+ ')
+
+ ########################################
+ ##
+-## Write in a sysfs directories.
+## Dontaudit attempts to mount a filesystem on /sys
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`dev_dontaudit_mounton_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ dontaudit $1 sysfs_t:dir mounton;
-+')
-+
-+########################################
-+##
-+## Mount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_mount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Unmount sysfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_unmount_sysfs_fs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
- ## Search the sysfs directories.
##
##
-@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',`
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
++interface(`dev_dontaudit_mounton_sysfs',`
+ gen_require(`
type sysfs_t;
')
-+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+- allow $1 sysfs_t:dir write;
++ dontaudit $1 sysfs_t:dir mounton;
')
-@@ -3928,6 +4616,24 @@ interface(`dev_write_sysfs_dirs',`
-
########################################
##
-+## Access check for a sysfs directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_access_check_sysfs',`
-+ gen_require(`
-+ type sysfs_t;
-+ ')
-+
-+ allow $1 sysfs_t:dir audit_access;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write in a sysfs directory.
+-## Do not audit attempts to write in a sysfs directory.
++## Mount sysfs filesystems.
##
##
-@@ -3946,23 +4652,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_mount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- dontaudit $1 sysfs_t:dir write;
++ allow $1 sysfs_t:filesystem mount;
+ ')
########################################
##
-## Create, read, write, and delete sysfs
-## directories.
-+## Read cpu online hardware state information.
++## Unmount sysfs filesystems.
##
-+##
-+##
-+## Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##
-+##
##
##
- ## Domain allowed access.
+@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
##
##
#
-interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+ gen_require(`
-+ type cpu_online_t;
-+ ')
-+
-+ dev_search_sysfs($1)
-+ read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+##
-+## Relabel cpu online hardware state information.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_unmount_sysfs_fs',`
gen_require(`
-+ type cpu_online_t;
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+ dev_search_sysfs($1)
++ allow $1 sysfs_t:filesystem unmount;
+ ')
+
+ ########################################
+ ##
+-## Read hardware state information.
++## Search the sysfs directories.
+ ##
+-##
+-##
+-## Allow the specified domain to read the contents of
+-## the sysfs filesystem. This filesystem contains
+-## information, parameters, and other settings on the
+-## hardware installed on the system.
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- read_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ search_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify hardware state information.
++## Do not audit attempts to search sysfs.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+- rw_files_pattern($1, sysfs_t, sysfs_t)
+- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+- list_dirs_pattern($1, sysfs_t, sysfs_t)
++ dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read and write the TPM device.
++## List the contents of the sysfs directories.
+ ##
+ ##
+ ##
+@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_list_sysfs',`
+ gen_require(`
+- type device_t, tpm_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, tpm_device_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read from pseudo random number generator devices (e.g., /dev/urandom).
++## Write in a sysfs directories.
+ ##
+-##
+-##
+-## Allow the specified domain to read from pseudo random number
+-## generator devices (e.g., /dev/urandom). Typically this is
+-## used in situations when a cryptographically secure random
+-## number is not necessarily needed. One example is the Stack
+-## Smashing Protector (SSP, formerly known as ProPolice) support
+-## that may be compiled into programs.
+-##
+-##
+-## Related interface:
+-##
+-##
+-## - dev_read_rand()
+-##
+-##
+-## Related tunable:
+-##
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`dev_read_urand',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, urandom_device_t)
++ allow $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read from pseudo
+-## random devices (e.g., /dev/urandom)
++## Access check for a sysfs directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_access_check_sysfs',`
+ gen_require(`
+- type urandom_device_t;
++ type sysfs_t;
+ ')
+
+- dontaudit $1 urandom_device_t:chr_file { getattr read };
++ allow $1 sysfs_t:dir audit_access;
+ ')
+
+ ########################################
+ ##
+-## Write to the pseudo random device (e.g., /dev/urandom). This
+-## sets the random number generator seed.
