-##
@@ -14905,92 +14977,93 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_search_var_lib',`
-+interface(`files_create_kernel_symbol_table',`
++interface(`files_read_kernel_symbol_table',`
gen_require(`
- type var_t, var_lib_t;
+ type boot_t, system_map_t;
')
- search_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+ allow $1 system_map_t:file { create_file_perms rw_file_perms };
++ allow $1 boot_t:dir list_dir_perms;
++ read_files_pattern($1, boot_t, system_map_t)
')
########################################
##
-## Do not audit attempts to search the
-## contents of /var/lib.
-+## Dontaudit getattr attempts on the system.map file
++## Delete a system.map in the /boot directory.
##
##
##
- ## Domain to not audit.
+-## Domain to not audit.
++## Domain allowed access.
##
##
-##
#
-interface(`files_dontaudit_search_var_lib',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
++interface(`files_delete_kernel_symbol_table',`
gen_require(`
- type var_lib_t;
-+ type system_map_t;
++ type boot_t, system_map_t;
')
- dontaudit $1 var_lib_t:dir search_dir_perms;
-+ dontaudit $1 system_map_t:file getattr;
++ allow $1 boot_t:dir list_dir_perms;
++ delete_files_pattern($1, boot_t, system_map_t)
')
########################################
##
-## List the contents of the /var/lib directory.
-+## Read system.map in the /boot directory.
++## Search the contents of /var.
##
##
##
-@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
-interface(`files_list_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
++interface(`files_search_var',`
gen_require(`
- type var_t, var_lib_t;
-+ type boot_t, system_map_t;
++ type var_t;
')
- list_dirs_pattern($1, var_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ read_files_pattern($1, boot_t, system_map_t)
++ allow $1 var_t:dir search_dir_perms;
')
-###########################################
+########################################
##
-## Read-write /var/lib directories
-+## Delete a system.map in the /boot directory.
++## Do not audit attempts to write to /var.
##
##
##
-@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`files_rw_var_lib_dirs',`
-+interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_write_var_dirs',`
gen_require(`
- type var_lib_t;
-+ type boot_t, system_map_t;
++ type var_t;
')
- rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 boot_t:dir list_dir_perms;
-+ delete_files_pattern($1, boot_t, system_map_t)
++ dontaudit $1 var_t:dir write;
')
########################################
##
-## Create objects in the /var/lib directory
-+## Search the contents of /var.
++## Allow attempts to write to /var.dirs
##
##
##
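Review bot: The summary comment added at the end of this hunk, `++## Allow attempts to write to /var.dirs`, is mangled — "/var.dirs" reads as a path. It documents the `files_write_var_dirs` interface that begins in the next hunk, so it should read `## Write to /var directories.` or, matching the wording of the neighbouring /var summaries, `## Allow attempts to write to the /var directory.` The interface body itself lies outside this hunk.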
@@ -15014,20 +15087,22 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_var_lib_filetrans',`
-+interface(`files_search_var',`
++interface(`files_write_var_dirs',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
')
- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_lib_t, $2, $3, $4)
++ allow $1 var_t:dir write;
')
########################################
##
-## Read generic files in /var/lib.
-+## Do not audit attempts to write to /var.
++## Do not audit attempts to search
++## the contents of /var.
##
##
##
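Review bot: `files_write_var_dirs` grants only `allow $1 var_t:dir write;`, which on its own does not let a caller add or remove entries in /var; that also needs `add_name`/`remove_name`, which is why the rest of this file uses permission sets such as `add_entry_dir_perms` and `rw_dir_perms` rather than a single permission. If the interface is meant to let callers create entries, `allow $1 var_t:dir rw_dir_perms;` is the usual form; if the narrow grant is deliberate, a comment such as `# bare write only; use files_manage_var_dirs for add_name/remove_name` would keep the next reader from "fixing" it. The `files_dontaudit_write_var_dirs` interface in the previous hunk has the same single-permission shape, so whichever choice is made the two should stay in step.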
@@ -15037,7 +15112,7 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_write_var_dirs',`
++interface(`files_dontaudit_search_var',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
@@ -15045,29 +15120,29 @@ index f962f76..e06a46c 100644
- allow $1 var_lib_t:dir list_dir_perms;
- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ dontaudit $1 var_t:dir write;
++ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
##
-## Read generic symbolic links in /var/lib
-+## Allow attempts to write to /var.dirs
++## List the contents of /var.
##
##
##
-@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',`
##
##
#
-interface(`files_read_var_lib_symlinks',`
-+interface(`files_write_var_dirs',`
++interface(`files_list_var',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
')
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+ allow $1 var_t:dir write;
++ allow $1 var_t:dir list_dir_perms;
')
-# cjp: the next two interfaces really need to be fixed
@@ -15077,8 +15152,7 @@ index f962f76..e06a46c 100644
##
-## Create, read, write, and delete the
-## pseudorandom number generator seed.
-+## Do not audit attempts to search
-+## the contents of /var.
++## Do not audit listing of the var directory (/var).
##
##
##
@@ -15088,7 +15162,7 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_search_var',`
++interface(`files_dontaudit_list_var',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
@@ -15096,23 +15170,24 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ dontaudit $1 var_t:dir search_dir_perms;
++ dontaudit $1 var_t:dir list_dir_perms;
')
########################################
##
-## Allow domain to manage mount tables
-## necessary for rpcd, nfsd, etc.
-+## List the contents of /var.
++## Create, read, write, and delete directories
++## in the /var directory.
##
##
##
-@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',`
##
##
#
-interface(`files_manage_mounttab',`
-+interface(`files_list_var',`
++interface(`files_manage_var_dirs',`
gen_require(`
- type var_t, var_lib_t;
+ type var_t;
@@ -15120,46 +15195,44 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- manage_files_pattern($1, var_lib_t, var_lib_t)
-+ allow $1 var_t:dir list_dir_perms;
++ allow $1 var_t:dir manage_dir_perms;
')
########################################
##
-## Set the attributes of the generic lock directories.
-+## Do not audit listing of the var directory (/var).
++## Read files in the /var directory.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',`
##
##
#
-interface(`files_setattr_lock_dirs',`
-+interface(`files_dontaudit_list_var',`
++interface(`files_read_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
')
- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ dontaudit $1 var_t:dir list_dir_perms;
++ read_files_pattern($1, var_t, var_t)
')
########################################
##
-## Search the locks directory (/var/lock).
-+## Create, read, write, and delete directories
-+## in the /var directory.
++## Append files in the /var directory.
##
##
##
-@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',`
##
##
#
-interface(`files_search_locks',`
-+interface(`files_manage_var_dirs',`
++interface(`files_append_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15167,14 +15240,14 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_t:dir manage_dir_perms;
++ append_files_pattern($1, var_t, var_t)
')
########################################
##
-## Do not audit attempts to search the
-## locks directory (/var/lock).
-+## Read files in the /var directory.
++## Read and write files in the /var directory.
##
##
##
@@ -15184,7 +15257,7 @@ index f962f76..e06a46c 100644
##
#
-interface(`files_dontaudit_search_locks',`
-+interface(`files_read_var_files',`
++interface(`files_rw_var_files',`
gen_require(`
- type var_lock_t;
+ type var_t;
@@ -15192,22 +15265,24 @@ index f962f76..e06a46c 100644
- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
- dontaudit $1 var_lock_t:dir search_dir_perms;
-+ read_files_pattern($1, var_t, var_t)
++ rw_files_pattern($1, var_t, var_t)
')
########################################
##
-## List generic lock directories.
-+## Append files in the /var directory.
++## Do not audit attempts to read and write
++## files in the /var directory.
##
##
##
-@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`files_list_locks',`
-+interface(`files_append_var_files',`
++interface(`files_dontaudit_rw_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15215,23 +15290,23 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_lock_t)
-+ append_files_pattern($1, var_t, var_t)
++ dontaudit $1 var_t:file rw_inherited_file_perms;
')
########################################
##
-## Add and remove entries in the /var/lock
-## directories.
-+## Read and write files in the /var directory.
++## Create, read, write, and delete files in the /var directory.
##
##
##
-@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
+@@ -5726,81 +6694,88 @@ interface(`files_list_locks',`
##
##
#
-interface(`files_rw_lock_dirs',`
-+interface(`files_rw_var_files',`
++interface(`files_manage_var_files',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
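Review bot: The summary for `files_dontaudit_rw_var_files` says "read and write files in the /var directory", but the rule is `dontaudit $1 var_t:file rw_inherited_file_perms;`, whose set name suggests it covers only inherited descriptors (no `open`); I cannot see the set's definition here, so this is inferred from the name. If that reading is right, the summary in the preceding hunk should say `## Do not audit attempts to read and write inherited files in the /var directory.` so callers do not expect it to silence open() denials.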
@@ -15239,25 +15314,24 @@ index f962f76..e06a46c 100644
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- rw_dirs_pattern($1, var_t, var_lock_t)
-+ rw_files_pattern($1, var_t, var_t)
++ manage_files_pattern($1, var_t, var_t)
')
########################################
##
-## Create lock directories
-+## Do not audit attempts to read and write
-+## files in the /var directory.
++## Read symbolic links in the /var directory.
##
##
-##
-## Domain allowed access
+##
-+## Domain to not audit.
++## Domain allowed access.
##
##
#
-interface(`files_create_lock_dirs',`
-+interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_var_symlinks',`
gen_require(`
- type var_t, var_lock_t;
+ type var_t;
@@ -15266,13 +15340,14 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- create_dirs_pattern($1, var_lock_t, var_lock_t)
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
++ read_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
-## Relabel to and from all lock directory types.
-+## Create, read, write, and delete files in the /var directory.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
##
##
##
@@ -15282,7 +15357,7 @@ index f962f76..e06a46c 100644
-##
#
-interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_files',`
++interface(`files_manage_var_symlinks',`
gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
@@ -15292,63 +15367,12 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- relabel_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Get the attributes of generic lock files.
-+## Read symbolic links in the /var directory.
- ##
- ##
- ##
-@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
- ##
- ##
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_read_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 var_lock_t:dir list_dir_perms;
-- getattr_files_pattern($1, var_lock_t, var_lock_t)
-+ read_lnk_files_pattern($1, var_t, var_t)
- ')
-
- ########################################
- ##
--## Delete generic lock files.
-+## Create, read, write, and delete symbolic
-+## links in the /var directory.
- ##
- ##
- ##
-@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
- ##
- ##
- #
--interface(`files_delete_generic_locks',`
-+interface(`files_manage_var_symlinks',`
- gen_require(`
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
+ manage_lnk_files_pattern($1, var_t, var_t)
')
########################################
##
--## Create, read, write, and delete generic
--## lock files.
+-## Get the attributes of generic lock files.
+## Create objects in the /var directory
##
##
@@ -15372,7 +15396,7 @@ index f962f76..e06a46c 100644
+##
+##
#
--interface(`files_manage_generic_locks',`
+-interface(`files_getattr_generic_locks',`
+interface(`files_var_filetrans',`
gen_require(`
- type var_t, var_lock_t;
@@ -15381,68 +15405,65 @@ index f962f76..e06a46c 100644
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-- manage_files_pattern($1, var_lock_t, var_lock_t)
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
+
########################################
##
--## Delete all lock files.
+-## Delete generic lock files.
+## Relabel dirs in the /var directory.
##
##
##
- ## Domain allowed access.
+@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',`
##
##
--##
#
--interface(`files_delete_all_locks',`
+-interface(`files_delete_generic_locks',`
+interface(`files_relabel_var_dirs',`
gen_require(`
-- attribute lockfile;
- type var_t, var_lock_t;
+ type var_t;
')
-
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, lockfile, lockfile)
+- delete_files_pattern($1, var_lock_t, var_lock_t)
+ allow $1 var_t:dir relabel_dir_perms;
')
########################################
##
--## Read all lock files.
+-## Create, read, write, and delete generic
+-## lock files.
+## Get the attributes of the /var/lib directory.
##
##
##
-@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
+@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',`
##
##
#
--interface(`files_read_all_locks',`
+-interface(`files_manage_generic_locks',`
+interface(`files_getattr_var_lib_dirs',`
gen_require(`
-- attribute lockfile;
- type var_t, var_lock_t;
+ type var_t, var_lib_t;
')
+- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
+ getattr_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
--## manage all lock files.
+-## Delete all lock files.
+## Search the /var/lib directory.
##
+##
@@ -15463,9 +15484,10 @@ index f962f76..e06a46c 100644
## Domain allowed access.
##
##
+-##
+##
#
--interface(`files_manage_all_locks',`
+-interface(`files_delete_all_locks',`
+interface(`files_search_var_lib',`
gen_require(`
- attribute lockfile;
@@ -15473,140 +15495,143 @@ index f962f76..e06a46c 100644
+ type var_t, var_lib_t;
')
+- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-- manage_lnk_files_pattern($1, lockfile, lockfile)
+- delete_files_pattern($1, lockfile, lockfile)
+ search_dirs_pattern($1, var_t, var_lib_t)
')
########################################
##
--## Create an object in the locks directory, with a private
--## type using a type transition.
+-## Read all lock files.
+## Do not audit attempts to search the
+## contents of /var/lib.
##
##
##
-## Domain allowed access.
--##
--##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
+## Domain to not audit.
##
##
+##
#
--interface(`files_lock_filetrans',`
+-interface(`files_read_all_locks',`
+interface(`files_dontaudit_search_var_lib',`
gen_require(`
+- attribute lockfile;
- type var_t, var_lock_t;
+ type var_lib_t;
')
-- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- filetrans_pattern($1, var_lock_t, $2, $3, $4)
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
+ dontaudit $1 var_lib_t:dir search_dir_perms;
')
########################################
##
--## Do not audit attempts to get the attributes
--## of the /var/run directory.
+-## manage all lock files.
+## List the contents of the /var/lib directory.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',`
##
##
#
--interface(`files_dontaudit_getattr_pid_dirs',`
+-interface(`files_manage_all_locks',`
+interface(`files_list_var_lib',`
gen_require(`
-- type var_run_t;
+- attribute lockfile;
+- type var_t, var_lock_t;
+ type var_t, var_lib_t;
')
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir getattr;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
+ list_dirs_pattern($1, var_t, var_lib_t)
')
-########################################
+###########################################
##
--## Set the attributes of the /var/run directory.
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
+## Read-write /var/lib directories
##
##
##
-@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ## Domain allowed access.
##
##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
#
--interface(`files_setattr_pid_dirs',`
+-interface(`files_lock_filetrans',`
+interface(`files_rw_var_lib_dirs',`
gen_require(`
-- type var_run_t;
+- type var_t, var_lock_t;
+ type var_lib_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir setattr;
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
+ rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
########################################
##
--## Search the contents of runtime process
--## ID directories (/var/run).
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
+## Create directories in /var/lib
##
##
##
-@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_search_pids',`
+-interface(`files_dontaudit_getattr_pid_dirs',`
+interface(`files_create_var_lib_dirs',`
gen_require(`
-- type var_t, var_run_t;
+- type var_run_t;
+ type var_lib_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- search_dirs_pattern($1, var_t, var_run_t)
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
+ allow $1 var_lib_t:dir { create rw_dir_perms };
')
+
########################################
##
--## Do not audit attempts to search
--## the /var/run directory.
+-## Set the attributes of the /var/run directory.
+## Create objects in the /var/lib directory
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
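Review bot: `files_create_var_lib_dirs` hand-writes `allow $1 var_lib_t:dir { create rw_dir_perms };` while every neighbouring interface in this hunk expresses directory access through a pattern macro (`search_dirs_pattern`, `list_dirs_pattern`, `rw_dirs_pattern`). The matching idiom, seen on the removed side for the lock directories as `create_dirs_pattern($1, var_lock_t, var_lock_t)`, would be `create_dirs_pattern($1, var_lib_t, var_lib_t)`; it keeps the file's single style and is slightly narrower than `rw_dir_perms` (it does not appear to include the read/remove side), so it should be preferred unless those extra permissions are actually needed, in which case a one-line comment explaining why the macro was bypassed would help.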
@@ -15623,37 +15648,30 @@ index f962f76..e06a46c 100644
+##
+##
+## The name of the object being created.
- ##
- ##
- #
--interface(`files_dontaudit_search_pids',`
++##
++##
++#
+interface(`files_var_lib_filetrans',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_lib_t;
- ')
-
-- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
-- dontaudit $1 var_run_t:dir search_dir_perms;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
- ')
-
- ########################################
- ##
--## List the contents of the runtime process
--## ID directories (/var/run).
++')
++
++########################################
++##
+## Read generic files in /var/lib.
- ##
- ##
- ##
-@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_read_var_lib_files',`
- gen_require(`
++ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
@@ -16774,11 +16792,9 @@ index f962f76..e06a46c 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
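Review bot: `files_delete_all_pid_dirs` calls `files_search_pids($1)` and then also adds `allow $1 var_t:dir search_dir_perms;`. Elsewhere on this page the removed text of `files_search_pids` expands to `search_dirs_pattern($1, var_t, var_run_t)`, which already grants search on `var_t`, so the explicit allow looks redundant — this is inferred, since the current definition of `files_search_pids` is not in view. If the interface call stays, the direct `var_t` rule (and possibly `var_run_t` in `gen_require`) can go; if the direct rules stay, the interface call can. The interface's closing `')` is outside this hunk.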
@@ -16931,34 +16947,39 @@ index f962f76..e06a46c 100644
+##
+## List the contents of generic spool
+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_setattr_pid_dirs',`
+interface(`files_list_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
+ list_dirs_pattern($1, var_t, var_spool_t)
')
########################################
##
--## Read generic process ID files.
+-## Search the contents of runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
##
##
##
-@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
+@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',`
##
##
#
--interface(`files_read_generic_pids',`
+-interface(`files_search_pids',`
+interface(`files_manage_generic_spool_dirs',`
gen_require(`
- type var_t, var_run_t;
@@ -16966,67 +16987,74 @@ index f962f76..e06a46c 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
+- search_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
--## Write named generic process ID pipes
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Read generic spool files.
##
##
##
-@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_write_generic_pid_pipes',`
+-interface(`files_dontaudit_search_pids',`
+interface(`files_read_generic_spool',`
gen_require(`
- type var_run_t;
+ type var_t, var_spool_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
+ list_dirs_pattern($1, var_t, var_spool_t)
+ read_files_pattern($1, var_spool_t, var_spool_t)
')
########################################
##
--## Create an object in the process ID directory, with a private type.
+-## List the contents of the runtime process
+-## ID directories (/var/run).
+## Create, read, write, and delete generic
+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_list_pids',`
+interface(`files_manage_generic_spool',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
+## Create objects in the spool directory
+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
+##
+## Type to which the created node will be transitioned.
@@ -17043,33 +17071,43 @@ index f962f76..e06a46c 100644
+## The name of the object being created.
+##
+##
-+#
+ #
+-interface(`files_read_generic_pids',`
+interface(`files_spool_filetrans',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Allow access to manage all polyinstantiated
+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_polyinstantiate_all',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ attribute polydir, polymember, polyparent;
+ type poly_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ # Need to give access to /selinux/member
+ selinux_compute_member($1)
+
@@ -17106,10 +17144,11 @@ index f962f76..e06a46c 100644
+ corecmd_exec_bin($1)
+ seutil_domtrans_setfiles($1)
+ ')
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Unconfined access to files.
+##
+##
@@ -17158,7 +17197,7 @@ index f962f76..e06a46c 100644
##
##
##