diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index 734bd71..e3e0701 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -1,4 +1,3 @@
-
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
@@ -8,13 +7,12 @@
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
-/tmp/amanda(/.*)? gen_context(system_u:object_r:amanda_tmp_t,s0)
-
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
index 2cb11ea..8498e97 100644
--- a/policy/modules/admin/amanda.if
+++ b/policy/modules/admin/amanda.if
@@ -2,8 +2,8 @@
########################################
##
-## Execute a domain transition to
-## run Amanda Recover.
+## Execute a domain transition to run
+## Amanda recover.
##
##
##
@@ -16,16 +16,15 @@ interface(`amanda_domtrans_recover',`
type amanda_recover_t, amanda_recover_exec_t;
')
- domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
corecmd_search_bin($1)
+ domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')
########################################
##
-## Execute a domain transition to
-## run Amanda Recover and allow the
-## specified role the Amanda Recover
-## domain.
+## Execute a domain transition to run
+## Amanda recover, and allow the specified
+## role the Amanda recover domain.
##
##
##
@@ -50,7 +49,7 @@ interface(`amanda_run_recover',`
########################################
##
-## Search Amanda lib directories.
+## Search Amanda library directories.
##
##
##
@@ -63,15 +62,13 @@ interface(`amanda_search_lib',`
type amanda_usr_lib_t;
')
- allow $1 amanda_usr_lib_t:dir search_dir_perms;
files_search_usr($1)
- libs_search_lib($1)
+ allow $1 amanda_usr_lib_t:dir search_dir_perms;
')
########################################
##
-## Do not audit attempts to read
-## dumpdates files.
+## Do not audit attempts to read /etc/dumpdates.
##
##
##
@@ -84,12 +81,12 @@ interface(`amanda_dontaudit_read_dumpdates',`
type amanda_dumpdates_t;
')
- dontaudit $1 amanda_dumpdates_t:file read_file_perms;
+ dontaudit $1 amanda_dumpdates_t:file { getattr read };
')
########################################
##
-## Read and write dumpdates files.
+## Read and write /etc/dumpdates.
##
##
##
@@ -102,13 +99,13 @@ interface(`amanda_rw_dumpdates_files',`
type amanda_dumpdates_t;
')
- allow $1 amanda_dumpdates_t:file rw_file_perms;
files_search_etc($1)
+ allow $1 amanda_dumpdates_t:file rw_file_perms;
')
########################################
##
-## Search Amanda lib directories.
+## Search Amanda library directories.
##
##
##
@@ -121,14 +118,13 @@ interface(`amanda_manage_lib',`
type amanda_usr_lib_t;
')
- allow $1 amanda_usr_lib_t:dir manage_dir_perms;
files_search_usr($1)
- libs_search_lib($1)
+ allow $1 amanda_usr_lib_t:dir manage_dir_perms;
')
########################################
##
-## Read and write Amanda logs.
+## Read and append amanda logs.
##
##
##
@@ -141,13 +137,13 @@ interface(`amanda_append_log_files',`
type amanda_log_t;
')
- allow $1 amanda_log_t:file { read_file_perms append_file_perms };
logging_search_logs($1)
+ allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
#######################################
##
-## Search Amanda lib directories.
+## Search Amanda var library directories.