++## Do not audit attempts to write in a sysfs directory.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_write_urand',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
+ gen_require(`
+- type device_t, urandom_device_t;
++ type sysfs_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, urandom_device_t)
++ dontaudit $1 sysfs_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Getattr generic the USB devices.
++## Read cpu online hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read /sys/devices/system/cpu/online file.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_getattr_generic_usb_dev',`
++interface(`dev_read_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
++ read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+
+ ########################################
+ ##
+-## Setattr generic the USB devices.
++## Relabel cpu online hardware state information.
+ ##
+ ##
+ ##
+@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_generic_usb_dev',`
++interface(`dev_relabel_cpu_online',`
+ gen_require(`
+- type usb_device_t;
++ type cpu_online_t;
++ type sysfs_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, usb_device_t)
++ dev_search_sysfs($1)
+ allow $1 cpu_online_t:file relabel_file_perms;
')
+
- ########################################
- ##
- ## Read hardware state information.
-@@ -4016,6 +4748,62 @@ interface(`dev_rw_sysfs',`
-
- ########################################
- ##
-+## Relabel hardware state directories.
+ ########################################
+ ##
+-## Read generic the USB devices.
++## Read hardware state information.
+ ##
++##
++##
++## Allow the specified domain to read the contents of
++## the sysfs filesystem. This filesystem contains
++## information, parameters, and other settings on the
++## hardware installed on the system.
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`dev_read_generic_usb_dev',`
++interface(`dev_read_sysfs',`
+ gen_require(`
+- type usb_device_t;
++ type sysfs_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, usb_device_t)
++ read_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read and write generic the USB devices.
++## Allow caller to modify hardware state information.
+ ##
+ ##
+ ##
+@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_generic_usb_dev',`
++interface(`dev_rw_sysfs',`
+ gen_require(`
+- type device_t, usb_device_t;
++ type sysfs_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, usb_device_t)
++ rw_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel generic the USB devices.
++## Relabel hardware state directories.
+ ##
+ ##
+ ##
+@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_relabel_generic_usb_dev',`
++interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
+- type usb_device_t;
++ type sysfs_t;
+ ')
+
+- relabel_chr_files_pattern($1, device_t, usb_device_t)
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+
+ ########################################
+ ##
+-## Read USB monitor devices.
++## Relabel hardware state files
+ ##
+ ##
+ ##
+@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbmon_dev',`
++interface(`dev_relabel_all_sysfs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ relabel_files_pattern($1, sysfs_t, sysfs_t)
++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Allow caller to modify hardware state information.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_manage_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++##
++## Read and write the TPM device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_tpm',`
++ gen_require(`
++ type device_t, tpm_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
++########################################
++##
++## Read from pseudo random number generator devices (e.g., /dev/urandom).
++##
++##
++##
++## Allow the specified domain to read from pseudo random number
++## generator devices (e.g., /dev/urandom). Typically this is
++## used in situations when a cryptographically secure random
++## number is not necessarily needed. One example is the Stack
++## Smashing Protector (SSP, formerly known as ProPolice) support
++## that may be compiled into programs.
++##
++##
++## Related interface:
++##
++##
++## - dev_read_rand()
++##
++##
++## Related tunable:
++##
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`dev_read_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to read from pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_read_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++##
++## Write to the pseudo random device (e.g., /dev/urandom). This
++## sets the random number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_write_urand',`
++ gen_require(`
++ type device_t, urandom_device_t;
++ ')
++
++ write_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++##
++## Do not audit attempts to write to pseudo
++## random devices (e.g., /dev/urandom)
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_write_urand',`
++ gen_require(`
++ type urandom_device_t;
++ ')
++
++ dontaudit $1 urandom_device_t:chr_file write;
++')
++
++########################################
++##
++## Getattr generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t,device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Setattr generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read and write generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_generic_usb_dev',`
++ gen_require(`
++ type device_t, usb_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Relabel generic the USB devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_relabel_generic_usb_dev',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ relabel_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++##
++## Read USB monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_usbmon_dev',`
+ gen_require(`
+ type device_t, usbmon_device_t;
+ ')
+@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',`
+ #
+ interface(`dev_associate_usbfs',`
+ gen_require(`
+- type usbfs_t;
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:filesystem associate;
++')
++
++########################################
++##
++## Get the attributes of a directory in the usb filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ allow $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of a directory in the usb filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dev_dontaudit_getattr_usbfs_dirs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ dontaudit $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++##
++## Search the directory containing USB hardware information.
