinux_domtrans_checkpol($1)
role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+define(`selinux_run_checkpol_depend',`
type checkpolicy_t;
class chr_file { getattr read write ioctl };
@@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_checkpolicy_execute(domain)
+# selinux_exec_checkpol(domain)
#
-define(`selinux_checkpolicy_execute',`
+define(`selinux_exec_checkpol',`
requires_block_template(`$0'_depend)
can_exec($1,checkpolicy_exec_t)
')
-define(`selinux_checkpolicy_execute_depend',`
+define(`selinux_exec_checkpol_depend',`
type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans };
')
#######################################
-##
+##
##
## Execute load_policy in the load_policy domain.
##
@@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
##
##
#
-define(`selinux_load_policy_transition',`
+define(`selinux_domtrans_loadpol',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file rx_file_perms;
@@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
allow load_policy_t $1:process sigchld;
')
-define(`selinux_load_policy_transition_depend',`
+define(`selinux_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t;
class file rx_file_perms;
@@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
')
########################################
-##
+##
##
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
@@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
##
##
#
-define(`selinux_load_policy_transition_add_role_use_terminal',`
+define(`selinux_run_loadpol',`
requires_block_template(`$0'_depend)
- selinux_load_policy_transition($1)
+ selinux_domtrans_loadpol($1)
role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+define(`selinux_run_loadpol_depend',`
type load_policy_t;
class chr_file { getattr read write ioctl };
@@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_load_policy_execute(domain)
+# selinux_exec_loadpol(domain)
#
-define(`selinux_load_policy_execute',`
+define(`selinux_exec_loadpol',`
requires_block_template(`$0'_depend)
can_exec($1,load_policy_exec_t)
')
-define(`selinux_load_policy_execute_depend',`
+define(`selinux_exec_loadpol_depend',`
type load_policy_exec_t;
class file { rx_file_perms execute_no_trans };
@@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
#######################################
#
-# selinux_read_load_policy_binary(domain)
+# selinux_read_loadpol(domain)
#
-define(`selinux_read_load_policy_binary',`
+define(`selinux_read_loadpol',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file r_file_perms;
')
-define(`selinux_read_load_policy_binary_depend',`
+define(`selinux_read_loadpol_depend',`
type load_policy_exec_t;
class file r_file_perms
')
#######################################
-##
+##
##
## Execute newrole in the load_policy domain.
##
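Review bot: The description block that this hunk touches still says `## Execute newrole in the load_policy domain.` even though the interface it documents is selinux_domtrans_newrole, which transitions into newrole_t; the commit changes the surrounding `##` lines but leaves the wrong domain name. It should read `## Execute newrole in the newrole domain.`. The documented interface definition starts outside the hunk.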
@@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
##
##
#
-define(`selinux_newrole_transition',`
+define(`selinux_domtrans_newrole',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file rx_file_perms;
@@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
allow newrole_t $1:process sigchld;
')
-define(`selinux_newrole_transition_depend',`
+define(`selinux_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t;
class file rx_file_perms;
@@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
')
########################################
-##
+##
##
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
@@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
##
##
#
-define(`selinux_newrole_transition_add_role_use_terminal',`
+define(`selinux_run_newrole',`
requires_block_template(`$0'_depend)
- selinux_newrole_transition($1)
+ selinux_domtrans_newrole($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+define(`selinux_run_newrole_depend',`
type newrole_t;
class chr_file { getattr read write ioctl };
@@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_newrole_execute(domain)
+# selinux_exec_newrole(domain)
#
-define(`selinux_newrole_execute',`
+define(`selinux_exec_newrole',`
requires_block_template(`$0'_depend)
can_exec($1,newrole_exec_t)
')
-define(`selinux_newrole_execute_depend',`
+define(`selinux_exec_newrole_depend',`
type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
-##
+##
##
## Do not audit the caller attempts to send
## a signal to newrole.
@@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
##
##
#
-define(`selinux_newrole_ignore_signal',`
+define(`selinux_dontaudit_newrole_signal',`
requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal;
')
-define(`selinux_newrole_ignore_signal_depend',`
+define(`selinux_dontaudit_newrole_signal_depend',`
type newrole_t;
class process signal;
@@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
#######################################
#
-# selinux_newrole_use_file_descriptors(domain)
+# selinux_use_newrole_fd(domain)
#
-define(`selinux_newrole_use_file_descriptors',`
+define(`selinux_use_newrole_fd',`
requires_block_template(`$0'_depend)
allow $1 newrole_t:fd use;
')
-define(`selinux_newrole_use_file_descriptors_depend',`
+define(`selinux_use_newrole_fd_depend',`
type newrole_t;
class fd use;
')
#######################################
-##
+##
##
## Execute restorecon in the restorecon domain.
##
@@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
##
##
#
-define(`selinux_restorecon_transition',`
+define(`selinux_domtrans_restorecon',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file rx_file_perms;
@@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
allow restorecon_t $1:process sigchld;
')
-define(`selinux_restorecon_transition_depend',`
+define(`selinux_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file rx_file_perms;
@@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
')
########################################
-##
+##
##
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
@@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
##
##
#
-define(`selinux_restorecon_transition_add_role_use_terminal',`
+define(`selinux_run_restorecon',`
requires_block_template(`$0'_depend)
- selinux_restorecon_transition($1)
+ selinux_domtrans_restorecon($1)
role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+define(`selinux_run_restorecon_depend',`
type restorecon_t;
class chr_file { getattr read write ioctl };
@@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_restorecon_execute(domain)
+# selinux_exec_restorecon(domain)
#
-define(`selinux_restorecon_execute',`
+define(`selinux_exec_restorecon',`
requires_block_template(`$0'_depend)
can_exec($1,restorecon_exec_t)
')
-define(`selinux_restorecon_execute_depend',`
+define(`selinux_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
-##
+##
##
## Execute run_init in the run_init domain.
##
@@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
##
##
#
-define(`selinux_run_init_transition',`
+define(`selinux_domtrans_runinit',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file rx_file_perms;
@@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
allow run_init_t $1:process sigchld;
')
-define(`selinux_run_init_transition_depend',`
+define(`selinux_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t;
class file rx_file_perms;
@@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
')
########################################
-##
+##
##
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
@@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
##
##
#
-define(`selinux_run_init_transition_add_role_use_terminal',`
+define(`selinux_run_runinit',`
requires_block_template(`$0'_depend)
- selinux_run_init_transition($1)
+ selinux_domtrans_runinit($1)
role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+define(`selinux_run_runinit_depend',`
type run_init_t;
class chr_file { getattr read write ioctl };
@@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
########################################
#
-# selinux_run_init_use_file_descriptors(domain)
+# selinux_use_runinit_fd(domain)
#
-define(`selinux_run_init_use_file_descriptors',`
+define(`selinux_use_runinit_fd',`
requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use;
')
-define(`selinux_run_init_use_file_descriptors_depend',`
+define(`selinux_use_runinit_fd_depend',`
type run_init_t;
class fd use;
')
########################################
-##
+##
##
## Execute setfiles in the setfiles domain.
##
@@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
##
##
#
-define(`selinux_setfiles_transition',`
+define(`selinux_domtrans_setfiles',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file rx_file_perms;
@@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
allow setfiles_t $1:process sigchld;
')
-define(`selinux_setfiles_transition_depend',`
+define(`selinux_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t;
class file rx_file_perms;
@@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
')
########################################
-##
+##
##
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
@@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
##
##
#
-define(`selinux_setfiles_transition_add_role_use_terminal',`
+define(`selinux_run_setfiles',`
requires_block_template(`$0'_depend)
- selinux_setfiles_transition($1)
+ selinux_domtrans_setfiles($1)
role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+define(`selinux_run_setfiles_depend',`
type setfiles_t;
class chr_file { getattr read write ioctl };
@@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_setfiles_execute(domain)
+# selinux_exec_setfiles(domain)
#
-define(`selinux_setfiles_execute',`
+define(`selinux_exec_setfiles',`
requires_block_template(`$0'_depend)
can_exec($1,setfiles_exec_t)
')
-define(`selinux_setfiles_execute_depend',`
+define(`selinux_exec_setfiles_depend',`
type setfiles_exec_t;
class file { rx_file_perms execute_no_trans };
@@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
########################################
#
-# selinux_read_binary_policy(domain)
+# selinux_read_binary_pol(domain)
#
-define(`selinux_read_binary_policy',`
+define(`selinux_read_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms;
')
-define(`selinux_read_binary_policy_depend',`
+define(`selinux_read_binary_pol_depend',`
type policy_config_t;
class dir r_dir_perms;
@@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
########################################
#
-# selinux_write_binary_policy(domain)
+# selinux_write_binary_pol(domain)
#
-define(`selinux_write_binary_policy',`
+define(`selinux_write_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir rw_dir_perms;
@@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
typeattribute $1 can_write_binary_policy;
')
-define(`selinux_write_binary_policy_depend',`
+define(`selinux_write_binary_pol_depend',`
attribute can_write_binary_policy;
type policy_config_t;
@@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
')
########################################
-##
+##
##
## Allow the caller to relabel a file to the binary policy type.
##
@@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
##
##
#
-define(`selinux_relabelto_binary_policy',`
+define(`selinux_relabelto_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy;
')
-define(`selinux_relabelto_binary_policy_depend',`
+define(`selinux_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy;
type policy_config_t;
@@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
########################################
#
-# selinux_manage_binary_policy(domain)
+# selinux_manage_binary_pol(domain)
#
-define(`selinux_manage_binary_policy',`
+define(`selinux_manage_binary_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
typeattribute $1 can_write_binary_policy;
')
-define(`selinux_manage_binary_policy_depend',`
+define(`selinux_manage_binary_pol_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
@@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
########################################
#
-# selinux_read_source_policy(domain)
+# selinux_read_src_pol(domain)
#
-define(`selinux_read_source_policy',`
+define(`selinux_read_src_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
allow $1 policy_src_t:file r_file_perms;
')
-define(`selinux_read_source_policy_depend',`
+define(`selinux_read_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir r_dir_perms;
@@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
########################################
#
-# selinux_manage_source_policy(domain)
+# selinux_manage_src_pol(domain)
#
-define(`selinux_manage_source_policy',`
+define(`selinux_manage_src_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
allow $1 policy_src_t:file create_file_perms;
')
-define(`selinux_manage_source_policy_depend',`
+define(`selinux_manage_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir create_dir_perms;
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index ab8e283..4926625 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -10,48 +10,48 @@ attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
type checkpolicy_t, can_write_binary_policy;
-domain_make_domain(checkpolicy_t)
+domain_type(checkpolicy_t)
role system_r types checkpolicy_t;
type checkpolicy_exec_t;
-domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
+domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
-files_make_file(default_context_t)
+files_file_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
-files_make_file(file_context_t)
+files_file_type(file_context_t)
type load_policy_t;
-domain_make_domain(load_policy_t)
+domain_type(load_policy_t)
role system_r types load_policy_t;
type load_policy_exec_t;
-domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+domain_entry_file(load_policy_t,load_policy_exec_t)
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-kernel_make_role_change_constraint_exception(newrole_t)
-kernel_make_object_identity_change_constraint_exception(newrole_t)
-domain_make_domain(newrole_t)
-domain_make_file_descriptors_widely_inheritable(newrole_t)
+kernel_role_change_exempt(newrole_t)
+kernel_obj_id_change_exempt(newrole_t)
+domain_type(newrole_t)
+domain_wide_inherit_fd(newrole_t)
type newrole_exec_t;
-domain_make_entrypoint_file(newrole_t,newrole_exec_t)
+domain_entry_file(newrole_t,newrole_exec_t)
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t;
-files_make_file(policy_config_t)
+files_file_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files.
#
type policy_src_t;
-files_make_file(policy_src_t)
+files_file_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-init_make_system_domain(restorecon_t,restorecon_exec_t)
+kernel_obj_id_change_exempt(restorecon_t)
+init_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
type run_init_t;
-domain_make_domain(run_init_t)
+domain_type(run_init_t)
type run_init_exec_t;
-domain_make_entrypoint_file(run_init_t,run_init_exec_t)
+domain_entry_file(run_init_t,run_init_exec_t)
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
type selinux_config_t;
-files_make_file(selinux_config_t)
+files_file_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy;
-kernel_make_object_identity_change_constraint_exception(setfiles_t)
-domain_make_domain(setfiles_t)
+kernel_obj_id_change_exempt(setfiles_t)
+domain_type(setfiles_t)
role system_r types setfiles_t;
type setfiles_exec_t;
-domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
+domain_entry_file(setfiles_t,setfiles_exec_t)
########################################
#
@@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t)
-domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+domain_use_wide_inherit_fd(checkpolicy_t)
# directory search permissions for path to source and binary policy files
-files_search_general_system_config_directory(checkpolicy_t)
+files_search_etc(checkpolicy_t)
-init_use_file_descriptors(checkpolicy_t)
-init_script_use_pseudoterminal(checkpolicy_t)
+init_use_fd(checkpolicy_t)
+init_use_script_pty(checkpolicy_t)
-libraries_use_dynamic_loader(checkpolicy_t)
-libraries_use_shared_libraries(checkpolicy_t)
+libs_use_ld_so(checkpolicy_t)
+libs_use_shared_libs(checkpolicy_t)
-userdomain_use_all_users_file_descriptors(checkpolicy_t)
+userdom_use_all_user_fd(checkpolicy_t)
ifdef(`TODO',`
# Read the devpts root directory.
@@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
-init_script_use_file_descriptors(load_policy_t)
-init_script_use_pseudoterminal(load_policy_t)
+init_use_script_fd(load_policy_t)
+init_use_script_pty(load_policy_t)
-domain_use_widely_inheritable_file_descriptors(load_policy_t)
+domain_use_wide_inherit_fd(load_policy_t)
-files_search_general_system_config_directory(load_policy_t)
+files_search_etc(load_policy_t)
-libraries_use_dynamic_loader(load_policy_t)
-libraries_use_shared_libraries(load_policy_t)
+libs_use_ld_so(load_policy_t)
+libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t)
-userdomain_use_all_users_file_descriptors(load_policy_t)
+userdom_use_all_user_fd(load_policy_t)
########################################
#
@@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
-authlogin_check_password_transition(newrole_t)
+auth_domtrans_chk_passwd(newrole_t)
-domain_use_widely_inheritable_file_descriptors(newrole_t)
+domain_use_wide_inherit_fd(newrole_t)
# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+init_rw_script_pid(newrole_t)
-files_read_general_system_config(newrole_t)
+files_read_generic_etc_files(newrole_t)
-libraries_use_dynamic_loader(newrole_t)
-libraries_use_shared_libraries(newrole_t)
+libs_use_ld_so(newrole_t)
+libs_use_shared_libs(newrole_t)
-logging_send_system_log_message(newrole_t)
+logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
+userdom_use_unpriv_users_fd(newrole_t)
ifdef(`TODO',`
@@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
term_use_unallocated_tty(restorecon_t)
-init_use_file_descriptors(restorecon_t)
-init_script_use_pseudoterminal(restorecon_t)
+init_use_fd(restorecon_t)
+init_use_script_pty(restorecon_t)
-domain_use_widely_inheritable_file_descriptors(restorecon_t)
+domain_use_wide_inherit_fd(restorecon_t)
-files_read_runtime_system_config(restorecon_t)
-files_read_general_system_config(restorecon_t)
+files_read_etc_runtime_files(restorecon_t)
+files_read_generic_etc_files(restorecon_t)
-libraries_use_dynamic_loader(restorecon_t)
-libraries_use_shared_libraries(restorecon_t)
+libs_use_ld_so(restorecon_t)
+libs_use_shared_libs(restorecon_t)
-logging_send_system_log_message(restorecon_t)
+logging_send_syslog_msg(restorecon_t)
-userdomain_use_all_users_file_descriptors(restorecon_t)
+userdom_use_all_user_fd(restorecon_t)
optional_policy(`hotplug.te',`
- hotplug_use_file_descriptors(restorecon_t)
+ hotplug_use_fd(restorecon_t)
')
# relabeling rules
@@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
dev_relabel_all_dev_nodes(restorecon_t)
files_relabel_all_files(restorecon_t)
-files_read_all_directories(restorecon_t)
+files_list_all_dirs(restorecon_t)
# this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(restorecon_t)
+auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t)
@@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t)
- dev_dontaudit_list_all_nodes(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
- authlogin_check_password_transition(run_init_t)
- authlogin_ignore_read_shadow_passwords(run_init_t)
+ auth_domtrans_chk_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
- corecommands_execute_general_programs(run_init_t)
- corecommands_execute_shell(run_init_t)
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
- domain_use_widely_inheritable_file_descriptors(run_init_t)
+ domain_use_wide_inherit_fd(run_init_t)
- files_read_general_system_config(run_init_t)
- files_ignore_search_all_directories(run_init_t)
+ files_read_generic_etc_files(run_init_t)
+ files_dontaudit_search_all_dirs(run_init_t)
- init_script_transition(run_init_t)
+ init_domtrans_script(run_init_t)
# for utmp
- init_script_modify_runtime_data(run_init_t)
+ init_rw_script_pid(run_init_t)
- libraries_use_dynamic_loader(run_init_t)
- libraries_use_shared_libraries(run_init_t)
+ libs_use_ld_so(run_init_t)
+ libs_use_shared_libs(run_init_t)
selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
- logging_send_system_log_message(run_init_t)
+ logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
@@ -398,7 +398,7 @@ ifdef(`TODO',`
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
- domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+ domain_entry_file(run_init_t,initrc_exec_t)
')
') dnl end TODO
@@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)
-init_use_file_descriptors(setfiles_t)
-init_script_use_file_descriptors(setfiles_t)
-init_script_use_pseudoterminal(setfiles_t)
+init_use_fd(setfiles_t)
+init_use_script_fd(setfiles_t)
+init_use_script_pty(setfiles_t)
-domain_use_widely_inheritable_file_descriptors(setfiles_t)
+domain_use_wide_inherit_fd(setfiles_t)
-libraries_use_dynamic_loader(setfiles_t)
-libraries_use_shared_libraries(setfiles_t)
+libs_use_ld_so(setfiles_t)
+libs_use_shared_libs(setfiles_t)
-files_read_runtime_system_config(setfiles_t)
-files_read_general_system_config(setfiles_t)
+files_read_etc_runtime_files(setfiles_t)
+files_read_generic_etc_files(setfiles_t)
-logging_send_system_log_message(setfiles_t)
+logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
-userdomain_use_all_users_file_descriptors(setfiles_t)
+userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory
-userdomain_read_all_users_data(setfiles_t)
+userdom_read_all_user_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t)
-
-files_read_all_directories(setfiles_t)
+files_list_all_dirs(setfiles_t)
files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(setfiles_t)
+auth_relabelto_shadow(setfiles_t)
ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index f3defc7..78fbf0d 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -2,7 +2,7 @@
## Policy for SELinux policy and userland applications.
#######################################
-##
+##
##
## Execute checkpolicy in the checkpolicy domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`selinux_checkpolicy_transition',`
+define(`selinux_domtrans_checkpol',`
requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file rx_file_perms;
@@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
allow checkpolicy_t $1:process sigchld;
')
-define(`selinux_checkpolicy_transition_depend',`
+define(`selinux_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms
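Review bot: `class file rx_file_perms` in `selinux_domtrans_checkpol_depend` appears to lack the terminating `;` that the other declarations in these depend blocks carry (compare `class file rx_file_perms;` in `selinux_domtrans_loadpol_depend`); the same applies to `class file r_file_perms` in `selinux_read_loadpol_depend` (hunk @@ -167,22). This is pre-existing context rather than something the rename introduced, but if the page rendering has not dropped the character and requires_block_template emits the depend body as a require block, the result would contain an unterminated statement. Suggested change: `class file rx_file_perms;`.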
@@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
')
########################################
-##
+##
##
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
@@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
##
##
#
-define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+define(`selinux_run_checkpol',`
requires_block_template(`$0'_depend)
- selinux_checkpolicy_transition($1)
+ selinux_domtrans_checkpol($1)
role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+define(`selinux_run_checkpol_depend',`
type checkpolicy_t;
class chr_file { getattr read write ioctl };
@@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_checkpolicy_execute(domain)
+# selinux_exec_checkpol(domain)
#
-define(`selinux_checkpolicy_execute',`
+define(`selinux_exec_checkpol',`
requires_block_template(`$0'_depend)
can_exec($1,checkpolicy_exec_t)
')
-define(`selinux_checkpolicy_execute_depend',`
+define(`selinux_exec_checkpol_depend',`
type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans };
')
#######################################
-##
+##
##
## Execute load_policy in the load_policy domain.
##
@@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
##
##
#
-define(`selinux_load_policy_transition',`
+define(`selinux_domtrans_loadpol',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file rx_file_perms;
@@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
allow load_policy_t $1:process sigchld;
')
-define(`selinux_load_policy_transition_depend',`
+define(`selinux_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t;
class file rx_file_perms;
@@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
')
########################################
-##
+##
##
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
@@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
##
##
#
-define(`selinux_load_policy_transition_add_role_use_terminal',`
+define(`selinux_run_loadpol',`
requires_block_template(`$0'_depend)
- selinux_load_policy_transition($1)
+ selinux_domtrans_loadpol($1)
role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+define(`selinux_run_loadpol_depend',`
type load_policy_t;
class chr_file { getattr read write ioctl };
@@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_load_policy_execute(domain)
+# selinux_exec_loadpol(domain)
#
-define(`selinux_load_policy_execute',`
+define(`selinux_exec_loadpol',`
requires_block_template(`$0'_depend)
can_exec($1,load_policy_exec_t)
')
-define(`selinux_load_policy_execute_depend',`
+define(`selinux_exec_loadpol_depend',`
type load_policy_exec_t;
class file { rx_file_perms execute_no_trans };
@@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
#######################################
#
-# selinux_read_load_policy_binary(domain)
+# selinux_read_loadpol(domain)
#
-define(`selinux_read_load_policy_binary',`
+define(`selinux_read_loadpol',`
requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file r_file_perms;
')
-define(`selinux_read_load_policy_binary_depend',`
+define(`selinux_read_loadpol_depend',`
type load_policy_exec_t;
class file r_file_perms
')
#######################################
-##
+##
##
## Execute newrole in the load_policy domain.
##
@@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
##
##
#
-define(`selinux_newrole_transition',`
+define(`selinux_domtrans_newrole',`
requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file rx_file_perms;
@@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
allow newrole_t $1:process sigchld;
')
-define(`selinux_newrole_transition_depend',`
+define(`selinux_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t;
class file rx_file_perms;
@@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
')
########################################
-##
+##
##
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
@@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
##
##
#
-define(`selinux_newrole_transition_add_role_use_terminal',`
+define(`selinux_run_newrole',`
requires_block_template(`$0'_depend)
- selinux_newrole_transition($1)
+ selinux_domtrans_newrole($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+define(`selinux_run_newrole_depend',`
type newrole_t;
class chr_file { getattr read write ioctl };
@@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_newrole_execute(domain)
+# selinux_exec_newrole(domain)
#
-define(`selinux_newrole_execute',`
+define(`selinux_exec_newrole',`
requires_block_template(`$0'_depend)
can_exec($1,newrole_exec_t)
')
-define(`selinux_newrole_execute_depend',`
+define(`selinux_exec_newrole_depend',`
type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
-##
+##
##
## Do not audit the caller attempts to send
## a signal to newrole.
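Review bot: `selinux_exec_newrole_depend` declares `type newrole_t, newrole_exec_t;` although the interface body only references `newrole_exec_t` through `can_exec`; the sibling `selinux_exec_checkpol_depend` and `selinux_exec_setfiles_depend` declare only the `_exec_t` type. The surplus declaration widens the dependency every caller of the interface takes on without granting anything, and `selinux_exec_restorecon_depend` (hunk @@ -384,21) has the same extra type. Suggested change: `type newrole_exec_t;`.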
@@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
##
##
#
-define(`selinux_newrole_ignore_signal',`
+define(`selinux_dontaudit_newrole_signal',`
requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal;
')
-define(`selinux_newrole_ignore_signal_depend',`
+define(`selinux_dontaudit_newrole_signal_depend',`
type newrole_t;
class process signal;
@@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
#######################################
#
-# selinux_newrole_use_file_descriptors(domain)
+# selinux_use_newrole_fd(domain)
#
-define(`selinux_newrole_use_file_descriptors',`
+define(`selinux_use_newrole_fd',`
requires_block_template(`$0'_depend)
allow $1 newrole_t:fd use;
')
-define(`selinux_newrole_use_file_descriptors_depend',`
+define(`selinux_use_newrole_fd_depend',`
type newrole_t;
class fd use;
')
#######################################
-##
+##
##
## Execute restorecon in the restorecon domain.
##
@@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
##
##
#
-define(`selinux_restorecon_transition',`
+define(`selinux_domtrans_restorecon',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file rx_file_perms;
@@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
allow restorecon_t $1:process sigchld;
')
-define(`selinux_restorecon_transition_depend',`
+define(`selinux_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file rx_file_perms;
@@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
')
########################################
-##
+##
##
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
@@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
##
##
#
-define(`selinux_restorecon_transition_add_role_use_terminal',`
+define(`selinux_run_restorecon',`
requires_block_template(`$0'_depend)
- selinux_restorecon_transition($1)
+ selinux_domtrans_restorecon($1)
role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+define(`selinux_run_restorecon_depend',`
type restorecon_t;
class chr_file { getattr read write ioctl };
@@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_restorecon_execute(domain)
+# selinux_exec_restorecon(domain)
#
-define(`selinux_restorecon_execute',`
+define(`selinux_exec_restorecon',`
requires_block_template(`$0'_depend)
can_exec($1,restorecon_exec_t)
')
-define(`selinux_restorecon_execute_depend',`
+define(`selinux_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
-##
+##
##
## Execute run_init in the run_init domain.
##
@@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
##
##
#
-define(`selinux_run_init_transition',`
+define(`selinux_domtrans_runinit',`
requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file rx_file_perms;
@@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
allow run_init_t $1:process sigchld;
')
-define(`selinux_run_init_transition_depend',`
+define(`selinux_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t;
class file rx_file_perms;
@@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
')
########################################
-##
+##
##
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
@@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
##
##
#
-define(`selinux_run_init_transition_add_role_use_terminal',`
+define(`selinux_run_runinit',`
requires_block_template(`$0'_depend)
- selinux_run_init_transition($1)
+ selinux_domtrans_runinit($1)
role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+define(`selinux_run_runinit_depend',`
type run_init_t;
class chr_file { getattr read write ioctl };
@@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
########################################
#
-# selinux_run_init_use_file_descriptors(domain)
+# selinux_use_runinit_fd(domain)
#
-define(`selinux_run_init_use_file_descriptors',`
+define(`selinux_use_runinit_fd',`
requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use;
')
-define(`selinux_run_init_use_file_descriptors_depend',`
+define(`selinux_use_runinit_fd_depend',`
type run_init_t;
class fd use;
')
########################################
-##
+##
##
## Execute setfiles in the setfiles domain.
##
@@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
##
##
#
-define(`selinux_setfiles_transition',`
+define(`selinux_domtrans_setfiles',`
requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file rx_file_perms;
@@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
allow setfiles_t $1:process sigchld;
')
-define(`selinux_setfiles_transition_depend',`
+define(`selinux_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t;
class file rx_file_perms;
@@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
')
########################################
-##
+##
##
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
@@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
##
##
#
-define(`selinux_setfiles_transition_add_role_use_terminal',`
+define(`selinux_run_setfiles',`
requires_block_template(`$0'_depend)
- selinux_setfiles_transition($1)
+ selinux_domtrans_setfiles($1)
role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl };
')
-define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+define(`selinux_run_setfiles_depend',`
type setfiles_t;
class chr_file { getattr read write ioctl };
@@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
#######################################
#
-# selinux_setfiles_execute(domain)
+# selinux_exec_setfiles(domain)
#
-define(`selinux_setfiles_execute',`
+define(`selinux_exec_setfiles',`
requires_block_template(`$0'_depend)
can_exec($1,setfiles_exec_t)
')
-define(`selinux_setfiles_execute_depend',`
+define(`selinux_exec_setfiles_depend',`
type setfiles_exec_t;
class file { rx_file_perms execute_no_trans };
@@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
########################################
#
-# selinux_read_binary_policy(domain)
+# selinux_read_binary_pol(domain)
#
-define(`selinux_read_binary_policy',`
+define(`selinux_read_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms;
')
-define(`selinux_read_binary_policy_depend',`
+define(`selinux_read_binary_pol_depend',`
type policy_config_t;
class dir r_dir_perms;
@@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
########################################
#
-# selinux_write_binary_policy(domain)
+# selinux_write_binary_pol(domain)
#
-define(`selinux_write_binary_policy',`
+define(`selinux_write_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir rw_dir_perms;
@@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
typeattribute $1 can_write_binary_policy;
')
-define(`selinux_write_binary_policy_depend',`
+define(`selinux_write_binary_pol_depend',`
attribute can_write_binary_policy;
type policy_config_t;
@@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
')
########################################
-##
+##
##
## Allow the caller to relabel a file to the binary policy type.
##
@@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
##
##
#
-define(`selinux_relabelto_binary_policy',`
+define(`selinux_relabelto_binary_pol',`
requires_block_template(`$0'_depend)
allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy;
')
-define(`selinux_relabelto_binary_policy_depend',`
+define(`selinux_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy;
type policy_config_t;
@@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
########################################
#
-# selinux_manage_binary_policy(domain)
+# selinux_manage_binary_pol(domain)
#
-define(`selinux_manage_binary_policy',`
+define(`selinux_manage_binary_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
typeattribute $1 can_write_binary_policy;
')
-define(`selinux_manage_binary_policy_depend',`
+define(`selinux_manage_binary_pol_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
@@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
########################################
#
-# selinux_read_source_policy(domain)
+# selinux_read_src_pol(domain)
#
-define(`selinux_read_source_policy',`
+define(`selinux_read_src_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
allow $1 policy_src_t:file r_file_perms;
')
-define(`selinux_read_source_policy_depend',`
+define(`selinux_read_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir r_dir_perms;
@@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
########################################
#
-# selinux_manage_source_policy(domain)
+# selinux_manage_src_pol(domain)
#
-define(`selinux_manage_source_policy',`
+define(`selinux_manage_src_pol',`
requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir
@@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
allow $1 policy_src_t:file create_file_perms;
')
-define(`selinux_manage_source_policy_depend',`
+define(`selinux_manage_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir create_dir_perms;
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ab8e283..4926625 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -10,48 +10,48 @@ attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
type checkpolicy_t, can_write_binary_policy;
-domain_make_domain(checkpolicy_t)
+domain_type(checkpolicy_t)
role system_r types checkpolicy_t;
type checkpolicy_exec_t;
-domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t)
+domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
#
# default_context_t is the type applied to
# /etc/selinux/*/contexts/*
#
type default_context_t;
-files_make_file(default_context_t)
+files_file_type(default_context_t)
#
# file_context_t is the type applied to
# /etc/selinux/*/contexts/files
#
type file_context_t;
-files_make_file(file_context_t)
+files_file_type(file_context_t)
type load_policy_t;
-domain_make_domain(load_policy_t)
+domain_type(load_policy_t)
role system_r types load_policy_t;
type load_policy_exec_t;
-domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+domain_entry_file(load_policy_t,load_policy_exec_t)
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-kernel_make_role_change_constraint_exception(newrole_t)
-kernel_make_object_identity_change_constraint_exception(newrole_t)
-domain_make_domain(newrole_t)
-domain_make_file_descriptors_widely_inheritable(newrole_t)
+kernel_role_change_exempt(newrole_t)
+kernel_obj_id_change_exempt(newrole_t)
+domain_type(newrole_t)
+domain_wide_inherit_fd(newrole_t)
type newrole_exec_t;
-domain_make_entrypoint_file(newrole_t,newrole_exec_t)
+domain_entry_file(newrole_t,newrole_exec_t)
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t;
-files_make_file(policy_config_t)
+files_file_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files.
#
type policy_src_t;
-files_make_file(policy_src_t)
+files_file_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t;
-kernel_make_object_identity_change_constraint_exception(restorecon_t)
-init_make_system_domain(restorecon_t,restorecon_exec_t)
+kernel_obj_id_change_exempt(restorecon_t)
+init_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t;
type run_init_t;
-domain_make_domain(run_init_t)
+domain_type(run_init_t)
type run_init_exec_t;
-domain_make_entrypoint_file(run_init_t,run_init_exec_t)
+domain_entry_file(run_init_t,run_init_exec_t)
#
# selinux_config_t is the type applied to
# /etc/selinux/config
#
type selinux_config_t;
-files_make_file(selinux_config_t)
+files_file_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy;
-kernel_make_object_identity_change_constraint_exception(setfiles_t)
-domain_make_domain(setfiles_t)
+kernel_obj_id_change_exempt(setfiles_t)
+domain_type(setfiles_t)
role system_r types setfiles_t;
type setfiles_exec_t;
-domain_make_entrypoint_file(setfiles_t,setfiles_exec_t)
+domain_entry_file(setfiles_t,setfiles_exec_t)
########################################
#
@@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t)
-domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
+domain_use_wide_inherit_fd(checkpolicy_t)
# directory search permissions for path to source and binary policy files
-files_search_general_system_config_directory(checkpolicy_t)
+files_search_etc(checkpolicy_t)
-init_use_file_descriptors(checkpolicy_t)
-init_script_use_pseudoterminal(checkpolicy_t)
+init_use_fd(checkpolicy_t)
+init_use_script_pty(checkpolicy_t)
-libraries_use_dynamic_loader(checkpolicy_t)
-libraries_use_shared_libraries(checkpolicy_t)
+libs_use_ld_so(checkpolicy_t)
+libs_use_shared_libs(checkpolicy_t)
-userdomain_use_all_users_file_descriptors(checkpolicy_t)
+userdom_use_all_user_fd(checkpolicy_t)
ifdef(`TODO',`
# Read the devpts root directory.
@@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
term_use_console(load_policy_t)
term_list_ptys(load_policy_t)
-init_script_use_file_descriptors(load_policy_t)
-init_script_use_pseudoterminal(load_policy_t)
+init_use_script_fd(load_policy_t)
+init_use_script_pty(load_policy_t)
-domain_use_widely_inheritable_file_descriptors(load_policy_t)
+domain_use_wide_inherit_fd(load_policy_t)
-files_search_general_system_config_directory(load_policy_t)
+files_search_etc(load_policy_t)
-libraries_use_dynamic_loader(load_policy_t)
-libraries_use_shared_libraries(load_policy_t)
+libs_use_ld_so(load_policy_t)
+libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t)
-userdomain_use_all_users_file_descriptors(load_policy_t)
+userdom_use_all_user_fd(load_policy_t)
########################################
#
@@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
-authlogin_check_password_transition(newrole_t)
+auth_domtrans_chk_passwd(newrole_t)
-domain_use_widely_inheritable_file_descriptors(newrole_t)
+domain_use_wide_inherit_fd(newrole_t)
# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+init_rw_script_pid(newrole_t)
-files_read_general_system_config(newrole_t)
+files_read_generic_etc_files(newrole_t)
-libraries_use_dynamic_loader(newrole_t)
-libraries_use_shared_libraries(newrole_t)
+libs_use_ld_so(newrole_t)
+libs_use_shared_libs(newrole_t)
-logging_send_system_log_message(newrole_t)
+logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
-userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
+userdom_use_unpriv_users_fd(newrole_t)
ifdef(`TODO',`
@@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
term_use_unallocated_tty(restorecon_t)
-init_use_file_descriptors(restorecon_t)
-init_script_use_pseudoterminal(restorecon_t)
+init_use_fd(restorecon_t)
+init_use_script_pty(restorecon_t)
-domain_use_widely_inheritable_file_descriptors(restorecon_t)
+domain_use_wide_inherit_fd(restorecon_t)
-files_read_runtime_system_config(restorecon_t)
-files_read_general_system_config(restorecon_t)
+files_read_etc_runtime_files(restorecon_t)
+files_read_generic_etc_files(restorecon_t)
-libraries_use_dynamic_loader(restorecon_t)
-libraries_use_shared_libraries(restorecon_t)
+libs_use_ld_so(restorecon_t)
+libs_use_shared_libs(restorecon_t)
-logging_send_system_log_message(restorecon_t)
+logging_send_syslog_msg(restorecon_t)
-userdomain_use_all_users_file_descriptors(restorecon_t)
+userdom_use_all_user_fd(restorecon_t)
optional_policy(`hotplug.te',`
- hotplug_use_file_descriptors(restorecon_t)
+ hotplug_use_fd(restorecon_t)
')
# relabeling rules
@@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
dev_relabel_all_dev_nodes(restorecon_t)
files_relabel_all_files(restorecon_t)
-files_read_all_directories(restorecon_t)
+files_list_all_dirs(restorecon_t)
# this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(restorecon_t)
+auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t)
@@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t)
- dev_dontaudit_list_all_nodes(run_init_t)
+ dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
- authlogin_check_password_transition(run_init_t)
- authlogin_ignore_read_shadow_passwords(run_init_t)
+ auth_domtrans_chk_passwd(run_init_t)
+ auth_dontaudit_read_shadow(run_init_t)
- corecommands_execute_general_programs(run_init_t)
- corecommands_execute_shell(run_init_t)
+ corecmd_exec_bin(run_init_t)
+ corecmd_exec_shell(run_init_t)
- domain_use_widely_inheritable_file_descriptors(run_init_t)
+ domain_use_wide_inherit_fd(run_init_t)
- files_read_general_system_config(run_init_t)
- files_ignore_search_all_directories(run_init_t)
+ files_read_generic_etc_files(run_init_t)
+ files_dontaudit_search_all_dirs(run_init_t)
- init_script_transition(run_init_t)
+ init_domtrans_script(run_init_t)
# for utmp
- init_script_modify_runtime_data(run_init_t)
+ init_rw_script_pid(run_init_t)
- libraries_use_dynamic_loader(run_init_t)
- libraries_use_shared_libraries(run_init_t)
+ libs_use_ld_so(run_init_t)
+ libs_use_shared_libs(run_init_t)
selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
- logging_send_system_log_message(run_init_t)
+ logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy
ifdef(`TODO',`
@@ -398,7 +398,7 @@ ifdef(`TODO',`
ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
- domain_make_entrypoint_file(run_init_t,initrc_exec_t)
+ domain_entry_file(run_init_t,initrc_exec_t)
')
') dnl end TODO
@@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t)
-init_use_file_descriptors(setfiles_t)
-init_script_use_file_descriptors(setfiles_t)
-init_script_use_pseudoterminal(setfiles_t)
+init_use_fd(setfiles_t)
+init_use_script_fd(setfiles_t)
+init_use_script_pty(setfiles_t)
-domain_use_widely_inheritable_file_descriptors(setfiles_t)
+domain_use_wide_inherit_fd(setfiles_t)
-libraries_use_dynamic_loader(setfiles_t)
-libraries_use_shared_libraries(setfiles_t)
+libs_use_ld_so(setfiles_t)
+libs_use_shared_libs(setfiles_t)
-files_read_runtime_system_config(setfiles_t)
-files_read_general_system_config(setfiles_t)
+files_read_etc_runtime_files(setfiles_t)
+files_read_generic_etc_files(setfiles_t)
-logging_send_system_log_message(setfiles_t)
+logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
-userdomain_use_all_users_file_descriptors(setfiles_t)
+userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory
-userdomain_read_all_users_data(setfiles_t)
+userdom_read_all_user_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t)
-
-files_read_all_directories(setfiles_t)
+files_list_all_dirs(setfiles_t)
files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
-authlogin_relabel_to_shadow_passwords(setfiles_t)
+auth_relabelto_shadow(setfiles_t)
ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 534e5f5..ae3481d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -2,7 +2,7 @@
## Policy for network configuration: ifconfig and dhcp client.
#######################################
-##
+##
##
## Execute dhcp client in dhcpc domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`sysnetwork_dhcpc_transition',`
+define(`sysnet_domtrans_dhcpc',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
@@ -22,7 +22,7 @@ define(`sysnetwork_dhcpc_transition',`
allow dhcpc_t $1:process sigchld;
')
-define(`sysnetwork_dhcpc_transition_depend',`
+define(`sysnet_domtrans_dhcpc_depend',`
type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute };
@@ -32,7 +32,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
')
#######################################
-##
+##
##
## Execute ifconfig in the ifconfig domain.
##
@@ -41,7 +41,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
##
##
#
-define(`sysnetwork_ifconfig_transition',`
+define(`sysnet_domtrans_ifconfig',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
@@ -52,7 +52,7 @@ define(`sysnetwork_ifconfig_transition',`
allow ifconfig_t $1:process sigchld;
')
-define(`sysnetwork_ifconfig_transition_depend',`
+define(`sysnet_domtrans_ifconfig_depend',`
type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute };
@@ -62,7 +62,7 @@ define(`sysnetwork_ifconfig_transition_depend',`
')
########################################
-##
+##
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
@@ -79,22 +79,22 @@ define(`sysnetwork_ifconfig_transition_depend',`
##
##
#
-define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
+define(`sysnet_run_ifconfig',`
requires_block_template(`$0'_depend)
- sysnetwork_ifconfig_transition($1)
+ sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file { getattr read write ioctl };
')
-define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
+define(`sysnet_run_ifconfig_depend',`
type ifconfig_t;
class chr_file { getattr read write ioctl };
')
#######################################
-##
+##
##
## Allow network init to read network config files.
##
@@ -103,14 +103,14 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
##
##
#
-define(`sysnetwork_read_network_config',`
+define(`sysnet_read_config',`
requires_block_template(`$0'_depend)
- files_search_general_system_config_directory($1)
+ files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
')
-define(`sysnetwork_read_network_config_depend',`
+define(`sysnet_read_config_depend',`
type net_conf_t;
class file r_file_perms;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 13e5fb5..4b8e79d 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -9,33 +9,33 @@ policy_module(sysnetwork,1.0)
# this is shared between dhcpc and dhcpd:
type dhcp_etc_t; #, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_make_file(dhcp_etc_t)
+files_file_type(dhcp_etc_t)
# this is shared between dhcpc and dhcpd:
type dhcp_state_t;
-files_make_file(dhcp_state_t)
+files_file_type(dhcp_state_t)
type dhcpc_t;
type dhcpc_exec_t;
-init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
+init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
type dhcpc_state_t;
-files_make_file(dhcpc_state_t)
+files_file_type(dhcpc_state_t)
type dhcpc_tmp_t;
-files_make_temporary_file(dhcpc_tmp_t)
+files_tmp_file(dhcpc_tmp_t)
type dhcpc_var_run_t;
-files_make_daemon_runtime_file(dhcpc_var_run_t)
+files_pid_file(dhcpc_var_run_t)
type ifconfig_t;
type ifconfig_exec_t;
-init_make_system_domain(ifconfig_t, ifconfig_exec_t)
+init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
-files_make_file(net_conf_t)
+files_file_type(net_conf_t)
########################################
#
@@ -62,17 +62,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file
allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
-files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
+files_create_pid(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file create_file_perms;
-files_create_private_config(dhcpc_t,net_conf_t,file)
+files_create_etc_config(dhcpc_t,net_conf_t,file)
# create temp files
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
-files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
+files_create_tmp_files(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t)
@@ -111,45 +111,45 @@ term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_tty(dhcpc_t)
-corecommands_execute_general_programs(dhcpc_t)
-corecommands_execute_system_programs(dhcpc_t)
-corecommands_execute_shell(dhcpc_t)
+corecmd_exec_bin(dhcpc_t)
+corecmd_exec_sbin(dhcpc_t)
+corecmd_exec_shell(dhcpc_t)
-domain_use_widely_inheritable_file_descriptors(dhcpc_t)
+domain_use_wide_inherit_fd(dhcpc_t)
-files_read_general_system_config(dhcpc_t)
-files_read_runtime_system_config(dhcpc_t)
+files_read_generic_etc_files(dhcpc_t)
+files_read_etc_runtime_files(dhcpc_t)
-init_use_file_descriptors(dhcpc_t)
-init_script_use_pseudoterminal(dhcpc_t)
-init_script_modify_runtime_data(dhcpc_t)
+init_use_fd(dhcpc_t)
+init_use_script_pty(dhcpc_t)
+init_rw_script_pid(dhcpc_t)
-logging_send_system_log_message(dhcpc_t)
+logging_send_syslog_msg(dhcpc_t)
-libraries_use_dynamic_loader(dhcpc_t)
-libraries_use_shared_libraries(dhcpc_t)
+libs_use_ld_so(dhcpc_t)
+libs_use_shared_libs(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_insmod_transition(dhcpc_t)
+modutils_domtrans_insmod(dhcpc_t)
ifdef(`distro_redhat', `
- files_execute_system_config_script(dhcpc_t)
+ files_exec_generic_etc_files(dhcpc_t)
')
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dhcpc_t)
terminal_ignore_use_general_pseudoterminal(dhcpc_t)
- files_ignore_read_rootfs_file(dhcpc_t)
+ files_dontaudit_read_root_file(dhcpc_t)
')
optional_policy(`consoletype.te',`
- consoletype_transition(dhcpc_t)
+ consoletype_domtrans(dhcpc_t)
')
optional_policy(`hostname.te',`
- hostname_transition(dhcpc_t)
+ hostname_domtrans(dhcpc_t)
')
optional_policy(`nscd.te',`
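Review bot: `terminal_ignore_use_general_pseudoterminal(dhcpc_t)` inside the `ifdef(`targeted_policy'` block keeps the old `ignore` naming and a `terminal_` prefix, while the line directly below it is renamed to `files_dontaudit_read_root_file` and the rest of this hunk uses `term_` (`term_dontaudit_use_all_user_ptys`); it looks like a stale name that a non-targeted build would never expand, so the compiler would not catch it. If the terminal module's interface was renamed in this series, the call presumably wants the `term_dontaudit_…` form; otherwise a short comment saying why it is left as-is would help the next reader. `ypbind_transition(dhcpc_t)` in the following hunk is in the same situation: it is the only `_transition` call in this file not converted to `_domtrans`.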
@@ -161,17 +161,17 @@ optional_policy(`selinux.te',`
')
optional_policy(`udev.te',`
- udev_read_database(dhcpc_t)
+ udev_read_db(dhcpc_t)
')
optional_policy(`userdomain.te',`
- userdomain_use_all_users_file_descriptors(dhcpc_t)
+ userdom_use_all_user_fd(dhcpc_t)
')
#
# dhclient sometimes starts ypbind and ntpd
#
-init_script_execute(dhcpc_t)
+init_exec_script(dhcpc_t)
optional_policy(`ypbind.te',`
ypbind_transition(dhcpc_t)
')
@@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
-files_read_general_system_config(ifconfig_t);
+files_read_generic_etc_files(ifconfig_t);
kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t)
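Review bot: The renamed line `files_read_generic_etc_files(ifconfig_t);` carries a trailing `;` that no other interface call in this file has (compare `kernel_use_fd(ifconfig_t)` just below); the interface expands to complete statements, so the extra `;` ends up as a stray token in the generated policy. Since the line is rewritten here anyway, drop it: `files_read_generic_etc_files(ifconfig_t)`.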
@@ -270,24 +270,24 @@ fs_getattr_xattr_fs(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
-domain_use_widely_inheritable_file_descriptors(ifconfig_t)
+domain_use_wide_inherit_fd(ifconfig_t)
-files_ignore_read_rootfs_file(ifconfig_t)
+files_dontaudit_read_root_file(ifconfig_t)
-init_use_file_descriptors(ifconfig_t)
-init_script_use_pseudoterminal(ifconfig_t)
+init_use_fd(ifconfig_t)
+init_use_script_pty(ifconfig_t)
-libraries_use_dynamic_loader(ifconfig_t)
-libraries_use_shared_libraries(ifconfig_t)
-libraries_read_library_resources(ifconfig_t)
+libs_use_ld_so(ifconfig_t)
+libs_use_shared_libs(ifconfig_t)
+libs_read_lib(ifconfig_t)
-logging_send_system_log_message(ifconfig_t)
+logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-selinux_run_init_use_file_descriptors(ifconfig_t)
+selinux_use_runinit_fd(ifconfig_t)
-userdomain_use_all_users_file_descriptors(ifconfig_t)
+userdom_use_all_user_fd(ifconfig_t)
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if
index a8eb6e1..f0a43db 100644
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@@ -2,7 +2,7 @@
## Policy for udev.
########################################
-##
+##
##
## Execute udev in the udev domain.
##
@@ -11,7 +11,7 @@
##
##
#
-define(`udev_transition',`
+define(`udev_domtrans',`
requires_block_template(`$0'_depend)
domain_auto_trans($1, udev_exec_t, udev_t)
@@ -22,7 +22,7 @@ define(`udev_transition',`
allow udev_t $1:process sigchld;
')
-define(`udev_transition_depend',`
+define(`udev_domtrans_depend',`
type udev_t, udev_exec_t;
class file { getattr read execute };
@@ -32,7 +32,7 @@ define(`udev_transition_depend',`
')
########################################
-##
+##
##
## Allow process to read list of devices.
##
@@ -41,20 +41,20 @@ define(`udev_transition_depend',`
##
##
#
-define(`udev_read_database',`
+define(`udev_read_db',`
requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file r_file_perms;
')
-define(`udev_read_database_depend',`
+define(`udev_read_db_depend',`
type udev_tdb_t;
class file r_file_perms;
')
########################################
-##
+##
##
## Allow process to modify list of devices.
##
@@ -63,13 +63,13 @@ define(`udev_read_database_depend',`
##
##
#
-define(`udev_modify_database',`
+define(`udev_rw_db',`
requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file rw_file_perms;
')
-define(`udev_modify_database_depend',`
+define(`udev_rw_db_depend',`
type udev_tdb_t;
class file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index e12d946..bd6cc1a 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -10,24 +10,24 @@ type udev_t; # nscd_client_domain
type udev_exec_t;
type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t)
-kernel_make_object_identity_change_constraint_exception(udev_t)
-domain_make_entrypoint_file(udev_t,udev_helper_exec_t)
-domain_make_file_descriptors_widely_inheritable(udev_t)
-init_make_daemon_domain(udev_t,udev_exec_t)
+kernel_obj_id_change_exempt(udev_t)
+domain_entry_file(udev_t,udev_helper_exec_t)
+domain_wide_inherit_fd(udev_t)
+init_daemon_domain(udev_t,udev_exec_t)
type udev_etc_t alias etc_udev_t;
-files_make_file(udev_etc_t)
+files_file_type(udev_etc_t)
# udev_runtime_t is the type of the udev table file
# cjp: this is probably a copy of udev_tbl_t and can be removed
type udev_runtime_t;
-files_make_file(udev_runtime_t)
+files_file_type(udev_runtime_t)
type udev_tbl_t alias udev_tdb_t;
-files_make_file(udev_tbl_t)
+files_file_type(udev_tbl_t)
type udev_var_run_t;
-files_make_daemon_runtime_file(udev_var_run_t)
+files_pid_file(udev_var_run_t)
########################################
#
@@ -82,53 +82,53 @@ dev_manage_dev_nodes(udev_t)
fs_getattr_all_fs(udev_t)
-corecommands_execute_general_programs(udev_t)
-corecommands_execute_system_programs(udev_t)
-corecommands_execute_shell(udev_t)
+corecmd_exec_bin(udev_t)
+corecmd_exec_sbin(udev_t)
+corecmd_exec_shell(udev_t)
-domain_execute_all_entrypoint_programs(udev_t)
-domain_ignore_read_all_domains_process_dirs(udev_t)
+domain_exec_all_entry_files(udev_t)
+domain_dontaudit_list_all_domains_proc(udev_t)
-files_read_runtime_system_config(udev_t)
-files_read_general_system_config(udev_t)
-files_execute_system_config_script(udev_t)
-files_ignore_search_isid_type_dir(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_generic_etc_files(udev_t)
+files_exec_generic_etc_files(udev_t)
+files_dontaudit_search_isid_type_dir(udev_t)
-init_use_file_descriptors(udev_t)
-init_script_read_runtime_data(udev_t)
-init_script_ignore_write_runtime_data(udev_t)
+init_use_fd(udev_t)
+init_read_script_pid(udev_t)
+init_dontaudit_write_script_pid(udev_t)
-libraries_use_dynamic_loader(udev_t)
-libraries_use_shared_libraries(udev_t)
+libs_use_ld_so(udev_t)
+libs_use_shared_libs(udev_t)
-logging_send_system_log_message(udev_t)
+logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t)
-modutils_insmod_transition(udev_t)
+modutils_domtrans_insmod(udev_t)
selinux_read_config(udev_t)
selinux_read_default_contexts(udev_t)
selinux_read_file_contexts(udev_t)
-selinux_restorecon_transition(udev_t)
+selinux_domtrans_restorecon(udev_t)
-sysnetwork_ifconfig_transition(udev_t)
+sysnet_domtrans_ifconfig(udev_t)
ifdef(`distro_redhat',`
fs_manage_tmpfs_block_devices(udev_t)
fs_manage_tmpfs_character_devices(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
- netutils_transition(udev_t)
+ netutils_domtrans(udev_t)
')
optional_policy(`authlogin.te',`
- authlogin_pam_console_read_runtime_data(udev_t)
- authlogin_pam_console_transition(udev_t)
+ auth_read_pam_console_data(udev_t)
+ auth_domtrans_pam_console(udev_t)
')
optional_policy(`consoletype.te',`
- consoletype_execute(udev_t)
+ consoletype_exec(udev_t)
')
optional_policy(`hotplug.te',`
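Review bot: `sysnet_domtrans_ifconfig(udev_t)` is called unconditionally, while the sibling `sysnet_domtrans_dhcpc(udev_t)` from the same module is wrapped in `optional_policy(`sysnetwork.te',` in the next hunk; if sysnetwork is an optional module, this line makes udev hard-depend on it. Moving the ifconfig call into that `optional_policy` block, or a comment stating that sysnetwork is always built, would make the intent explicit. The surrounding udev_t rule block starts before this hunk.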
@@ -136,7 +136,7 @@ optional_policy(`hotplug.te',`
')
optional_policy(`sysnetwork.te',`
- sysnetwork_dhcpc_transition(udev_t)
+ sysnet_domtrans_dhcpc(udev_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 43957db..90253f6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -12,8 +12,8 @@ define(`base_user_domain',`
attribute $1_file_type;
type $1_t, userdomain;
- domain_make_domain($1_t)
- corecommands_make_shell_entrypoint($1_t)
+ domain_type($1_t)
+ corecmd_shell_entry_type($1_t)
role $1_r types $1_t;
allow system_r $1_r;
@@ -23,17 +23,17 @@ define(`base_user_domain',`
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
- files_make_file($1_home_t)
+ files_file_type($1_home_t)
# type of home directory
type $1_home_dir_t, home_dir_type, home_type;
- files_make_file($1_home_t)
+ files_file_type($1_home_t)
type $1_tmp_t, $1_file_type;
- files_make_temporary_file($1_tmp_t)
+ files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
- files_make_tmpfs_file($1_tmpfs_t)
+ files_tmpfs_file($1_tmpfs_t)
type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t)
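Review bot: The second `files_file_type` call, the one under `# type of home directory`, still passes `$1_home_t`, so `$1_home_dir_t`, declared on the line just above it, never gets the file-type attribute; since the line is rewritten anyway it should read `files_file_type($1_home_dir_t)`. The first call two lines earlier already covers `$1_home_t`, so the duplicate is a carry-over of the old `files_make_file($1_home_t)` typo rather than an intended repeat. The enclosing `base_user_domain` definition starts and ends outside this hunk.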
@@ -142,37 +142,37 @@ define(`base_user_domain',`
# for eject
storage_getattr_fixed_disk($1_t)
- authlogin_read_login_records($1_t)
- authlogin_ignore_write_login_records($1_t)
- authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_read_login_records($1_t)
+ auth_dontaudit_write_login_records($1_t)
+ auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- corecommands_execute_general_programs($1_t)
- corecommands_execute_system_programs($1_t)
- corecommands_execute_ls($1_t)
+ corecmd_exec_bin($1_t)
+ corecmd_exec_sbin($1_t)
+ corecmd_exec_ls($1_t)
- domain_execute_all_entrypoint_programs($1_t)
- domain_use_widely_inheritable_file_descriptors($1_t)
+ domain_exec_all_entry_files($1_t)
+ domain_use_wide_inherit_fd($1_t)
- files_execute_system_config_script($1_t)
- files_read_system_source_code($1_t)
+ files_exec_generic_etc_files($1_t)
+ files_read_usr_src($1_t)
# Caused by su - init scripts
- init_script_ignore_use_pseudoterminal($1_t)
+ init_dontaudit_use_script_pty($1_t)
- libraries_use_dynamic_loader($1_t)
- libraries_use_shared_libraries($1_t)
- libraries_execute_dynamic_loader($1_t)
- libraries_execute_library_scripts($1_t)
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+ libs_exec_lib_files($1_t)
- logging_ignore_get_all_logs_attributes($1_t)
+ logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_localization($1_t)
- miscfiles_manage_man_page_cache($1_t)
+ miscfiles_rw_man_cache($1_t)
- selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- mta_modify_mail_spool($1_t)
+ mta_rw_spool($1_t)
if (allow_execmem) {
# Allow loading DSOs that require executable stack.
@@ -206,8 +206,8 @@ define(`base_user_domain',`
}
optional_policy(`usermanage.te',`
- usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
- usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
')
ifdef(`TODO',`
@@ -411,7 +411,7 @@ define(`user_domain_template', `
base_user_domain($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
- domain_make_file_descriptors_widely_inheritable($1_t)
+ domain_wide_inherit_fd($1_t)
#typeattribute $1_devpts_t userpty_type, user_tty_type;
#typeattribute $1_home_dir_t user_home_dir_type;
@@ -439,7 +439,7 @@ define(`user_domain_template', `
allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
- files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
+ files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
# privileged home directory writers
allow privhome $1_home_t:file create_file_perms;
@@ -459,24 +459,24 @@ define(`user_domain_template', `
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
- files_read_general_system_config($1_t)
- files_list_home_directories($1_t)
- files_read_general_application_resources($1_t)
+ files_read_generic_etc_files($1_t)
+ files_list_home($1_t)
+ files_read_usr_files($1_t)
- init_script_read_runtime_data($1_t)
+ init_read_script_pid($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
- init_script_ignore_write_runtime_data($1_t)
+ init_dontaudit_write_script_pid($1_t)
# Stop warnings about access to /dev/console
- init_ignore_use_file_descriptors($1_t)
- init_script_ignore_use_file_descriptors($1_t)
+ init_dontaudit_use_fd($1_t)
+ init_dontaudit_use_script_fd($1_t)
miscfiles_read_man_pages($1_t)
selinux_read_config($1_t)
# Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file
- selinux_checkpolicy_execute($1_t)
+ selinux_exec_checkpol($1_t)
if (user_dmesg) {
kernel_read_ring_buffer($1_t)
@@ -493,12 +493,12 @@ define(`user_domain_template', `
# for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',`
- modutils_read_kernel_module_loading_config($1_t)
+ modutils_read_module_conf($1_t)
')
optional_policy(`selinux.te',`
# for when the network connection is killed
- selinux_newrole_ignore_signal($1_t)
+ selinux_dontaudit_newrole_signal($1_t)
')
# Need the following rule to allow users to run vpnc
@@ -612,7 +612,7 @@ define(`admin_domain_template',`
base_user_domain($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
- kernel_make_object_identity_change_constraint_exception($1_t)
+ kernel_obj_id_change_exempt($1_t)
role system_r types $1_t;
#ifdef(`direct_sysadm_daemon', `, priv_system_role')
@@ -650,7 +650,7 @@ define(`admin_domain_template',`
allow $1_t $1_tmp_t:lnk_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms;
- files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set })
+ files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
@@ -698,12 +698,12 @@ define(`admin_domain_template',`
term_use_all_user_ttys($1_t)
# Manage almost all files
- authlogin_manage_all_files_except_shadow($1_t)
+ auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files
- authlogin_relabel_all_files_except_shadow($1_t)
+ auth_relabel_all_files_except_shadow($1_t)
- domain_set_all_domains_priorities($1_t)
- domain_read_all_domains_process_state($1_t)
+ domain_setpriority_all_domains($1_t)
+ domain_read_all_domains_state($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
@@ -712,22 +712,22 @@ define(`admin_domain_template',`
domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t)
- files_execute_system_source_code_scripts($1_t)
+ files_exec_usr_files($1_t)
- init_use_control_channel($1_t)
+ init_use_initctl($1_t)
- logging_send_system_log_message($1_t)
+ logging_send_syslog_msg($1_t)
- modutils_insmod_transition($1_t)
+ modutils_domtrans_insmod($1_t)
selinux_read_config($1_t)
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
- selinux_manage_source_policy($1_t)
+ selinux_manage_src_pol($1_t)
# Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file.
- selinux_manage_binary_policy($1_t)
+ selinux_manage_binary_pol($1_t)
optional_policy(`cron.te',`
cron_admin_template($1)
@@ -807,7 +807,7 @@ define(`admin_domain_template',`
')
########################################
-##
+##
##
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
@@ -818,17 +818,17 @@ define(`admin_domain_template',`
##
##
#
-define(`userdomain_all_users_explicit_transition',`
+define(`userdom_spec_domtrans_all_users',`
requires_block_template(`$0'_depend)
- corecommands_shell_explicit_transition($1,userdomain)
+ corecmd_shell_spec_domtrans($1,userdomain)
')
-define(`userdomain_all_users_explicit_transition_depend',`
+define(`userdom_spec_domtrans_all_users_depend',`
type sysadm_t;
')
########################################
-##
+##
##
## Execute a shell in the sysadm domain.
##
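Review bot: `userdom_spec_domtrans_all_users_depend` declares `type sysadm_t;`, but the interface body it backs references the `userdomain` attribute via `corecmd_shell_spec_domtrans($1,userdomain)` and never uses `sysadm_t`; the depend block should declare `attribute userdomain;`, as `userdom_use_all_user_fd_depend` later in this file does. This is carried over from the old name, but the rename is the moment to fix it, since the requirement `requires_block_template` presumably emits from this block would otherwise not match what the expansion needs.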
@@ -837,18 +837,18 @@ define(`userdomain_all_users_explicit_transition_depend',`
##
##
#
-define(`userdomain_sysadm_shell_transition',`
+define(`userdom_shell_domtrans_sysadm',`
requires_block_template(`$0'_depend)
- corecommands_shell_transition($1,sysadm_t)
+ corecmd_domtrans_shell($1,sysadm_t)
')
-define(`userdomain_sysadm_shell_transition_depend',`
+define(`userdom_shell_domtrans_sysadm_depend',`
type sysadm_t;
')
########################################
-##
+##
##
## Read and write administrative users
## physical and pseudo terminals.
@@ -858,7 +858,7 @@ define(`userdomain_sysadm_shell_transition_depend',`
##
##
#
-define(`userdomain_use_admin_terminals',`
+define(`userdom_use_sysadm_terms',`
requires_block_template(`$0'_depend)
dev_list_all_dev_nodes($1)
@@ -866,14 +866,14 @@ define(`userdomain_use_admin_terminals',`
allow $1 admin_terminal:chr_file { getattr read write ioctl };
')
-define(`userdomain_use_admin_terminals_depend',`
+define(`userdom_use_sysadm_terms_depend',`
attribute admin_terminal;
class chr_file { getattr read write ioctl };
')
########################################
-##
+##
##
## Do not audit attempts to use admin ttys and ptys.
##
@@ -882,20 +882,20 @@ define(`userdomain_use_admin_terminals_depend',`
##
##
#
-define(`userdomain_dontaudit_use_admin_terminals',`
+define(`userdom_dontaudit_use_sysadm_terms',`
requires_block_template(`$0'_depend)
dontaudit $1 admin_terminal:chr_file { read write };
')
-define(`userdomain_dontaudit_use_admin_terminals_depend',`
+define(`userdom_dontaudit_use_sysadm_terms_depend',`
attribute admin_terminal;
class chr_file { read write };
')
########################################
-##
+##
##
## Search all users home directories.
##
@@ -904,21 +904,21 @@ define(`userdomain_dontaudit_use_admin_terminals_depend',`
##
##
#
-define(`userdomain_search_all_users_home_dirs',`
+define(`userdom_search_all_users_home',`
requires_block_template(`$0'_depend)
- files_list_home_directories($1)
+ files_list_home($1)
allow $1 { home_dir_type home_type }:dir search;
')
-define(`userdomain_search_all_users_home_dirs_depend',`
+define(`userdom_search_all_users_home_depend',`
attribute home_dir_type, home_type;
class dir search;
')
########################################
-##
+##
##
## Read all files in all users home directories.
##
@@ -927,15 +927,15 @@ define(`userdomain_search_all_users_home_dirs_depend',`
##
##
#
-define(`userdomain_read_all_users_data',`
+define(`userdom_read_all_user_data',`
requires_block_template(`$0'_depend)
- files_list_home_directories($1)
+ files_list_home($1)
allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perms;
')
-define(`userdomain_read_all_users_data_depend',`
+define(`userdom_read_all_user_data_depend',`
attribute home_type;
class dir r_dir_perms;
@@ -943,7 +943,7 @@ define(`userdomain_read_all_users_data_depend',`
')
########################################
-##
+##
##
## Inherit the file descriptors from all user domains
##
@@ -952,20 +952,20 @@ define(`userdomain_read_all_users_data_depend',`
##
##
#
-define(`userdomain_use_all_users_file_descriptors',`
+define(`userdom_use_all_user_fd',`
requires_block_template(`$0'_depend)
allow $1 userdomain:fd use;
')
-define(`userdomain_use_all_users_file_descriptors_depend',`
+define(`userdom_use_all_user_fd_depend',`
attribute userdomain;
class fd use;
')
########################################
-##
+##
##
## Send general signals to all user domains.
##
@@ -974,20 +974,20 @@ define(`userdomain_use_all_users_file_descriptors_depend',`
##
##
#
-define(`userdomain_signal_all_userdomains',`
+define(`userdom_signal_all_users',`
requires_block_template(`$0'_depend)
allow $1 userdomain:process signal;
')
-define(`userdomain_signal_all_userdomains_depend',`
+define(`userdom_signal_all_users_depend',`
attribute userdomain;
class process signal;
')
########################################
-##
+##
##
## Inherit the file descriptors from all user domains.
##
@@ -996,20 +996,20 @@ define(`userdomain_signal_all_userdomains_depend',`
##
##
#
-define(`userdomain_use_all_unprivileged_users_file_descriptors',`
+define(`userdom_use_unpriv_users_fd',`
requires_block_template(`$0'_depend)
allow $1 unpriv_userdomain:fd use;
')
-define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
+define(`userdom_use_unpriv_users_fd_depend',`
attribute unpriv_userdomain;
class fd use;
')
########################################
-##
+##
##
## Do not audit attempts to inherit the
## file descriptors from all user domains.
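Review bot: The summary in the previous hunk for this interface (`## Inherit the file descriptors from all user domains.`) no longer matches the body `allow $1 unpriv_userdomain:fd use;`, which covers only unprivileged user domains; suggest `## Inherit the file descriptors from all unprivileged user domains.` so the generated documentation does not overstate the permission. The new name `userdom_use_unpriv_users_fd` also differs in number from `userdom_dontaudit_use_unpriv_user_fd` in the next hunk; pick one form.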
@@ -1019,13 +1019,13 @@ define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
##
##
#
-define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
+define(`userdom_dontaudit_use_unpriv_user_fd',`
requires_block_template(`$0'_depend)
dontaudit $1 unpriv_userdomain:fd use;
')
-define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
+define(`userdom_dontaudit_use_unpriv_user_fd_depend',`
attribute unpriv_userdomain;
class fd use;
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a3b414f..003cb57 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -126,54 +126,54 @@ optional_policy(`bootloader.te',`
')
optional_policy(`clock.te',`
- clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ clock_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`hostname.te',`
- hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ hostname_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`iptables.te',`
- iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ iptables_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`libraries.te',`
- libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`lvm.te',`
- lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ lvm_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`modutils.te',`
- modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
+ modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`mount.te',`
- mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ mount_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`rpm.te',`
- rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ rpm_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`selinux.te',`
- selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',`
- selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
')
')
optional_policy(`sysnetwork.te',`
- sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`usermanage.te',`
- usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
- usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
+ usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
')