##
##
##
@@ -160,6 +156,6 @@ interface(`amanda_search_var_lib',`
type amanda_var_lib_t;
')
- allow $1 amanda_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
+ allow $1 amanda_var_lib_t:dir search_dir_perms;
')
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 8b6bef6..a05f32f 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,4 +1,4 @@
-policy_module(amanda, 1.12.0)
+policy_module(amanda, 1.12.1)
#######################################
#
@@ -16,44 +16,35 @@ domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
-# type for amanda configurations files
type amanda_config_t;
files_type(amanda_config_t)
-# type for files in /usr/lib/amanda
type amanda_usr_lib_t;
files_type(amanda_usr_lib_t)
-# type for all files in /var/lib/amanda
type amanda_var_lib_t;
files_type(amanda_var_lib_t)
-# type for all files in /var/lib/amanda/gnutar-lists/
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
-# type for /etc/amandates
type amanda_amandates_t;
files_type(amanda_amandates_t)
-# type for /etc/dumpdates
type amanda_dumpdates_t;
files_type(amanda_dumpdates_t)
-# type for amanda data
type amanda_data_t;
files_type(amanda_data_t)
-# type for amrecover
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;
-# type for recover files ( restored data )
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
@@ -74,24 +65,19 @@ allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
-# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file rw_file_perms;
-# configuration files -> read only
allow amanda_t amanda_config_t:file read_file_perms;
-# access to amandas data structure
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
-# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
@@ -151,19 +137,15 @@ storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
-# Added for targeted policy
-term_use_unallocated_ttys(amanda_t)
-
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
+logging_send_syslog_msg(amanda_t)
########################################
#
# Amanda recover local policy
+#
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
@@ -175,7 +157,6 @@ allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
-# access to amanda_recover_dir_t
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if
index 52ea86f..be82315 100644
--- a/policy/modules/admin/amtu.if
+++ b/policy/modules/admin/amtu.if
@@ -1,8 +1,8 @@
-## Abstract Machine Test Utility
+## Abstract Machine Test Utility.
########################################
##
-## Execute amtu in the amtu domain.
+## Execute a domain transition to run Amtu.
##
##
##
@@ -21,8 +21,9 @@ interface(`amtu_domtrans',`
########################################
##
-## Execute amtu in the amtu domain, and
-## allow the specified role the amtu domain.
+## Execute a domain transition to run
+## Amtu, and allow the specified role
+## the Amtu domain.
##
##
##
diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc
index 3afd63b..b098089 100644
--- a/policy/modules/admin/anaconda.fc
+++ b/policy/modules/admin/anaconda.fc
@@ -1,5 +1 @@
-#
-# Currently anaconda does not have any file context since it is
-# started during install. This is a placeholder to satisfy
-# the policy Makefile dependencies.
-#
+# No file context specifications.
diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if
index 18491c8..14a61b7 100644
--- a/policy/modules/admin/anaconda.if
+++ b/policy/modules/admin/anaconda.if
@@ -1 +1 @@
-## Policy for the Anaconda installer.
+## Anaconda installer.
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index 6cf5d7a..9a9526a 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
@@ -20,7 +20,6 @@ allow anaconda_t self:process execmem;
kernel_domtrans_to(anaconda_t, anaconda_exec_t)
-# Run other rc scripts in the anaconda_t domain.
init_domtrans_script(anaconda_t)
libs_domtrans_ldconfig(anaconda_t)
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 9cba75f..86644f0 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -1,4 +1,4 @@
-policy_module(certwatch, 1.5.0)
+policy_module(certwatch, 1.5.1)
########################################
#
@@ -31,7 +31,7 @@ auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
-miscfiles_read_certs(certwatch_t)
+miscfiles_read_generic_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 5d3d45c..e15a20c 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,4 +1,4 @@
-policy_module(evolution, 2.1.1)
+policy_module(evolution, 2.1.2)
########################################
#
@@ -541,7 +541,7 @@ fs_search_auto_mountpoints(evolution_server_t)
miscfiles_read_localization(evolution_server_t)
# Look in /etc/pki
-miscfiles_read_certs(evolution_server_t)
+miscfiles_read_generic_certs(evolution_server_t)
# Talk to ldap (address book)
sysnet_read_config(evolution_server_t)
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 65609e5..2bd70ae 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -147,7 +147,7 @@ sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-miscfiles_read_certs(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index cc216a4..31f4612 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -144,7 +144,7 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
-miscfiles_read_certs(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index de4388a..7a8df8a 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -484,7 +484,7 @@ logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
-miscfiles_read_certs(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