+##
+##
+##
@@ -7445,17 +8042,17 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_search_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++ search_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Relabel hardware state files
++## Allow caller to get a list of usb hardware.
+##
+##
+##
@@ -7463,19 +8060,20 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_list_usbfs',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+ relabel_files_pattern($1, sysfs_t, sysfs_t)
-+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Allow caller to modify hardware state information.
++## Set the attributes of usbfs filesystem.
+##
+##
+##
@@ -7483,266 +8081,425 @@ index 76f285e..450a2b7 100644
+##
+##
+#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_setattr_usbfs_files',`
+ gen_require(`
-+ type sysfs_t;
++ type usbfs_t;
+ ')
+
-+ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++ setattr_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Read and write the TPM device.
- ##
- ##
-@@ -4113,6 +4901,25 @@ interface(`dev_write_urand',`
-
- ########################################
- ##
-+## Do not audit attempts to write to pseudo
-+## random devices (e.g., /dev/urandom)
++## Read USB hardware information using
++## the usbfs filesystem interface.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_write_urand',`
++interface(`dev_read_usbfs',`
+ gen_require(`
-+ type urandom_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 urandom_device_t:chr_file write;
++ read_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
- ## Getattr generic the USB devices.
++## Allow caller to modify usb hardware configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_usbfs',`
++ gen_require(`
++ type usbfs_t;
++ ')
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++')
++
++######################################
++##
++## Read and write userio device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_userio_dev',`
++ gen_require(`
++ type device_t, userio_device_t;
+ ')
+
+- allow $1 usbfs_t:filesystem associate;
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of a directory in the usb filesystem.
++## Get the attributes of video4linux devices.
##
##
-@@ -4123,7 +4930,7 @@ interface(`dev_write_urand',`
+ ##
+@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',`
+ ##
+ ##
#
- interface(`dev_getattr_generic_usb_dev',`
+-interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_getattr_video_dev',`
gen_require(`
-- type usb_device_t;
-+ type usb_device_t,device_t;
+- type usbfs_t;
++ type device_t, v4l_device_t;
')
- getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5216,9 @@ interface(`dev_rw_usbfs',`
- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- allow $1 usbfs_t:dir getattr_dir_perms;
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
--########################################
-+######################################
+ ########################################
##
--## Get the attributes of video4linux devices.
-+## Read and write userio device.
+ ## Do not audit attempts to get the attributes
+-## of a directory in the usb filesystem.
++## of video4linux device nodes.
##
##
##
-@@ -4419,17 +5226,17 @@ interface(`dev_rw_usbfs',`
+@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',`
##
##
#
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_userio_dev',`
+-interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, userio_device_t;
+- type usbfs_t;
++ type v4l_device_t;
')
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
+- dontaudit $1 usbfs_t:dir getattr_dir_perms;
++ dontaudit $1 v4l_device_t:chr_file getattr;
')
--######################################
-+########################################
+ ########################################
##
--## Read and write userio device.
-+## Get the attributes of video4linux devices.
+-## Search the directory containing USB hardware information.
++## Set the attributes of video4linux device nodes.
