diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 7209a09..d5c32a9 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2361,5 +2361,5 @@ interface(`fs_unconfined',`
 # Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
- allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+ allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
 ')
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index b870ccf..3f581a7 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -130,11 +130,10 @@ interface(`storage_raw_write_fixed_disk',`
 gen_require(`
 attribute fixed_disk_raw_write;
 type fixed_disk_device_t;
- class blk_file { getattr write ioctl };
 ')
 dev_list_all_dev_nodes($1)
- allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+ allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
 typeattribute $1 fixed_disk_raw_write;
 ')
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 7ea3893..b9f496d 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -326,11 +326,10 @@ interface(`term_ioctl_generic_pty',`
 interface(`term_use_generic_pty',`
 gen_require(`
 type devpts_t;
- class chr_file { read write };
 ')
 dev_list_all_dev_nodes($1)
- allow $1 devpts_t:chr_file { read write };
+ allow $1 devpts_t:chr_file { rw_term_perms lock append };
 ')
 ########################################
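Review bot: `term_use_generic_pty` widens from `{ read write }` to `{ rw_term_perms lock append }`, and judging by the sets the same replacement stands in for at `@@ -500` and `@@ -797` (`{ getattr read write ioctl }`), that adds getattr, ioctl, lock and append for every existing caller of the interface; the interface's doc comment sits above the hunk and should now say it grants full terminal use rather than plain read/write. Of the added permissions `ioctl` is the one with a real cost, since on a tty it covers terminal-control requests including input injection, so a caller that only needs to read and write the pty should keep a narrower rule instead of inheriting this set. The same combined set is repeated in the two later terminal.if hunks and in init.if's `init_dontaudit_use_script_pty`; if this is the intended meaning of "use", defining the combination once in the shared permission-set definitions would keep the four in step.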
@@ -500,7 +499,7 @@ interface(`term_use_all_user_ptys',`
 dev_list_all_dev_nodes($1)
 allow $1 devpts_t:dir r_dir_perms;
- allow $1 ptynode:chr_file { getattr read write ioctl };
+ allow $1 ptynode:chr_file { rw_term_perms lock append };
 ')
 ########################################
@@ -797,11 +796,10 @@ interface(`term_write_all_user_ttys',`
 interface(`term_use_all_user_ttys',`
 gen_require(`
 attribute ttynode;
- class chr_file { getattr read write ioctl };
 ')
 dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { getattr read write ioctl };
+ allow $1 ttynode:chr_file { rw_term_perms lock append };
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index 761c12e..134a1c0 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -148,13 +148,6 @@ userdom_dontaudit_use_unpriv_user_fd(apmd_t)
 userdom_dontaudit_search_sysadm_home_dir(apmd_t)
 userdom_dontaudit_search_all_users_home(apmd_t) # Excessive?
-ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_tty(apmd_t)
- term_dontaudit_use_generic_pty(apmd_t)
- files_dontaudit_read_root_file(apmd_t)
- unconfined_domain_template(apmd_t)
-')
-
 ifdef(`distro_redhat',`
 allow apmd_t apmd_lock_t:file create_file_perms;
 files_create_lock(apmd_t,apmd_lock_t)
@@ -162,7 +155,7 @@ ifdef(`distro_redhat',`
 can_exec(apmd_t, apmd_var_run_t)
 # ifconfig_exec_t needs to be run in its own domain for Red Hat
- optional_policy(`ifconfig.te',`
+ optional_policy(`sysnetwork.te',`
 sysnet_domtrans_ifconfig(apmd_t)
 ')
@@ -186,6 +179,13 @@ ifdef(`distro_suse',`
 files_create_var_lib(apmd_t,apmd_var_lib_t)
 ')
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(apmd_t)
+ term_dontaudit_use_generic_pty(apmd_t)
+ files_dontaudit_read_root_file(apmd_t)
+ unconfined_domain_template(apmd_t)
+')
+
 optional_policy(`clock.te',`
 clock_domtrans(apmd_t)
 clock_rw_adjtime(apmd_t)
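Review bot: The `optional_policy` module argument fix at `@@ -162` (`ifconfig.te` → `sysnetwork.te`) is correct, but it exposes the failure mode worth guarding against: as far as I can tell an `optional_policy` whose argument matches no module silently drops its whole block, so `sysnet_domtrans_ifconfig(apmd_t)` has never been in the built policy and no build diagnostic said so. The pcmcia.te hunk at `@@ -118` (`selinuxutils.te` → `selinuxutil.te`) is the same class of bug. A build-time check that every `optional_policy` argument names an existing module would catch both; until one exists, a comment such as `# module name must match the .te file under policy/modules/system/` next to the call helps reviewers spot a typo.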
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index 31c7581..d0c236f 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_nodes(dovecot_t)
 corenet_raw_sendrecv_all_nodes(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_all_nodes(dovecot_t)
+corenet_tcp_bind_pop_port(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 dev_read_sysfs(dovecot_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 33213fe..94e85c2 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -77,7 +77,7 @@ corecmd_exec_shell(fingerd_t)
 domain_use_wide_inherit_fd(fingerd_t)
-files_getattr_home_dir(fingerd_t)
+files_search_home(fingerd_t)
 files_read_etc_files(fingerd_t)
 files_read_etc_runtime_files(fingerd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index fb89452..bd0e210 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -44,19 +44,23 @@ allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
-allow ftpd_t ftpd_etc_t:file { getattr read };
+allow ftpd_t ftpd_etc_t:file r_file_perms;
 allow ftpd_t ftpd_tmp_t:dir create_dir_perms;
 allow ftpd_t ftpd_tmp_t:file create_file_perms;
 files_create_tmp_files(ftpd_t, ftpd_tmp_t, { file dir })
-allow ftpd_t ftpd_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-allow ftpd_t ftpd_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-allow ftpd_t ftpd_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow ftpd_t ftpd_tmpfs_t:fifo_file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:dir create_dir_perms;
+allow ftpd_t ftpd_tmpfs_t:file create_file_perms;
+allow ftpd_t ftpd_tmpfs_t:lnk_file create_lnk_perms;
+allow ftpd_t ftpd_tmpfs_t:sock_file create_file_perms;
 fs_create_tmpfs_data(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+allow ftpd_t ftpd_var_run_t:file create_file_perms;
+allow ftpd_t ftpd_var_run_t:dir rw_dir_perms;
+files_create_pid(ftpd_t,ftpd_var_run_t)
+
 # Create and modify /var/log/xferlog.
 allow ftpd_t xferlog_t:file create_file_perms;
 logging_create_log(ftpd_t,xferlog_t)
@@ -86,6 +90,7 @@ corenet_tcp_connect_all_ports(ftpd_t)
 term_dontaudit_use_console(ftpd_t)
+auth_domtrans_chk_passwd(ftpd_t)
 # Append to /var/log/wtmp.
 auth_append_login_records(ftpd_t)
 #kerberized ftp requires the following
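Review bot: The macro substitutions for `ftpd_tmpfs_t` in `@@ -44` are not one-for-one: the removed dir set `{ read getattr lock search ioctl add_name remove_name write }` had no create, setattr, unlink, rename or rmdir, and `create_dir_perms` (by its name, and by how it is used for `ftpd_tmp_t` two lines above) presumably adds them; `create_lnk_perms` and `create_file_perms` may likewise add permissions the hand-written sets lacked. The hunk therefore widens ftpd's access to its tmpfs state while reading as a tidy-up. A one-line comment above the block, such as `# widened to the create_* sets on purpose: ftpd creates and removes its own tmpfs objects`, would record that the widening is intended rather than accidental; the new `ftpd_var_run_t` rules and `files_create_pid` are plainly additive and need nothing.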
@@ -190,6 +195,10 @@ optional_policy(`mount.te',`
 mount_send_nfs_client_request(ftpd_t)
 ')
+optional_policy(`nscd.te',`
+ nscd_use_socket(ftpd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(ftpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index edbd64b..6d12e3f 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -23,6 +23,7 @@ files_pid_file(hald_var_run_t)
 allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
 dontaudit hald_t self:capability sys_tty_config;
+allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -45,8 +46,10 @@ kernel_read_kernel_sysctl(hald_t)
 kernel_write_proc_file(hald_t)
 corenet_tcp_sendrecv_all_if(hald_t)
+corenet_udp_sendrecv_all_if(hald_t)
 corenet_raw_sendrecv_all_if(hald_t)
 corenet_tcp_sendrecv_all_nodes(hald_t)
+corenet_udp_sendrecv_all_nodes(hald_t)
 corenet_raw_sendrecv_all_nodes(hald_t)
 corenet_tcp_sendrecv_all_ports(hald_t)
 corenet_tcp_bind_all_nodes(hald_t)
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 7b439f4..6ec899b 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -144,9 +144,7 @@ optional_policy(`unconfined.te', `
 unconfined_domtrans(inetd_t)
 ')
-# This should be tunable_policy, but leaving
-# ifdef until typeattribute works in conditionals
-ifdef(`unlimitedInetd', `
+ifdef(`targeted_policy',`
 unconfined_domain_template(inetd_t)
 ')
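Review bot: Replacing the `unlimitedInetd` guard with `targeted_policy` makes `unconfined_domain_template(inetd_t)` unconditional in every targeted build, where before it was opt-in under a separately defined symbol, and the two removed comment lines were the only record that this is meant to become a `tunable_policy` once typeattribute is usable in conditionals. Keep that intent next to the rule, e.g. `# TODO: make this a tunable once typeattribute works in conditionals`, so the next person does not read the ifdef as final. The apm.te hunks relocate the same template for apmd_t; both mean the daemon runs fully unconfined under targeted policy, which deserves a one-line why-comment at each site rather than being implied by the block it sits in.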
@@ -184,8 +182,10 @@ kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 corenet_tcp_sendrecv_all_if(inetd_child_t)
+corenet_udp_sendrecv_all_if(inetd_child_t)
 corenet_raw_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
+corenet_udp_sendrecv_all_nodes(inetd_child_t)
 corenet_raw_sendrecv_all_nodes(inetd_child_t)
 corenet_tcp_bind_all_nodes(inetd_child_t)
 corenet_tcp_sendrecv_all_ports(inetd_child_t)
diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if
index a3f1d8c..364faf3 100644
--- a/refpolicy/policy/modules/services/mailman.if
+++ b/refpolicy/policy/modules/services/mailman.if
@@ -248,7 +248,7 @@ interface(`mailman_read_archive',`
 type mailman_archive_t;
 ')
- allow $1 mailman_archive_t:dir { getattr read search };
- allow $1 mailman_archive_t:file { read getattr };
+ allow $1 mailman_archive_t:dir list_dir_perms;
+ allow $1 mailman_archive_t:file r_file_perms;
 allow $1 mailman_archive_t:lnk_file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index a18741a..45b79d6 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -121,6 +121,7 @@ libs_exec_lib_files(squid_t)
 logging_send_syslog_msg(squid_t)
+miscfiles_read_certs(squid_t)
 miscfiles_read_localization(squid_t)
 userdom_use_unpriv_users_fd(squid_t)
@@ -172,7 +173,7 @@ optional_policy(`rhgb.te',`
 ifdef(`apache.te',`
 can_tcp_connect(squid_t, httpd_t)
 ')
-r_dir_file(squid_t, cert_t)
+
 ifdef(`winbind.te', `
 domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
 allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 504e104..5098412 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
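Review bot: In `mailman_read_archive` the dir and file rules move to `list_dir_perms` and `r_file_perms`, but the untouched `allow $1 mailman_archive_t:lnk_file { getattr read };` keeps a hand-written set, so the interface is half converted. If the shared permission-set definitions provide a read set for symlinks it should be used here for the same reason the other two lines were changed; if not, a short comment saying the explicit set is deliberate would stop the next cleanup from guessing.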
@@ -1322,10 +1322,9 @@ interface(`files_create_etc_config',`
 interface(`files_dontaudit_search_isid_type_dir',`
 gen_require(`
 type file_t;
- class dir search;
 ')
- dontaudit $1 file_t:dir search;
+ dontaudit $1 file_t:dir search_dir_perms;
 ')
 ########################################
@@ -1566,10 +1565,9 @@ interface(`files_dontaudit_getattr_home_dir',`
 interface(`files_search_home',`
 gen_require(`
 type home_root_t;
- class dir search;
 ')
- allow $1 home_root_t:dir search;
+ allow $1 home_root_t:dir search_dir_perms;
 ')
 ########################################
@@ -1584,10 +1582,9 @@ interface(`files_search_home',`
 interface(`files_dontaudit_search_home',`
 gen_require(`
 type home_root_t;
- class dir search;
 ')
- dontaudit $1 home_root_t:dir search;
+ dontaudit $1 home_root_t:dir search_dir_perms;
 ')
 ########################################
@@ -2565,10 +2562,9 @@ interface(`files_dontaudit_getattr_pid_dir',`
 interface(`files_search_pids',`
 gen_require(`
 type var_t, var_run_t;
- class dir search;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_run_t:dir search;
 ')
@@ -2599,7 +2595,7 @@ interface(`files_list_pids',`
 class dir r_dir_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_run_t:dir r_dir_perms;
 ')
@@ -2613,7 +2609,7 @@ interface(`files_create_pid',`
 class dir rw_dir_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 var_run_t:dir rw_dir_perms;
 ifelse(`$3',`',`
@@ -2650,7 +2646,6 @@ interface(`files_rw_generic_pids',`
 interface(`files_dontaudit_write_all_pids',`
 gen_require(`
 attribute pidfile;
- class file write;
 ')
 dontaudit $1 pidfile:file write;
@@ -2667,7 +2662,6 @@ interface(`files_dontaudit_write_all_pids',`
 interface(`files_dontaudit_ioctl_all_pids',`
 gen_require(`
 attribute pidfile;
- class file ioctl;
 ')
 dontaudit $1 pidfile:file ioctl;
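Review bot: In `files_search_pids` (`@@ -2565`) only the `var_t` rule moves to `search_dir_perms`; the next line `allow $1 var_run_t:dir search;` is left as bare `search`, so a caller that stats /var/run itself still hits a denial while the parent directory no longer does. `allow $1 var_run_t:dir search_dir_perms;` would make the interface consistent with `@@ -1566` and `@@ -1584`, which treat getattr plus search as the unit (going by the explicit `{ getattr search }` in the userdomain.if hunk, that is what the set expands to). Separately, the `dontaudit` interfaces at `@@ -1322` and `@@ -1584` now also silence getattr denials, a small widening of what is hidden from the audit log that is fine but worth one word in the interface descriptions above each hunk.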
@@ -2681,11 +2675,9 @@ interface(`files_read_all_pids',`
 gen_require(`
 attribute pidfile;
 type var_t;
- class dir r_dir_perms;
- class file r_file_perms;
 ')
- allow $1 var_t:dir search;
+ allow $1 var_t:dir search_dir_perms;
 allow $1 pidfile:dir r_dir_perms;
 allow $1 pidfile:file r_file_perms;
 ')
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 00586cd..8e5f692 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -38,7 +38,7 @@ files_pid_file(getty_var_run_t)
 # Use capabilities.
 allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
-allow getty_t self:process { getpgid getsession };
+allow getty_t self:process { getpgid getsession signal_perms };
 allow getty_t getty_etc_t:dir r_dir_perms;
 allow getty_t getty_etc_t:file r_file_perms;
@@ -47,14 +47,15 @@ files_create_etc_config(getty_t,getty_etc_t,{ file dir })
 allow getty_t getty_lock_t:file create_file_perms;
 files_create_lock(getty_t,getty_lock_t)
-allow getty_t getty_log_t:file { getattr append setattr };
+allow getty_t getty_log_t:file create_file_perms;
+logging_create_log(getty_t,getty_log_t)
-allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
-allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+allow getty_t getty_tmp_t:file create_file_perms;
+allow getty_t getty_tmp_t:dir create_dir_perms;
 files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
 allow getty_t getty_var_run_t:file create_file_perms;
-allow getty_t getty_var_run_t:dir create_dir_perms;
+allow getty_t getty_var_run_t:dir rw_dir_perms;
 files_create_pid(getty_t,getty_var_run_t)
 dev_read_sysfs(getty_t)
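Review bot: At `@@ -47` the `getty_log_t` rule goes from `{ getattr append setattr }` to `create_file_perms`, which (if that set is the full manage set its name and its use on `getty_lock_t` suggest) turns an append-only log into one getty can rewrite, truncate and unlink; losing the append-only property on a log file is an integrity regression, not a cosmetic cleanup, and it is easy to miss among the other macro substitutions. If `create` is what was missing, `allow getty_t getty_log_t:file { create getattr append setattr };` alongside the new `logging_create_log(getty_t,getty_log_t)` keeps the previous guarantee. The `getty_tmp_t` lines in the same hunk also widen beyond the removed sets (which had no link, rename, ioctl, lock or append), which is tolerable for temporary files but could use the same one-line acknowledgement.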
@@ -90,11 +91,6 @@ logging_send_syslog_msg(getty_t)
 miscfiles_read_localization(getty_t)
-ifdef(`TODO',`
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+optional_policy(`ppp.te',`
+ ppp_domtrans(getty_t)
 ')
-') dnl end TODO
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index e298a69..4ea3d19 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -19,6 +19,7 @@ role system_r types hostname_t;
 # for setting the hostname
 allow hostname_t self:process { sigchld sigkill sigstop signull signal };
 allow hostname_t self:capability sys_admin;
+allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 kernel_dontaudit_use_fd(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 6e268c6..9309e8a 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -14,6 +14,7 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
 type hotplug_etc_t; #, usercanread;
 files_type(hotplug_etc_t)
 kernel_search_from(hotplug_etc_t)
+domain_entry_file(hotplug_t,hotplug_etc_t)
 type hotplug_var_run_t;
 files_pid_file(hotplug_var_run_t)
@@ -27,7 +28,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
 dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
-allow hotplug_t self:process { getsession getattr };
+allow hotplug_t self:process { getsession getattr signal_perms };
 allow hotplug_t self:fifo_file rw_file_perms;
 allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 allow hotplug_t self:udp_socket create_socket_perms;
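Review bot: `domain_entry_file(hotplug_t,hotplug_etc_t)` at `@@ -14` makes the configuration type an entry point for the hotplug domain, and the `@@ -36` hunk adds `can_exec(hotplug_t,hotplug_etc_t)`; together it looks like any file labelled `hotplug_etc_t` can be executed by, or serve as the entry into, hotplug_t, which is a wider trust boundary than the binary in `hotplug_exec_t` the domain was declared with. Entry point types are best limited to the executables the domain is meant to start from; if scripts that live alongside the hotplug configuration genuinely need to run, a dedicated exec type for those scripts (placeholder: a `hotplug_script_exec_t`-style type) keeps plain config files out of the entry set. At minimum the rule needs a why-comment, e.g. `# hotplug agent scripts are stored with the config and run directly`, since the existing `#, usercanread;` remark on the type gives no hint that execution is expected.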
@@ -36,11 +37,11 @@ allow hotplug_t self:tcp_socket connected_stream_socket_perms;
 allow hotplug_t hotplug_etc_t:file r_file_perms;
 allow hotplug_t hotplug_etc_t:dir r_dir_perms;
 allow hotplug_t hotplug_etc_t:lnk_file r_file_perms;
+can_exec(hotplug_t,hotplug_etc_t)
-allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
-allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
+can_exec(hotplug_t,hotplug_exec_t)
-allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
+allow hotplug_t hotplug_var_run_t:file manage_file_perms;
 files_create_pid(hotplug_t,hotplug_var_run_t)
 kernel_sigchld(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index c8df5f1..9c27dae 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -618,33 +618,37 @@ interface(`init_use_script_pty',`
 ########################################
 ##
-## Read init scripts.
+## Do not audit attempts to read and
+## write the init script pty.
 ##
 ##
-## The type of the process performing this action.
+## Domain to not audit.
 ##
 #
-interface(`init_read_script_file',`
+interface(`init_dontaudit_use_script_pty',`
 gen_require(`
- type initrc_exec_t;
- class file r_file_perms;
+ type initrc_devpts_t;
 ')
- files_search_etc($1)
- allow $1 initrc_exec_t:file r_file_perms;
+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
 ')
 ########################################
+##
+## Read init scripts.
+##
+##
+## The type of the process performing this action.
+##
 #
-# init_dontaudit_use_script_pty(domain)
-#
-interface(`init_dontaudit_use_script_pty',`
+interface(`init_read_script_file',`
 gen_require(`
- type initrc_devpts_t;
- class chr_file { read write ioctl };
+ type initrc_exec_t;
+ class file r_file_perms;
 ')
- dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file r_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index b1ba783..f724db3 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -49,8 +49,6 @@ files_create_pid(cardmgr_t,cardmgr_var_run_t)
 kernel_read_system_state(cardmgr_t)
 kernel_read_kernel_sysctl(cardmgr_t)
-kernel_list_proc(cardmgr_t)
-kernel_read_proc_symlinks(cardmgr_t)
 kernel_dontaudit_getattr_message_if(cardmgr_t)
 bootloader_search_kernel_modules(cardmgr_t)
@@ -118,13 +116,13 @@ sysnet_manage_config(cardmgr_t)
 userdom_dontaudit_use_unpriv_user_fd(cardmgr_t)
 userdom_dontaudit_search_sysadm_home_dir(cardmgr_t)
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_tty(cardmgr_t)
 term_dontaudit_use_generic_pty(cardmgr_t)
 files_dontaudit_read_root_file(cardmgr_t)
 ')
-optional_policy(`selinuxutils.te',`
+optional_policy(`selinuxutil.te',`
 seutil_dontaudit_read_config(cardmgr_t)
 seutil_sigchld_newrole(cardmgr_t)
 ')
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 656a0aa..cf55822 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -141,7 +141,7 @@ interface(`sysnet_rw_dhcp_config',`
 ')
 files_search_etc($1)
- allow $1 dhcp_etc_t:file { getattr read };
+ allow $1 dhcp_etc_t:file rw_file_perms;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 5a6217d..b998b18 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -244,7 +244,7 @@ rhgb_domain(dhcpc_t)
 #
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
-allow ifconfig_t self:capability { net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:fd use;
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 0183c29..1b2cbc1 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
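Review bot: `sysnet_rw_dhcp_config` now grants `rw_file_perms` on `dhcp_etc_t` where it previously granted only `{ getattr read }`, so every existing caller of this interface silently gains write access to the DHCP configuration; that matches the interface's name, but it is a behaviour change for any caller that picked it when it was effectively read-only. The callers should be reviewed and, where only reading is needed, moved to a read-only interface (adding one if none exists). A short note above the rule, `# grants write as the name says; callers that only read should use a read interface`, would keep the distinction visible.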
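Review bot: The `net_raw` capability added to `ifconfig_t` at `@@ -244` comes with no explanation, and capabilities are the kind of rule that accumulates without anyone later knowing which operation needed them. A why-comment naming the call that fails without it, e.g. `# net_raw: needed for <operation observed in the denial — fill in>`, makes the grant reviewable and removable later.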
@@ -1781,7 +1781,7 @@ interface(`userdom_dontaudit_search_sysadm_home_dir',`
 type sysadm_home_dir_t;
 ')
- dontaudit $1 sysadm_home_dir_t:dir search;
+ dontaudit $1 sysadm_home_dir_t:dir { getattr search };
 ')
 ########################################
@@ -1849,7 +1849,7 @@ interface(`userdom_dontaudit_search_all_users_home',`
 attribute home_dir_type, home_type;
 ')
- dontaudit $1 { home_dir_type home_type }:dir search;
+ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
 ')
 ########################################
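Review bot: The two hunks express the same change two ways: `@@ -1781` spells out `{ getattr search }` while `@@ -1849` uses `search_dir_perms`, and the files.if hunks in this patch consistently use the named set. If the two are the same set, `dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;` keeps userdomain.if in step with the rest of the change and avoids the two rules drifting apart if the set definition is ever revised.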