seutil_dontaudit_search_config(httpd_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index ac13727..6189565 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
-miscfiles_read_certs(automount_t)
+miscfiles_read_generic_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 0aa1998..803adbf 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -86,7 +86,7 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
miscfiles_read_localization(avahi_t)
-miscfiles_read_certs(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 190b0bc..ece1f1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -143,7 +143,7 @@ auth_use_nsswitch(named_t)
logging_send_syslog_msg(named_t)
miscfiles_read_localization(named_t)
-miscfiles_read_certs(named_t)
+miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index 221ea9e..f9335fb 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -129,8 +129,8 @@ interface(`certmaster_admin',`
allow $2 system_r;
files_list_etc($1)
- miscfiles_manage_cert_dirs($1)
- miscfiles_manage_cert_files($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 6e32117..da60c93 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -1,4 +1,4 @@
-policy_module(certmaster, 1.1.0)
+policy_module(certmaster, 1.1.1)
########################################
#
@@ -68,5 +68,5 @@ auth_use_nsswitch(certmaster_t)
miscfiles_read_localization(certmaster_t)
-miscfiles_manage_cert_dirs(certmaster_t)
-miscfiles_manage_cert_files(certmaster_t)
+miscfiles_manage_generic_cert_dirs(certmaster_t)
+miscfiles_manage_generic_cert_files(certmaster_t)
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 52312f5..261a37c 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
logging_send_syslog_msg(certmonger_t)
miscfiles_read_localization(certmonger_t)
-miscfiles_manage_cert_files(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
sysnet_dns_name_resolve(certmonger_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index ab82c3c..f80e725 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
miscfiles_read_localization(cyrus_t)
-miscfiles_read_certs(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
sysnet_read_config(cyrus_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4b3d9c4..c725cae 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -130,7 +130,7 @@ logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index c771d46..b52545a 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -143,7 +143,7 @@ auth_use_nsswitch(dovecot_t)
logging_send_syslog_msg(dovecot_t)
-miscfiles_read_certs(dovecot_t)
+miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index b55c438..6c819a3 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -123,7 +123,7 @@ auth_use_nsswitch(exim_t)
logging_send_syslog_msg(exim_t)
miscfiles_read_localization(exim_t)
-miscfiles_read_certs(exim_t)
+miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index f50e0f1..5f5b57b 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -80,7 +80,7 @@ domain_use_interactive_fds(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)
miscfiles_read_localization(fetchmail_t)
-miscfiles_read_certs(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
sysnet_read_config(fetchmail_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index a715c65..ee5e345 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -123,7 +123,7 @@ auth_use_nsswitch(slapd_t)
logging_send_syslog_msg(slapd_t)
-miscfiles_read_certs(slapd_t)
+miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 45ecee3..02ae4e0 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -132,7 +132,7 @@ auth_use_nsswitch(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-miscfiles_read_certs(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
modutils_domtrans_insmod(NetworkManager_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 4c61aa5..ba7c06b 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -113,7 +113,7 @@ auth_use_pam(openvpn_t)
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-miscfiles_read_certs(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 18996a5..b6d763d 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -91,7 +91,7 @@ template(`postfix_domain_template',`
logging_send_syslog_msg(postfix_$1_t)
miscfiles_read_localization(postfix_$1_t)
- miscfiles_read_certs(postfix_$1_t)
+ miscfiles_read_generic_certs(postfix_$1_t)
userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index df6769b..b3f1fd3 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -111,7 +111,7 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
miscfiles_read_localization(radiusd_t)
-miscfiles_read_certs(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_user_home_dirs(radiusd_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index eae7d14..9ae080e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -94,7 +94,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
-miscfiles_read_certs(rpcd_t)
+miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -222,7 +222,7 @@ files_dontaudit_write_var_dirs(gssd_t)
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-miscfiles_read_certs(gssd_t)
+miscfiles_read_generic_certs(gssd_t)
mount_signal(gssd_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 8655cb0..87810ec 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -83,7 +83,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
logging_send_syslog_msg(saslauthd_t)
miscfiles_read_localization(saslauthd_t)
-miscfiles_read_certs(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