##
##
##
-@@ -4437,12 +5244,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
##
##
#
--interface(`dev_rw_userio_dev',`
-+interface(`dev_getattr_video_dev',`
+-interface(`dev_search_usbfs',`
++interface(`dev_setattr_video_dev',`
gen_require(`
-- type device_t, userio_device_t;
+- type usbfs_t;
+ type device_t, v4l_device_t;
')
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+- search_dirs_pattern($1, usbfs_t, usbfs_t)
++ setattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to get a list of usb hardware.
++## Do not audit attempts to set the attributes
++## of video4linux device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type v4l_device_t;
+ ')
+
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 v4l_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of usbfs filesystem.
++## Read the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- setattr_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
-@@ -4539,6 +5346,134 @@ interface(`dev_write_video_dev',`
+ ##
+-## Read USB hardware information using
+-## the usbfs filesystem interface.
++## Write the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_write_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- read_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
########################################
##
+-## Allow caller to modify usb hardware configuration files.
+## Get the attributes of vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_usbfs',`
+interface(`dev_getattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type usbfs_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
+- rw_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of video4linux devices.
+## Do not audit attempts to get the attributes
+## of vfio device nodes.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
+interface(`dev_dontaudit_getattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type vfio_device_t;
-+ ')
-+
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ dontaudit $1 vfio_device_t:chr_file getattr;
-+')
-+
+ ')
+
+-######################################
+########################################
-+##
+ ##
+-## Read and write userio device.
+## Set the attributes of vfio device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
+interface(`dev_setattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, userio_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of video4linux device nodes.
+## Do not audit attempts to set the attributes
+## of vfio device nodes.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
+interface(`dev_dontaudit_setattr_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type v4l_device_t;
+ type vfio_device_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file getattr;
+ dontaudit $1 vfio_device_t:chr_file setattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of video4linux device nodes.
+## Read the vfio devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_video_dev',`
+interface(`dev_read_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- setattr_chr_files_pattern($1, device_t, v4l_device_t)
+ read_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes
+-## of video4linux device nodes.
+## Write the vfio devices.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
+interface(`dev_write_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file setattr;
+ write_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read the video4linux devices.
+## Read and write the VFIO devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_video_dev',`
+interface(`dev_rw_vfio_dev',`
-+ gen_require(`
+ gen_require(`
+- type device_t, v4l_device_t;
+ type device_t, vfio_device_t;
-+ ')
-+
+ ')
+
+- read_chr_files_pattern($1, device_t, v4l_device_t)
+ rw_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+##
- ## Allow read/write the vhost net device
+ ')
+
+ ########################################
+ ##
+-## Write the video4linux devices.
++## Allow read/write the vhost net device
##
##
-@@ -4557,6 +5492,24 @@ interface(`dev_rw_vhost',`
+ ##
+@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
########################################
##
+-## Allow read/write the vhost net device
+## Allow read/write inheretid the vhost net device
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dev_rw_inherited_vhost',`
-+ gen_require(`
-+ type device_t, vhost_device_t;
-+ ')
-+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write VMWare devices.
##
##
-@@ -4630,6 +5583,24 @@ interface(`dev_write_watchdog',`
+ ##
+@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
+@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',`
########################################
##
@@ -7767,7 +8524,7 @@ index 76f285e..450a2b7 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5733,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -7812,7 +8569,7 @@ index 76f285e..450a2b7 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5860,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5896,966 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10019,7 +10776,7 @@ index b876c48..a351aff 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1a36ae2 100644
+index f962f76..a226015 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10760,7 +11517,7 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10773,7 +11530,20 @@ index f962f76..1a36ae2 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
++ auth_relabelto_shadow($1)
+ ')
+
+ ########################################
+@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+ # satisfy the assertions:
+ seutil_create_bin_policy($1)
+ files_manage_kernel_modules($1)
++ auth_reader_shadow($1)
++ auth_writer_shadow($1)
+ ')
+
+ ########################################
+@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
########################################
##
@@ -10798,17 +11568,18 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
- # device nodes with file types.
+@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
--
+
- # satisfy the assertions:
- seutil_relabelto_bin_policy($1)
++ # satisfy the assertions:
++ seutil_relabelto_bin_policy($1)
')
#############################################
-@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -10833,7 +11604,7 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2121,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -10858,7 +11629,14 @@ index f962f76..1a36ae2 100644
## Do not audit attempts to write to mount points.
##
##
-@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1703,104 +2151,86 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
++ dontaudit $1 self:capability dac_override;
+
+ dontaudit $1 mountpoint:dir write;
+ ')
########################################
##
@@ -10978,7 +11756,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',`
+@@ -1808,18 +2238,128 @@ interface(`files_root_filetrans',`
##
##
#
@@ -10995,6 +11773,7 @@ index f962f76..1a36ae2 100644
########################################
##
-## Do not audit attempts to read or write
+-## files in the root directory.
+## Do not audit attempts to write to / dirs.
+##
+##
@@ -11106,10 +11885,11 @@ index f962f76..1a36ae2 100644
+########################################
+##
+## Do not audit attempts to read or write
- ## files in the root directory.
++## files in the root directory.
##
##
-@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',`
+ ##
+@@ -1892,25 +2432,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -11141,7 +11921,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2463,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -11150,7 +11930,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2486,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -11193,7 +11973,7 @@ index f962f76..1a36ae2 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2757,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -11218,7 +11998,7 @@ index f962f76..1a36ae2 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3239,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -11243,7 +12023,7 @@ index f962f76..1a36ae2 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3328,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -11251,7 +12031,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3337,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -11260,7 +12040,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3393,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -11286,7 +12066,7 @@ index f962f76..1a36ae2 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3430,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -11311,7 +12091,7 @@ index f962f76..1a36ae2 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3613,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -11336,7 +12116,7 @@ index f962f76..1a36ae2 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3653,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -11347,7 +12127,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3661,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -11369,7 +12149,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3689,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -11396,7 +12176,7 @@ index f962f76..1a36ae2 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3726,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -11404,7 +12184,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3748,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -11412,7 +12192,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,34 +3793,34 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -11455,7 +12235,7 @@ index f962f76..1a36ae2 100644
## that have not yet been labeled.
##
##
-@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3178,12 +3829,50 @@ interface(`files_dontaudit_search_isid_type_dirs',`
##
##
#
@@ -11468,11 +12248,10 @@ index f962f76..1a36ae2 100644
- allow $1 file_t:dir list_dir_perms;
+ allow $1 unlabeled_t:dir setattr;
- ')
-
- ########################################
- ##
--## Read and write directories on new filesystems
++')
++
++########################################
++##
+## Do not audit attempts to search directories on new filesystems
+## that have not yet been labeled.
+##
@@ -11507,15 +12286,10 @@ index f962f76..1a36ae2 100644
+ ')
+
+ allow $1 unlabeled_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read and write directories on new filesystems
- ## that have not yet been labeled.
- ##
- ##
-@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',`
+ ')
+
+ ########################################
+@@ -3199,10 +3888,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -11528,7 +12302,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3907,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -11571,9 +12345,8 @@ index f962f76..1a36ae2 100644
+interface(`files_mounton_isid',`
+ gen_require(`
+ type unlabeled_t;
- ')
-
-- delete_dirs_pattern($1, file_t, file_t)
++ ')
++
+ allow $1 unlabeled_t:dir mounton;
+')
+
@@ -11591,13 +12364,14 @@ index f962f76..1a36ae2 100644
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- delete_dirs_pattern($1, file_t, file_t)
+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
')
########################################
-@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3982,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -11610,7 +12384,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4001,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -11642,7 +12416,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4039,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -11655,7 +12429,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4058,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -11668,7 +12442,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4077,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -11681,7 +12455,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4096,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -11694,7 +12468,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4115,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -11707,7 +12481,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4134,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -11720,7 +12494,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4153,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -11733,7 +12507,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4172,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -11746,7 +12520,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4191,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -11759,7 +12533,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4210,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -11772,7 +12546,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4229,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -11804,7 +12578,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4267,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -11817,7 +12591,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4286,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -11830,7 +12604,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4335,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -11858,7 +12632,7 @@ index f962f76..1a36ae2 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4618,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -11902,7 +12676,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -12078,7 +12852,7 @@ index f962f76..1a36ae2 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -12105,7 +12879,7 @@ index f962f76..1a36ae2 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -12144,7 +12918,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -12153,7 +12927,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -12161,7 +12935,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -12170,7 +12944,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -12187,8 +12961,9 @@ index f962f76..1a36ae2 100644
+##
+## Domain not to audit.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_delete_tmp_dir_entry',`
+interface(`files_rw_generic_tmp_dir',`
+ gen_require(`
+ type tmp_t;
@@ -12206,10 +12981,10 @@ index f962f76..1a36ae2 100644
+##
+## Domain allowed access.