seutil_dontaudit_read_config(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 668ce83..b6781d5 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -104,7 +104,7 @@ libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
logging_dontaudit_write_generic_logs(sendmail_t)
-miscfiles_read_certs(sendmail_t)
+miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index e219c1f..4b2230e 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
-miscfiles_read_certs(squid_t)
+miscfiles_read_generic_certs(squid_t)
miscfiles_read_localization(squid_t)
userdom_use_unpriv_users_fds(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 8dad56a..3061e83 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -401,7 +401,7 @@ template(`ssh_role_template',`
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
- miscfiles_read_certs($1_ssh_agent_t)
+ miscfiles_read_generic_certs($1_ssh_agent_t)
seutil_dontaudit_read_config($1_ssh_agent_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 5a77c23..f38e1ce 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -341,7 +341,7 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
miscfiles_read_localization(virtd_t)
-miscfiles_read_certs(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
modutils_read_module_deps(virtd_t)
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
index c37d690..f4c4c1b 100644
--- a/policy/modules/services/w3c.te
+++ b/policy/modules/services/w3c.te
@@ -26,7 +26,7 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
-miscfiles_read_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 395f8f3..bd3185e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -401,7 +401,7 @@ interface(`auth_domtrans_chk_passwd',`
logging_send_audit_msgs($1)
- miscfiles_read_certs($1)
+ miscfiles_read_generic_certs($1)
optional_policy(`
kerberos_read_keytab($1)
@@ -1574,7 +1574,7 @@ interface(`auth_use_nsswitch',`
# read /etc/nsswitch.conf
files_read_etc_files($1)
- miscfiles_read_certs($1)
+ miscfiles_read_generic_certs($1)
sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index bd9d529..ee0fe55 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -281,7 +281,7 @@ init_use_script_ptys(pam_console_t)
logging_send_syslog_msg(pam_console_t)
miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
+miscfiles_read_generic_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d96bf27..e0dc975 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.15.2)
+policy_module(init, 1.15.3)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 4eeb1a5..926ba65 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
########################################
##
-## Read system SSL certificates.
+## Read all SSL certificates.
##
##
##
@@ -55,7 +55,7 @@ interface(`miscfiles_cert_type',`
##
##
#
-interface(`miscfiles_read_certs',`
+interface(`miscfiles_read_all_certs',`
gen_require(`
attribute cert_type;
')
@@ -67,7 +67,7 @@ interface(`miscfiles_read_certs',`
########################################
##
-## manange system SSL certificates.
+## Read generic SSL certificates.
##
##
##
@@ -76,7 +76,27 @@ interface(`miscfiles_read_certs',`
##
##
#
-interface(`miscfiles_manage_cert_dirs',`
+interface(`miscfiles_read_generic_certs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ allow $1 cert_t:dir list_dir_perms;
+ read_files_pattern($1, cert_t, cert_t)
+ read_lnk_files_pattern($1, cert_t, cert_t)
+')
+
+########################################
+##
+## Manage generic SSL certificates.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_manage_generic_cert_dirs',`
gen_require(`
type cert_t;
')
@@ -86,7 +106,7 @@ interface(`miscfiles_manage_cert_dirs',`
########################################
##
-## manange system SSL certificates.
+## Manage generic SSL certificates.
##
##
##
@@ -95,7 +115,7 @@ interface(`miscfiles_manage_cert_dirs',`
##
##
#
-interface(`miscfiles_manage_cert_files',`
+interface(`miscfiles_manage_generic_cert_files',`
gen_require(`
type cert_t;
')
@@ -106,6 +126,51 @@ interface(`miscfiles_manage_cert_files',`
########################################
##
+## Read SSL certificates.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_read_certs',`
+ miscfiles_read_generic_certs($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
+')
+
+########################################
+##
+## Manage SSL certificates.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_manage_cert_dirs',`
+ miscfiles_manage_generic_cert_dirs($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
+')
+
+########################################
+##
+## Manage SSL certificates.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_manage_cert_files',`
+ miscfiles_manage_generic_cert_files($1)
+ refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
+')
+
+########################################
+##
## Read fonts.
##
##
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index eb75070..59c70bf 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.8.0)
+policy_module(miscfiles, 1.8.1)
########################################
#
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e1da594..c67c8e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -126,7 +126,10 @@ template(`userdom_base_user_template',`
libs_exec_ld_so($1_usertype)
- miscfiles_read_certs($1_usertype)
+ miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
+ miscfiles_read_all_certs($1_usertype)
miscfiles_read_localization($1_usertype)
miscfiles_read_man_pages($1_usertype)
miscfiles_read_public_files($1_usertype)