+##
- ##
- #
- interface(`files_delete_tmp_dir_entry',`
-@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',`
++##
++#
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
type tmp_t;
')
@@ -12217,7 +12992,7 @@ index f962f76..1a36ae2 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -12250,7 +13025,7 @@ index f962f76..1a36ae2 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -12293,7 +13068,7 @@ index f962f76..1a36ae2 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -12354,7 +13129,7 @@ index f962f76..1a36ae2 100644
## List all tmp directories.
##
##
-@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -12363,7 +13138,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -12372,7 +13147,7 @@ index f962f76..1a36ae2 100644
##
##
#
-@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -12417,7 +13192,7 @@ index f962f76..1a36ae2 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12434,7 +13209,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',`
########################################
##
@@ -12459,7 +13234,7 @@ index f962f76..1a36ae2 100644
## Read system.map in the /boot directory.
##
##
-@@ -5241,6 +6470,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6477,24 @@ interface(`files_list_var',`
########################################
##
@@ -12484,7 +13259,7 @@ index f962f76..1a36ae2 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',`
type var_t;
')
@@ -12493,7 +13268,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -12519,7 +13294,7 @@ index f962f76..1a36ae2 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -12545,7 +13320,7 @@ index f962f76..1a36ae2 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -12554,7 +13329,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -12570,7 +13345,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5672,6 +6958,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6965,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -12578,7 +13353,7 @@ index f962f76..1a36ae2 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -12606,7 +13381,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -12623,7 +13398,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -12632,7 +13407,7 @@ index f962f76..1a36ae2 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -12640,7 +13415,7 @@ index f962f76..1a36ae2 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -12649,7 +13424,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -12684,7 +13459,7 @@ index f962f76..1a36ae2 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -12702,7 +13477,7 @@ index f962f76..1a36ae2 100644
')
########################################
-@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -12713,7 +13488,7 @@ index f962f76..1a36ae2 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -12723,7 +13498,7 @@ index f962f76..1a36ae2 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -12733,7 +13508,7 @@ index f962f76..1a36ae2 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -12743,7 +13518,7 @@ index f962f76..1a36ae2 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -12752,7 +13527,7 @@ index f962f76..1a36ae2 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7317,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7324,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -12801,7 +13576,7 @@ index f962f76..1a36ae2 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -12845,7 +13620,7 @@ index f962f76..1a36ae2 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7439,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -12854,7 +13629,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -12863,7 +13638,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -12872,7 +13647,7 @@ index f962f76..1a36ae2 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -12880,7 +13655,7 @@ index f962f76..1a36ae2 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -12905,7 +13680,7 @@ index f962f76..1a36ae2 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -12914,7 +13689,7 @@ index f962f76..1a36ae2 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -12977,7 +13752,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -13027,7 +13802,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13051,7 +13826,7 @@ index f962f76..1a36ae2 100644
##
##
##
-@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -13103,7 +13878,7 @@ index f962f76..1a36ae2 100644
##
##