author | Chris PeBenito <pebenito@ieee.org> | 2019-09-08 16:55:02 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2019-12-16 21:06:13 +0800 |
commit | 5b62a0e558c83adef0056739d9ac2934eebccc7c (patch) | |
tree | a0f11c029a432cc99ba93b326b3600cade9afcc7 | |
parent | systemd: allow user environment helpers to communicate with systemd --user (diff) | |
Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
665 files changed, 3052 insertions, 3050 deletions
diff --git a/policy/modules/admin/bacula.fc b/policy/modules/admin/bacula.fc
index 27c021c32..3afcb326e 100644
--- a/policy/modules/admin/bacula.fc
+++ b/policy/modules/admin/bacula.fc
@@ -16,6 +16,6 @@
 /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0)
-/run/bacula.* -- gen_context(system_u:object_r:bacula_var_run_t,s0)
+/run/bacula.* -- gen_context(system_u:object_r:bacula_runtime_t,s0)
 /var/spool/bacula.* gen_context(system_u:object_r:bacula_spool_t,s0)
diff --git a/policy/modules/admin/bacula.if b/policy/modules/admin/bacula.if
index eba3f1cad..6456a1686 100644
--- a/policy/modules/admin/bacula.if
+++ b/policy/modules/admin/bacula.if
@@ -68,7 +68,7 @@ interface(`bacula_admin',`
 gen_require(`
 type bacula_t, bacula_etc_t, bacula_log_t;
 type bacula_spool_t, bacula_var_lib_t;
- type bacula_var_run_t, bacula_initrc_exec_t;
+ type bacula_runtime_t, bacula_initrc_exec_t;
 ')
 allow $1 bacula_t:process { ptrace signal_perms };
@@ -89,5 +89,5 @@ interface(`bacula_admin',`
 admin_pattern($1, bacula_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, bacula_var_run_t)
+ admin_pattern($1, bacula_runtime_t)
 ')
diff --git a/policy/modules/admin/bacula.te b/policy/modules/admin/bacula.te
index 8def92c11..7f9c60ebb 100644
--- a/policy/modules/admin/bacula.te
+++ b/policy/modules/admin/bacula.te
@@ -30,8 +30,8 @@ files_mountpoint(bacula_store_t)
 type bacula_var_lib_t;
 files_type(bacula_var_lib_t)
-type bacula_var_run_t;
-files_pid_file(bacula_var_run_t)
+type bacula_runtime_t alias bacula_var_run_t;
+files_pid_file(bacula_runtime_t)
 type bacula_admin_t;
 type bacula_admin_exec_t;
@@ -65,8 +65,8 @@ manage_dirs_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
 manage_files_pattern(bacula_t, bacula_var_lib_t, bacula_var_lib_t)
 files_var_lib_filetrans(bacula_t, bacula_var_lib_t, dir)
-allow bacula_t bacula_var_run_t:file manage_file_perms;
-files_pid_filetrans(bacula_t, bacula_var_run_t, file)
+allow bacula_t bacula_runtime_t:file manage_file_perms;
+files_pid_filetrans(bacula_t, bacula_runtime_t, file)
 kernel_read_kernel_sysctls(bacula_t)
 kernel_read_system_state(bacula_t)
diff --git a/policy/modules/admin/bcfg2.fc b/policy/modules/admin/bcfg2.fc
index feb5d9d9e..cd2da2794 100644
--- a/policy/modules/admin/bcfg2.fc
+++ b/policy/modules/admin/bcfg2.fc
@@ -6,4 +6,4 @@
 /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0)
+/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_runtime_t,s0)
diff --git a/policy/modules/admin/bcfg2.if b/policy/modules/admin/bcfg2.if
index 0cd2d35bd..6af7cee20 100644
--- a/policy/modules/admin/bcfg2.if
+++ b/policy/modules/admin/bcfg2.if
@@ -135,7 +135,7 @@ interface(`bcfg2_manage_lib_dirs',`
 interface(`bcfg2_admin',`
 gen_require(`
 type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
- type bcfg2_var_run_t;
+ type bcfg2_runtime_t;
 ')
 allow $1 bcfg2_t:process { ptrace signal_perms };
@@ -144,7 +144,7 @@ interface(`bcfg2_admin',`
 init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, bcfg2_var_run_t)
+ admin_pattern($1, bcfg2_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, bcfg2_var_lib_t)
diff --git a/policy/modules/admin/bcfg2.te b/policy/modules/admin/bcfg2.te
index 3897511e3..633578124 100644
--- a/policy/modules/admin/bcfg2.te
+++ b/policy/modules/admin/bcfg2.te
@@ -15,8 +15,8 @@ init_script_file(bcfg2_initrc_exec_t)
 type bcfg2_var_lib_t;
 files_type(bcfg2_var_lib_t)
-type bcfg2_var_run_t;
-files_pid_file(bcfg2_var_run_t)
+type bcfg2_runtime_t alias bcfg2_var_run_t;
+files_pid_file(bcfg2_runtime_t)
 ########################################
 #
@@ -31,8 +31,8 @@ manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir)
-manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t)
-files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file)
+manage_files_pattern(bcfg2_t, bcfg2_runtime_t, bcfg2_runtime_t)
+files_pid_filetrans(bcfg2_t, bcfg2_runtime_t, file)
 kernel_read_system_state(bcfg2_t)
diff --git a/policy/modules/admin/blueman.te b/policy/modules/admin/blueman.te
index 718e3bf34..c787383fb 100644
--- a/policy/modules/admin/blueman.te
+++ b/policy/modules/admin/blueman.te
@@ -12,8 +12,8 @@ dbus_system_domain(blueman_t, blueman_exec_t)
 type blueman_var_lib_t;
 files_type(blueman_var_lib_t)
-type blueman_var_run_t;
-files_pid_file(blueman_var_run_t)
+type blueman_runtime_t alias blueman_var_run_t;
+files_pid_file(blueman_runtime_t)
 ########################################
 #
@@ -28,9 +28,9 @@ manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
 manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
 files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
-manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
-files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
+manage_dirs_pattern(blueman_t, blueman_runtime_t, blueman_runtime_t)
+manage_files_pattern(blueman_t, blueman_runtime_t, blueman_runtime_t)
+files_pid_filetrans(blueman_t, blueman_runtime_t, { dir file })
 kernel_read_net_sysctls(blueman_t)
 kernel_read_system_state(blueman_t)
diff --git a/policy/modules/admin/hwloc.fc b/policy/modules/admin/hwloc.fc
index 136bb6977..277895907 100644
--- a/policy/modules/admin/hwloc.fc
+++ b/policy/modules/admin/hwloc.fc
@@ -4,4 +4,4 @@
 /usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
-/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
+/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_runtime_t,s0)
diff --git a/policy/modules/admin/hwloc.if b/policy/modules/admin/hwloc.if
index c2349ecf5..5f804ed6b 100644
--- a/policy/modules/admin/hwloc.if
+++ b/policy/modules/admin/hwloc.if
@@ -74,11 +74,11 @@ interface(`hwloc_exec_dhwd',`
 #
 interface(`hwloc_read_runtime_files',`
 gen_require(`
- type hwloc_var_run_t;
+ type hwloc_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+ read_files_pattern($1, hwloc_runtime_t, hwloc_runtime_t)
 ')
 ########################################
@@ -95,12 +95,12 @@ interface(`hwloc_read_runtime_files',`
 #
 interface(`hwloc_admin',`
 gen_require(`
- type hwloc_dhwd_t, hwloc_var_run_t;
+ type hwloc_dhwd_t, hwloc_runtime_t;
 ')
 allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
 ps_process_pattern($1, hwloc_dhwd_t)
- admin_pattern($1, hwloc_var_run_t)
- files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+ admin_pattern($1, hwloc_runtime_t)
+ files_pid_filetrans($1, hwloc_runtime_t, dir, "hwloc")
 ')
diff --git a/policy/modules/admin/hwloc.te b/policy/modules/admin/hwloc.te
index e0e2243fb..4d2cae5f0 100644
--- a/policy/modules/admin/hwloc.te
+++ b/policy/modules/admin/hwloc.te
@@ -13,8 +13,8 @@ type hwloc_dhwd_exec_t;
 init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
 role hwloc_dhwd_roles types hwloc_dhwd_t;
-type hwloc_var_run_t;
-files_pid_file(hwloc_var_run_t)
+type hwloc_runtime_t alias hwloc_var_run_t;
+files_pid_file(hwloc_runtime_t)
 type hwloc_dhwd_unit_t;
 init_unit_file(hwloc_dhwd_unit_t)
@@ -24,8 +24,8 @@ init_unit_file(hwloc_dhwd_unit_t)
 # Local policy
 #
-allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
-allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
-files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+allow hwloc_dhwd_t hwloc_runtime_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_runtime_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_runtime_t, dir)
 dev_read_sysfs(hwloc_dhwd_t)
diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc
index 09ccb80d0..b00f6db6c 100644
--- a/policy/modules/admin/kismet.fc
+++ b/policy/modules/admin/kismet.fc
@@ -10,4 +10,4 @@ HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
 /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
-/run/kismet_server\.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
+/run/kismet_server\.pid -- gen_context(system_u:object_r:kismet_runtime_t,s0)
diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if
index 1ba783c46..7910b2ab2 100644
--- a/policy/modules/admin/kismet.if
+++ b/policy/modules/admin/kismet.if
@@ -94,11 +94,11 @@ interface(`kismet_run',`
 #
 interface(`kismet_read_pid_files',`
 gen_require(`
- type kismet_var_run_t;
+ type kismet_runtime_t;
 ')
 files_search_pids($1)
- allow $1 kismet_var_run_t:file read_file_perms;
+ allow $1 kismet_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -114,11 +114,11 @@ interface(`kismet_read_pid_files',`
 #
 interface(`kismet_manage_pid_files',`
 gen_require(`
- type kismet_var_run_t;
+ type kismet_runtime_t;
 ')
 files_search_pids($1)
- allow $1 kismet_var_run_t:file manage_file_perms;
+ allow $1 kismet_runtime_t:file manage_file_perms;
 ')
 ########################################
@@ -282,7 +282,7 @@ interface(`kismet_manage_log',`
 #
 interface(`kismet_admin',`
 gen_require(`
- type kismet_t, kismet_var_lib_t, kismet_var_run_t;
+ type kismet_t, kismet_var_lib_t, kismet_runtime_t;
 type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 ')
@@ -295,7 +295,7 @@ interface(`kismet_admin',`
 admin_pattern($1, kismet_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, kismet_var_run_t)
+ admin_pattern($1, kismet_runtime_t)
 logging_search_logs($1)
 admin_pattern($1, kismet_log_t)
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 107189a02..b7c0e1dcb 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -30,8 +30,8 @@ files_tmp_file(kismet_tmpfs_t)
 type kismet_var_lib_t;
 files_type(kismet_var_lib_t)
-type kismet_var_run_t;
-files_pid_file(kismet_var_run_t)
+type kismet_runtime_t alias kismet_var_run_t;
+files_pid_file(kismet_runtime_t)
 ########################################
 #
@@ -70,8 +70,8 @@ allow kismet_t kismet_var_lib_t:file manage_file_perms;
 allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
 files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
-allow kismet_t kismet_var_run_t:dir manage_dir_perms;
-files_pid_filetrans(kismet_t, kismet_var_run_t, file)
+allow kismet_t kismet_runtime_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t, kismet_runtime_t, file)
 can_exec(kismet_t, kismet_exec_t)
diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc
index a0127d49c..c02876ec4 100644
--- a/policy/modules/admin/kudzu.fc
+++ b/policy/modules/admin/kudzu.fc
@@ -6,4 +6,4 @@
 /usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
 /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
-/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_var_run_t,s0)
+/run/kudzu(/.*)? gen_context(system_u:object_r:kudzu_runtime_t,s0)
diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if
index 85214c5b4..1559ec025 100644
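Review bot: In the kismet.te hunk at -70, `files_pid_filetrans(kismet_t, kismet_runtime_t, file)` is paired only with `allow kismet_t kismet_runtime_t:dir manage_dir_perms;`, so the rules visible here grant kismet_t no file-class permissions on kismet_runtime_t even though the transition creates a file and kismet.fc labels /run/kismet_server\.pid as a plain file. Unless a rule outside the hunk already covers it, the pid-file creation would be denied at runtime; the rename is a natural moment to pair the transition with `manage_files_pattern(kismet_t, kismet_runtime_t, kismet_runtime_t)`, or, if the dir-only rule is deliberate, to say so in a comment above it. The local-policy block this belongs to continues outside the hunk.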
--- a/policy/modules/admin/kudzu.if
+++ b/policy/modules/admin/kudzu.if
@@ -82,7 +82,7 @@ interface(`kudzu_getattr_exec_files',`
 #
 interface(`kudzu_admin',`
 gen_require(`
- type kudzu_t, kudzu_initrc_exec_t, kudzu_var_run_t;
+ type kudzu_t, kudzu_initrc_exec_t, kudzu_runtime_t;
 type kudzu_tmp_t;
 ')
@@ -95,5 +95,5 @@ interface(`kudzu_admin',`
 admin_pattern($1, kudzu_tmp_t)
 files_search_pids($1)
- admin_pattern($1, kudzu_var_run_t)
+ admin_pattern($1, kudzu_runtime_t)
 ')
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 1ec6b513a..57824c4fe 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -18,8 +18,8 @@ init_script_file(kudzu_initrc_exec_t)
 type kudzu_tmp_t;
 files_tmp_file(kudzu_tmp_t)
-type kudzu_var_run_t;
-files_pid_file(kudzu_var_run_t)
+type kudzu_runtime_t alias kudzu_var_run_t;
+files_pid_file(kudzu_runtime_t)
 ########################################
 #
@@ -38,9 +38,9 @@ manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
 manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
 files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
-manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
-manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
-files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
+manage_dirs_pattern(kudzu_t, kudzu_runtime_t, kudzu_runtime_t)
+manage_files_pattern(kudzu_t, kudzu_runtime_t, kudzu_runtime_t)
+files_pid_filetrans(kudzu_t, kudzu_runtime_t, file)
 kernel_change_ring_buffer_level(kudzu_t)
 kernel_read_device_sysctls(kudzu_t)
diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc
index 7e83c901c..59c92ab14 100644
--- a/policy/modules/admin/logwatch.fc
+++ b/policy/modules/admin/logwatch.fc
@@ -15,4 +15,4 @@
 /var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0)
-/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
+/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_runtime_t,s0)
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index f20454ab5..a0e8ad7c4 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -26,8 +26,8 @@ files_lock_file(logwatch_lock_t)
 type logwatch_tmp_t;
 files_tmp_file(logwatch_tmp_t)
-type logwatch_var_run_t;
-files_pid_file(logwatch_var_run_t)
+type logwatch_runtime_t alias logwatch_var_run_t;
+files_pid_file(logwatch_runtime_t)
 mta_base_mail_template(logwatch)
 role system_r types logwatch_mail_t;
@@ -52,8 +52,8 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
 manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
 files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
-allow logwatch_t logwatch_var_run_t:file manage_file_perms;
-files_pid_filetrans(logwatch_t, logwatch_var_run_t, file)
+allow logwatch_t logwatch_runtime_t:file manage_file_perms;
+files_pid_filetrans(logwatch_t, logwatch_runtime_t, file)
 kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
index a91a13f93..0b5cca3e4 100644
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
@@ -8,4 +8,4 @@
 /var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
-/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/run/mcelog.* gen_context(system_u:object_r:mcelog_runtime_t,s0)
diff --git a/policy/modules/admin/mcelog.if b/policy/modules/admin/mcelog.if
index 9b731b827..b4105edc9 100644
--- a/policy/modules/admin/mcelog.if
+++ b/policy/modules/admin/mcelog.if
@@ -39,7 +39,7 @@ interface(`mcelog_domtrans',`
 interface(`mcelog_admin',`
 gen_require(`
 type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t;
- type mcelog_var_run_t, mcelog_etc_t;
+ type mcelog_runtime_t, mcelog_etc_t;
 ')
 allow $1 mcelog_t:process { ptrace signal_perms };
@@ -54,5 +54,5 @@ interface(`mcelog_admin',`
 admin_pattern($1, mcelog_log_t)
 files_search_pids($1)
- admin_pattern($1, mcelog_var_run_t)
+ admin_pattern($1, mcelog_runtime_t)
 ')
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 1c3421324..82f932588 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -57,8 +57,8 @@ files_config_file(mcelog_etc_t)
 type mcelog_log_t;
 logging_log_file(mcelog_log_t)
-type mcelog_var_run_t;
-files_pid_file(mcelog_var_run_t)
+type mcelog_runtime_t alias mcelog_var_run_t;
+files_pid_file(mcelog_runtime_t)
 ########################################
 #
@@ -77,10 +77,10 @@ create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
 setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
 logging_log_filetrans(mcelog_t, mcelog_log_t, { dir file })
-manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+manage_dirs_pattern(mcelog_t, mcelog_runtime_t, mcelog_runtime_t)
+manage_files_pattern(mcelog_t, mcelog_runtime_t, mcelog_runtime_t)
+manage_sock_files_pattern(mcelog_t, mcelog_runtime_t, mcelog_runtime_t)
+files_pid_filetrans(mcelog_t, mcelog_runtime_t, { dir file sock_file })
 kernel_read_system_state(mcelog_t)
diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc
index fad30365d..21bd7448e 100644
--- a/policy/modules/admin/mrtg.fc
+++ b/policy/modules/admin/mrtg.fc
@@ -13,4 +13,4 @@
 /var/log/mrtg.* gen_context(system_u:object_r:mrtg_log_t,s0)
-/run/mrtg\.pid -- gen_context(system_u:object_r:mrtg_var_run_t,s0)
+/run/mrtg\.pid -- gen_context(system_u:object_r:mrtg_runtime_t,s0)
diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if
index b25b08942..84d882ebb 100644
--- a/policy/modules/admin/mrtg.if
+++ b/policy/modules/admin/mrtg.if
@@ -57,7 +57,7 @@ interface(`mrtg_append_create_logs',`
 #
 interface(`mrtg_admin',`
 gen_require(`
- type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t;
+ type mrtg_t, mrtg_runtime_t, mrtg_initrc_exec_t;
 type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t;
 type mrtg_etc_t;
 ')
@@ -77,7 +77,7 @@ interface(`mrtg_admin',`
 admin_pattern($1, mrtg_log_t)
 files_search_pids($1)
- admin_pattern($1, mrtg_var_run_t)
+ admin_pattern($1, mrtg_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, mrtg_var_lib_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 953738e90..711c75e53 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -24,8 +24,8 @@ logging_log_file(mrtg_log_t)
 type mrtg_var_lib_t;
 files_type(mrtg_var_lib_t)
-type mrtg_var_run_t;
-files_pid_file(mrtg_var_run_t)
+type mrtg_runtime_t alias mrtg_var_run_t;
+files_pid_file(mrtg_runtime_t)
 ########################################
 #
@@ -55,8 +55,8 @@ logging_log_filetrans(mrtg_t, mrtg_log_t, { dir file })
 manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
 manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
-allow mrtg_t mrtg_var_run_t:file manage_file_perms;
-files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
+allow mrtg_t mrtg_runtime_t:file manage_file_perms;
+files_pid_filetrans(mrtg_t, mrtg_runtime_t, file)
 kernel_read_system_state(mrtg_t)
 kernel_read_network_state(mrtg_t)
diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc
index a1a309293..33a7651a9 100644
--- a/policy/modules/admin/passenger.fc
+++ b/policy/modules/admin/passenger.fc
@@ -7,4 +7,4 @@
 /var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
-/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+/run/passenger(/.*)? gen_context(system_u:object_r:passenger_runtime_t,s0)
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
index b61814561..08834287f 100644
--- a/policy/modules/admin/passenger.te
+++ b/policy/modules/admin/passenger.te
@@ -17,8 +17,8 @@ logging_log_file(passenger_log_t)
 type passenger_var_lib_t;
 files_type(passenger_var_lib_t)
-type passenger_var_run_t;
-files_pid_file(passenger_var_run_t)
+type passenger_runtime_t alias passenger_var_run_t;
+files_pid_file(passenger_runtime_t)
 ########################################
 #
@@ -39,11 +39,11 @@ logging_log_filetrans(passenger_t, passenger_log_t, file)
 manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
-manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+manage_dirs_pattern(passenger_t, passenger_runtime_t, passenger_runtime_t)
+manage_files_pattern(passenger_t, passenger_runtime_t, passenger_runtime_t)
+manage_fifo_files_pattern(passenger_t, passenger_runtime_t, passenger_runtime_t)
+manage_sock_files_pattern(passenger_t, passenger_runtime_t, passenger_runtime_t)
+files_pid_filetrans(passenger_t, passenger_runtime_t, { file dir sock_file })
 can_exec(passenger_t, passenger_exec_t)
diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index 9bb4d9f21..f45bdc6a8 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -15,4 +15,4 @@
 /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
+/run/puppet(/.*)? gen_context(system_u:object_r:puppet_runtime_t,s0)
diff --git a/policy/modules/admin/puppet.if b/policy/modules/admin/puppet.if
index 135dafb2d..be0e4f581 100644
--- a/policy/modules/admin/puppet.if
+++ b/policy/modules/admin/puppet.if
@@ -204,7 +204,7 @@ interface(`puppet_admin',`
 gen_require(`
 type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
 type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
- type puppet_var_run_t, puppetmaster_tmp_t;
+ type puppet_runtime_t, puppetmaster_tmp_t;
 type puppet_t, puppetca_t, puppetmaster_t;
 ')
@@ -224,7 +224,7 @@ interface(`puppet_admin',`
 admin_pattern($1, puppet_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, puppet_var_run_t)
+ admin_pattern($1, puppet_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 0e8161a29..ffbf7ad21 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -35,9 +35,9 @@ files_tmp_file(puppet_tmp_t)
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
-type puppet_var_run_t;
-files_pid_file(puppet_var_run_t)
-init_daemon_pid_file(puppet_var_run_t, dir, "puppet")
+type puppet_runtime_t alias puppet_var_run_t;
+files_pid_file(puppet_runtime_t)
+init_daemon_pid_file(puppet_runtime_t, dir, "puppet")
 type puppetca_t;
 type puppetca_exec_t;
@@ -74,9 +74,9 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 can_exec(puppet_t, puppet_var_lib_t)
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
+manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
+files_pid_filetrans(puppet_t, puppet_runtime_t, { file dir })
 allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
@@ -222,7 +222,7 @@ manage_dirs_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
 allow puppetca_t puppet_log_t:dir search_dir_perms;
-allow puppetca_t puppet_var_run_t:dir search_dir_perms;
+allow puppetca_t puppet_runtime_t:dir search_dir_perms;
 kernel_read_system_state(puppetca_t)
 kernel_read_kernel_sysctls(puppetca_t)
@@ -275,9 +275,9 @@ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
-files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
+allow puppetmaster_t puppet_runtime_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
+allow puppetmaster_t puppet_runtime_t:file manage_file_perms;
+files_pid_filetrans(puppetmaster_t, puppet_runtime_t, { file dir })
 allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
index 28a21a8bc..42ba13b0f 100644
--- a/policy/modules/admin/quota.fc
+++ b/policy/modules/admin/quota.fc
@@ -22,7 +22,7 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
 /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
-/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
+/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_runtime_t,s0)
 /var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
index 6f8a92501..c1ab0e975 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
@@ -178,7 +178,7 @@ interface(`quota_manage_flags',`
 interface(`quota_admin',`
 gen_require(`
 type quota_nld_t, quota_t, quota_db_t;
- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
+ type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_runtime_t;
 ')
 allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
@@ -187,5 +187,5 @@ interface(`quota_admin',`
 init_startstop_service($1, $2, quota_nld_t, quota_nld_initrc_exec_t)
 files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
+ admin_pattern($1, { quota_db_t quota_flag_t quota_nld_runtime_t })
 ')
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index e85d6d8b2..4264614ce 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -25,8 +25,8 @@ init_daemon_domain(quota_nld_t, quota_nld_exec_t)
 type quota_nld_initrc_exec_t;
 init_script_file(quota_nld_initrc_exec_t)
-type quota_nld_var_run_t;
-files_pid_file(quota_nld_var_run_t)
+type quota_nld_runtime_t alias quota_nld_var_run_t;
+files_pid_file(quota_nld_runtime_t)
 ########################################
 #
@@ -110,8 +110,8 @@ allow quota_nld_t self:fifo_file rw_fifo_file_perms;
 allow quota_nld_t self:netlink_socket create_socket_perms;
 allow quota_nld_t self:unix_stream_socket { accept listen };
-manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
-files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
+manage_files_pattern(quota_nld_t, quota_nld_runtime_t, quota_nld_runtime_t)
+files_pid_filetrans(quota_nld_t, quota_nld_runtime_t, { file })
 kernel_read_network_state(quota_nld_t)
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
index 823f54540..ba936c9e0 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
@@ -4,4 +4,4 @@
 /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
+/run/readahead.* gen_context(system_u:object_r:readahead_runtime_t,s0)
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index 4b40fe719..b4d68d460 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -13,9 +13,9 @@ type readahead_var_lib_t;
 files_type(readahead_var_lib_t)
 typealias readahead_var_lib_t alias readahead_etc_rw_t;
-type readahead_var_run_t;
-files_pid_file(readahead_var_run_t)
-init_daemon_pid_file(readahead_var_run_t, dir, "readahead")
+type readahead_runtime_t alias readahead_var_run_t;
+files_pid_file(readahead_runtime_t)
+init_daemon_pid_file(readahead_runtime_t, dir, "readahead")
 ########################################
 #
@@ -29,9 +29,9 @@ allow readahead_t self:process { setsched signal_perms };
 manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
 manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
-manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
-files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
+manage_dirs_pattern(readahead_t, readahead_runtime_t, readahead_runtime_t)
+manage_files_pattern(readahead_t, readahead_runtime_t, readahead_runtime_t)
+files_pid_filetrans(readahead_t, readahead_runtime_t, { dir file })
 kernel_read_all_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 49daa1613..6194a4833 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -61,8 +61,8 @@ ifdef(`distro_redhat',`
 /var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
-/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
+/run/yum.* -- gen_context(system_u:object_r:rpm_runtime_t,s0)
+/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_runtime_t,s0)
 ifdef(`enable_mls',`
 /usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index d316410d3..a9ab2a60b 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -537,10 +537,10 @@ interface(`rpm_dontaudit_manage_db',`
 #
 interface(`rpm_read_pid_files',`
 gen_require(`
- type rpm_var_run_t;
+ type rpm_runtime_t;
 ')
- read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ read_files_pattern($1, rpm_runtime_t, rpm_runtime_t)
 files_search_pids($1)
 ')
@@ -557,10 +557,10 @@ interface(`rpm_read_pid_files',`
 #
 interface(`rpm_manage_pid_files',`
 gen_require(`
- type rpm_var_run_t;
+ type rpm_runtime_t;
 ')
- manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
+ manage_files_pattern($1, rpm_runtime_t, rpm_runtime_t)
 files_search_pids($1)
 ')
@@ -587,10 +587,10 @@ interface(`rpm_manage_pid_files',`
 #
 interface(`rpm_pid_filetrans_rpm_pid',`
 gen_require(`
- type rpm_var_run_t;
+ type rpm_runtime_t;
 ')
- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
+ files_pid_filetrans($1, rpm_runtime_t, $3, $4)
 ')
 ########################################
@@ -614,7 +614,7 @@ interface(`rpm_admin',`
 gen_require(`
 type rpm_t, rpm_script_t, rpm_initrc_exec_t;
 type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_runtime_t;
 type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 ')
@@ -641,7 +641,7 @@ interface(`rpm_admin',`
 admin_pattern($1, rpm_log_t)
 files_list_pids($1)
- admin_pattern($1, rpm_var_run_t)
+ admin_pattern($1, rpm_runtime_t)
 fs_search_tmpfs($1)
 admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 73320fc02..1b3ad2f4a 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -47,8 +47,8 @@ typealias rpm_var_lib_t alias var_lib_rpm_t;
 type rpm_var_cache_t;
 files_type(rpm_var_cache_t)
-type rpm_var_run_t;
-files_pid_file(rpm_var_run_t)
+type rpm_runtime_t alias rpm_var_run_t;
+files_pid_file(rpm_runtime_t)
 type rpm_script_t;
 type rpm_script_exec_t;
@@ -114,9 +114,9 @@ manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 mmap_read_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
-manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
+manage_dirs_pattern(rpm_t, rpm_runtime_t, rpm_runtime_t)
+manage_files_pattern(rpm_t, rpm_runtime_t, rpm_runtime_t)
+files_pid_filetrans(rpm_t, rpm_runtime_t, { dir file })
 can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
@@ -369,7 +369,7 @@ userdom_use_all_users_fds(rpm_script_t)
 ifdef(`distro_redhat',`
 optional_policy(`
 mta_send_mail(rpm_script_t)
- mta_system_content(rpm_var_run_t)
+ mta_system_content(rpm_runtime_t)
 ')
 ')
diff --git a/policy/modules/admin/samhain.fc b/policy/modules/admin/samhain.fc
index 76b448c89..f6326ff7a 100644
--- a/policy/modules/admin/samhain.fc
+++ b/policy/modules/admin/samhain.fc
@@ -13,4 +13,4 @@
 /var/log/samhain_log.* -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
 /var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
-/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
+/run/samhain\.pid -- gen_context(system_u:object_r:samhain_runtime_t,mls_systemhigh)
diff --git a/policy/modules/admin/samhain.if b/policy/modules/admin/samhain.if
index 8b6fb18b6..914d1cd73 100644
--- a/policy/modules/admin/samhain.if
+++ b/policy/modules/admin/samhain.if
@@ -186,11 +186,11 @@ interface(`samhain_manage_log_files',`
 #
 interface(`samhain_manage_pid_files',`
 gen_require(`
- type samhain_var_run_t;
+ type samhain_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
+ manage_files_pattern($1, samhain_runtime_t, samhain_runtime_t)
 ')
 #######################################
@@ -214,7 +214,7 @@ interface(`samhain_admin',` gen_require(` attribute samhain_domain; type samhain_db_t, samhain_etc_t; - type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; + type samhain_initrc_exec_t, samhain_log_t, samhain_runtime_t; ') allow $1 samhain_domain:process { ptrace signal_perms }; @@ -233,5 +233,5 @@ interface(`samhain_admin',` admin_pattern($1, samhain_log_t) files_list_pids($1) - admin_pattern($1, samhain_var_run_t) + admin_pattern($1, samhain_runtime_t) ') diff --git a/policy/modules/admin/samhain.te b/policy/modules/admin/samhain.te index c5c083fdf..9a8a79dda 100644 --- a/policy/modules/admin/samhain.te +++ b/policy/modules/admin/samhain.te @@ -25,8 +25,8 @@ files_type(samhain_db_t) type samhain_initrc_exec_t; init_script_file(samhain_initrc_exec_t) -type samhain_var_run_t; -files_pid_file(samhain_var_run_t) +type samhain_runtime_t alias samhain_var_run_t; +files_pid_file(samhain_runtime_t) samhain_service_template(samhain) application_domain(samhain_t, samhain_exec_t) @@ -59,8 +59,8 @@ allow samhain_domain samhain_etc_t:file read_file_perms; manage_files_pattern(samhain_domain, samhain_log_t, samhain_log_t) logging_log_filetrans(samhain_domain, samhain_log_t, file) -manage_files_pattern(samhain_domain, samhain_var_run_t, samhain_var_run_t) -files_pid_filetrans(samhain_domain, samhain_var_run_t, file) +manage_files_pattern(samhain_domain, samhain_runtime_t, samhain_runtime_t) +files_pid_filetrans(samhain_domain, samhain_runtime_t, file) kernel_getattr_core_if(samhain_domain) diff --git a/policy/modules/admin/sblim.fc b/policy/modules/admin/sblim.fc index c2aed4165..a3ed59079 100644 --- a/policy/modules/admin/sblim.fc +++ b/policy/modules/admin/sblim.fc 
@@ -6,4 +6,4 @@ /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) -/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) +/run/gather(/.*)? gen_context(system_u:object_r:sblim_runtime_t,s0) diff --git a/policy/modules/admin/sblim.if b/policy/modules/admin/sblim.if index 00e2e69cb..64cdd6c26 100644 --- a/policy/modules/admin/sblim.if +++ b/policy/modules/admin/sblim.if @@ -31,11 +31,11 @@ interface(`sblim_domtrans_gatherd',` # interface(`sblim_read_pid_files',` gen_require(` - type sblim_var_run_t; + type sblim_runtime_t; ') files_search_pids($1) - allow $1 sblim_var_run_t:file read_file_perms; + allow $1 sblim_runtime_t:file read_file_perms; ') ######################################## @@ -58,7 +58,7 @@ interface(`sblim_read_pid_files',` interface(`sblim_admin',` gen_require(` attribute sblim_domain; - type sblim_initrc_exec_t, sblim_var_run_t; + type sblim_initrc_exec_t, sblim_runtime_t; ') allow $1 sblim_domain:process { ptrace signal_perms }; @@ -67,5 +67,5 @@ interface(`sblim_admin',` init_startstop_service($1, $2, sblim_domain, sblim_initrc_exec_t) files_search_pids($1) - admin_pattern($1, sblim_var_run_t) + admin_pattern($1, sblim_runtime_t) ') diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te index d05bc1a6b..e15a0a46c 100644 --- a/policy/modules/admin/sblim.te +++ b/policy/modules/admin/sblim.te @@ -18,8 +18,8 @@ init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) type sblim_initrc_exec_t; init_script_file(sblim_initrc_exec_t) -type sblim_var_run_t; -files_pid_file(sblim_var_run_t) +type sblim_runtime_t alias sblim_var_run_t; +files_pid_file(sblim_runtime_t) ###################################### # 
@@ -28,9 +28,9 @@ files_pid_file(sblim_var_run_t) allow sblim_domain self:tcp_socket create_stream_socket_perms; -manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) -manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) -manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) +manage_dirs_pattern(sblim_domain, sblim_runtime_t, sblim_runtime_t) +manage_files_pattern(sblim_domain, sblim_runtime_t, sblim_runtime_t) +manage_sock_files_pattern(sblim_domain, sblim_runtime_t, sblim_runtime_t) kernel_read_network_state(sblim_domain) kernel_read_system_state(sblim_domain) diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc index 03a2230c6..bf51c103f 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc @@ -6,4 +6,4 @@ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) -/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te index 2168d03fc..6a3387d07 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te @@ -16,8 +16,8 @@ role shutdown_roles types shutdown_t; type shutdown_etc_t; files_config_file(shutdown_etc_t) -type shutdown_var_run_t; -files_pid_file(shutdown_var_run_t) +type shutdown_runtime_t alias shutdown_var_run_t; +files_pid_file(shutdown_runtime_t) ######################################## # 
@@ -32,8 +32,8 @@ allow shutdown_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) files_etc_filetrans(shutdown_t, shutdown_etc_t, file) -manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) -files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) +manage_files_pattern(shutdown_t, shutdown_runtime_t, shutdown_runtime_t) +files_pid_filetrans(shutdown_t, shutdown_runtime_t, file) kernel_read_system_state(shutdown_t) diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te index 8eda16080..6408c6046 100644 --- a/policy/modules/admin/sosreport.te +++ b/policy/modules/admin/sosreport.te @@ -13,8 +13,8 @@ type sosreport_exec_t; application_domain(sosreport_t, sosreport_exec_t) role sosreport_roles types sosreport_t; -type sosreport_var_run_t; -files_pid_file(sosreport_var_run_t) +type sosreport_runtime_t alias sosreport_var_run_t; +files_pid_file(sosreport_runtime_t) type sosreport_tmp_t; files_tmp_file(sosreport_tmp_t) 
@@ -47,11 +47,11 @@ files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) -manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) -files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) +manage_files_pattern(sosreport_t, sosreport_runtime_t, sosreport_runtime_t) +manage_dirs_pattern(sosreport_t, sosreport_runtime_t, sosreport_runtime_t) +manage_sock_files_pattern(sosreport_t, sosreport_runtime_t, sosreport_runtime_t) +manage_lnk_files_pattern(sosreport_t, sosreport_runtime_t, sosreport_runtime_t) +files_pid_filetrans(sosreport_t, sosreport_runtime_t, { file dir sock_file }) kernel_read_network_state(sosreport_t) kernel_read_all_sysctls(sosreport_t) diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc index 3e40c477b..3166bba5c 100644 --- a/policy/modules/admin/vpn.fc +++ b/policy/modules/admin/vpn.fc @@ -3,4 +3,4 @@ /usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) -/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_runtime_t,s0) diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index 65de90637..a89b624d8 100644 --- a/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te @@ -16,8 +16,8 @@ role vpnc_roles types vpnc_t; type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) -type vpnc_var_run_t; -files_pid_file(vpnc_var_run_t) +type vpnc_runtime_t alias vpnc_var_run_t; +files_pid_file(vpnc_runtime_t) ######################################## # 
@@ -37,9 +37,9 @@ manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) -manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) -files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) +manage_dirs_pattern(vpnc_t, vpnc_runtime_t, vpnc_runtime_t) +manage_files_pattern(vpnc_t, vpnc_runtime_t, vpnc_runtime_t) +files_pid_filetrans(vpnc_t, vpnc_runtime_t, { file dir}) kernel_read_system_state(vpnc_t) kernel_read_network_state(vpnc_t) diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index d82eefb99..3dce1e0f0 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -33,8 +33,8 @@ ubac_constrained(games_devpts_t) type games_srv_t; init_system_domain(games_srv_t, games_exec_t) -type games_srv_var_run_t; -files_pid_file(games_srv_var_run_t) +type games_srv_runtime_t alias games_srv_var_run_t; +files_pid_file(games_srv_runtime_t) type games_tmp_t; typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; @@ -61,8 +61,8 @@ allow games_srv_t self:process signal_perms; manage_files_pattern(games_srv_t, games_data_t, games_data_t) manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) -manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) -files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) +manage_files_pattern(games_srv_t, games_srv_runtime_t, games_srv_runtime_t) +files_pid_filetrans(games_srv_t, games_srv_runtime_t, file) can_exec(games_srv_t, games_exec_t) diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc index 0d9bc354c..7ffeddf50 100644 --- a/policy/modules/apps/pulseaudio.fc +++ b/policy/modules/apps/pulseaudio.fc 
@@ -7,5 +7,5 @@ HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_confi /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) -/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) +/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_runtime_t,s0) /run/user/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index ca005df0c..da2cc3870 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -198,11 +198,11 @@ interface(`pulseaudio_dontaudit_use_fds',` # interface(`pulseaudio_stream_connect',` gen_require(` - type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; + type pulseaudio_t, pulseaudio_runtime_t, pulseaudio_tmp_t; ') files_search_pids($1) - stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) + stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_runtime_t }, { pulseaudio_tmp_t pulseaudio_runtime_t }, pulseaudio_t) ') ######################################## diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 8ab09b499..7e70741e8 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -37,8 +37,8 @@ userdom_user_tmpfs_file(pulseaudio_tmpfs_t) type pulseaudio_var_lib_t; files_type(pulseaudio_var_lib_t) -type pulseaudio_var_run_t; -files_pid_file(pulseaudio_var_run_t) +type pulseaudio_runtime_t alias pulseaudio_var_run_t; +files_pid_file(pulseaudio_runtime_t) type pulseaudio_xdg_config_t; xdg_config_content(pulseaudio_xdg_config_t) 
@@ -85,10 +85,10 @@ manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) -manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) -files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +manage_dirs_pattern(pulseaudio_t, pulseaudio_runtime_t, pulseaudio_runtime_t) +manage_files_pattern(pulseaudio_t, pulseaudio_runtime_t, pulseaudio_runtime_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_runtime_t, pulseaudio_runtime_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_runtime_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc index 1fc798001..df3aa2d33 100644 --- a/policy/modules/apps/qemu.fc +++ b/policy/modules/apps/qemu.fc @@ -1,4 +1,4 @@ -/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) +/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_runtime_t,s0) /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index b6d8e1c27..e373c4d91 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if 
@@ -275,11 +275,11 @@ interface(`qemu_kill',` # interface(`qemu_stream_connect',` gen_require(` - type qemu_t, qemu_var_run_t; + type qemu_t, qemu_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t) + stream_connect_pattern($1, qemu_runtime_t, qemu_runtime_t, qemu_t) ') ######################################## @@ -294,10 +294,10 @@ interface(`qemu_stream_connect',` # interface(`qemu_delete_pid_sock_file',` gen_require(` - type qemu_var_run_t; + type qemu_runtime_t; ') - allow $1 qemu_var_run_t:sock_file unlink; + allow $1 qemu_runtime_t:sock_file unlink; ') ######################################## diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index 8fa5ba2d2..a61322149 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -25,8 +25,8 @@ role qemu_roles types qemu_t; type qemu_unit_t; init_unit_file(qemu_unit_t) -type qemu_var_run_t; -files_pid_file(qemu_var_run_t) +type qemu_runtime_t alias qemu_var_run_t; +files_pid_file(qemu_runtime_t) ######################################## # @@ -37,8 +37,8 @@ kernel_read_crypto_sysctls(qemu_t) dev_read_sysfs(qemu_t) -allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms; -files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) +allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms; +files_pid_filetrans(qemu_t, qemu_runtime_t, sock_file) tunable_policy(`qemu_full_network',` corenet_udp_sendrecv_generic_if(qemu_t) @@ -57,7 +57,7 @@ optional_policy(` xen_stream_connect_xenstore(qemu_t) xen_append_log(qemu_t) - xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) + xen_pid_filetrans(qemu_t, qemu_runtime_t, sock_file) ') optional_policy(` diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc index 264e1bed3..c92dbe144 100644 --- a/policy/modules/apps/slocate.fc +++ b/policy/modules/apps/slocate.fc 
@@ -4,4 +4,4 @@ /var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) -/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_var_run_t,s0) +/run/mlocate\.daily\.lock -- gen_context(system_u:object_r:locate_runtime_t,s0) diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te index 2bf0fed41..6f9b3d36d 100644 --- a/policy/modules/apps/slocate.te +++ b/policy/modules/apps/slocate.te @@ -12,8 +12,8 @@ init_system_domain(locate_t, locate_exec_t) type locate_var_lib_t; files_type(locate_var_lib_t) -type locate_var_run_t; -files_pid_file(locate_var_run_t) +type locate_runtime_t alias locate_var_run_t; +files_pid_file(locate_runtime_t) ######################################## # @@ -28,8 +28,8 @@ allow locate_t self:unix_stream_socket create_socket_perms; manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) -allow locate_t locate_var_run_t:file manage_file_perms; -files_pid_filetrans(locate_t, locate_var_run_t, file, "mlocate.daily.lock") +allow locate_t locate_runtime_t:file manage_file_perms; +files_pid_filetrans(locate_t, locate_runtime_t, file, "mlocate.daily.lock") can_exec(locate_t, locate_exec_t) diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc index 567966e03..8c98aefb1 100644 --- a/policy/modules/apps/uml.fc +++ b/policy/modules/apps/uml.fc @@ -2,4 +2,4 @@ HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) /usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) -/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) +/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_runtime_t,s0) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index ab5c1d0da..1763f535e 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if 
@@ -54,10 +54,10 @@ interface(`uml_role',`
 #
 interface(`uml_setattr_util_sockets',`
 gen_require(`
- type uml_switch_var_run_t;
+ type uml_switch_runtime_t;
 ')
 
- allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
+ allow $1 uml_switch_runtime_t:sock_file setattr_sock_file_perms;
 ')
 
 ########################################
@@ -73,9 +73,9 @@ interface(`uml_setattr_util_sockets',`
 #
 interface(`uml_manage_util_files',`
 gen_require(`
- type uml_switch_var_run_t;
+ type uml_switch_runtime_t;
 ')
 
- manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
- manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
+ manage_files_pattern($1, uml_switch_runtime_t, uml_switch_runtime_t)
+ manage_lnk_files_pattern($1, uml_switch_runtime_t, uml_switch_runtime_t)
 ')
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index 0e2f4c99e..822c9284e 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -44,8 +44,8 @@ type uml_switch_t;
 type uml_switch_exec_t;
 init_daemon_domain(uml_switch_t, uml_switch_exec_t)
 
-type uml_switch_var_run_t;
-files_pid_file(uml_switch_var_run_t)
+type uml_switch_runtime_t alias uml_swich_var_run_t;
+files_pid_file(uml_switch_runtime_t)
 
 ########################################
 #
@@ -149,9 +149,9 @@ dontaudit uml_switch_t self:capability sys_tty_config;
 allow uml_switch_t self:process signal_perms;
 allow uml_switch_t self:unix_stream_socket { accept listen };
 
-manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
-manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
-files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file)
+manage_files_pattern(uml_switch_t, uml_switch_runtime_t, uml_switch_runtime_t)
+manage_sock_files_pattern(uml_switch_t, uml_switch_runtime_t, uml_switch_runtime_t)
+files_pid_filetrans(uml_switch_t, uml_switch_runtime_t, file)
 
 kernel_read_kernel_sysctls(uml_switch_t)
 kernel_list_proc(uml_switch_t)
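Review bot: The alias on the new `type` line of the uml.te `@@ -44,8 +44,8 @@` hunk is misspelled: it declares `uml_swich_var_run_t` rather than `uml_switch_var_run_t`, so the old type name this commit is meant to keep as a compatibility alias no longer exists in the policy. Every other module in this change keeps the exact old name as the alias; here any out-of-tree policy or file-context entry that still references `uml_switch_var_run_t` would fail to build or relabel, and the typo'd name is not referenced anywhere else in the visible diff. The line should read `type uml_switch_runtime_t alias uml_switch_var_run_t;`.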
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc index d05819bea..ef4427e46 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc @@ -24,10 +24,10 @@ /var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) -/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0) -/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) +/run/abrt\.pid -- gen_context(system_u:object_r:abrt_runtime_t,s0) +/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_runtime_t,s0) +/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_runtime_t,s0) +/run/abrt(/.*)? gen_context(system_u:object_r:abrt_runtime_t,s0) /var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) /var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if index 9d1f00da9..007c6d6e8 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -86,11 +86,11 @@ interface(`abrt_read_state',` # interface(`abrt_stream_connect',` gen_require(` - type abrt_t, abrt_var_run_t; + type abrt_t, abrt_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) + stream_connect_pattern($1, abrt_runtime_t, abrt_runtime_t, abrt_t) ') ######################################## @@ -233,11 +233,11 @@ interface(`abrt_read_log',` # interface(`abrt_read_pid_files',` gen_require(` - type abrt_var_run_t; + type abrt_runtime_t; ') files_search_pids($1) - read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) + read_files_pattern($1, abrt_runtime_t, abrt_runtime_t) ') ###################################### 
@@ -253,11 +253,11 @@ interface(`abrt_read_pid_files',` # interface(`abrt_manage_pid_files',` gen_require(` - type abrt_var_run_t; + type abrt_runtime_t; ') files_search_pids($1) - manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) + manage_files_pattern($1, abrt_runtime_t, abrt_runtime_t) ') ##################################### @@ -282,7 +282,7 @@ interface(`abrt_admin',` attribute abrt_domain; type abrt_t, abrt_etc_t, abrt_initrc_exec_t; type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; - type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t; + type abrt_runtime_t, abrt_tmp_t, abrt_retrace_spool_t; ') allow $1 abrt_domain:process { ptrace signal_perms }; @@ -300,7 +300,7 @@ interface(`abrt_admin',` admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) files_search_pids($1) - admin_pattern($1, abrt_var_run_t) + admin_pattern($1, abrt_runtime_t) files_search_tmp($1) admin_pattern($1, abrt_tmp_t) diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index 718736b50..4fb4db038 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -56,8 +56,8 @@ files_tmp_file(abrt_tmp_t) type abrt_var_cache_t; files_type(abrt_var_cache_t) -type abrt_var_run_t; -files_pid_file(abrt_var_run_t) +type abrt_runtime_t alias abrt_var_run_t; +files_pid_file(abrt_runtime_t) type abrt_dump_oops_t, abrt_domain; type abrt_dump_oops_exec_t; 
@@ -132,11 +132,11 @@ manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) -manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) +manage_files_pattern(abrt_t, abrt_runtime_t, abrt_runtime_t) +manage_dirs_pattern(abrt_t, abrt_runtime_t, abrt_runtime_t) +manage_sock_files_pattern(abrt_t, abrt_runtime_t, abrt_runtime_t) +manage_lnk_files_pattern(abrt_t, abrt_runtime_t, abrt_runtime_t) +files_pid_filetrans(abrt_t, abrt_runtime_t, { file dir sock_file }) can_exec(abrt_t, abrt_tmp_t) @@ -282,8 +282,8 @@ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) -read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +read_files_pattern(abrt_helper_t, abrt_runtime_t, abrt_runtime_t) +read_lnk_files_pattern(abrt_helper_t, abrt_runtime_t, abrt_runtime_t) corecmd_read_all_executables(abrt_helper_t) 
@@ -384,8 +384,8 @@ manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) -read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) -read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) +read_files_pattern(abrt_dump_oops_t, abrt_runtime_t, abrt_runtime_t) +read_lnk_files_pattern(abrt_dump_oops_t, abrt_runtime_t, abrt_runtime_t) read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) diff --git a/policy/modules/services/acpi.fc b/policy/modules/services/acpi.fc index ffd4ea007..dee6897f7 100644 --- a/policy/modules/services/acpi.fc +++ b/policy/modules/services/acpi.fc @@ -15,10 +15,10 @@ /var/log/acpid.* -- gen_context(system_u:object_r:acpid_log_t,s0) -/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_var_run_t,s0) -/run/acpid\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) -/run/apmd\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) -/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_var_run_t,s0) -/run/powersave_socket -s gen_context(system_u:object_r:acpid_var_run_t,s0) +/run/\.?acpid\.socket -s gen_context(system_u:object_r:acpid_runtime_t,s0) +/run/acpid\.pid -- gen_context(system_u:object_r:acpid_runtime_t,s0) +/run/apmd\.pid -- gen_context(system_u:object_r:acpid_runtime_t,s0) +/run/powersaved\.pid -- gen_context(system_u:object_r:acpid_runtime_t,s0) +/run/powersave_socket -s gen_context(system_u:object_r:acpid_runtime_t,s0) /var/lib/acpi(/.*)? gen_context(system_u:object_r:acpid_var_lib_t,s0) diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if index 109b644eb..2023af959 100644 --- a/policy/modules/services/acpi.if +++ b/policy/modules/services/acpi.if 
@@ -132,11 +132,11 @@ interface(`acpi_append_log',`
 #
 interface(`acpi_stream_connect',`
 gen_require(`
- type acpid_t, acpid_var_run_t;
+ type acpid_t, acpid_runtime_t;
 ')
 
 files_search_pids($1)
- stream_connect_pattern($1, acpid_var_run_t, acpid_var_run_t, acpid_t)
+ stream_connect_pattern($1, acpid_runtime_t, acpid_runtime_t, acpid_t)
 ')
 
 ########################################
@@ -159,7 +159,7 @@ interface(`acpi_stream_connect',`
 interface(`acpi_admin',`
 gen_require(`
 type acpid_t, acpid_initrc_exec_t, acpid_log_t;
- type acpid_lock_t, acpid_var_run_t, acpid_var_lib_t;
+ type acpid_lock_t, acpid_runtime_t, acpid_var_lib_t;
 type acpid_tmp_t;
 ')
 
@@ -175,7 +175,7 @@ interface(`acpi_admin',`
 admin_pattern($1, acpid_lock_t)
 
 files_search_pids($1)
- admin_pattern($1, acpid_var_run_t)
+ admin_pattern($1, acpid_runtime_t)
 
 files_search_var_lib($1)
 admin_pattern($1, acpid_var_lib_t)
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index 3a7320d75..a8ef9854e 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
@@ -45,9 +45,9 @@ type acpid_var_lib_t;
 typealias acpid_var_lib_t alias apmd_var_lib_t;
 files_type(acpid_var_lib_t)
 
-type acpid_var_run_t;
-typealias acpid_var_run_t alias apmd_var_run_t;
-files_pid_file(acpid_var_run_t)
+type acpid_runtime_t;
+typealias acpid_runtime_t alias acpid_var_run_t;
+files_pid_file(acpid_runtime_t)
 
 ########################################
 #
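Review bot: The acpi.te `@@ -45,9 +45,9 @@` hunk silently drops the `apmd_var_run_t` alias: the removed `typealias acpid_var_run_t alias apmd_var_run_t;` is replaced by `typealias acpid_runtime_t alias acpid_var_run_t;`, which only preserves the name being renamed. That is more than the rename the commit describes, and the `apmd_var_lib_t` alias kept two context lines above suggests the apmd-era names are still expected to resolve, so any policy or file-context entry still naming `apmd_var_run_t` would presumably fail to build. Keep both old names on the alias, `typealias acpid_runtime_t alias { acpid_var_run_t apmd_var_run_t };`, or, matching the inline form used by every other module in this commit, `type acpid_runtime_t alias { acpid_var_run_t apmd_var_run_t };`.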
@@ -95,11 +95,11 @@ manage_dirs_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t) manage_files_pattern(acpid_t, acpid_var_lib_t, acpid_var_lib_t) files_var_lib_filetrans(acpid_t, acpid_var_lib_t, dir) -manage_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t) -manage_sock_files_pattern(acpid_t, acpid_var_run_t, acpid_var_run_t) -files_pid_filetrans(acpid_t, acpid_var_run_t, { file sock_file }) +manage_files_pattern(acpid_t, acpid_runtime_t, acpid_runtime_t) +manage_sock_files_pattern(acpid_t, acpid_runtime_t, acpid_runtime_t) +files_pid_filetrans(acpid_t, acpid_runtime_t, { file sock_file }) -can_exec(acpid_t, acpid_var_run_t) +can_exec(acpid_t, acpid_runtime_t) kernel_read_kernel_sysctls(acpid_t) kernel_rw_all_sysctls(acpid_t) diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc index 5fc50becc..573b04fd0 100644 --- a/policy/modules/services/aiccu.fc +++ b/policy/modules/services/aiccu.fc @@ -6,4 +6,4 @@ /usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) -/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) +/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_runtime_t,s0) diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if index cd22faa1b..e3f25209d 100644 --- a/policy/modules/services/aiccu.if +++ b/policy/modules/services/aiccu.if @@ -49,10 +49,10 @@ interface(`aiccu_initrc_domtrans',` # interface(`aiccu_read_pid_files',` gen_require(` - type aiccu_var_run_t; + type aiccu_runtime_t; ') - allow $1 aiccu_var_run_t:file read_file_perms; + allow $1 aiccu_runtime_t:file read_file_perms; files_search_pids($1) ') @@ -76,7 +76,7 @@ interface(`aiccu_read_pid_files',` interface(`aiccu_admin',` gen_require(` type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; - type aiccu_var_run_t; + type aiccu_runtime_t; ') allow $1 aiccu_t:process { ptrace signal_perms }; 
@@ -87,6 +87,6 @@ interface(`aiccu_admin',` admin_pattern($1, aiccu_etc_t) files_list_etc($1) - admin_pattern($1, aiccu_var_run_t) + admin_pattern($1, aiccu_runtime_t) files_list_pids($1) ') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te index 82c6dff34..af051792c 100644 --- a/policy/modules/services/aiccu.te +++ b/policy/modules/services/aiccu.te @@ -15,8 +15,8 @@ init_script_file(aiccu_initrc_exec_t) type aiccu_etc_t; files_config_file(aiccu_etc_t) -type aiccu_var_run_t; -files_pid_file(aiccu_var_run_t) +type aiccu_runtime_t alias aiccu_var_run_t; +files_pid_file(aiccu_runtime_t) ######################################## # @@ -35,9 +35,9 @@ allow aiccu_t self:unix_stream_socket { accept listen }; allow aiccu_t aiccu_etc_t:file read_file_perms; -manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) -files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) +manage_dirs_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t) +manage_files_pattern(aiccu_t, aiccu_runtime_t, aiccu_runtime_t) +files_pid_filetrans(aiccu_t, aiccu_runtime_t, { file dir }) kernel_read_system_state(aiccu_t) diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc index 578f2d339..7573eda12 100644 --- a/policy/modules/services/aisexec.fc +++ b/policy/modules/services/aisexec.fc @@ -8,4 +8,4 @@ /var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0) -/run/aisexec.* gen_context(system_u:object_r:aisexec_var_run_t,s0) +/run/aisexec.* gen_context(system_u:object_r:aisexec_runtime_t,s0) diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if index 9e1a105ab..bec2dd4d8 100644 --- a/policy/modules/services/aisexec.if +++ b/policy/modules/services/aisexec.if 
@@ -32,11 +32,11 @@ interface(`aisexec_domtrans',` # interface(`aisexec_stream_connect',` gen_require(` - type aisexec_t, aisexec_var_run_t; + type aisexec_t, aisexec_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) + stream_connect_pattern($1, aisexec_runtime_t, aisexec_runtime_t, aisexec_t) ') ####################################### @@ -79,7 +79,7 @@ interface(`aisexec_read_log',` interface(`aisexecd_admin',` gen_require(` type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; - type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; + type aisexec_runtime_t, aisexec_tmp_t, aisexec_tmpfs_t; type aisexec_initrc_exec_t; ') @@ -95,7 +95,7 @@ interface(`aisexecd_admin',` admin_pattern($1, aisexec_var_log_t) files_list_pids($1) - admin_pattern($1, aisexec_var_run_t) + admin_pattern($1, aisexec_runtime_t) files_list_tmp($1) admin_pattern($1, aisexec_tmp_t) diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te index dfacbf519..ba2f92295 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te @@ -24,8 +24,8 @@ files_type(aisexec_var_lib_t) type aisexec_var_log_t; logging_log_file(aisexec_var_log_t) -type aisexec_var_run_t; -files_pid_file(aisexec_var_run_t) +type aisexec_runtime_t alias aisexec_var_run_t; +files_pid_file(aisexec_runtime_t) ######################################## # 
@@ -56,9 +56,9 @@ create_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 setattr_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 logging_log_filetrans(aisexec_t, aisexec_var_log_t, file)
-manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
-manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
-files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+manage_files_pattern(aisexec_t, aisexec_runtime_t, aisexec_runtime_t)
+manage_sock_files_pattern(aisexec_t, aisexec_runtime_t, aisexec_runtime_t)
+files_pid_filetrans(aisexec_t, aisexec_runtime_t, { file sock_file })
 kernel_read_system_state(aisexec_t)
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
index da86959bd..8605b54eb 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
@@ -22,8 +22,8 @@ ifdef(`distro_debian',`
 /var/log/amavisd\.log.* -- gen_context(system_u:object_r:amavis_var_log_t,s0)
-/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
-/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:amavis_var_run_t,s0)
+/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_runtime_t,s0)
+/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:amavis_runtime_t,s0)
 /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index f8a810ceb..883b52b10 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -183,10 +183,10 @@ interface(`amavis_manage_lib_files',`
 #
 interface(`amavis_setattr_pid_files',`
 gen_require(`
- type amavis_var_run_t;
+ type amavis_runtime_t;
 ')
- allow $1 amavis_var_run_t:file setattr_file_perms;
+ allow $1 amavis_runtime_t:file setattr_file_perms;
 files_search_pids($1)
 ')
@@ -202,11 +202,11 @@ interface(`amavis_setattr_pid_files',`
 #
 interface(`amavis_create_pid_files',`
 gen_require(`
- type amavis_var_run_t;
+ type amavis_runtime_t;
 ')
- allow $1 amavis_var_run_t:dir add_entry_dir_perms;
- allow $1 amavis_var_run_t:file create_file_perms;
+ allow $1 amavis_runtime_t:dir add_entry_dir_perms;
+ allow $1 amavis_runtime_t:file create_file_perms;
 files_search_pids($1)
 ')
@@ -230,7 +230,7 @@ interface(`amavis_create_pid_files',`
 interface(`amavis_admin',`
 gen_require(`
 type amavis_t, amavis_tmp_t, amavis_var_log_t;
- type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+ type amavis_spool_t, amavis_var_lib_t, amavis_runtime_t;
 type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
 ')
@@ -257,5 +257,5 @@ interface(`amavis_admin',`
 admin_pattern($1, amavis_var_log_t)
 files_list_pids($1)
- admin_pattern($1, amavis_var_run_t)
+ admin_pattern($1, amavis_runtime_t)
 ')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index b257d77f2..20cd5d6b8 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -23,8 +23,8 @@ files_config_file(amavis_etc_t)
 type amavis_initrc_exec_t;
 init_script_file(amavis_initrc_exec_t)
-type amavis_var_run_t;
-files_pid_file(amavis_var_run_t)
+type amavis_runtime_t alias amavis_var_run_t;
+files_pid_file(amavis_runtime_t)
 type amavis_var_lib_t;
 files_type(amavis_var_lib_t)
@@ -65,7 +65,7 @@ manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
-filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+filetrans_pattern(amavis_t, amavis_spool_t, amavis_runtime_t, sock_file)
 manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
 allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
@@ -80,10 +80,10 @@ manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
 logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
-manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t)
-files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file })
+manage_dirs_pattern(amavis_t, amavis_runtime_t, amavis_runtime_t)
+manage_files_pattern(amavis_t, amavis_runtime_t, amavis_runtime_t)
+manage_sock_files_pattern(amavis_t, amavis_runtime_t, amavis_runtime_t)
+files_pid_filetrans(amavis_t, amavis_runtime_t, { dir file sock_file })
 can_exec(amavis_t, amavis_exec_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 90cfe0874..0563412ec 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -30,7 +30,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:obje
 /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -135,7 +135,7 @@ ifdef(`distro_suse',`
 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
 /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
@@ -164,14 +164,14 @@ ifdef(`distro_suse',`
 /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
+/run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/gcache_port -s gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2934337be..601cdb626 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1345,7 +1345,7 @@ interface(`apache_admin',`
 attribute httpd_script_domains, httpd_htaccess_type;
 type httpd_t, httpd_config_t, httpd_log_t;
 type httpd_modules_t, httpd_lock_t, httpd_helper_t;
- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ type httpd_runtime_t, httpd_passwd_t, httpd_suexec_t;
 type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
 type httpd_initrc_exec_t, httpd_keytab_t;
 ')
@@ -1371,8 +1371,8 @@ interface(`apache_admin',`
 admin_pattern($1, httpd_lock_t)
 files_lock_filetrans($1, httpd_lock_t, file)
- admin_pattern($1, httpd_var_run_t)
- files_pid_filetrans($1, httpd_var_run_t, file)
+ admin_pattern($1, httpd_runtime_t)
+ files_pid_filetrans($1, httpd_runtime_t, file)
 admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
 admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 800540ae0..ab835e1f1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -356,8 +356,8 @@ typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secad
 type httpd_var_lib_t;
 files_type(httpd_var_lib_t)
-type httpd_var_run_t;
-files_pid_file(httpd_var_run_t)
+type httpd_runtime_t alias httpd_var_run_t;
+files_pid_file(httpd_runtime_t)
 type httpd_passwd_t;
 type httpd_passwd_exec_t;
@@ -457,11 +457,11 @@ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
-setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+setattr_dirs_pattern(httpd_t, httpd_runtime_t, httpd_runtime_t)
+manage_dirs_pattern(httpd_t, httpd_runtime_t, httpd_runtime_t)
+manage_files_pattern(httpd_t, httpd_runtime_t, httpd_runtime_t)
+manage_sock_files_pattern(httpd_t, httpd_runtime_t, httpd_runtime_t)
+files_pid_filetrans(httpd_t, httpd_runtime_t, { file sock_file dir })
 manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
 manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index 43666b342..5b5118ac5 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -11,7 +11,7 @@
 /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
 /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
-/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_runtime_t,s0)
 /var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
 /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if
index 3dda63454..7086773a4 100644
--- a/policy/modules/services/apcupsd.if
+++ b/policy/modules/services/apcupsd.if
@@ -51,11 +51,11 @@ interface(`apcupsd_initrc_domtrans',`
 #
 interface(`apcupsd_read_pid_files',`
 gen_require(`
- type apcupsd_var_run_t;
+ type apcupsd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 apcupsd_var_run_t:file read_file_perms;
+ allow $1 apcupsd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -143,7 +143,7 @@ interface(`apcupsd_cgi_script_domtrans',`
 interface(`apcupsd_admin',`
 gen_require(`
 type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
- type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
+ type apcupsd_runtime_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
 ')
 allow $1 apcupsd_t:process { ptrace signal_perms };
@@ -161,5 +161,5 @@ interface(`apcupsd_admin',`
 admin_pattern($1, apcupsd_tmp_t)
 files_list_pids($1)
- admin_pattern($1, apcupsd_var_run_t)
+ admin_pattern($1, apcupsd_runtime_t)
 ')
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 3e4a24650..a6873542f 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -24,8 +24,8 @@ files_tmp_file(apcupsd_tmp_t)
 type apcupsd_unit_t;
 init_unit_file(apcupsd_unit_t)
-type apcupsd_var_run_t;
-files_pid_file(apcupsd_var_run_t)
+type apcupsd_runtime_t alias apcupsd_var_run_t;
+files_pid_file(apcupsd_runtime_t)
 ########################################
 #
@@ -49,8 +49,8 @@ logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
 manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
 files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
-manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t)
-files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file)
+manage_files_pattern(apcupsd_t, apcupsd_runtime_t, apcupsd_runtime_t)
+files_pid_filetrans(apcupsd_t, apcupsd_runtime_t, file)
 kernel_read_system_state(apcupsd_t)
diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc
index 337bf6017..97b6acf4a 100644
--- a/policy/modules/services/asterisk.fc
+++ b/policy/modules/services/asterisk.fc
@@ -10,6 +10,6 @@
 /var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0)
-/run/asterisk.* gen_context(system_u:object_r:asterisk_var_run_t,s0)
+/run/asterisk.* gen_context(system_u:object_r:asterisk_runtime_t,s0)
 /var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0)
diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if
index 2e3f5a4b8..2ca8a5c6d 100644
--- a/policy/modules/services/asterisk.if
+++ b/policy/modules/services/asterisk.if
@@ -51,11 +51,11 @@ interface(`asterisk_exec',`
 #
 interface(`asterisk_stream_connect',`
 gen_require(`
- type asterisk_t, asterisk_var_run_t;
+ type asterisk_t, asterisk_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+ stream_connect_pattern($1, asterisk_runtime_t, asterisk_runtime_t, asterisk_t)
 ')
 #######################################
@@ -92,11 +92,11 @@ interface(`asterisk_setattr_logs',`
 #
 interface(`asterisk_setattr_pid_files',`
 gen_require(`
- type asterisk_var_run_t;
+ type asterisk_runtime_t;
 ')
- setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
- setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ setattr_files_pattern($1, asterisk_runtime_t, asterisk_runtime_t)
+ setattr_dirs_pattern($1, asterisk_runtime_t, asterisk_runtime_t)
 files_search_pids($1)
 ')
@@ -119,7 +119,7 @@ interface(`asterisk_setattr_pid_files',`
 #
 interface(`asterisk_admin',`
 gen_require(`
- type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
+ type asterisk_t, asterisk_runtime_t, asterisk_spool_t;
 type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
 type asterisk_var_lib_t, asterisk_initrc_exec_t;
 ')
@@ -147,5 +147,5 @@ interface(`asterisk_admin',`
 admin_pattern($1, asterisk_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, asterisk_var_run_t)
+ admin_pattern($1, asterisk_runtime_t)
 ')
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 2e0a687cb..0c61a615f 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -30,9 +30,9 @@ files_tmpfs_file(asterisk_tmpfs_t)
 type asterisk_var_lib_t;
 files_type(asterisk_var_lib_t)
-type asterisk_var_run_t;
-files_pid_file(asterisk_var_run_t)
-init_daemon_pid_file(asterisk_var_run_t, dir, "asterisk")
+type asterisk_runtime_t alias asterisk_var_run_t;
+files_pid_file(asterisk_runtime_t)
+init_daemon_pid_file(asterisk_runtime_t, dir, "asterisk")
 ########################################
 #
@@ -73,10 +73,10 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
 manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
-manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+manage_files_pattern(asterisk_t, asterisk_runtime_t, asterisk_runtime_t)
+manage_fifo_files_pattern(asterisk_t, asterisk_runtime_t, asterisk_runtime_t)
+manage_sock_files_pattern(asterisk_t, asterisk_runtime_t, asterisk_runtime_t)
+files_pid_filetrans(asterisk_t, asterisk_runtime_t, file)
 can_exec(asterisk_t, asterisk_exec_t)
diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc
index dadd3a9f8..26542bc76 100644
--- a/policy/modules/services/automount.fc
+++ b/policy/modules/services/automount.fc
@@ -9,4 +9,4 @@
 /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
-/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
+/run/autofs.* gen_context(system_u:object_r:automount_runtime_t,s0)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index fbaa32205..ab52167fc 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -137,7 +137,7 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
 interface(`automount_admin',`
 gen_require(`
 type automount_t, automount_lock_t, automount_tmp_t;
- type automount_var_run_t, automount_initrc_exec_t;
+ type automount_runtime_t, automount_initrc_exec_t;
 type automount_keytab_t;
 ')
@@ -156,5 +156,5 @@ interface(`automount_admin',`
 admin_pattern($1, automount_tmp_t)
 files_list_pids($1)
- admin_pattern($1, automount_var_run_t)
+ admin_pattern($1, automount_runtime_t)
 ')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 349222816..f007ea79c 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -25,8 +25,8 @@ files_mountpoint(automount_tmp_t)
 type automount_unit_t;
 init_unit_file(automount_unit_t)
-type automount_var_run_t;
-files_pid_file(automount_var_run_t)
+type automount_runtime_t alias automount_var_run_t;
+files_pid_file(automount_runtime_t)
 ########################################
 #
@@ -53,9 +53,9 @@ files_tmp_filetrans(automount_t, automount_tmp_t, { file dir })
 files_home_filetrans(automount_t, automount_tmp_t, dir)
 files_root_filetrans(automount_t, automount_tmp_t, dir)
-manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
-manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
-files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
+manage_files_pattern(automount_t, automount_runtime_t, automount_runtime_t)
+manage_fifo_files_pattern(automount_t, automount_runtime_t, automount_runtime_t)
+files_pid_filetrans(automount_t, automount_runtime_t, { file fifo_file })
 kernel_read_kernel_sysctls(automount_t)
 kernel_read_irq_sysctls(automount_t)
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
index 2f72be4ab..212e85f7b 100644
--- a/policy/modules/services/avahi.fc
+++ b/policy/modules/services/avahi.fc
@@ -10,6 +10,6 @@
 /usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
-/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
+/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_runtime_t,s0)
 /var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 4652358fa..ecbe2e7b6 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -126,11 +126,11 @@ interface(`avahi_dbus_chat',`
 #
 interface(`avahi_stream_connect',`
 gen_require(`
- type avahi_t, avahi_var_run_t;
+ type avahi_t, avahi_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
+ stream_connect_pattern($1, avahi_runtime_t, avahi_runtime_t, avahi_t)
 ')
 ########################################
@@ -145,11 +145,11 @@ interface(`avahi_stream_connect',`
 #
 interface(`avahi_create_pid_dirs',`
 gen_require(`
- type avahi_var_run_t;
+ type avahi_runtime_t;
 ')
 files_search_pids($1)
- allow $1 avahi_var_run_t:dir create_dir_perms;
+ allow $1 avahi_runtime_t:dir create_dir_perms;
 ')
 ########################################
@@ -164,11 +164,11 @@ interface(`avahi_create_pid_dirs',`
 #
 interface(`avahi_setattr_pid_dirs',`
 gen_require(`
- type avahi_var_run_t;
+ type avahi_runtime_t;
 ')
 files_search_pids($1)
- allow $1 avahi_var_run_t:dir setattr_dir_perms;
+ allow $1 avahi_runtime_t:dir setattr_dir_perms;
 ')
 ########################################
@@ -183,11 +183,11 @@ interface(`avahi_setattr_pid_dirs',`
 #
 interface(`avahi_manage_pid_files',`
 gen_require(`
- type avahi_var_run_t;
+ type avahi_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
+ manage_files_pattern($1, avahi_runtime_t, avahi_runtime_t)
 ')
 ########################################
@@ -203,10 +203,10 @@ interface(`avahi_manage_pid_files',`
 #
 interface(`avahi_dontaudit_search_pid',`
 gen_require(`
- type avahi_var_run_t;
+ type avahi_runtime_t;
 ')
- dontaudit $1 avahi_var_run_t:dir search_dir_perms;
+ dontaudit $1 avahi_runtime_t:dir search_dir_perms;
 ')
 ########################################
@@ -232,10 +232,10 @@ interface(`avahi_dontaudit_search_pid',`
 #
 interface(`avahi_filetrans_pid',`
 gen_require(`
- type avahi_var_run_t;
+ type avahi_runtime_t;
 ')
- files_pid_filetrans($1, avahi_var_run_t, $2, $3)
+ files_pid_filetrans($1, avahi_runtime_t, $2, $3)
 ')
 ########################################
@@ -257,7 +257,7 @@ interface(`avahi_filetrans_pid',`
 #
 interface(`avahi_admin',`
 gen_require(`
- type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ type avahi_t, avahi_runtime_t, avahi_initrc_exec_t;
 type avahi_var_lib_t;
 ')
@@ -267,7 +267,7 @@ interface(`avahi_admin',`
 init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, avahi_var_run_t)
+ admin_pattern($1, avahi_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, avahi_var_lib_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index c90208263..6ec9ca753 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -8,7 +8,7 @@ policy_module(avahi, 1.19.0)
 type avahi_t;
 type avahi_exec_t;
 init_daemon_domain(avahi_t, avahi_exec_t)
-init_named_socket_activation(avahi_t, avahi_var_run_t)
+init_named_socket_activation(avahi_t, avahi_runtime_t)
 type avahi_initrc_exec_t;
 init_script_file(avahi_initrc_exec_t)
@@ -19,8 +19,8 @@ init_unit_file(avahi_unit_t)
 type avahi_var_lib_t;
 files_pid_file(avahi_var_lib_t)
-type avahi_var_run_t;
-files_pid_file(avahi_var_run_t)
+type avahi_runtime_t alias avahi_var_run_t;
+files_pid_file(avahi_runtime_t)
 ########################################
 #
@@ -39,11 +39,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
-manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
-allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
-files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+manage_dirs_pattern(avahi_t, avahi_runtime_t, avahi_runtime_t)
+manage_files_pattern(avahi_t, avahi_runtime_t, avahi_runtime_t)
+manage_sock_files_pattern(avahi_t, avahi_runtime_t, avahi_runtime_t)
+allow avahi_t avahi_runtime_t:dir setattr_dir_perms;
+files_pid_filetrans(avahi_t, avahi_runtime_t, { dir file })
 kernel_read_kernel_sysctls(avahi_t)
 kernel_read_network_state(avahi_t)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index b4879dc1b..7c1df4895 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -49,7 +49,7 @@
 /var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
 /var/named/chroot/proc(/.*)? <<none>>
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_runtime_t,s0)
 /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
 /var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
@@ -59,8 +59,8 @@
 /var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
 /var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
-/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_var_run_t,s0)
-/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
-/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
+/run/ndc -s gen_context(system_u:object_r:named_runtime_t,s0)
+/run/bind(/.*)? gen_context(system_u:object_r:named_runtime_t,s0)
+/run/lwresd/lwresd\.pid -s gen_context(system_u:object_r:named_runtime_t,s0)
+/run/named(/.*)? gen_context(system_u:object_r:named_runtime_t,s0)
+/run/unbound(/.*)? gen_context(system_u:object_r:named_runtime_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
index a99bae9c6..872f05ecc 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
@@ -266,10 +266,10 @@ interface(`bind_manage_cache',`
 #
 interface(`bind_setattr_pid_dirs',`
 gen_require(`
- type named_var_run_t;
+ type named_runtime_t;
 ')
- allow $1 named_var_run_t:dir setattr_dir_perms;
+ allow $1 named_runtime_t:dir setattr_dir_perms;
 ')
 ########################################
@@ -350,7 +350,7 @@ interface(`bind_admin',`
 gen_require(`
 type named_t, named_tmp_t, named_log_t;
 type named_cache_t, named_zone_t, named_initrc_exec_t;
- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+ type dnssec_t, ndc_t, named_conf_t, named_runtime_t;
 type named_keytab_t;
 ')
@@ -372,5 +372,5 @@ interface(`bind_admin',`
 admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
 files_list_pids($1)
- admin_pattern($1, named_var_run_t)
+ admin_pattern($1, named_runtime_t)
 ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index c96d0b828..c561c086a 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -56,9 +56,9 @@ files_tmp_file(named_tmp_t)
 type named_unit_t;
 init_unit_file(named_unit_t)
-type named_var_run_t;
-files_pid_file(named_var_run_t)
-init_daemon_pid_file(named_var_run_t, dir, "named")
+type named_runtime_t alias named_var_run_t;
+files_pid_file(named_runtime_t)
+init_daemon_pid_file(named_runtime_t, dir, "named")
 # for primary zone files
 type named_zone_t;
@@ -101,10 +101,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
 manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
 files_tmp_filetrans(named_t, named_tmp_t, { file dir })
-manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t)
-manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
-manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
-files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+manage_dirs_pattern(named_t, named_runtime_t, named_runtime_t)
+manage_files_pattern(named_t, named_runtime_t, named_runtime_t)
+manage_sock_files_pattern(named_t, named_runtime_t, named_runtime_t)
+files_pid_filetrans(named_t, named_runtime_t, { dir file sock_file })
 can_exec(named_t, named_exec_t)
@@ -231,7 +231,7 @@ allow ndc_t self:unix_stream_socket { accept listen };
 allow ndc_t dnssec_t:file read_file_perms;
 allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
-stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
+stream_connect_pattern(ndc_t, named_runtime_t, named_runtime_t, named_t)
 allow ndc_t named_conf_t:file read_file_perms;
 allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
diff --git a/policy/modules/services/bird.fc b/policy/modules/services/bird.fc
index d415fdf3c..00739632c 100644
--- a/policy/modules/services/bird.fc
+++ b/policy/modules/services/bird.fc
@@ -10,4 +10,4 @@
 /var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0)
-/run/bird\.ctl -s gen_context(system_u:object_r:bird_var_run_t,s0)
+/run/bird\.ctl -s gen_context(system_u:object_r:bird_runtime_t,s0)
diff --git a/policy/modules/services/bird.if b/policy/modules/services/bird.if
index d744d6b8f..166115276 100644
--- a/policy/modules/services/bird.if
+++ b/policy/modules/services/bird.if
@@ -20,7 +20,7 @@ interface(`bird_admin',`
 gen_require(`
 type bird_t, bird_etc_t, bird_log_t;
- type bird_var_run_t, bird_initrc_exec_t;
+ type bird_runtime_t, bird_initrc_exec_t;
 ')
 allow $1 bird_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`bird_admin',`
 admin_pattern($1, bird_log_t)
 files_list_pids($1)
- admin_pattern($1, bird_var_run_t)
+ admin_pattern($1, bird_runtime_t)
 ')
diff --git a/policy/modules/services/bird.te b/policy/modules/services/bird.te
index e525f326b..d97215e23 100644
--- a/policy/modules/services/bird.te
+++ b/policy/modules/services/bird.te
@@ -18,8 +18,8 @@ files_config_file(bird_etc_t)
 type bird_log_t;
 logging_log_file(bird_log_t)
-type bird_var_run_t;
-files_pid_file(bird_var_run_t)
+type bird_runtime_t alias bird_var_run_t;
+files_pid_file(bird_runtime_t)
 ########################################
 #
@@ -35,8 +35,8 @@ allow bird_t bird_etc_t:file read_file_perms;
 allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
 logging_log_filetrans(bird_t, bird_log_t, file)
-allow bird_t bird_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(bird_t, bird_var_run_t, sock_file)
+allow bird_t bird_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(bird_t, bird_runtime_t, sock_file)
 corenet_all_recvfrom_unlabeled(bird_t)
 corenet_all_recvfrom_netlabel(bird_t)
diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
index e7b0aa607..41c277806 100644
--- a/policy/modules/services/bitlbee.fc
+++ b/policy/modules/services/bitlbee.fc
@@ -10,6 +10,6 @@
 /var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0)
-/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)
-/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0)
+/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_runtime_t,s0)
+/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_runtime_t,s0)
+/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_runtime_t,s0)
diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
index 3409d80d0..faba5e66a 100644
--- a/policy/modules/services/bitlbee.if
+++ b/policy/modules/services/bitlbee.if
@@ -40,7 +40,7 @@ interface(`bitlbee_read_config',`
 interface(`bitlbee_admin',`
 gen_require(`
 type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
- type bitlbee_initrc_exec_t, bitlbee_var_run_t;
+ type bitlbee_initrc_exec_t, bitlbee_runtime_t;
 type bitlbee_log_t, bitlbee_tmp_t;
 ')
@@ -59,7 +59,7 @@ interface(`bitlbee_admin',`
 admin_pattern($1, bitlbee_tmp_t)
 files_search_pids($1)
- admin_pattern($1, bitlbee_var_run_t)
+ admin_pattern($1, bitlbee_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, bitlbee_var_t)
diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
index 411c2896c..321d8ed76 100644
--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
@@ -25,8 +25,8 @@ files_type(bitlbee_var_t)
 type bitlbee_log_t;
 logging_log_file(bitlbee_log_t)
-type bitlbee_var_run_t;
-files_pid_file(bitlbee_var_run_t)
+type bitlbee_runtime_t alias bitlbee_var_run_t;
+files_pid_file(bitlbee_runtime_t)
 ########################################
 #
@@ -54,10 +54,10 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) -manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) -files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) +manage_dirs_pattern(bitlbee_t, bitlbee_runtime_t, bitlbee_runtime_t) +manage_files_pattern(bitlbee_t, bitlbee_runtime_t, bitlbee_runtime_t) +manage_sock_files_pattern(bitlbee_t, bitlbee_runtime_t, bitlbee_runtime_t) +files_pid_filetrans(bitlbee_t, bitlbee_runtime_t, { dir file sock_file }) kernel_read_kernel_sysctls(bitlbee_t) kernel_read_system_state(bitlbee_t) diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc index 4fbe7955a..1d011e077 100644 --- a/policy/modules/services/bluetooth.fc +++ b/policy/modules/services/bluetooth.fc @@ -28,8 +28,8 @@ /var/lock/subsys/bluetoothd -- gen_context(system_u:object_r:bluetooth_lock_t,s0) -/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_var_run_t,s0) -/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) +/run/bluetoothd_address -- gen_context(system_u:object_r:bluetooth_runtime_t,s0) +/run/sdp -s gen_context(system_u:object_r:bluetooth_runtime_t,s0) ifdef(`distro_gentoo',` diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index dc61988c0..c0b92e5bf 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if 
@@ -19,7 +19,7 @@ interface(`bluetooth_role',` gen_require(` attribute_role bluetooth_helper_roles; type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t; - type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t; + type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_runtime_t; ') ######################################## @@ -45,7 +45,7 @@ interface(`bluetooth_role',` allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) + stream_connect_pattern($2, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) files_search_pids($2) ') @@ -62,12 +62,12 @@ interface(`bluetooth_role',` # interface(`bluetooth_stream_connect',` gen_require(` - type bluetooth_t, bluetooth_var_run_t; + type bluetooth_t, bluetooth_runtime_t; ') files_search_pids($1) allow $1 bluetooth_t:socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) + stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') ######################################## @@ -168,7 +168,7 @@ interface(`bluetooth_dontaudit_read_helper_state',` interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_var_lib_t, bluetooth_runtime_t; type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; type bluetooth_initrc_exec_t; ') @@ -191,5 +191,5 @@ interface(`bluetooth_admin',` admin_pattern($1, bluetooth_var_lib_t) files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) + admin_pattern($1, bluetooth_runtime_t) ') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 45e5a361f..5b2ba72a1 100644 --- a/policy/modules/services/bluetooth.te 
+++ b/policy/modules/services/bluetooth.te @@ -49,8 +49,8 @@ init_unit_file(bluetooth_unit_t) type bluetooth_var_lib_t; files_type(bluetooth_var_lib_t) -type bluetooth_var_run_t; -files_pid_file(bluetooth_var_run_t) +type bluetooth_runtime_t alias bluetooth_var_run_t; +files_pid_file(bluetooth_runtime_t) ######################################## # @@ -87,9 +87,9 @@ manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) -manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) -files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +manage_files_pattern(bluetooth_t, bluetooth_runtime_t, bluetooth_runtime_t) +manage_sock_files_pattern(bluetooth_t, bluetooth_runtime_t, bluetooth_runtime_t) +files_pid_filetrans(bluetooth_t, bluetooth_runtime_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc index f58be76be..1a1b2ac1c 100644 --- a/policy/modules/services/cachefilesd.fc +++ b/policy/modules/services/cachefilesd.fc @@ -6,4 +6,4 @@ /var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0) -/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) +/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_runtime_t,s0) diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if index c4084b91b..00f52a83d 100644 --- a/policy/modules/services/cachefilesd.if +++ b/policy/modules/services/cachefilesd.if 
@@ -20,7 +20,7 @@ interface(`cachefilesd_admin',` gen_require(` type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t; - type cachefilesd_var_run_t; + type cachefilesd_runtime_t; ') allow $1 cachefilesd_t:process { ptrace signal_perms }; @@ -32,5 +32,5 @@ interface(`cachefilesd_admin',` admin_pattern($1, cachefilesd_cache_t) files_search_pids($1) - admin_pattern($1, cachefilesd_var_run_t) + admin_pattern($1, cachefilesd_runtime_t) ') diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te index cf1e03371..8c966398d 100644 --- a/policy/modules/services/cachefilesd.te +++ b/policy/modules/services/cachefilesd.te @@ -15,8 +15,8 @@ init_script_file(cachefilesd_initrc_exec_t) type cachefilesd_cache_t; files_mountpoint(cachefilesd_cache_t) -type cachefilesd_var_run_t; -files_pid_file(cachefilesd_var_run_t) +type cachefilesd_runtime_t alias cachefilesd_var_run_t; +files_pid_file(cachefilesd_runtime_t) type cachefiles_kernel_t; domain_type(cachefiles_kernel_t) @@ -31,8 +31,8 @@ allow cachefilesd_t self:capability { dac_override setgid setuid sys_admin }; allow cachefilesd_t cachefiles_kernel_t:kernel_service use_as_override; -manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) -files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +manage_files_pattern(cachefilesd_t, cachefilesd_runtime_t, cachefilesd_runtime_t) +files_pid_filetrans(cachefilesd_t, cachefilesd_runtime_t, file) allow cachefilesd_t cachefilesd_cache_t:kernel_service create_files_as; manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc index 3cdd635b3..130b409b7 100644 --- a/policy/modules/services/callweaver.fc +++ b/policy/modules/services/callweaver.fc 
@@ -8,6 +8,6 @@ /var/log/callweaver(/.*)? gen_context(system_u:object_r:callweaver_log_t,s0) -/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_var_run_t,s0) +/run/callweaver(/.*)? gen_context(system_u:object_r:callweaver_runtime_t,s0) /var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if index f89bf39ad..2b52ede88 100644 --- a/policy/modules/services/callweaver.if +++ b/policy/modules/services/callweaver.if @@ -32,11 +32,11 @@ interface(`callweaver_exec',` # interface(`callweaver_stream_connect',` gen_require(` - type callweaver_t, callweaver_var_run_t; + type callweaver_t, callweaver_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t) + stream_connect_pattern($1, callweaver_runtime_t, callweaver_runtime_t, callweaver_t) ') ######################################## @@ -59,7 +59,7 @@ interface(`callweaver_stream_connect',` interface(`callweaver_admin',` gen_require(` type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t; - type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t; + type callweaver_var_lib_t, callweaver_runtime_t, callweaver_spool_t; ') allow $1 callweaver_t:process { ptrace signal_perms }; @@ -71,7 +71,7 @@ interface(`callweaver_admin',` admin_pattern($1, callweaver_log_t) files_search_pids($1) - admin_pattern($1, callweaver_var_run_t) + admin_pattern($1, callweaver_runtime_t) files_search_var_lib($1) admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t }) diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te index 3c8fff6fe..2b11080e1 100644 --- a/policy/modules/services/callweaver.te +++ b/policy/modules/services/callweaver.te 
@@ -18,8 +18,8 @@ logging_log_file(callweaver_log_t) type callweaver_var_lib_t; files_type(callweaver_var_lib_t) -type callweaver_var_run_t; -files_pid_file(callweaver_var_run_t) +type callweaver_runtime_t alias callweaver_var_run_t; +files_pid_file(callweaver_runtime_t) type callweaver_spool_t; files_type(callweaver_spool_t) @@ -45,10 +45,10 @@ manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t) files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file }) -manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t) -files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file }) +manage_dirs_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t) +manage_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t) +manage_sock_files_pattern(callweaver_t, callweaver_runtime_t, callweaver_runtime_t) +files_pid_filetrans(callweaver_t, callweaver_runtime_t, { dir file sock_file }) manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t) diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc index 7688d0ecb..250d87c41 100644 --- a/policy/modules/services/canna.fc +++ b/policy/modules/services/canna.fc 
@@ -14,6 +14,6 @@ /var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0) /var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) -/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) -/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) -/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) +/run/\.iroha_unix -d gen_context(system_u:object_r:canna_runtime_t,s0) +/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_runtime_t,s0) +/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_runtime_t,s0) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if index e3fd19939..241d00235 100644 --- a/policy/modules/services/canna.if +++ b/policy/modules/services/canna.if @@ -13,11 +13,11 @@ # interface(`canna_stream_connect',` gen_require(` - type canna_t, canna_var_run_t; + type canna_t, canna_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) + stream_connect_pattern($1, canna_runtime_t, canna_runtime_t, canna_t) ') ######################################## @@ -40,7 +40,7 @@ interface(`canna_stream_connect',` interface(`canna_admin',` gen_require(` type canna_t, canna_log_t, canna_var_lib_t; - type canna_var_run_t, canna_initrc_exec_t; + type canna_runtime_t, canna_initrc_exec_t; ') allow $1 canna_t:process { ptrace signal_perms }; @@ -55,5 +55,5 @@ interface(`canna_admin',` admin_pattern($1, canna_var_lib_t) files_list_pids($1) - admin_pattern($1, canna_var_run_t) + admin_pattern($1, canna_runtime_t) ') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index d4a2b7872..ac42c9b9c 100644 --- a/policy/modules/services/canna.te +++ b/policy/modules/services/canna.te 
@@ -18,8 +18,8 @@ logging_log_file(canna_log_t) type canna_var_lib_t; files_type(canna_var_lib_t) -type canna_var_run_t; -files_pid_file(canna_var_run_t) +type canna_runtime_t alias canna_var_run_t; +files_pid_file(canna_runtime_t) ######################################## # @@ -44,10 +44,10 @@ manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) files_var_lib_filetrans(canna_t, canna_var_lib_t, file) -manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) -files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) +manage_dirs_pattern(canna_t, canna_runtime_t, canna_runtime_t) +manage_files_pattern(canna_t, canna_runtime_t, canna_runtime_t) +manage_sock_files_pattern(canna_t, canna_runtime_t, canna_runtime_t) +files_pid_filetrans(canna_t, canna_runtime_t, { dir sock_file }) kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc index f428bee05..fb224aaa0 100644 --- a/policy/modules/services/ccs.fc +++ b/policy/modules/services/ccs.fc @@ -10,5 +10,5 @@ /var/log/cluster/((ccs)|(ccsd)).* gen_context(system_u:object_r:ccs_var_log_t,s0) -/run/cluster/((ccs)|(ccsd))\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) -/run/cluster/((ccs)|(ccsd))\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) +/run/cluster/((ccs)|(ccsd))\.pid -- gen_context(system_u:object_r:ccs_runtime_t,s0) +/run/cluster/((ccs)|(ccsd))\.sock -s gen_context(system_u:object_r:ccs_runtime_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if index 767fb7127..f6d3bb1cc 100644 --- a/policy/modules/services/ccs.if +++ b/policy/modules/services/ccs.if 
@@ -31,11 +31,11 @@ interface(`ccs_domtrans',` # interface(`ccs_stream_connect',` gen_require(` - type ccs_t, ccs_var_run_t; + type ccs_t, ccs_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t) + stream_connect_pattern($1, ccs_runtime_t, ccs_runtime_t, ccs_t) ') ######################################## @@ -99,7 +99,7 @@ interface(`ccs_admin',` gen_require(` type ccs_t, ccs_initrc_exec_t, cluster_conf_t; type ccs_var_lib_t, ccs_var_log_t; - type ccs_var_run_t, ccs_tmp_t; + type ccs_runtime_t, ccs_tmp_t; ') allow $1 ccs_t:process { ptrace signal_perms }; @@ -117,7 +117,7 @@ interface(`ccs_admin',` admin_pattern($1, ccs_var_log_t) files_search_pids($1) - admin_pattern($1, ccs_var_run_t) + admin_pattern($1, ccs_runtime_t) files_search_tmp($1) admin_pattern($1, ccs_tmp_t) diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index dac9ec8ae..5437f69f3 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -27,8 +27,8 @@ logging_log_file(ccs_var_lib_t) type ccs_var_log_t; logging_log_file(ccs_var_log_t) -type ccs_var_run_t; -files_pid_file(ccs_var_run_t) +type ccs_runtime_t alias ccs_var_run_t; +files_pid_file(ccs_runtime_t) ######################################## # @@ -66,9 +66,9 @@ setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file }) -manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) -files_pid_filetrans(ccs_t, ccs_var_run_t, { file sock_file }) +manage_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t) +manage_sock_files_pattern(ccs_t, ccs_runtime_t, ccs_runtime_t) +files_pid_filetrans(ccs_t, ccs_runtime_t, { file sock_file }) kernel_read_kernel_sysctls(ccs_t) 
diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc index 8322c3487..9aa994139 100644 --- a/policy/modules/services/certmaster.fc +++ b/policy/modules/services/certmaster.fc @@ -8,4 +8,4 @@ /var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) -/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) +/run/certmaster.* gen_context(system_u:object_r:certmaster_runtime_t,s0) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if index 965755cdb..14da4c710 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if @@ -116,7 +116,7 @@ interface(`certmaster_manage_log',` # interface(`certmaster_admin',` gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; + type certmaster_t, certmaster_runtime_t, certmaster_var_lib_t; type certmaster_etc_rw_t, certmaster_var_log_t; type certmaster_initrc_exec_t; ') @@ -133,7 +133,7 @@ interface(`certmaster_admin',` admin_pattern($1, certmaster_etc_rw_t) files_list_pids($1) - admin_pattern($1, certmaster_var_run_t) + admin_pattern($1, certmaster_runtime_t) logging_list_logs($1) admin_pattern($1, certmaster_var_log_t) diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te index daeb417df..0e2666ca3 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te @@ -21,8 +21,8 @@ files_type(certmaster_var_lib_t) type certmaster_var_log_t; logging_log_file(certmaster_var_log_t) -type certmaster_var_run_t; -files_pid_file(certmaster_var_run_t) +type certmaster_runtime_t alias certmaster_var_run_t; +files_pid_file(certmaster_runtime_t) ########################################### # 
@@ -44,9 +44,9 @@ create_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) setattr_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) logging_log_filetrans(certmaster_t, certmaster_var_log_t, file ) -manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) -files_pid_filetrans(certmaster_t ,certmaster_var_run_t, { file sock_file }) +manage_files_pattern(certmaster_t, certmaster_runtime_t, certmaster_runtime_t) +manage_sock_files_pattern(certmaster_t, certmaster_runtime_t, certmaster_runtime_t) +files_pid_filetrans(certmaster_t ,certmaster_runtime_t, { file sock_file }) kernel_read_system_state(certmaster_t) diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc index 7d357324c..6a2977f19 100644 --- a/policy/modules/services/certmonger.fc +++ b/policy/modules/services/certmonger.fc @@ -6,4 +6,4 @@ /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) -/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) +/run/certmonger.* gen_context(system_u:object_r:certmonger_runtime_t,s0) diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if index 3a456b70d..f10d0fe06 100644 --- a/policy/modules/services/certmonger.if +++ b/policy/modules/services/certmonger.if @@ -71,11 +71,11 @@ interface(`certmonger_initrc_domtrans',` # interface(`certmonger_read_pid_files',` gen_require(` - type certmonger_var_run_t; + type certmonger_runtime_t; ') files_search_pids($1) - allow $1 certmonger_var_run_t:file read_file_perms; + allow $1 certmonger_runtime_t:file read_file_perms; ') ######################################## 
@@ -156,7 +156,7 @@ interface(`certmonger_manage_lib_files',` interface(`certmonger_admin',` gen_require(` type certmonger_t, certmonger_initrc_exec_t; - type certmonger_var_lib_t, certmonger_var_run_t; + type certmonger_var_lib_t, certmonger_runtime_t; ') ps_process_pattern($1, certmonger_t) @@ -168,5 +168,5 @@ interface(`certmonger_admin',` admin_pattern($1, certmonger_var_lib_t) files_search_pids($1) - admin_pattern($1, certmonger_var_run_t) + admin_pattern($1, certmonger_runtime_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te index 6e569dff8..89e7286f2 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -15,8 +15,8 @@ init_script_file(certmonger_initrc_exec_t) type certmonger_var_lib_t; files_type(certmonger_var_lib_t) -type certmonger_var_run_t; -files_pid_file(certmonger_var_run_t) +type certmonger_runtime_t alias certmonger_var_run_t; +files_pid_file(certmonger_runtime_t) ######################################## # @@ -35,9 +35,9 @@ manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, dir) -manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) +manage_dirs_pattern(certmonger_t, certmonger_runtime_t, certmonger_runtime_t) +manage_files_pattern(certmonger_t, certmonger_runtime_t, certmonger_runtime_t) +files_pid_filetrans(certmonger_t, certmonger_runtime_t, { dir file }) kernel_read_kernel_sysctls(certmonger_t) kernel_read_system_state(certmonger_t) diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc index f631358ec..452910654 100644 --- a/policy/modules/services/cgroup.fc 
+++ b/policy/modules/services/cgroup.fc @@ -16,4 +16,4 @@ /usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) /var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0) -/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) +/run/cgred.* gen_context(system_u:object_r:cgred_runtime_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if index a8870b96c..dd631ae5e 100644 --- a/policy/modules/services/cgroup.if +++ b/policy/modules/services/cgroup.if @@ -140,10 +140,10 @@ interface(`cgroup_run_cgclear',` # interface(`cgroup_stream_connect_cgred', ` gen_require(` - type cgred_var_run_t, cgred_t; + type cgred_runtime_t, cgred_t; ') - stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) + stream_connect_pattern($1, cgred_runtime_t, cgred_runtime_t, cgred_t) files_search_pids($1) ') @@ -166,7 +166,7 @@ interface(`cgroup_stream_connect_cgred', ` # interface(`cgroup_admin',` gen_require(` - type cgred_t, cgconfig_t, cgred_var_run_t; + type cgred_t, cgconfig_t, cgred_runtime_t; type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; type cgrules_etc_t, cgclear_t; ') @@ -177,7 +177,7 @@ interface(`cgroup_admin',` admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) - admin_pattern($1, cgred_var_run_t) + admin_pattern($1, cgred_runtime_t) files_list_pids($1) init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te index ac7294a2e..86641dc65 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -19,8 +19,8 @@ init_script_file(cgred_initrc_exec_t) type cgred_log_t; logging_log_file(cgred_log_t) -type cgred_var_run_t; -files_pid_file(cgred_var_run_t) +type cgred_runtime_t alias cgred_var_run_t; +files_pid_file(cgred_runtime_t) type cgrules_etc_t; files_config_file(cgrules_etc_t) 
@@ -86,9 +86,9 @@ allow cgred_t cgrules_etc_t:file read_file_perms; allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(cgred_t, cgred_log_t, file) -manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) +manage_files_pattern(cgred_t, cgred_runtime_t, cgred_runtime_t) +manage_sock_files_pattern(cgred_t, cgred_runtime_t, cgred_runtime_t) +files_pid_filetrans(cgred_t, cgred_runtime_t, { file sock_file }) kernel_read_all_sysctls(cgred_t) kernel_read_system_state(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc index 7153deee0..139940663 100644 --- a/policy/modules/services/chronyd.fc +++ b/policy/modules/services/chronyd.fc @@ -16,9 +16,9 @@ /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) -/run/chronyd?(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) -/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) -/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) +/run/chronyd?(/.*)? gen_context(system_u:object_r:chronyd_runtime_t,s0) +/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_runtime_t,s0) +/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_runtime_t,s0) ifdef(`distro_gentoo',` /etc/chrony/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if index bc4ba6916..ee21f7ce1 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if 
@@ -195,11 +195,11 @@ interface(`chronyd_rw_shm',` # interface(`chronyd_stream_connect',` gen_require(` - type chronyd_t, chronyd_var_run_t; + type chronyd_t, chronyd_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + stream_connect_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyd_t) ') ######################################## @@ -215,11 +215,11 @@ interface(`chronyd_stream_connect',` # interface(`chronyd_dgram_send',` gen_require(` - type chronyd_t, chronyd_var_run_t; + type chronyd_t, chronyd_runtime_t; ') files_search_pids($1) - dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + dgram_send_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyd_t) ') ######################################## @@ -311,11 +311,11 @@ interface(`chronyd_status',` # interface(`chronyd_dgram_send_cli',` gen_require(` - type chronyc_t, chronyd_var_run_t; + type chronyc_t, chronyd_runtime_t; ') files_search_pids($1) - dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyc_t) + dgram_send_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyc_t) ') #################################### @@ -338,7 +338,7 @@ interface(`chronyd_dgram_send_cli',` interface(`chronyd_admin',` gen_require(` type chronyd_t, chronyd_var_log_t; - type chronyd_var_run_t, chronyd_var_lib_t; + type chronyd_runtime_t, chronyd_var_lib_t; type chronyd_initrc_exec_t, chronyd_keys_t; ') @@ -357,5 +357,5 @@ interface(`chronyd_admin',` admin_pattern($1, chronyd_var_lib_t) files_search_pids($1) - admin_pattern($1, chronyd_var_run_t) + admin_pattern($1, chronyd_runtime_t) ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te index 777164079..d55110a9d 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te 
@@ -38,8 +38,8 @@ files_type(chronyd_var_lib_t) type chronyd_var_log_t; logging_log_file(chronyd_var_log_t) -type chronyd_var_run_t; -init_daemon_pid_file(chronyd_var_run_t, dir, "chrony") +type chronyd_runtime_t alias chronyd_var_run_t; +init_daemon_pid_file(chronyd_runtime_t, dir, "chrony") ######################################## # @@ -68,10 +68,10 @@ create_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) setattr_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) logging_log_filetrans(chronyd_t, chronyd_var_log_t, dir) -manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) -files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) +manage_dirs_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t) +manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t) +manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t) +files_pid_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file }) kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) 
@@ -120,10 +120,10 @@ allow chronyc_t self:process { signal }; allow chronyc_t self:udp_socket create_socket_perms; allow chronyc_t self:netlink_route_socket create_netlink_socket_perms; -manage_dirs_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) -manage_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) -manage_sock_files_pattern(chronyc_t, chronyd_var_run_t, chronyd_var_run_t) -files_pid_filetrans(chronyc_t, chronyd_var_run_t, { dir file sock_file }) +manage_dirs_pattern(chronyc_t, chronyd_runtime_t, chronyd_runtime_t) +manage_files_pattern(chronyc_t, chronyd_runtime_t, chronyd_runtime_t) +manage_sock_files_pattern(chronyc_t, chronyd_runtime_t, chronyd_runtime_t) +files_pid_filetrans(chronyc_t, chronyd_runtime_t, { dir file sock_file }) corenet_all_recvfrom_unlabeled(chronyc_t) corenet_all_recvfrom_netlabel(chronyc_t) diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc index 70fb22e69..271595baa 100644 --- a/policy/modules/services/clamav.fc +++ b/policy/modules/services/clamav.fc @@ -23,8 +23,8 @@ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) -/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) -/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) -/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) +/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_runtime_t,s0) +/run/clamav.* gen_context(system_u:object_r:clamd_runtime_t,s0) +/run/clamd.* gen_context(system_u:object_r:clamd_runtime_t,s0) -/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_runtime_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 30d0b814d..5b5a3ba73 100644 --- a/policy/modules/services/clamav.if 
+++ b/policy/modules/services/clamav.if @@ -58,13 +58,13 @@ interface(`clamav_run',` # interface(`clamav_stream_connect',` gen_require(` - type clamd_t, clamd_var_run_t; + type clamd_t, clamd_runtime_t; ') allow clamd_t $1:fd use; files_search_pids($1) - stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) + stream_connect_pattern($1, clamd_runtime_t, clamd_runtime_t, clamd_t) ') ######################################## @@ -100,12 +100,12 @@ interface(`clamav_append_log',` # interface(`clamav_manage_pid_content',` gen_require(` - type clamd_var_run_t; + type clamd_runtime_t; ') files_search_pids($1) - manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t) - manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t) + manage_dirs_pattern($1, clamd_runtime_t, clamd_runtime_t) + manage_files_pattern($1, clamd_runtime_t, clamd_runtime_t) ') ######################################## @@ -412,7 +412,7 @@ interface(`clamav_admin',` gen_require(` type clamd_t, clamd_etc_t, clamd_tmp_t; type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; - type clamd_var_run_t, clamscan_t, clamscan_tmp_t; + type clamd_runtime_t, clamscan_t, clamscan_tmp_t; type freshclam_t, freshclam_var_log_t; ') @@ -431,7 +431,7 @@ interface(`clamav_admin',` admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) files_list_pids($1) - admin_pattern($1, clamd_var_run_t) + admin_pattern($1, clamd_runtime_t) files_list_tmp($1) admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index e5e03f889..0a59883b0 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te 
@@ -51,9 +51,9 @@ logging_log_file(clamd_var_log_t)
 type clamd_var_lib_t;
 files_type(clamd_var_lib_t)
 
-type clamd_var_run_t;
-files_pid_file(clamd_var_run_t)
-typealias clamd_var_run_t alias clamd_sock_t;
+type clamd_runtime_t;
+files_pid_file(clamd_runtime_t)
+typealias clamd_runtime_t alias clamd_var_run_t;
 
 type clamscan_t;
 type clamscan_exec_t;
@@ -99,10 +99,10 @@ create_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 setattr_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
 logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
 
-manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
-files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(clamd_t, clamd_runtime_t, clamd_runtime_t)
+manage_files_pattern(clamd_t, clamd_runtime_t, clamd_runtime_t)
+manage_sock_files_pattern(clamd_t, clamd_runtime_t, clamd_runtime_t)
+files_pid_filetrans(clamd_t, clamd_runtime_t, { dir file sock_file })
 
 read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
 read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
@@ -157,7 +157,7 @@ tunable_policy(`clamd_use_jit',`
 
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
-	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
+	amavis_spool_filetrans(clamd_t, clamd_runtime_t, sock_file)
 	amavis_create_pid_files(clamd_t)
 ')
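Review bot: The first clamav.te hunk silently drops the existing `clamd_sock_t` alias: the removed line was `typealias clamd_var_run_t alias clamd_sock_t;` and the new line only aliases `clamd_var_run_t`, so any module that still requires `clamd_sock_t` stops linking and objects carrying that label (the amavis socket path in clamav.fc is labeled with this type) would be left with an unknown type after a policy reload until relabeled. Unless the drop is intended, keep both names, `typealias clamd_runtime_t alias { clamd_var_run_t clamd_sock_t };`, which is the brace form cron.te already uses for its spool aliases. As a point of style, every other module in this series declares the alias inline (`type X_runtime_t alias X_var_run_t;`) while clamav keeps a separate `typealias` statement; if `clamd_sock_t` really is to be removed, the inline form would match the rest of the commit.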
@@ -189,15 +189,15 @@ read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) -manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) -files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +manage_files_pattern(freshclam_t, clamd_runtime_t, clamd_runtime_t) +files_pid_filetrans(freshclam_t, clamd_runtime_t, file) append_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) create_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) setattr_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) -stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t) +stream_connect_pattern(freshclam_t, clamd_runtime_t, clamd_runtime_t, clamd_t) read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) @@ -282,10 +282,10 @@ list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) -allow clamscan_t clamd_var_run_t:dir list_dir_perms; -read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t) +allow clamscan_t clamd_runtime_t:dir list_dir_perms; +read_files_pattern(clamscan_t, clamd_runtime_t, clamd_runtime_t) -stream_connect_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t, clamd_t) +stream_connect_pattern(clamscan_t, clamd_runtime_t, clamd_runtime_t, clamd_t) kernel_dontaudit_list_proc(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc index 6c5de73b9..38a26207f 100644 --- a/policy/modules/services/clogd.fc +++ b/policy/modules/services/clogd.fc 
@@ -2,4 +2,4 @@ /usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) -/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) +/run/clogd\.pid -- gen_context(system_u:object_r:clogd_runtime_t,s0) diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te index 3f0c47ff7..28f32eea3 100644 --- a/policy/modules/services/clogd.te +++ b/policy/modules/services/clogd.te @@ -12,8 +12,8 @@ init_daemon_domain(clogd_t, clogd_exec_t) type clogd_tmpfs_t; files_tmpfs_file(clogd_tmpfs_t) -type clogd_var_run_t; -files_pid_file(clogd_var_run_t) +type clogd_runtime_t alias clogd_var_run_t; +files_pid_file(clogd_runtime_t) ######################################## # @@ -30,8 +30,8 @@ manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) -manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) -files_pid_filetrans(clogd_t, clogd_var_run_t, file) +manage_files_pattern(clogd_t, clogd_runtime_t, clogd_runtime_t) +files_pid_filetrans(clogd_t, clogd_runtime_t, file) dev_manage_generic_blk_files(clogd_t) dev_read_lvm_control(clogd_t) diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc index c948aacf9..d511f3e30 100644 --- a/policy/modules/services/cmirrord.fc +++ b/policy/modules/services/cmirrord.fc @@ -4,4 +4,4 @@ /usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) -/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) +/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_runtime_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if index 0785068f5..ce5c107b2 100644 --- a/policy/modules/services/cmirrord.if +++ b/policy/modules/services/cmirrord.if 
@@ -51,11 +51,11 @@ interface(`cmirrord_initrc_domtrans',` # interface(`cmirrord_read_pid_files',` gen_require(` - type cmirrord_var_run_t; + type cmirrord_runtime_t; ') files_search_pids($1) - allow $1 cmirrord_var_run_t:file read_file_perms; + allow $1 cmirrord_runtime_t:file read_file_perms; ') ####################################### @@ -100,7 +100,7 @@ interface(`cmirrord_rw_shm',` # interface(`cmirrord_admin',` gen_require(` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_runtime_t; ') allow $1 cmirrord_t:process { ptrace signal_perms }; @@ -109,5 +109,5 @@ interface(`cmirrord_admin',` init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t) files_list_pids($1) - admin_pattern($1, cmirrord_var_run_t) + admin_pattern($1, cmirrord_runtime_t) ') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te index 612477472..35ea5040e 100644 --- a/policy/modules/services/cmirrord.te +++ b/policy/modules/services/cmirrord.te @@ -15,8 +15,8 @@ init_script_file(cmirrord_initrc_exec_t) type cmirrord_tmpfs_t; files_tmpfs_file(cmirrord_tmpfs_t) -type cmirrord_var_run_t; -files_pid_file(cmirrord_var_run_t) +type cmirrord_runtime_t alias cmirrord_var_run_t; +files_pid_file(cmirrord_runtime_t) ######################################## # @@ -36,8 +36,8 @@ manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) -manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) -files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) +manage_files_pattern(cmirrord_t, cmirrord_runtime_t, cmirrord_runtime_t) +files_pid_filetrans(cmirrord_t, cmirrord_runtime_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) 
diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc index 4e9b367e3..90f8b9686 100644 --- a/policy/modules/services/collectd.fc +++ b/policy/modules/services/collectd.fc @@ -6,7 +6,7 @@ /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) -/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) -/run/collectd(/.*)? gen_context(system_u:object_r:collectd_var_run_t,s0) +/run/collectd\.pid -- gen_context(system_u:object_r:collectd_runtime_t,s0) +/run/collectd(/.*)? gen_context(system_u:object_r:collectd_runtime_t,s0) /usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if index a55db07b4..f98f01e20 100644 --- a/policy/modules/services/collectd.if +++ b/policy/modules/services/collectd.if @@ -19,7 +19,7 @@ # interface(`collectd_admin',` gen_require(` - type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; + type collectd_t, collectd_initrc_exec_t, collectd_runtime_t; type collectd_var_lib_t; ') @@ -29,7 +29,7 @@ interface(`collectd_admin',` init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t) files_search_pids($1) - admin_pattern($1, collectd_var_run_t) + admin_pattern($1, collectd_runtime_t) files_search_var_lib($1) admin_pattern($1, collectd_var_lib_t) diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te index 5feefa30c..166fc9b4f 100644 --- a/policy/modules/services/collectd.te +++ b/policy/modules/services/collectd.te @@ -23,8 +23,8 @@ init_script_file(collectd_initrc_exec_t) type collectd_var_lib_t; files_type(collectd_var_lib_t) -type collectd_var_run_t; -files_pid_file(collectd_var_run_t) +type collectd_runtime_t alias collectd_var_run_t; +files_pid_file(collectd_runtime_t) apache_content_template(collectd) 
@@ -44,9 +44,9 @@ manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) -manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file }) +manage_files_pattern(collectd_t, collectd_runtime_t, collectd_runtime_t) +manage_dirs_pattern(collectd_t, collectd_runtime_t, collectd_runtime_t) +files_pid_filetrans(collectd_t, collectd_runtime_t, { dir file }) domain_use_interactive_fds(collectd_t) diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te index 763235286..c4ead89ee 100644 --- a/policy/modules/services/comsat.te +++ b/policy/modules/services/comsat.te @@ -12,8 +12,8 @@ inetd_udp_service_domain(comsat_t, comsat_exec_t) type comsat_tmp_t; files_tmp_file(comsat_tmp_t) -type comsat_var_run_t; -files_pid_file(comsat_var_run_t) +type comsat_runtime_t alias comsat_var_run_t; +files_pid_file(comsat_runtime_t) ######################################## # @@ -30,8 +30,8 @@ manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) -manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t) -files_pid_filetrans(comsat_t, comsat_var_run_t, file) +manage_files_pattern(comsat_t, comsat_runtime_t, comsat_runtime_t) +files_pid_filetrans(comsat_t, comsat_runtime_t, file) kernel_read_kernel_sysctls(comsat_t) kernel_read_network_state(comsat_t) diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc index eed1e3414..10df86889 100644 --- a/policy/modules/services/condor.fc +++ b/policy/modules/services/condor.fc 
@@ -28,4 +28,4 @@ /var/log/condor(/.*)? gen_context(system_u:object_r:condor_log_t,s0) -/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) +/run/condor(/.*)? gen_context(system_u:object_r:condor_runtime_t,s0) diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if index b2af357a4..8974f312e 100644 --- a/policy/modules/services/condor.if +++ b/policy/modules/services/condor.if @@ -60,7 +60,7 @@ interface(`condor_admin',` attribute condor_domain; type condor_initrc_exec_t, condor_log_t; type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; - type condor_var_run_t, condor_startd_tmp_t, condor_conf_t; + type condor_runtime_t, condor_startd_tmp_t, condor_conf_t; ') allow $1 condor_domain:process { ptrace signal_perms }; @@ -81,7 +81,7 @@ interface(`condor_admin',` admin_pattern($1, condor_var_lib_t) files_search_pids($1) - admin_pattern($1, condor_var_run_t) + admin_pattern($1, condor_runtime_t) files_search_tmp($1) admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te index 0d04d4cbc..46b1b5baf 100644 --- a/policy/modules/services/condor.te +++ b/policy/modules/services/condor.te @@ -46,8 +46,8 @@ files_type(condor_var_lib_t) type condor_var_lock_t; files_lock_file(condor_var_lock_t) -type condor_var_run_t; -files_pid_file(condor_var_run_t) +type condor_runtime_t alias condor_var_run_t; +files_pid_file(condor_runtime_t) condor_domain_template(collector) condor_domain_template(negotiator) 
@@ -79,10 +79,10 @@ manage_dirs_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) manage_files_pattern(condor_domain, condor_var_lock_t, condor_var_lock_t) files_lock_filetrans(condor_domain, condor_var_lock_t, { dir file }) -manage_dirs_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -manage_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -manage_fifo_files_pattern(condor_domain, condor_var_run_t, condor_var_run_t) -files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) +manage_dirs_pattern(condor_domain, condor_runtime_t, condor_runtime_t) +manage_files_pattern(condor_domain, condor_runtime_t, condor_runtime_t) +manage_fifo_files_pattern(condor_domain, condor_runtime_t, condor_runtime_t) +files_pid_filetrans(condor_domain, condor_runtime_t, { dir file fifo_file }) allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc index d4623586e..e57c6070a 100644 --- a/policy/modules/services/consolekit.fc +++ b/policy/modules/services/consolekit.fc @@ -6,6 +6,6 @@ /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) -/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) -/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) -/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_runtime_t,s0) +/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_runtime_t,s0) +/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_runtime_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if index e5cc8434b..9aa0dbce8 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if 
@@ -56,11 +56,11 @@ interface(`consolekit_dbus_chat',` # interface(`consolekit_use_inhibit_lock',` gen_require(` - type consolekit_t, consolekit_var_run_t; + type consolekit_t, consolekit_runtime_t; ') allow $1 consolekit_t:fd use; - allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms; + allow $1 consolekit_runtime_t:fifo_file rw_inherited_fifo_file_perms; ') ######################################## @@ -114,10 +114,10 @@ interface(`consolekit_manage_log',` # interface(`consolekit_read_pid_files',` gen_require(` - type consolekit_var_run_t; + type consolekit_runtime_t; ') files_search_pids($1) - allow $1 consolekit_var_run_t:dir list_dir_perms; - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) + allow $1 consolekit_runtime_t:dir list_dir_perms; + read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t) ') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index e5b452292..ea6583536 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -18,9 +18,9 @@ files_tmpfs_file(consolekit_tmpfs_t) type consolekit_unit_t; init_unit_file(consolekit_unit_t) -type consolekit_var_run_t; -files_pid_file(consolekit_var_run_t) -init_daemon_pid_file(consolekit_var_run_t, dir, "ConsoleKit") +type consolekit_runtime_t alias consolekit_var_run_t; +files_pid_file(consolekit_runtime_t) +init_daemon_pid_file(consolekit_runtime_t, dir, "ConsoleKit") ######################################## # 
@@ -38,10 +38,10 @@ read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) logging_log_filetrans(consolekit_t, consolekit_log_t, file) -manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) -files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file }) +manage_dirs_pattern(consolekit_t, consolekit_runtime_t, consolekit_runtime_t) +manage_files_pattern(consolekit_t, consolekit_runtime_t, consolekit_runtime_t) +manage_fifo_files_pattern(consolekit_t, consolekit_runtime_t, consolekit_runtime_t) +files_pid_filetrans(consolekit_t, consolekit_runtime_t, { dir file }) kernel_read_system_state(consolekit_t) diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc index 3671df610..51a558c87 100644 --- a/policy/modules/services/corosync.fc +++ b/policy/modules/services/corosync.fc @@ -10,6 +10,6 @@ /var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0) -/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) -/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) -/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) +/run/cman_.* -s gen_context(system_u:object_r:corosync_runtime_t,s0) +/run/corosync\.pid -- gen_context(system_u:object_r:corosync_runtime_t,s0) +/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_runtime_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 2b2d11af9..02dc0439a 100644 --- a/policy/modules/services/corosync.if +++ b/policy/modules/services/corosync.if 
@@ -90,11 +90,11 @@ interface(`corosync_read_log',` # interface(`corosync_stream_connect',` gen_require(` - type corosync_t, corosync_var_run_t; + type corosync_t, corosync_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) + stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t) ') ###################################### @@ -136,7 +136,7 @@ interface(`corosync_rw_tmpfs',` interface(`corosync_admin',` gen_require(` type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; + type corosync_runtime_t, corosync_tmp_t, corosync_tmpfs_t; type corosync_initrc_exec_t; ') @@ -157,5 +157,5 @@ interface(`corosync_admin',` admin_pattern($1, corosync_var_log_t) files_list_pids($1) - admin_pattern($1, corosync_var_run_t) + admin_pattern($1, corosync_runtime_t) ') diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te index 6f8d20c68..45bd9e1fc 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -25,8 +25,8 @@ files_type(corosync_var_lib_t) type corosync_var_log_t; logging_log_file(corosync_var_log_t) -type corosync_var_run_t; -files_pid_file(corosync_var_run_t) +type corosync_runtime_t alias corosync_var_run_t; +files_pid_file(corosync_runtime_t) ######################################## # 
@@ -63,10 +63,10 @@ append_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) setattr_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) logging_log_filetrans(corosync_t, corosync_var_log_t, file) -manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) -files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir }) +manage_files_pattern(corosync_t, corosync_runtime_t, corosync_runtime_t) +manage_sock_files_pattern(corosync_t, corosync_runtime_t, corosync_runtime_t) +manage_dirs_pattern(corosync_t, corosync_runtime_t,corosync_runtime_t) +files_pid_filetrans(corosync_t, corosync_runtime_t, { file sock_file dir }) can_exec(corosync_t, corosync_exec_t) @@ -145,4 +145,4 @@ optional_policy(` optional_policy(` rpc_search_nfs_state_data(corosync_t) -')
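Review bot: The rewritten `manage_dirs_pattern(corosync_t, corosync_runtime_t,corosync_runtime_t)` line in the first corosync.te hunk carries over a missing space after the second comma, which is the only line in this series written that way. Since the line is being replaced anyway, normalizing it to `manage_dirs_pattern(corosync_t, corosync_runtime_t, corosync_runtime_t)` costs nothing and keeps the file greppable for the argument pair.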
\ No newline at end of file +') diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc index 620bb5c92..927f0002a 100644 --- a/policy/modules/services/couchdb.fc +++ b/policy/modules/services/couchdb.fc @@ -6,4 +6,4 @@ /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) /var/log/couchdb(/.*)? gen_context(system_u:object_r:couchdb_log_t,s0) -/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0) +/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_runtime_t,s0) diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if index 830c271f3..fe89aeb56 100644 --- a/policy/modules/services/couchdb.if +++ b/policy/modules/services/couchdb.if @@ -69,11 +69,11 @@ interface(`couchdb_read_conf_files',` # interface(`couchdb_read_pid_files',` gen_require(` - type couchdb_var_run_t; + type couchdb_runtime_t; ') files_search_pids($1) - read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) + read_files_pattern($1, couchdb_runtime_t, couchdb_runtime_t) ') ######################################## @@ -96,7 +96,7 @@ interface(`couchdb_read_pid_files',` interface(`couchdb_admin',` gen_require(` type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; - type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; + type couchdb_log_t, couchdb_var_lib_t, couchdb_runtime_t; type couchdb_tmp_t; ') @@ -118,5 +118,5 @@ interface(`couchdb_admin',` admin_pattern($1, couchdb_var_lib_t) files_search_pids($1) - admin_pattern($1, couchdb_var_run_t) + admin_pattern($1, couchdb_runtime_t) ') diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te index dbb4cf9ae..d9079e397 100644 --- a/policy/modules/services/couchdb.te +++ b/policy/modules/services/couchdb.te 
@@ -28,9 +28,9 @@ files_tmp_file(couchdb_tmp_t) type couchdb_var_lib_t; files_type(couchdb_var_lib_t) -type couchdb_var_run_t; -files_pid_file(couchdb_var_run_t) -init_daemon_pid_file(couchdb_var_run_t, dir, "couchdb") +type couchdb_runtime_t alias couchdb_var_run_t; +files_pid_file(couchdb_runtime_t) +init_daemon_pid_file(couchdb_runtime_t, dir, "couchdb") ######################################## # @@ -63,9 +63,9 @@ manage_dirs_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) manage_files_pattern(couchdb_t, couchdb_var_lib_t, couchdb_var_lib_t) files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) -manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir) +manage_dirs_pattern(couchdb_t, couchdb_runtime_t, couchdb_runtime_t) +manage_files_pattern(couchdb_t, couchdb_runtime_t, couchdb_runtime_t) +files_pid_filetrans(couchdb_t, couchdb_runtime_t, dir) kernel_read_system_state(couchdb_t) diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc index c28b22092..8804751f1 100644 --- a/policy/modules/services/courier.fc +++ b/policy/modules/services/courier.fc @@ -33,7 +33,7 @@ /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) -/run/courier(/.*)? gen_context(system_u:object_r:courier_var_run_t,s0) +/run/courier(/.*)? gen_context(system_u:object_r:courier_runtime_t,s0) /var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) /var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index db4d192be..69ce2b0c4 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if 
@@ -65,11 +65,11 @@ interface(`courier_domtrans_authdaemon',` # interface(`courier_stream_connect_authdaemon',` gen_require(` - type courier_authdaemon_t, courier_var_run_t; + type courier_authdaemon_t, courier_runtime_t; ') files_search_spool($1) - stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t) + stream_connect_pattern($1, courier_runtime_t, courier_runtime_t, courier_authdaemon_t) ') ######################################## diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 1d873ae45..7c2ed47b8 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te @@ -23,8 +23,8 @@ files_type(courier_spool_t) type courier_var_lib_t; files_type(courier_var_lib_t) -type courier_var_run_t; -files_pid_file(courier_var_run_t) +type courier_runtime_t alias courier_var_run_t; +files_pid_file(courier_runtime_t) type courier_exec_t; mta_agent_executable(courier_exec_t) 
@@ -44,11 +44,11 @@ allow courier_domain self:udp_socket create_socket_perms; read_files_pattern(courier_domain, courier_etc_t, courier_etc_t) allow courier_domain courier_etc_t:dir list_dir_perms; -manage_dirs_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_lnk_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) -files_pid_filetrans(courier_domain, courier_var_run_t, dir) +manage_dirs_pattern(courier_domain, courier_runtime_t, courier_runtime_t) +manage_files_pattern(courier_domain, courier_runtime_t, courier_runtime_t) +manage_lnk_files_pattern(courier_domain, courier_runtime_t, courier_runtime_t) +manage_sock_files_pattern(courier_domain, courier_runtime_t, courier_runtime_t) +files_pid_filetrans(courier_domain, courier_runtime_t, dir) kernel_read_kernel_sysctls(courier_domain) kernel_read_system_state(courier_domain) diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc index d01f23501..3f8062170 100644 --- a/policy/modules/services/cpucontrol.fc +++ b/policy/modules/services/cpucontrol.fc @@ -10,4 +10,4 @@ /usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) -/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) +/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_runtime_t,s0) diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te index aee03750c..f2a1dc4be 100644 --- a/policy/modules/services/cpucontrol.te +++ b/policy/modules/services/cpucontrol.te 
@@ -18,8 +18,8 @@ type cpuspeed_t, cpucontrol_domain; type cpuspeed_exec_t; init_system_domain(cpuspeed_t, cpuspeed_exec_t) -type cpuspeed_var_run_t; -files_pid_file(cpuspeed_var_run_t) +type cpuspeed_runtime_t alias cpuspeed_var_run_t; +files_pid_file(cpuspeed_runtime_t) ######################################## # @@ -87,8 +87,8 @@ optional_policy(` allow cpuspeed_t self:process setsched; allow cpuspeed_t self:unix_dgram_socket create_socket_perms; -allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms; -files_pid_filetrans(cpuspeed_t, cpuspeed_var_run_t, file) +allow cpuspeed_t cpuspeed_runtime_t:file manage_file_perms; +files_pid_filetrans(cpuspeed_t, cpuspeed_runtime_t, file) kernel_read_system_state(cpuspeed_t) diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 5ba06a2c1..6fdcdb78d 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc 
@@ -28,14 +28,16 @@ /var/log/popularity-contest.* gen_context(system_u:object_r:cron_log_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) -/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) +/run/anacron\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) +/run/atd\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) +/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) +/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_runtime_t,s0) +/run/fcron\.fifo -s gen_context(system_u:object_r:crond_runtime_t,s0) +/run/fcron\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) +/run/.*cron.* -- gen_context(system_u:object_r:crond_runtime_t,s0) /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 87f8322b8..ac690b0a8 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -222,7 +222,7 @@ interface(`cron_admin_role',` gen_require(` type cronjob_t, crontab_exec_t, admin_crontab_t; class passwd crontab; - type crond_t, crond_var_run_t, user_cron_spool_t; + type crond_t, crond_runtime_t, user_cron_spool_t; bool cron_userdomain_transition, fcron_crond; ') 
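Review bot: The cron.fc hunk bundles two new file contexts, `/run/atd\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0)` and `/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)`, into what the commit message describes as a pure rename (the `-28,14 +28,16` counts confirm the net growth). Labeling at's spool as `user_cron_spool_t` extends every existing rule on that type to at jobs, which is a policy decision in its own right and is not explained anywhere on this page; it would be easier to review and bisect as a separate commit with its own rationale. If it stays here, a one-line mention in the commit message that at/atd are being folded into the cron types would at least make the scope change visible.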
@@ -279,7 +279,7 @@ interface(`cron_admin_role',` tunable_policy(`fcron_crond',` # Support for fcrondyn - stream_connect_pattern($2, crond_var_run_t, crond_var_run_t, crond_t) + stream_connect_pattern($2, crond_runtime_t, crond_runtime_t, crond_t) ') optional_policy(` @@ -640,10 +640,10 @@ interface(`cron_search_spool',` # interface(`cron_manage_pid_files',` gen_require(` - type crond_var_run_t; + type crond_runtime_t; ') - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) + manage_files_pattern($1, crond_runtime_t, crond_runtime_t) ') ######################################## @@ -954,7 +954,7 @@ interface(`cron_admin',` type cron_var_lib_t, system_cronjob_var_lib_t; type crond_tmp_t, admin_crontab_tmp_t; type crontab_tmp_t, system_cronjob_tmp_t; - type cron_var_run_t, system_cronjob_var_run_t, crond_var_run_t; + type cron_runtime_t, system_cronjob_runtime_t, crond_runtime_t; type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t; attribute cron_spool_type; ') @@ -972,7 +972,7 @@ interface(`cron_admin',` admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t }) files_search_pids($1) - admin_pattern($1, { cron_var_run_t crond_var_run_t system_cronjob_var_run_t }) + admin_pattern($1, { cron_runtime_t crond_runtime_t system_cronjob_runtime_t }) files_search_locks($1) admin_pattern($1, system_cronjob_lock_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index b97dcddf2..238c0ed4a 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -47,8 +47,8 @@ files_type(cron_spool_t) type cron_var_lib_t; files_type(cron_var_lib_t) -type cron_var_run_t; -files_pid_file(cron_var_run_t) +type cron_runtime_t alias cron_var_run_t; +files_pid_file(cron_runtime_t) type cron_log_t; logging_log_file(cron_log_t) 
@@ -77,8 +77,8 @@ files_poly_parent(crond_tmp_t) type crond_unit_t; init_unit_file(crond_unit_t) -type crond_var_run_t; -files_pid_file(crond_var_run_t) +type crond_runtime_t alias crond_var_run_t; +files_pid_file(crond_runtime_t) type crontab_exec_t; application_executable_file(crontab_exec_t) @@ -110,8 +110,8 @@ files_tmp_file(system_cronjob_tmp_t) type system_cronjob_var_lib_t; files_type(system_cronjob_var_lib_t) -type system_cronjob_var_run_t; -files_pid_file(system_cronjob_var_run_t) +type system_cronjob_runtime_t alias system_cronjob_var_run_t; +files_pid_file(system_cronjob_runtime_t) type user_cron_spool_t, cron_spool_type; typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; @@ -130,7 +130,7 @@ ifdef(`enable_mcs',` optional_policy(` mta_system_content(cron_spool_t) mta_system_content(crond_tmp_t) - mta_system_content(crond_var_run_t) + mta_system_content(crond_runtime_t) mta_system_content(system_cron_spool_t) mta_system_content(user_cron_spool_t) mta_system_content(user_cron_spool_log_t) @@ -159,7 +159,7 @@ filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file) allow crontab_domain cron_spool_t:dir setattr_dir_perms; allow crontab_domain crond_t:process signal; -allow crontab_domain crond_var_run_t:file read_file_perms; +allow crontab_domain crond_runtime_t:file read_file_perms; kernel_read_system_state(crontab_domain) @@ -241,8 +241,8 @@ dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(crond_t, cron_log_t, file) -manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -files_pid_filetrans(crond_t, crond_var_run_t, file) +manage_files_pattern(crond_t, crond_runtime_t, crond_runtime_t) +files_pid_filetrans(crond_t, crond_runtime_t, file) manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) 
@@ -367,8 +367,8 @@ tunable_policy(`allow_polyinstantiation',` tunable_policy(`fcron_crond',` allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; - allow crond_t crond_var_run_t:sock_file manage_sock_file_perms; - files_pid_filetrans(crond_t, crond_var_run_t, sock_file) + allow crond_t crond_runtime_t:sock_file manage_sock_file_perms; + files_pid_filetrans(crond_t, crond_runtime_t, sock_file) ') optional_policy(` @@ -473,8 +473,8 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) -allow system_cronjob_t cron_var_run_t:file manage_file_perms; -files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) +allow system_cronjob_t cron_runtime_t:file manage_file_perms; +files_pid_filetrans(system_cronjob_t, cron_runtime_t, file) manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) diff --git a/policy/modules/services/ctdb.fc b/policy/modules/services/ctdb.fc index 984843412..92022ee04 100644 --- a/policy/modules/services/ctdb.fc +++ b/policy/modules/services/ctdb.fc @@ -9,6 +9,6 @@ /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) -/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) +/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_runtime_t,s0) /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/policy/modules/services/ctdb.if b/policy/modules/services/ctdb.if index 79b0c9abd..1a2fe607b 100644 --- a/policy/modules/services/ctdb.if +++ b/policy/modules/services/ctdb.if 
@@ -33,11 +33,11 @@ interface(`ctdbd_manage_lib_files',` # interface(`ctdbd_stream_connect',` gen_require(` - type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; + type ctdbd_t, ctdbd_runtime_t, ctdbd_tmp_t; ') files_search_pids($1) - stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) + stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_runtime_t }, { ctdbd_tmp_t ctdbd_runtime_t }, ctdbd_t) ') ######################################## @@ -60,7 +60,7 @@ interface(`ctdbd_stream_connect',` interface(`ctdb_admin',` gen_require(` type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; + type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_runtime_t; ') allow $1 ctdbd_t:process { ptrace signal_perms }; @@ -78,5 +78,5 @@ interface(`ctdb_admin',` admin_pattern($1, ctdbd_var_lib_t) files_search_pids($1) - admin_pattern($1, ctdbd_var_run_t) + admin_pattern($1, ctdbd_runtime_t) ') diff --git a/policy/modules/services/ctdb.te b/policy/modules/services/ctdb.te index f52a9a4f8..473403cbd 100644 --- a/policy/modules/services/ctdb.te +++ b/policy/modules/services/ctdb.te @@ -24,8 +24,8 @@ files_tmp_file(ctdbd_tmp_t) type ctdbd_var_lib_t; files_type(ctdbd_var_lib_t) -type ctdbd_var_run_t; -files_pid_file(ctdbd_var_run_t) +type ctdbd_runtime_t alias ctdbd_var_run_t; +files_pid_file(ctdbd_runtime_t) ######################################## # 
@@ -59,9 +59,9 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) -manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) -files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) +manage_dirs_pattern(ctdbd_t, ctdbd_runtime_t, ctdbd_runtime_t) +manage_files_pattern(ctdbd_t, ctdbd_runtime_t, ctdbd_runtime_t) +files_pid_filetrans(ctdbd_t, ctdbd_runtime_t, dir) kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc index 950c288d5..df02e9539 100644 --- a/policy/modules/services/cups.fc +++ b/policy/modules/services/cups.fc 
@@ -75,12 +75,12 @@ /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) /var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) -/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) -/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) -/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) -/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_runtime_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_runtime_t,s0) +/run/cups(/.*)? gen_context(system_u:object_r:cupsd_runtime_t,s0) +/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_runtime_t,s0) +/run/hp.*\.port -- gen_context(system_u:object_r:hplip_runtime_t,s0) +/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_runtime_t,s0) +/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_runtime_t,s0) +/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_runtime_t,s0) +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_runtime_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if index e268b96f1..2c9dbd3ad 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if 
@@ -65,12 +65,12 @@ interface(`cups_domtrans',` # interface(`cups_stream_connect',` gen_require(` - type cupsd_t, cupsd_var_run_t; + type cupsd_t, cupsd_runtime_t; ') files_search_pids($1) - allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; - stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + allow $1 cupsd_runtime_t:sock_file read_sock_file_perms; + stream_connect_pattern($1, cupsd_runtime_t, cupsd_runtime_t, cupsd_t) ') ######################################## @@ -106,11 +106,11 @@ interface(`cups_dbus_chat',` # interface(`cups_read_pid_files',` gen_require(` - type cupsd_var_run_t; + type cupsd_runtime_t; ') files_search_pids($1) - allow $1 cupsd_var_run_t:file read_file_perms; + allow $1 cupsd_runtime_t:file read_file_perms; ') ######################################## @@ -284,11 +284,11 @@ interface(`cups_write_log',` # interface(`cups_stream_connect_ptal',` gen_require(` - type ptal_t, ptal_var_run_t; + type ptal_t, ptal_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) + stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t) ') ######################################## @@ -353,9 +353,9 @@ interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; type cupsd_etc_t, cupsd_log_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; - type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; + type cupsd_config_runtime_t, cupsd_lpd_runtime_t; + type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t; + type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t; type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; type hplip_t, ptal_t; ') 
@@ -379,6 +379,6 @@ interface(`cups_admin',` admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) files_list_pids($1) - admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) - admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) + admin_pattern($1, { cupsd_config_runtime_t cupsd_runtime_t hplip_runtime_t }) + admin_pattern($1, { ptal_runtime_t cupsd_lpd_runtime_t }) ') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 74ab14ccf..782de6876 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -9,13 +9,13 @@ type cupsd_config_t; type cupsd_config_exec_t; init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) -type cupsd_config_var_run_t; -files_pid_file(cupsd_config_var_run_t) +type cupsd_config_runtime_t alias cupsd_config_var_run_t; +files_pid_file(cupsd_config_runtime_t) type cupsd_t; type cupsd_exec_t; init_daemon_domain(cupsd_t, cupsd_exec_t) -init_named_socket_activation(cupsd_t, cupsd_var_run_t) +init_named_socket_activation(cupsd_t, cupsd_runtime_t) mls_trusted_object(cupsd_t) type cupsd_etc_t; @@ -45,8 +45,8 @@ role system_r types cupsd_lpd_t; type cupsd_lpd_tmp_t; files_tmp_file(cupsd_lpd_tmp_t) -type cupsd_lpd_var_run_t; -files_pid_file(cupsd_lpd_var_run_t) +type cupsd_lpd_runtime_t alias cupsd_lpd_var_run_t; +files_pid_file(cupsd_lpd_runtime_t) type cups_pdf_t; type cups_pdf_exec_t; @@ -61,10 +61,10 @@ files_tmp_file(cupsd_tmp_t) type cupsd_unit_t; init_unit_file(cupsd_unit_t) -type cupsd_var_run_t; -files_pid_file(cupsd_var_run_t) -init_daemon_pid_file(cupsd_var_run_t, dir, "cups") -mls_trusted_object(cupsd_var_run_t) +type cupsd_runtime_t alias cupsd_var_run_t; +files_pid_file(cupsd_runtime_t) +init_daemon_pid_file(cupsd_runtime_t, dir, "cups") +mls_trusted_object(cupsd_runtime_t) type hplip_t; type hplip_exec_t; 
@@ -83,8 +83,8 @@ files_tmp_file(hplip_tmp_t) type hplip_var_lib_t; files_type(hplip_var_lib_t) -type hplip_var_run_t; -files_pid_file(hplip_var_run_t) +type hplip_runtime_t alias hplip_var_run_t; +files_pid_file(hplip_runtime_t) type ptal_t; type ptal_exec_t; @@ -93,8 +93,8 @@ init_daemon_domain(ptal_t, ptal_exec_t) type ptal_etc_t; files_config_file(ptal_etc_t) -type ptal_var_run_t; -files_pid_file(ptal_var_run_t) +type ptal_runtime_t alias ptal_var_run_t; +files_pid_file(ptal_runtime_t) ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) 
@@ -148,24 +148,24 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) -manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) -files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) +manage_dirs_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t) +manage_files_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t) +manage_sock_files_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t) +manage_fifo_files_pattern(cupsd_t, cupsd_runtime_t, cupsd_runtime_t) +files_pid_filetrans(cupsd_t, cupsd_runtime_t, { dir fifo_file file }) allow cupsd_t hplip_t:process { signal sigkill }; read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -allow cupsd_t hplip_var_run_t:file read_file_perms; +allow cupsd_t hplip_runtime_t:file read_file_perms; # hpcups read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t) read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t) -stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +stream_connect_pattern(cupsd_t, ptal_runtime_t, ptal_runtime_t, ptal_t) +allow cupsd_t ptal_runtime_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) 
@@ -381,15 +381,15 @@ manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) -allow cupsd_config_t cupsd_var_run_t:file read_file_perms; +allow cupsd_config_t cupsd_runtime_t:file read_file_perms; -manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) -files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) +manage_dirs_pattern(cupsd_config_t, cupsd_config_runtime_t, cupsd_config_runtime_t) +manage_files_pattern(cupsd_config_t, cupsd_config_runtime_t, cupsd_config_runtime_t) +files_pid_filetrans(cupsd_config_t, cupsd_config_runtime_t, { dir file }) read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) -stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +stream_connect_pattern(cupsd_config_t, cupsd_runtime_t, cupsd_runtime_t, cupsd_t) can_exec(cupsd_config_t, cupsd_config_exec_t) @@ -514,10 +514,10 @@ manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { dir file }) -manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) -files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) +manage_files_pattern(cupsd_lpd_t, cupsd_lpd_runtime_t, cupsd_lpd_runtime_t) +files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_runtime_t, file) -stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +stream_connect_pattern(cupsd_lpd_t, cupsd_runtime_t, cupsd_runtime_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) 
@@ -642,10 +642,10 @@ manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) -manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) -files_pid_filetrans(hplip_t, hplip_var_run_t, file) +manage_files_pattern(hplip_t, hplip_runtime_t, hplip_runtime_t) +files_pid_filetrans(hplip_t, hplip_runtime_t, file) -stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +stream_connect_pattern(hplip_t, cupsd_runtime_t, cupsd_runtime_t, cupsd_t) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -748,12 +748,12 @@ allow ptal_t ptal_etc_t:dir list_dir_perms; read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) -manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) -files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) +manage_dirs_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t) +manage_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t) +manage_lnk_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t) +manage_fifo_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t) +manage_sock_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t) +files_pid_filetrans(ptal_t, ptal_runtime_t, { dir file lnk_file sock_file fifo_file }) kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc index 67ba72b57..a2405d195 100644 --- a/policy/modules/services/cvs.fc +++ b/policy/modules/services/cvs.fc 
@@ -8,6 +8,6 @@ /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) -/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0) +/run/cvs\.pid -- gen_context(system_u:object_r:cvs_runtime_t,s0) /var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index 49f6c1cb9..296fa1556 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -59,7 +59,7 @@ interface(`cvs_exec',` interface(`cvs_admin',` gen_require(` type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t, cvs_keytab_t; + type cvs_data_t, cvs_runtime_t, cvs_keytab_t; ') allow $1 cvs_t:process { ptrace signal_perms }; @@ -77,5 +77,5 @@ interface(`cvs_admin',` admin_pattern($1, cvs_data_t) files_list_pids($1) - admin_pattern($1, cvs_var_run_t) + admin_pattern($1, cvs_runtime_t) ') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index f090b62a4..b9de2daef 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -31,8 +31,8 @@ files_type(cvs_keytab_t) type cvs_tmp_t; files_tmp_file(cvs_tmp_t) -type cvs_var_run_t; -files_pid_file(cvs_var_run_t) +type cvs_runtime_t alias cvs_var_run_t; +files_pid_file(cvs_runtime_t) ######################################## # @@ -55,8 +55,8 @@ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file }) -manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) -files_pid_filetrans(cvs_t, cvs_var_run_t, file) +manage_files_pattern(cvs_t, cvs_runtime_t, cvs_runtime_t) +files_pid_filetrans(cvs_t, cvs_runtime_t, file) kernel_read_kernel_sysctls(cvs_t) kernel_read_system_state(cvs_t) diff --git a/policy/modules/services/cyphesis.fc b/policy/modules/services/cyphesis.fc index 5e9dd74e6..859f3efaf 100644 --- a/policy/modules/services/cyphesis.fc 
+++ b/policy/modules/services/cyphesis.fc @@ -4,4 +4,4 @@ /var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) -/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) +/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_runtime_t,s0) diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if index da37d4eea..f741459c1 100644 --- a/policy/modules/services/cyphesis.if +++ b/policy/modules/services/cyphesis.if @@ -39,7 +39,7 @@ interface(`cyphesis_domtrans',` interface(`cyphesis_admin',` gen_require(` type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t; - type cyphesis_var_run_t, cyphesis_tmp_t; + type cyphesis_runtime_t, cyphesis_tmp_t; ') allow $1 cyphesis_t:process { ptrace signal_perms }; @@ -51,7 +51,7 @@ interface(`cyphesis_admin',` admin_pattern($1, cyphesis_log_t) files_search_pids($1) - admin_pattern($1, cyphesis_var_run_t) + admin_pattern($1, cyphesis_runtime_t) files_search_tmp($1) admin_pattern($1, cyphesis_tmp_t) diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te index 5707b6188..47d5a1503 100644 --- a/policy/modules/services/cyphesis.te +++ b/policy/modules/services/cyphesis.te @@ -19,8 +19,8 @@ logging_log_file(cyphesis_log_t) type cyphesis_tmp_t; files_tmp_file(cyphesis_tmp_t) -type cyphesis_var_run_t; -files_pid_file(cyphesis_var_run_t) +type cyphesis_runtime_t alias cyphesis_var_run_t; +files_pid_file(cyphesis_runtime_t) ######################################## # 
@@ -37,10 +37,10 @@ create_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) setattr_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) -manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) -files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, dir) +manage_dirs_pattern(cyphesis_t, cyphesis_runtime_t, cyphesis_runtime_t) +manage_files_pattern(cyphesis_t, cyphesis_runtime_t, cyphesis_runtime_t) +manage_sock_files_pattern(cyphesis_t, cyphesis_runtime_t, cyphesis_runtime_t) +files_pid_filetrans(cyphesis_t, cyphesis_runtime_t, dir) kernel_read_system_state(cyphesis_t) kernel_read_kernel_sysctls(cyphesis_t) diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc index 36755fa2d..9795c9180 100644 --- a/policy/modules/services/cyrus.fc +++ b/policy/modules/services/cyrus.fc @@ -7,4 +7,4 @@ /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) -/run/cyrus.* gen_context(system_u:object_r:cyrus_var_run_t,s0) +/run/cyrus.* gen_context(system_u:object_r:cyrus_runtime_t,s0) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if index 759e074b8..57cdd62d2 100644 --- a/policy/modules/services/cyrus.if +++ b/policy/modules/services/cyrus.if @@ -60,7 +60,7 @@ interface(`cyrus_stream_connect',` interface(`cyrus_admin',` gen_require(` type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; - type cyrus_var_run_t, cyrus_initrc_exec_t; + type cyrus_runtime_t, cyrus_initrc_exec_t; type cyrus_keytab_t; ') @@ -79,5 +79,5 @@ interface(`cyrus_admin',` admin_pattern($1, cyrus_var_lib_t) files_list_pids($1) - admin_pattern($1, cyrus_var_run_t) + admin_pattern($1, cyrus_runtime_t) ') diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index af6b5b6ce..15ebb3ae9 100644 
--- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -21,8 +21,8 @@ files_tmp_file(cyrus_tmp_t) type cyrus_var_lib_t; files_type(cyrus_var_lib_t) -type cyrus_var_run_t; -files_pid_file(cyrus_var_run_t) +type cyrus_runtime_t alias cyrus_var_run_t; +files_pid_file(cyrus_runtime_t) ######################################## # @@ -55,9 +55,9 @@ manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) -manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) -files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) +manage_files_pattern(cyrus_t, cyrus_runtime_t, cyrus_runtime_t) +manage_sock_files_pattern(cyrus_t, cyrus_runtime_t, cyrus_runtime_t) +files_pid_filetrans(cyrus_t, cyrus_runtime_t, { file sock_file }) kernel_read_kernel_sysctls(cyrus_t) kernel_read_system_state(cyrus_t) diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc index 3aea91874..c2c4016ad 100644 --- a/policy/modules/services/dante.fc +++ b/policy/modules/services/dante.fc @@ -9,5 +9,5 @@ /usr/sbin/danted -- gen_context(system_u:object_r:dante_exec_t,s0) /usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) -/run/danted\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) -/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) +/run/danted\.pid -- gen_context(system_u:object_r:dante_runtime_t,s0) +/run/sockd\.pid -- gen_context(system_u:object_r:dante_runtime_t,s0) diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if index 8d02f8c8b..60948e029 100644 --- a/policy/modules/services/dante.if +++ b/policy/modules/services/dante.if 
@@ -19,7 +19,7 @@ # interface(`dante_admin',` gen_require(` - type dante_t, dante_conf_t, dante_var_run_t; + type dante_t, dante_conf_t, dante_runtime_t; type dante_initrc_exec_t; ') @@ -32,5 +32,5 @@ interface(`dante_admin',` admin_pattern($1, dante_conf_t) files_search_pids($1) - admin_pattern($1, dante_var_run_t) + admin_pattern($1, dante_runtime_t) ') diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te index 55d8dad35..cbc535de7 100644 --- a/policy/modules/services/dante.te +++ b/policy/modules/services/dante.te @@ -15,8 +15,8 @@ init_script_file(dante_initrc_exec_t) type dante_conf_t; files_config_file(dante_conf_t) -type dante_var_run_t; -files_pid_file(dante_var_run_t) +type dante_runtime_t alias dante_var_run_t; +files_pid_file(dante_runtime_t) ######################################## # @@ -32,8 +32,8 @@ allow dante_t self:tcp_socket { accept listen }; allow dante_t dante_conf_t:dir list_dir_perms; allow dante_t dante_conf_t:file read_file_perms; -manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t) -files_pid_filetrans(dante_t, dante_var_run_t, file) +manage_files_pattern(dante_t, dante_runtime_t, dante_runtime_t) +files_pid_filetrans(dante_t, dante_runtime_t, file) kernel_read_kernel_sysctls(dante_t) kernel_list_proc(dante_t) diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te index 41d6beb86..6b95dd690 100644 --- a/policy/modules/services/dbskk.te +++ b/policy/modules/services/dbskk.te @@ -13,8 +13,8 @@ role system_r types dbskkd_t; type dbskkd_tmp_t; files_tmp_file(dbskkd_tmp_t) -type dbskkd_var_run_t; -files_pid_file(dbskkd_var_run_t) +type dbskkd_runtime_t alias dbskkd_var_run_t; +files_pid_file(dbskkd_runtime_t) ######################################## # 
@@ -29,8 +29,8 @@ manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) -manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t) -files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file) +manage_files_pattern(dbskkd_t, dbskkd_runtime_t, dbskkd_runtime_t) +files_pid_filetrans(dbskkd_t, dbskkd_runtime_t, file) kernel_read_kernel_sysctls(dbskkd_t) kernel_read_system_state(dbskkd_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc index e9a13ee99..e0c35eb2f 100644 --- a/policy/modules/services/dbus.fc +++ b/policy/modules/services/dbus.fc @@ -2,8 +2,8 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) /etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) -/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_runtime_t,s0) +/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_runtime_t,s0) /run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_runtime_t,s0) /run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_runtime_t,s0) 
@@ -22,11 +22,11 @@ HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) -/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_runtime_t,s0) # /var/run prefix exception; https://dbus.freedesktop.org/doc/dbus-specification.html#idm2461 -/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/var/run/dbus/system_bus_socket gen_context(system_u:object_r:system_dbusd_runtime_t,s0) ifdef(`distro_debian',` -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_runtime_t,s0) ') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 8780edd98..7337fcd3b 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -133,7 +133,7 @@ template(`dbus_role_template',` interface(`dbus_system_bus_client',` gen_require(` attribute dbusd_system_bus_client; - type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; + type system_dbusd_t, system_dbusd_runtime_t, system_dbusd_var_lib_t; class dbus send_msg; ') @@ -146,7 +146,7 @@ interface(`dbus_system_bus_client',` read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t) dbus_read_config($1) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 53fcb1062..a5e33a11e 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te 
@@ -35,7 +35,7 @@ userdom_user_tmp_file(session_dbusd_tmp_t) type system_dbusd_t; init_system_domain(system_dbusd_t, dbusd_exec_t) -init_named_socket_activation(system_dbusd_t, system_dbusd_var_run_t) +init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t) type system_dbusd_tmp_t; files_tmp_file(system_dbusd_tmp_t) @@ -43,9 +43,9 @@ files_tmp_file(system_dbusd_tmp_t) type system_dbusd_var_lib_t; files_type(system_dbusd_var_lib_t) -type system_dbusd_var_run_t; -files_pid_file(system_dbusd_var_run_t) -init_daemon_pid_file(system_dbusd_var_run_t, dir, "dbus") +type system_dbusd_runtime_t alias system_dbusd_var_run_t; +files_pid_file(system_dbusd_runtime_t) +init_daemon_pid_file(system_dbusd_runtime_t, dir, "dbus") type session_dbusd_runtime_t; files_pid_file(session_dbusd_runtime_t) @@ -82,10 +82,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) -manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) -files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) +manage_dirs_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t) +manage_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t) +manage_sock_files_pattern(system_dbusd_t, system_dbusd_runtime_t, system_dbusd_runtime_t) +files_pid_filetrans(system_dbusd_t, system_dbusd_runtime_t, { dir file }) can_exec(system_dbusd_t, dbusd_exec_t) diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc index bc9189c84..204b444d1 100644 --- a/policy/modules/services/dcc.fc +++ b/policy/modules/services/dcc.fc 
@@ -1,5 +1,5 @@ /etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) -/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) +/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_runtime_t,s0) /etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) /usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) @@ -25,6 +25,6 @@ /var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) /var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) +/run/dcc(/.*)? gen_context(system_u:object_r:dcc_runtime_t,s0) /run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) -/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) +/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_runtime_t,s0) diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if index a5c21e0e8..31d971272 100644 --- a/policy/modules/services/dcc.if +++ b/policy/modules/services/dcc.if @@ -170,9 +170,9 @@ interface(`dcc_run_dbclean',` # interface(`dcc_stream_connect_dccifd',` gen_require(` - type dcc_var_t, dccifd_var_run_t, dccifd_t; + type dcc_var_t, dccifd_runtime_t, dccifd_t; ') files_search_var($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) + stream_connect_pattern($1, dcc_var_t, dccifd_runtime_t, dccifd_t) ') diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te index 9b8a0bc11..01770b0fd 100644 --- a/policy/modules/services/dcc.te +++ b/policy/modules/services/dcc.te @@ -44,8 +44,8 @@ files_tmp_file(dcc_dbclean_tmp_t) type dcc_var_t; files_type(dcc_var_t) -type dcc_var_run_t; -files_type(dcc_var_run_t) +type dcc_runtime_t; +files_type(dcc_runtime_t) type dccd_t; type dccd_exec_t; 
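Review bot: `type dcc_runtime_t;` in the `@@ -44,8 +44,8 @@` hunk of dcc.te drops the old name outright, whereas every other type renamed in this commit is declared as `type X_runtime_t alias X_var_run_t;` so that existing references keep resolving. Any local or out-of-tree module that still has `gen_require(` type dcc_var_run_t; ')` will fail to link against the new policy, and, as far as I recall SELinux behaviour, anything still carrying the old `dcc_var_run_t` label (the `/run/dcc(/.*)?` paths from the dcc.fc hunk, if not recreated or relabeled) would resolve to an invalid/unlabeled context rather than through an alias. Suggest `type dcc_runtime_t alias dcc_var_run_t;` to match the rest of the rename. Omitting the alias may be intentional if nothing outside this module ever referenced the type, but the commit message does not say so and the other declarations in the same file keep theirs.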
@@ -54,8 +54,8 @@ init_daemon_domain(dccd_t, dccd_exec_t) type dccd_tmp_t; files_tmp_file(dccd_tmp_t) -type dccd_var_run_t; -files_pid_file(dccd_var_run_t) +type dccd_runtime_t; +files_pid_file(dccd_runtime_t) type dccifd_t; type dccifd_exec_t; @@ -64,8 +64,8 @@ init_daemon_domain(dccifd_t, dccifd_exec_t) type dccifd_tmp_t; files_tmp_file(dccifd_tmp_t) -type dccifd_var_run_t; -files_pid_file(dccifd_var_run_t) +type dccifd_runtime_t alias dccifd_var_run_t; +files_pid_file(dccifd_runtime_t) type dccm_t; type dccm_exec_t; @@ -74,8 +74,8 @@ init_daemon_domain(dccm_t, dccm_exec_t) type dccm_tmp_t; files_tmp_file(dccm_tmp_t) -type dccm_var_run_t; -files_pid_file(dccm_var_run_t) +type dccm_runtime_t alias dccm_var_run_t; +files_pid_file(dccm_runtime_t) ######################################## # @@ -195,9 +195,9 @@ manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) -manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) -files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) +manage_dirs_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t) +manage_files_pattern(dccd_t, dccd_runtime_t, dccd_runtime_t) +files_pid_filetrans(dccd_t, dccd_runtime_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) 
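Review bot: `type dccd_runtime_t;` in the `@@ -54,8 +54,8 @@` hunk likewise has no `alias dccd_var_run_t`, while `dccifd_runtime_t` and `dccm_runtime_t` in the two hunks that follow keep the old name as an alias. The inconsistency means a policy module that requires `dccd_var_run_t` (for example to read dccd's pid file under `/run/dcc`) stops building with a "type not declared" error and has no deprecation window, which is presumably the reason the alias form was chosen elsewhere in this commit. Suggest `type dccd_runtime_t alias dccd_var_run_t;` so all four dcc runtime types follow the same convention.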
@@ -261,10 +261,10 @@ manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
 manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t)
 files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir })
-manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
-manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t)
-filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })
-files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
+manage_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
+manage_sock_files_pattern(dccifd_t, dccifd_runtime_t, dccifd_runtime_t)
+filetrans_pattern(dccifd_t, dcc_var_t, dccifd_runtime_t, { file sock_file })
+files_pid_filetrans(dccifd_t, dccifd_runtime_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
@@ -316,10 +316,10 @@ manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
 manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t)
 files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir })
-manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
-manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t)
-filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })
-files_pid_filetrans(dccm_t, dccm_var_run_t, file)
+manage_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
+manage_sock_files_pattern(dccm_t, dccm_runtime_t, dccm_runtime_t)
+filetrans_pattern(dccm_t, dcc_runtime_t, dccm_runtime_t, { file sock_file })
+files_pid_filetrans(dccm_t, dccm_runtime_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc
index 64d55e5c6..5fc7a53a3 100644
--- a/policy/modules/services/ddclient.fc
+++ b/policy/modules/services/ddclient.fc
@@ -15,5 +15,5 @@
 /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
-/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
-/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
+/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_runtime_t,s0)
+/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_runtime_t,s0)
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 96ddeea17..63ba603c1 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -67,7 +67,7 @@ interface(`ddclient_admin',`
 gen_require(`
 type ddclient_t, ddclient_etc_t, ddclient_log_t;
 type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
- type ddclient_var_run_t, ddclient_initrc_exec_t;
+ type ddclient_runtime_t, ddclient_initrc_exec_t;
 ')
 allow $1 ddclient_t:process { ptrace signal_perms };
@@ -88,7 +88,7 @@ interface(`ddclient_admin',`
 admin_pattern($1, ddclient_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, ddclient_var_run_t)
+ admin_pattern($1, ddclient_runtime_t)
 files_list_tmp($1)
 admin_pattern($1, ddclient_tmp_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index ff6500ab6..382afd3ff 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -30,8 +30,8 @@ files_type(ddclient_var_t)
 type ddclient_var_lib_t;
 files_type(ddclient_var_lib_t)
-type ddclient_var_run_t;
-files_pid_file(ddclient_var_run_t)
+type ddclient_runtime_t alias ddclient_var_run_t;
+files_pid_file(ddclient_runtime_t)
 ########################################
 #
@@ -61,8 +61,8 @@ manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
-manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
-files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
+manage_files_pattern(ddclient_t, ddclient_runtime_t, ddclient_runtime_t)
+files_pid_filetrans(ddclient_t, ddclient_runtime_t, file)
 kernel_getattr_core_if(ddclient_t)
 kernel_getattr_message_if(ddclient_t)
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
index 2b6d443c8..8293591d6 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
@@ -17,8 +17,8 @@
 /var/log/pm-powersave\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
 /var/log/pm-suspend\.log.* -- gen_context(system_u:object_r:devicekit_var_log_t,s0)
-/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0)
-/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_runtime_t,s0)
+/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_runtime_t,s0)
+/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_runtime_t,s0)
+/run/udisks.* gen_context(system_u:object_r:devicekit_runtime_t,s0)
+/run/upower(/.*)? gen_context(system_u:object_r:devicekit_runtime_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index da75b8e4e..9f2f2535b 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -32,11 +32,11 @@ interface(`devicekit_domtrans',`
 #
 interface(`devicekit_dgram_send',`
 gen_require(`
- type devicekit_t, devicekit_var_run_t;
+ type devicekit_t, devicekit_runtime_t;
 ')
 files_search_pids($1)
- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
+ dgram_send_pattern($1, devicekit_runtime_t, devicekit_runtime_t, devicekit_t)
 ')
 ########################################
@@ -211,11 +211,11 @@ interface(`devicekit_relabel_log_files',`
 #
 interface(`devicekit_read_pid_files',`
 gen_require(`
- type devicekit_var_run_t;
+ type devicekit_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ read_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t)
 ')
 ########################################
@@ -231,11 +231,11 @@ interface(`devicekit_read_pid_files',`
 #
 interface(`devicekit_manage_pid_files',`
 gen_require(`
- type devicekit_var_run_t;
+ type devicekit_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t)
 ')
 ########################################
@@ -258,7 +258,7 @@ interface(`devicekit_manage_pid_files',`
 interface(`devicekit_admin',`
 gen_require(`
 type devicekit_t, devicekit_disk_t, devicekit_power_t;
- type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ type devicekit_var_lib_t, devicekit_runtime_t, devicekit_tmp_t;
 type devicekit_var_log_t;
 ')
@@ -275,5 +275,5 @@ interface(`devicekit_admin',`
 admin_pattern($1, devicekit_var_log_t)
 files_search_pids($1)
- admin_pattern($1, devicekit_var_run_t)
+ admin_pattern($1, devicekit_runtime_t)
 ')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 2b8aee680..481c90cd6 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -20,8 +20,8 @@ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
 type devicekit_tmp_t;
 files_tmp_file(devicekit_tmp_t)
-type devicekit_var_run_t;
-files_pid_file(devicekit_var_run_t)
+type devicekit_runtime_t alias devicekit_var_run_t;
+files_pid_file(devicekit_runtime_t)
 type devicekit_var_lib_t;
 files_type(devicekit_var_lib_t)
@@ -36,9 +36,9 @@ logging_log_file(devicekit_var_log_t)
 allow devicekit_t self:unix_dgram_socket create_socket_perms;
-manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
-manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
-files_pid_filetrans(devicekit_t, devicekit_var_run_t, { dir file })
+manage_dirs_pattern(devicekit_t, devicekit_runtime_t, devicekit_runtime_t)
+manage_files_pattern(devicekit_t, devicekit_runtime_t, devicekit_runtime_t)
+files_pid_filetrans(devicekit_t, devicekit_runtime_t, { dir file })
 kernel_read_system_state(devicekit_t)
@@ -83,10 +83,10 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
 manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
-allow devicekit_disk_t devicekit_var_run_t:dir mounton;
-manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
-manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
-files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+allow devicekit_disk_t devicekit_runtime_t:dir mounton;
+manage_dirs_pattern(devicekit_disk_t, devicekit_runtime_t, devicekit_runtime_t)
+manage_files_pattern(devicekit_disk_t, devicekit_runtime_t, devicekit_runtime_t)
+files_pid_filetrans(devicekit_disk_t, devicekit_runtime_t, { dir file })
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
@@ -240,9 +240,9 @@ allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
 allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file })
+manage_dirs_pattern(devicekit_power_t, devicekit_runtime_t, devicekit_runtime_t)
+manage_files_pattern(devicekit_power_t, devicekit_runtime_t, devicekit_runtime_t)
+files_pid_filetrans(devicekit_power_t, devicekit_runtime_t, { dir file })
 kernel_read_fs_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index a58b11034..97d409dd0 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -10,4 +10,4 @@
 /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
 /var/lib/dhcp/dhcpd6\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
-/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_runtime_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
index b7a0337c4..2ece51928 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -78,7 +78,7 @@ interface(`dhcpd_initrc_domtrans',`
 interface(`dhcpd_admin',`
 gen_require(`
 type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
- type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ type dhcpd_runtime_t, dhcpd_initrc_exec_t;
 ')
 allow $1 dhcpd_t:process { ptrace signal_perms };
@@ -93,5 +93,5 @@ interface(`dhcpd_admin',`
 admin_pattern($1, dhcpd_state_t)
 files_list_pids($1)
- admin_pattern($1, dhcpd_var_run_t)
+ admin_pattern($1, dhcpd_runtime_t)
 ')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 5d7cc8b6a..4e6f8ba2c 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -29,8 +29,8 @@ files_tmp_file(dhcpd_tmp_t)
 type dhcpd_unit_t;
 init_unit_file(dhcpd_unit_t)
-type dhcpd_var_run_t;
-files_pid_file(dhcpd_var_run_t)
+type dhcpd_runtime_t alias dhcpd_var_run_t;
+files_pid_file(dhcpd_runtime_t)
 ########################################
 #
@@ -52,8 +52,8 @@ manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
 manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
 files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file })
-manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
-files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
+manage_files_pattern(dhcpd_t, dhcpd_runtime_t, dhcpd_runtime_t)
+files_pid_filetrans(dhcpd_t, dhcpd_runtime_t, file)
 can_exec(dhcpd_t, dhcpd_exec_t)
diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc
index b2c773b2d..68a5e3ea7 100644
--- a/policy/modules/services/dictd.fc
+++ b/policy/modules/services/dictd.fc
@@ -8,4 +8,4 @@
 /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
-/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+/run/dictd\.pid -- gen_context(system_u:object_r:dictd_runtime_t,s0)
diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if
index 6feb8280f..52697aa4f 100644
--- a/policy/modules/services/dictd.if
+++ b/policy/modules/services/dictd.if
@@ -20,7 +20,7 @@
 interface(`dictd_admin',`
 gen_require(`
 type dictd_t, dictd_etc_t, dictd_var_lib_t;
- type dictd_var_run_t, dictd_initrc_exec_t;
+ type dictd_runtime_t, dictd_initrc_exec_t;
 ')
 allow $1 dictd_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`dictd_admin',`
 admin_pattern($1, dictd_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, dictd_var_run_t)
+ admin_pattern($1, dictd_runtime_t)
 ')
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index ea11ea76d..6098c29d6 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -18,8 +18,8 @@ init_script_file(dictd_initrc_exec_t)
 type dictd_var_lib_t alias var_lib_dictd_t;
 files_type(dictd_var_lib_t)
-type dictd_var_run_t;
-files_pid_file(dictd_var_run_t)
+type dictd_runtime_t alias dictd_var_run_t;
+files_pid_file(dictd_runtime_t)
 ########################################
 #
@@ -37,8 +37,8 @@ allow dictd_t dictd_etc_t:file read_file_perms;
 allow dictd_t dictd_var_lib_t:dir list_dir_perms;
 allow dictd_t dictd_var_lib_t:file read_file_perms;
-manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t)
-files_pid_filetrans(dictd_t, dictd_var_run_t, file)
+manage_files_pattern(dictd_t, dictd_runtime_t, dictd_runtime_t)
+files_pid_filetrans(dictd_t, dictd_runtime_t, file)
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
diff --git a/policy/modules/services/dirmngr.fc b/policy/modules/services/dirmngr.fc
index 207bb54ac..7cd9fb3dc 100644
--- a/policy/modules/services/dirmngr.fc
+++ b/policy/modules/services/dirmngr.fc
@@ -11,8 +11,8 @@ HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0)
 /var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
 /var/cache/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
-/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+/run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_runtime_t,s0)
-/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_runtime_t,s0)
 /run/user/%{USERID}/gnupg/S\.dirmngr -s gen_context(system_u:object_r:dirmngr_tmp_t,s0)
diff --git a/policy/modules/services/dirmngr.if b/policy/modules/services/dirmngr.if
index 07af50631..cf1c2202e 100644
--- a/policy/modules/services/dirmngr.if
+++ b/policy/modules/services/dirmngr.if
@@ -113,7 +113,7 @@ interface(`dirmngr_stream_connect',`
 #
 interface(`dirmngr_admin',`
 gen_require(`
- type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_var_run_t;
+ type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_runtime_t;
 type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t;
 ')
@@ -129,7 +129,7 @@ interface(`dirmngr_admin',`
 admin_pattern($1, dirmngr_log_t)
 files_search_pids($1)
- admin_pattern($1, dirmngr_var_run_t)
+ admin_pattern($1, dirmngr_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, dirmngr_var_lib_t)
diff --git a/policy/modules/services/dirmngr.te b/policy/modules/services/dirmngr.te
index f8c136493..1504b3928 100644
--- a/policy/modules/services/dirmngr.te
+++ b/policy/modules/services/dirmngr.te
@@ -25,8 +25,8 @@ userdom_user_runtime_content(dirmngr_tmp_t)
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
-type dirmngr_var_run_t;
-files_pid_file(dirmngr_var_run_t)
+type dirmngr_runtime_t alias dirmngr_var_run_t;
+files_pid_file(dirmngr_runtime_t)
 type dirmngr_home_t;
 userdom_user_home_content(dirmngr_home_t)
@@ -58,10 +58,10 @@ files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
-manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
-manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
-manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
-files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
+manage_dirs_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t)
+manage_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t)
+manage_sock_files_pattern(dirmngr_t, dirmngr_runtime_t, dirmngr_runtime_t)
+files_pid_filetrans(dirmngr_t, dirmngr_runtime_t, { dir file })
 kernel_read_crypto_sysctls(dirmngr_t)
diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc
index 3da3c346f..9b8617bf3 100644
--- a/policy/modules/services/distcc.fc
+++ b/policy/modules/services/distcc.fc
@@ -4,4 +4,4 @@
 /var/log/distccd.* -- gen_context(system_u:object_r:distccd_log_t,s0)
-/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0)
+/run/distccd\.pid -- gen_context(system_u:object_r:distccd_runtime_t,s0)
diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if
index 6b432866b..f525c12ae 100644
--- a/policy/modules/services/distcc.if
+++ b/policy/modules/services/distcc.if
@@ -20,7 +20,7 @@
 interface(`distcc_admin',`
 gen_require(`
 type distccd_t, distccd_t, distccd_log_t;
- type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+ type distccd_runtime_t, distccd_tmp_t, distccd_initrc_exec_t;
 ')
 allow $1 distccd_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`distcc_admin',`
 admin_pattern($1, distccd_tmp_t)
 files_search_pids($1)
- admin_pattern($1, distccd_var_run_t)
+ admin_pattern($1, distccd_runtime_t)
 ')
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index 4239519e8..68da55f04 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -18,8 +18,8 @@ logging_log_file(distccd_log_t)
 type distccd_tmp_t;
 files_tmp_file(distccd_tmp_t)
-type distccd_var_run_t;
-files_pid_file(distccd_var_run_t)
+type distccd_runtime_t alias distccd_var_run_t;
+files_pid_file(distccd_runtime_t)
 ########################################
 #
@@ -41,8 +41,8 @@ manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
 manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
 files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir })
-manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t)
-files_pid_filetrans(distccd_t, distccd_var_run_t, file)
+manage_files_pattern(distccd_t, distccd_runtime_t, distccd_runtime_t)
+files_pid_filetrans(distccd_t, distccd_runtime_t, file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 278b880f4..04e45e57a 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -3,8 +3,8 @@
 /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
-/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_runtime_t,s0)
+/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_runtime_t,s0)
 /usr/bin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index f81566a87..e6f2450e1 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -148,10 +148,10 @@ interface(`dnsmasq_write_config',`
 #
 interface(`dnsmasq_delete_pid_files',`
 gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_runtime_t;
 ')
- delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ delete_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t)
 ')
 ########################################
@@ -167,11 +167,11 @@ interface(`dnsmasq_delete_pid_files',`
 #
 interface(`dnsmasq_manage_pid_files',`
 gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ manage_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t)
 ')
 ########################################
@@ -187,10 +187,10 @@ interface(`dnsmasq_manage_pid_files',`
 #
 interface(`dnsmasq_read_pid_files',`
 gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_runtime_t;
 ')
- read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ read_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t)
 ')
 ########################################
@@ -205,11 +205,11 @@ interface(`dnsmasq_read_pid_files',`
 #
 interface(`dnsmasq_create_pid_dirs',`
 gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_runtime_t;
 ')
 files_search_pids($1)
- allow $1 dnsmasq_var_run_t:dir create_dir_perms;
+ allow $1 dnsmasq_runtime_t:dir create_dir_perms;
 ')
 ########################################
@@ -241,10 +241,10 @@ interface(`dnsmasq_create_pid_dirs',`
 #
 interface(`dnsmasq_spec_filetrans_pid',`
 gen_require(`
- type dnsmasq_var_run_t;
+ type dnsmasq_runtime_t;
 ')
- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
+ filetrans_pattern($1, $2, dnsmasq_runtime_t, $3, $4)
 ')
 ########################################
@@ -266,7 +266,7 @@ interface(`dnsmasq_spec_filetrans_pid',`
 #
 interface(`dnsmasq_admin',`
 gen_require(`
- type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
+ type dnsmasq_t, dnsmasq_lease_t, dnsmasq_runtime_t;
 type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
 ')
@@ -282,5 +282,5 @@ interface(`dnsmasq_admin',`
 admin_pattern($1, dnsmasq_var_log_t)
 files_list_pids($1)
- admin_pattern($1, dnsmasq_var_run_t)
+ admin_pattern($1, dnsmasq_runtime_t)
 ')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 94c584d0b..9be5da5f2 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -24,8 +24,8 @@ init_unit_file(dnsmasq_unit_t)
 type dnsmasq_var_log_t;
 logging_log_file(dnsmasq_var_log_t)
-type dnsmasq_var_run_t;
-files_pid_file(dnsmasq_var_run_t)
+type dnsmasq_runtime_t alias dnsmasq_var_run_t;
+files_pid_file(dnsmasq_runtime_t)
 ########################################
 #
@@ -51,9 +51,9 @@ allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms;
 allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms;
 logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
-manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
-manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+manage_dirs_pattern(dnsmasq_t, dnsmasq_runtime_t, dnsmasq_runtime_t)
+manage_files_pattern(dnsmasq_t, dnsmasq_runtime_t, dnsmasq_runtime_t)
+files_pid_filetrans(dnsmasq_t, dnsmasq_runtime_t, { dir file })
 kernel_read_kernel_sysctls(dnsmasq_t)
 kernel_read_net_sysctls(dnsmasq_t)
@@ -132,6 +132,6 @@ optional_policy(`
 optional_policy(`
 virt_manage_lib_files(dnsmasq_t)
 virt_read_pid_files(dnsmasq_t)
- virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_runtime_t, { dir file })
 virt_domtrans_leaseshelper(dnsmasq_t)
 ')
diff --git a/policy/modules/services/dnssectrigger.fc b/policy/modules/services/dnssectrigger.fc
index e2ed6e235..14daa7582 100644
--- a/policy/modules/services/dnssectrigger.fc
+++ b/policy/modules/services/dnssectrigger.fc
@@ -8,4 +8,4 @@
 /var/log/dnssec-trigger\.log.* -- gen_context(system_u:object_r:dnssec_trigger_log_t,s0)
-/run/dnssec-triggerd\.pid -- gen_context(system_u:object_r:dnssec_triggerd_var_run_t,s0)
+/run/dnssec-triggerd\.pid -- gen_context(system_u:object_r:dnssec_triggerd_runtime_t,s0)
diff --git a/policy/modules/services/dnssectrigger.if b/policy/modules/services/dnssectrigger.if
index eea250e35..03c466272 100644
--- a/policy/modules/services/dnssectrigger.if
+++ b/policy/modules/services/dnssectrigger.if
@@ -20,7 +20,7 @@
 interface(`dnssectrigger_admin',`
 gen_require(`
 type dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t, dnssec_trigger_conf_t;
- type dnssec_trigger_log_t, dnssec_triggerd_var_run_t;
+ type dnssec_trigger_log_t, dnssec_triggerd_runtime_t;
 ')
 allow $1 dnssec_triggerd_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`dnssectrigger_admin',`
 admin_pattern($1, dnssec_trigger_log_t)
 files_search_pids($1)
- admin_pattern($1, dnssec_triggerd_var_run_t)
+ admin_pattern($1, dnssec_triggerd_runtime_t)
 ')
diff --git a/policy/modules/services/dnssectrigger.te b/policy/modules/services/dnssectrigger.te
index 27d900a13..6e520844c 100644
--- a/policy/modules/services/dnssectrigger.te
+++ b/policy/modules/services/dnssectrigger.te
@@ -18,8 +18,8 @@ files_config_file(dnssec_trigger_conf_t)
 type dnssec_trigger_log_t;
 logging_log_file(dnssec_trigger_log_t)
-type dnssec_triggerd_var_run_t;
-files_pid_file(dnssec_triggerd_var_run_t)
+type dnssec_triggerd_runtime_t alias dnssec_triggerd_var_run_t;
+files_pid_file(dnssec_triggerd_runtime_t)
 ########################################
 #
@@ -39,8 +39,8 @@ create_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log
 setattr_files_pattern(dnssec_triggerd_t, dnssec_trigger_log_t, dnssec_trigger_log_t)
 logging_log_filetrans(dnssec_triggerd_t, dnssec_trigger_log_t, file)
-manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_var_run_t, dnssec_triggerd_var_run_t)
-files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_var_run_t, file)
+manage_files_pattern(dnssec_triggerd_t, dnssec_triggerd_runtime_t, dnssec_triggerd_runtime_t)
+files_pid_filetrans(dnssec_triggerd_t, dnssec_triggerd_runtime_t, file)
 kernel_read_system_state(dnssec_triggerd_t)
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index 1b9d3bf41..1d37b8448 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -30,7 +30,7 @@
 /usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
 /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_runtime_t,s0)
 /run/dovecot/login/ssl-parameters\.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
 /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index 3608ba24a..151b88175 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -13,11 +13,11 @@
 #
 interface(`dovecot_stream_connect',`
 gen_require(`
- type dovecot_t, dovecot_var_run_t;
+ type dovecot_t, dovecot_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
+ stream_connect_pattern($1, dovecot_runtime_t, dovecot_runtime_t, dovecot_t)
 ')
 ########################################
@@ -34,11 +34,11 @@ interface(`dovecot_stream_connect',`
 #
 interface(`dovecot_stream_connect_auth',`
 gen_require(`
- type dovecot_auth_t, dovecot_var_run_t;
+ type dovecot_auth_t, dovecot_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
+ stream_connect_pattern($1, dovecot_runtime_t, dovecot_runtime_t, dovecot_auth_t)
 ')
 ########################################
@@ -141,7 +141,7 @@ interface(`dovecot_admin',`
 gen_require(`
 type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
 type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ type dovecot_runtime_t, dovecot_cert_t, dovecot_passwd_t;
 type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
 type dovecot_keytab_t;
 ')
@@ -167,7 +167,7 @@ interface(`dovecot_admin',`
 admin_pattern($1, dovecot_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, dovecot_var_run_t)
+ admin_pattern($1, dovecot_runtime_t)
 admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
 ')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index ce1781f59..da5a2b009 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -64,8 +64,8 @@ files_type(dovecot_var_lib_t)
 type dovecot_var_log_t;
 logging_log_file(dovecot_var_log_t)
-type dovecot_var_run_t;
-files_pid_file(dovecot_var_run_t)
+type dovecot_runtime_t alias dovecot_var_run_t;
+files_pid_file(dovecot_runtime_t)
 ########################################
 #
@@ -128,12 +128,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
 manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
+manage_dirs_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+manage_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+manage_lnk_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+manage_sock_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+manage_fifo_files_pattern(dovecot_t, dovecot_runtime_t, dovecot_runtime_t)
+files_pid_filetrans(dovecot_t, dovecot_runtime_t, { dir file fifo_file })
 can_exec(dovecot_t, dovecot_exec_t)
@@ -253,10 +253,10 @@ manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
 files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
-allow dovecot_auth_t dovecot_var_run_t:fifo_file write_fifo_file_perms;
-manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
+allow dovecot_auth_t dovecot_runtime_t:dir list_dir_perms;
+allow dovecot_auth_t dovecot_runtime_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_runtime_t:fifo_file write_fifo_file_perms;
+manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -335,11 +335,11 @@ manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tm
 manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
 files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
-allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
+allow dovecot_deliver_t dovecot_runtime_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_runtime_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_runtime_t:sock_file read_sock_file_perms;
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
+stream_connect_pattern(dovecot_deliver_t, dovecot_runtime_t, dovecot_runtime_t, { dovecot_t dovecot_auth_t })
 can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
diff --git a/policy/modules/services/dspam.fc b/policy/modules/services/dspam.fc
index 40f98ba6a..be76b9db7 100644
--- a/policy/modules/services/dspam.fc
+++ b/policy/modules/services/dspam.fc @@ -9,4 +9,4 @@ /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) -/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) +/run/dspam(/.*)? gen_context(system_u:object_r:dspam_runtime_t,s0) diff --git a/policy/modules/services/dspam.if b/policy/modules/services/dspam.if index 969fd89d0..0fa43acfd 100644 --- a/policy/modules/services/dspam.if +++ b/policy/modules/services/dspam.if @@ -32,12 +32,12 @@ interface(`dspam_domtrans',` # interface(`dspam_stream_connect',` gen_require(` - type dspam_t, dspam_var_run_t; + type dspam_t, dspam_runtime_t; ') files_search_pids($1) files_search_tmp($1) - stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) + stream_connect_pattern($1, dspam_runtime_t, dspam_runtime_t, dspam_t) ') ######################################## @@ -60,7 +60,7 @@ interface(`dspam_stream_connect',` interface(`dspam_admin',` gen_require(` type dspam_t, dspam_initrc_exec_t, dspam_log_t; - type dspam_var_lib_t, dspam_var_run_t; + type dspam_var_lib_t, dspam_runtime_t; ') allow $1 dspam_t:process { ptrace signal_perms }; @@ -75,5 +75,5 @@ interface(`dspam_admin',` admin_pattern($1, dspam_var_lib_t) files_search_pids($1) - admin_pattern($1, dspam_var_run_t) + admin_pattern($1, dspam_runtime_t) ') diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te index f43dca6b7..834d109ea 100644 --- a/policy/modules/services/dspam.te +++ b/policy/modules/services/dspam.te @@ -18,8 +18,8 @@ logging_log_file(dspam_log_t) type dspam_var_lib_t; files_type(dspam_var_lib_t) -type dspam_var_run_t; -files_pid_file(dspam_var_run_t) +type dspam_runtime_t alias dspam_var_run_t; +files_pid_file(dspam_runtime_t) ######################################## # 
@@ -41,10 +41,10 @@ manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
 manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t)
 files_var_lib_filetrans(dspam_t, dspam_var_lib_t, dir)
-manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t)
-files_pid_filetrans(dspam_t, dspam_var_run_t, dir)
+manage_dirs_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
+manage_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
+manage_sock_files_pattern(dspam_t, dspam_runtime_t, dspam_runtime_t)
+files_pid_filetrans(dspam_t, dspam_runtime_t, dir)
 corenet_all_recvfrom_unlabeled(dspam_t)
 corenet_all_recvfrom_netlabel(dspam_t)
diff --git a/policy/modules/services/entropyd.fc b/policy/modules/services/entropyd.fc
index ed5dffbfc..ee19c2ee8 100644
--- a/policy/modules/services/entropyd.fc
+++ b/policy/modules/services/entropyd.fc
@@ -8,5 +8,5 @@
 /usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
 /usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
-/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
-/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_runtime_t,s0)
+/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_runtime_t,s0)
diff --git a/policy/modules/services/entropyd.if b/policy/modules/services/entropyd.if
index eedfae6cf..4fdced18f 100644
--- a/policy/modules/services/entropyd.if
+++ b/policy/modules/services/entropyd.if
@@ -19,7 +19,7 @@
 #
 interface(`entropyd_admin',`
 gen_require(`
- type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
+ type entropyd_t, entropyd_initrc_exec_t, entropyd_runtime_t;
 ')
 allow $1 entropyd_t:process { ptrace signal_perms };
@@ -28,5 +28,5 @@ interface(`entropyd_admin',`
 init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, entropyd_var_run_t)
+ admin_pattern($1, entropyd_runtime_t)
 ')
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index 5dc8c2d7b..e8c9c2d8c 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -24,8 +24,8 @@ init_script_file(entropyd_initrc_exec_t)
 type entropyd_unit_t;
 init_unit_file(entropyd_unit_t)
-type entropyd_var_run_t;
-files_pid_file(entropyd_var_run_t)
+type entropyd_runtime_t alias entropyd_var_run_t;
+files_pid_file(entropyd_runtime_t)
 ########################################
 #
@@ -37,8 +37,8 @@ dontaudit entropyd_t self:capability sys_tty_config;
 allow entropyd_t self:process signal_perms;
 allow entropyd_t self:unix_stream_socket create_stream_socket_perms;
-manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
-files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+manage_files_pattern(entropyd_t, entropyd_runtime_t, entropyd_runtime_t)
+files_pid_filetrans(entropyd_t, entropyd_runtime_t, file)
 kernel_read_system_state(entropyd_t)
 kernel_rw_kernel_sysctl(entropyd_t)
diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc
index 1379b6eef..82cfb8b71 100644
--- a/policy/modules/services/fail2ban.fc
+++ b/policy/modules/services/fail2ban.fc
@@ -6,4 +6,4 @@
 /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
 /var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
-/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/run/fail2ban.* gen_context(system_u:object_r:fail2ban_runtime_t,s0)
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
index 5b8e08be5..43799c86d 100644
--- a/policy/modules/services/fail2ban.if
+++ b/policy/modules/services/fail2ban.if
@@ -79,11 +79,11 @@ interface(`fail2ban_run_client',`
 #
 interface(`fail2ban_stream_connect',`
 gen_require(`
- type fail2ban_t, fail2ban_var_run_t;
+ type fail2ban_t, fail2ban_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+ stream_connect_pattern($1, fail2ban_runtime_t, fail2ban_runtime_t, fail2ban_t)
 ')
 ########################################
@@ -232,11 +232,11 @@ interface(`fail2ban_append_log',`
 #
 interface(`fail2ban_read_pid_files',`
 gen_require(`
- type fail2ban_var_run_t;
+ type fail2ban_runtime_t;
 ')
 files_search_pids($1)
- allow $1 fail2ban_var_run_t:file read_file_perms;
+ allow $1 fail2ban_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -259,7 +259,7 @@ interface(`fail2ban_read_pid_files',`
 interface(`fail2ban_admin',`
 gen_require(`
 type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
+ type fail2ban_runtime_t, fail2ban_initrc_exec_t;
 type fail2ban_var_lib_t, fail2ban_client_t;
 ')
@@ -272,7 +272,7 @@ interface(`fail2ban_admin',`
 admin_pattern($1, fail2ban_log_t)
 files_list_pids($1)
- admin_pattern($1, fail2ban_var_run_t)
+ admin_pattern($1, fail2ban_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, fail2ban_var_lib_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 215d0935b..9af723242 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -20,8 +20,8 @@ logging_log_file(fail2ban_log_t)
 type fail2ban_var_lib_t;
 files_type(fail2ban_var_lib_t)
-type fail2ban_var_run_t;
-files_pid_file(fail2ban_var_run_t)
+type fail2ban_runtime_t alias fail2ban_var_run_t;
+files_pid_file(fail2ban_runtime_t)
 type fail2ban_tmp_t;
 files_tmp_file(fail2ban_tmp_t)
@@ -57,10 +57,10 @@ files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
 manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
 manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
-manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+manage_dirs_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
+manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
+files_pid_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 kernel_read_system_state(fail2ban_t)
@@ -133,7 +133,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
-stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+stream_connect_pattern(fail2ban_client_t, fail2ban_runtime_t, fail2ban_runtime_t, fail2ban_t)
 kernel_read_system_state(fail2ban_client_t)
diff --git a/policy/modules/services/fcoe.fc b/policy/modules/services/fcoe.fc
index cb9552dbe..dcfab4507 100644
--- a/policy/modules/services/fcoe.fc
+++ b/policy/modules/services/fcoe.fc
@@ -4,5 +4,5 @@
 /usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0)
-/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0)
-/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0)
+/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_runtime_t,s0)
+/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_runtime_t,s0)
diff --git a/policy/modules/services/fcoe.if b/policy/modules/services/fcoe.if
index 78d114715..eeb15f504 100644
--- a/policy/modules/services/fcoe.if
+++ b/policy/modules/services/fcoe.if
@@ -12,11 +12,11 @@
 #
 interface(`fcoe_dgram_send_fcoemon',`
 gen_require(`
- type fcoemon_t, fcoemon_var_run_t;
+ type fcoemon_t, fcoemon_runtime_t;
 ')
 files_search_pids($1)
- dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t)
+ dgram_send_pattern($1, fcoemon_runtime_t, fcoemon_runtime_t, fcoemon_t)
 ')
 ########################################
@@ -38,7 +38,7 @@ interface(`fcoe_dgram_send_fcoemon',`
 #
 interface(`fcoe_admin',`
 gen_require(`
- type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t;
+ type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_runtime_t;
 ')
 allow $1 fcoemon_t:process { ptrace signal_perms };
@@ -47,5 +47,5 @@ interface(`fcoe_admin',`
 init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, fcoemon_var_run_t)
+ admin_pattern($1, fcoemon_runtime_t)
 ')
diff --git a/policy/modules/services/fcoe.te b/policy/modules/services/fcoe.te
index 3ec9397c7..601b2363f 100644
--- a/policy/modules/services/fcoe.te
+++ b/policy/modules/services/fcoe.te
@@ -12,8 +12,8 @@ init_daemon_domain(fcoemon_t, fcoemon_exec_t)
 type fcoemon_initrc_exec_t;
 init_script_file(fcoemon_initrc_exec_t)
-type fcoemon_var_run_t;
-files_pid_file(fcoemon_var_run_t)
+type fcoemon_runtime_t alias fcoemon_var_run_t;
+files_pid_file(fcoemon_runtime_t)
 ########################################
 #
@@ -26,10 +26,10 @@ allow fcoemon_t self:unix_stream_socket { accept listen };
 allow fcoemon_t self:netlink_socket create_socket_perms;
 allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
-manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
-files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
+manage_dirs_pattern(fcoemon_t, fcoemon_runtime_t, fcoemon_runtime_t)
+manage_files_pattern(fcoemon_t, fcoemon_runtime_t, fcoemon_runtime_t)
+manage_sock_files_pattern(fcoemon_t, fcoemon_runtime_t, fcoemon_runtime_t)
+files_pid_filetrans(fcoemon_t, fcoemon_runtime_t, { dir file })
 files_read_etc_files(fcoemon_t)
diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc
index 8ffcb5ae6..fd3b88fe0 100644
--- a/policy/modules/services/fetchmail.fc
+++ b/policy/modules/services/fetchmail.fc
@@ -12,4 +12,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
 /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/run/fetchmail.* gen_context(system_u:object_r:fetchmail_runtime_t,s0)
diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
index 5115affc7..5176a3045 100644
--- a/policy/modules/services/fetchmail.if
+++ b/policy/modules/services/fetchmail.if
@@ -20,7 +20,7 @@ interface(`fetchmail_admin',`
 gen_require(`
 type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
- type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
+ type fetchmail_runtime_t, fetchmail_initrc_exec_t, fetchmail_log_t;
 ')
 init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t)
@@ -35,7 +35,7 @@ interface(`fetchmail_admin',`
 admin_pattern($1, fetchmail_uidl_cache_t)
 files_list_pids($1)
- admin_pattern($1, fetchmail_var_run_t)
+ admin_pattern($1, fetchmail_runtime_t)
 logging_search_logs($1)
 admin_pattern($1, fetchmail_log_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 1574b8758..50ea5fd0e 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -22,8 +22,8 @@ userdom_user_home_content(fetchmail_home_t)
 type fetchmail_log_t;
 logging_log_file(fetchmail_log_t)
-type fetchmail_var_run_t;
-files_pid_file(fetchmail_var_run_t)
+type fetchmail_runtime_t alias fetchmail_var_run_t;
+files_pid_file(fetchmail_runtime_t)
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
@@ -51,9 +51,9 @@ allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
-manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir })
+manage_dirs_pattern(fetchmail_t, fetchmail_runtime_t, fetchmail_runtime_t)
+manage_files_pattern(fetchmail_t, fetchmail_runtime_t, fetchmail_runtime_t)
+files_pid_filetrans(fetchmail_t, fetchmail_runtime_t, { file dir })
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc
index ce3adb5c9..973a169f0 100644
--- a/policy/modules/services/finger.fc
+++ b/policy/modules/services/finger.fc
@@ -10,4 +10,4 @@
 /var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
-/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
+/run/fingerd\.pid -- gen_context(system_u:object_r:fingerd_runtime_t,s0)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index 92a0161f1..32f84599f 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -16,8 +16,8 @@ files_config_file(fingerd_etc_t)
 type fingerd_log_t;
 logging_log_file(fingerd_log_t)
-type fingerd_var_run_t;
-files_pid_file(fingerd_var_run_t)
+type fingerd_runtime_t alias fingerd_var_run_t;
+files_pid_file(fingerd_runtime_t)
 ########################################
 #
@@ -30,8 +30,8 @@ allow fingerd_t self:process signal_perms;
 allow fingerd_t self:fifo_file rw_fifo_file_perms;
 allow fingerd_t self:tcp_socket connected_stream_socket_perms;
-manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
-files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
+manage_files_pattern(fingerd_t, fingerd_runtime_t, fingerd_runtime_t)
+files_pid_filetrans(fingerd_t, fingerd_runtime_t, file)
 allow fingerd_t fingerd_etc_t:dir list_dir_perms;
 read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
index 19fc91778..70129173f 100644
--- a/policy/modules/services/firewalld.fc
+++ b/policy/modules/services/firewalld.fc
@@ -8,5 +8,5 @@
 /var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
-/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
-/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_runtime_t,s0)
+/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_runtime_t,s0)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
index b4fda82cb..e2fa4d4f3 100644
--- a/policy/modules/services/firewalld.if
+++ b/policy/modules/services/firewalld.if
@@ -71,11 +71,11 @@ interface(`firewalld_dontaudit_rw_tmp_files',`
 #
 interface(`firewalld_read_var_run_files',`
 gen_require(`
- type firewalld_var_run_t;
+ type firewalld_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, firewalld_var_run_t, firewalld_var_run_t)
+ read_files_pattern($1, firewalld_runtime_t, firewalld_runtime_t)
 ')
 ########################################
@@ -98,7 +98,7 @@ interface(`firewalld_read_var_run_files',`
 interface(`firewalld_admin',`
 gen_require(`
 type firewalld_t, firewalld_initrc_exec_t;
- type firewalld_etc_rw_t, firewalld_var_run_t;
+ type firewalld_etc_rw_t, firewalld_runtime_t;
 type firewalld_var_log_t;
 ')
@@ -108,7 +108,7 @@ interface(`firewalld_admin',`
 init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, firewalld_var_run_t)
+ admin_pattern($1, firewalld_runtime_t)
 logging_search_logs($1)
 admin_pattern($1, firewalld_var_log_t)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 0b09d823b..93631ab63 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -21,8 +21,8 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
-type firewalld_var_run_t;
-files_pid_file(firewalld_var_run_t)
+type firewalld_runtime_t alias firewalld_var_run_t;
+files_pid_file(firewalld_runtime_t)
 ########################################
 #
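Review bot: The type inside `firewalld_read_var_run_files` becomes firewalld_runtime_t while the interface keeps "var_run" in its name, so the public name now refers to a term that survives only as a type alias; the same mismatch appears in fail2ban_read_pid_files, glance_read_pid_files and glance_manage_pid_files in this diff. The `alias` keeps existing callers of the type compiling, but nothing equivalent covers an interface name, so a later rename of these interfaces would need the old names retained as wrappers for out-of-tree callers. If the names are being kept deliberately, a short comment above the interface, e.g. `# interface name retained for compatibility; operates on firewalld_runtime_t`, would make that explicit. The interface's summary block begins outside the hunk.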
@@ -49,9 +49,9 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
 files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
 allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
-manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
-files_pid_filetrans(firewalld_t, firewalld_var_run_t, { dir file })
+manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
+manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
+files_pid_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index 6af8b34f8..b90598fed 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -23,7 +23,7 @@
 /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 3bfe581d2..655b3fa5d 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -160,7 +160,7 @@ interface(`ftp_admin',`
 gen_require(`
 type ftpd_t, ftpdctl_t, ftpd_tmp_t;
 type ftpd_etc_t, ftpd_lock_t, sftpd_t;
- type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ type ftpd_runtime_t, xferlog_t, anon_sftpd_t;
 type ftpd_initrc_exec_t, ftpdctl_tmp_t;
 type ftpd_keytab_t;
 ')
@@ -182,7 +182,7 @@ interface(`ftp_admin',`
 admin_pattern($1, ftpd_lock_t)
 files_list_pids($1)
- admin_pattern($1, ftpd_var_run_t)
+ admin_pattern($1, ftpd_runtime_t)
 logging_list_logs($1)
 admin_pattern($1, xferlog_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 29bc077c2..0a6f92dfa 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -139,8 +139,8 @@ files_tmpfs_file(ftpd_tmpfs_t)
 type ftpd_unit_t;
 init_unit_file(ftpd_unit_t)
-type ftpd_var_run_t;
-files_pid_file(ftpd_var_run_t)
+type ftpd_runtime_t alias ftpd_var_run_t;
+files_pid_file(ftpd_runtime_t)
 type ftpdctl_t;
 type ftpdctl_exec_t;
@@ -194,10 +194,10 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
-files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
+manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+files_pid_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@@ -420,7 +420,7 @@ optional_policy(`
 # Ctl local policy
 #
-stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
+stream_connect_pattern(ftpdctl_t, ftpd_runtime_t, ftpd_runtime_t, ftpd_t)
 allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc
index 516f65a24..0d068cbfd 100644
--- a/policy/modules/services/gatekeeper.fc
+++ b/policy/modules/services/gatekeeper.fc
@@ -10,5 +10,5 @@
 /var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
-/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
-/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
+/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_runtime_t,s0)
+/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_runtime_t,s0)
diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if
index 83681df77..4f73dc34c 100644
--- a/policy/modules/services/gatekeeper.if
+++ b/policy/modules/services/gatekeeper.if
@@ -20,7 +20,7 @@ interface(`gatekeeper_admin',`
 gen_require(`
 type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t;
- type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
+ type gatekeeper_runtime_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
 ')
 allow $1 gatekeeper_t:process { ptrace signal_perms };
@@ -38,5 +38,5 @@ interface(`gatekeeper_admin',`
 admin_pattern($1, gatekeeper_tmp_t)
 files_search_var_lib($1)
- admin_pattern($1, gatekeeper_var_run_t)
+ admin_pattern($1, gatekeeper_runtime_t)
 ')
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index a2a4b41c1..3420475f8 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -21,8 +21,8 @@ logging_log_file(gatekeeper_log_t)
 type gatekeeper_tmp_t;
 files_tmp_file(gatekeeper_tmp_t)
-type gatekeeper_var_run_t;
-files_pid_file(gatekeeper_var_run_t)
+type gatekeeper_runtime_t alias gatekeeper_var_run_t;
+files_pid_file(gatekeeper_runtime_t)
 ########################################
 #
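Review bot: In gatekeeper_admin the renamed `admin_pattern($1, gatekeeper_runtime_t)` is still preceded by `files_search_var_lib($1)` rather than `files_search_pids($1)`, which is what every other *_admin interface in this diff pairs with the runtime-type admin_pattern (dspam, entropyd, fcoe, glance, glusterfs, gpm, gpsd). Unless an earlier part of the interface, outside this hunk, already grants search on the pid directory, $1 receives the admin rules on gatekeeper_runtime_t but cannot traverse /run to reach the files they cover; the gen_require lists no gatekeeper_var_lib_t, so the var_lib search looks like a leftover rather than intentional. Suggested line: `files_search_pids($1)`. The body of gatekeeper_admin begins outside the hunk.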
@@ -48,9 +48,9 @@ manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
 manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
 files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
-manage_dirs_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
-manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
-files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, { dir file })
+manage_dirs_pattern(gatekeeper_t, gatekeeper_runtime_t, gatekeeper_runtime_t)
+manage_files_pattern(gatekeeper_t, gatekeeper_runtime_t, gatekeeper_runtime_t)
+files_pid_filetrans(gatekeeper_t, gatekeeper_runtime_t, { dir file })
 kernel_read_system_state(gatekeeper_t)
 kernel_read_kernel_sysctls(gatekeeper_t)
diff --git a/policy/modules/services/gdomap.fc b/policy/modules/services/gdomap.fc
index ee4b34a9d..2074d1dd5 100644
--- a/policy/modules/services/gdomap.fc
+++ b/policy/modules/services/gdomap.fc
@@ -4,5 +4,5 @@
 /usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
-/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
-/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_runtime_t,s0)
+/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_runtime_t,s0)
diff --git a/policy/modules/services/gdomap.if b/policy/modules/services/gdomap.if
index 58e5c4423..8d169e97e 100644
--- a/policy/modules/services/gdomap.if
+++ b/policy/modules/services/gdomap.if
@@ -39,7 +39,7 @@ interface(`gdomap_read_config',`
 interface(`gdomap_admin',`
 gen_require(`
 type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
- type gdomap_var_run_t;
+ type gdomap_runtime_t;
 ')
 allow $1 gdomap_t:process { ptrace signal_perms };
@@ -51,5 +51,5 @@ interface(`gdomap_admin',`
 admin_pattern($1, gdomap_conf_t)
 files_search_pids($1)
- admin_pattern($1, gdomap_var_run_t)
+ admin_pattern($1, gdomap_runtime_t)
 ')
diff --git a/policy/modules/services/gdomap.te b/policy/modules/services/gdomap.te
index e53ddc5d9..46b2aca44 100644
--- a/policy/modules/services/gdomap.te
+++ b/policy/modules/services/gdomap.te
@@ -15,8 +15,8 @@ init_script_file(gdomap_initrc_exec_t)
 type gdomap_conf_t;
 files_config_file(gdomap_conf_t)
-type gdomap_var_run_t;
-files_pid_file(gdomap_var_run_t)
+type gdomap_runtime_t alias gdomap_var_run_t;
+files_pid_file(gdomap_runtime_t)
 ########################################
 #
@@ -26,10 +26,10 @@ files_pid_file(gdomap_var_run_t)
 allow gdomap_t self:capability { net_bind_service setgid setuid sys_chroot };
 allow gdomap_t self:tcp_socket { listen accept };
-allow gdomap_t gdomap_var_run_t:file manage_file_perms;
-# gdomap_var_run_t dir is for chroot
-allow gdomap_t gdomap_var_run_t:dir search;
-files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
+allow gdomap_t gdomap_runtime_t:file manage_file_perms;
+# gdomap_runtime_t dir is for chroot
+allow gdomap_t gdomap_runtime_t:dir search;
+files_pid_filetrans(gdomap_t, gdomap_runtime_t, file, "gdomap.pid")
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
 corenet_tcp_bind_generic_node(gdomap_t)
diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc
index caf9c3d89..de66d841f 100644
--- a/policy/modules/services/glance.fc
+++ b/policy/modules/services/glance.fc
@@ -8,4 +8,4 @@
 /var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
-/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
+/run/glance(/.*)? gen_context(system_u:object_r:glance_runtime_t,s0)
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
index 6d9f3daaa..92e6e3c92 100644
--- a/policy/modules/services/glance.if
+++ b/policy/modules/services/glance.if
@@ -191,11 +191,11 @@ interface(`glance_manage_lib_dirs',`
 #
 interface(`glance_read_pid_files',`
 gen_require(`
- type glance_var_run_t;
+ type glance_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, glance_var_run_t, glance_var_run_t)
+ read_files_pattern($1, glance_runtime_t, glance_runtime_t)
 ')
 ########################################
@@ -211,11 +211,11 @@ interface(`glance_read_pid_files',`
 #
 interface(`glance_manage_pid_files',`
 gen_require(`
- type glance_var_run_t;
+ type glance_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
+ manage_files_pattern($1, glance_runtime_t, glance_runtime_t)
 ')
 ########################################
@@ -238,7 +238,7 @@ interface(`glance_manage_pid_files',`
 interface(`glance_admin',`
 gen_require(`
 type glance_registry_t, glance_api_t, glance_log_t;
- type glance_var_lib_t, glance_var_run_t;
+ type glance_var_lib_t, glance_runtime_t;
 type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
 ')
@@ -255,5 +255,5 @@ interface(`glance_admin',`
 admin_pattern($1, glance_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, glance_var_run_t)
+ admin_pattern($1, glance_runtime_t)
 ')
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
index 20f0ff272..c624348d5 100644
--- a/policy/modules/services/glance.te
+++ b/policy/modules/services/glance.te
@@ -33,8 +33,8 @@ files_type(glance_var_lib_t)
 type glance_tmp_t;
 files_tmp_file(glance_tmp_t)
-type glance_var_run_t;
-files_pid_file(glance_var_run_t)
+type glance_runtime_t alias glance_var_run_t;
+files_pid_file(glance_runtime_t)
 #######################################
 #
@@ -53,8 +53,8 @@ setattr_files_pattern(glance_domain, glance_log_t, glance_log_t)
 manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
 manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
-manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
+manage_dirs_pattern(glance_domain, glance_runtime_t, glance_runtime_t)
+manage_files_pattern(glance_domain, glance_runtime_t, glance_runtime_t)
 kernel_read_system_state(glance_domain)
diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
index be43eb4f7..8e538dc8e 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -15,5 +15,5 @@
 /var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
-/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
-/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_runtime_t,s0)
diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index b4f5d01c2..fec72ef7c 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -21,7 +21,7 @@ interface(`glusterfs_admin',`
 gen_require(`
 type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
 type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
- type glusterd_var_run_t;
+ type glusterd_runtime_t;
 ')
 init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
@@ -42,5 +42,5 @@ interface(`glusterfs_admin',`
 admin_pattern($1, glusterd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, glusterd_var_run_t)
+ admin_pattern($1, glusterd_runtime_t)
 ')
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index 54bd1807c..57636b9d8 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -21,8 +21,8 @@ files_tmp_file(glusterd_tmp_t)
 type glusterd_log_t;
 logging_log_file(glusterd_log_t)
-type glusterd_var_run_t;
-files_pid_file(glusterd_var_run_t)
+type glusterd_runtime_t alias glusterd_var_run_t;
+files_pid_file(glusterd_runtime_t)
 type glusterd_var_lib_t;
 files_type(glusterd_var_lib_t)
@@ -53,10 +53,10 @@ create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
 logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
+manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
+manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
+files_pid_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })
 manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc
index 24531dc00..fcb57f530 100644
--- a/policy/modules/services/gpm.fc
+++ b/policy/modules/services/gpm.fc
@@ -10,4 +10,4 @@
 /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
-/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
+/run/gpm\.pid -- gen_context(system_u:object_r:gpm_runtime_t,s0)
diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
index e024da28c..a8d3babc6 100644
--- a/policy/modules/services/gpm.if
+++ b/policy/modules/services/gpm.if
@@ -102,7 +102,7 @@ interface(`gpm_setattr_gpmctl',` interface(`gpm_admin',` gen_require(` type gpm_t, gpm_conf_t, gpm_initrc_exec_t; - type gpm_var_run_t, gpmctl_t; + type gpm_runtime_t, gpmctl_t; ') allow $1 gpm_t:process { ptrace signal_perms }; @@ -117,5 +117,5 @@ interface(`gpm_admin',` admin_pattern($1, gpmctl_t) files_search_pids($1) - admin_pattern($1, gpm_var_run_t) + admin_pattern($1, gpm_runtime_t) ') diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te index 6e6ad1930..c6a1a06e0 100644 --- a/policy/modules/services/gpm.te +++ b/policy/modules/services/gpm.te @@ -18,8 +18,8 @@ files_type(gpm_conf_t) type gpm_tmp_t; files_tmp_file(gpm_tmp_t) -type gpm_var_run_t; -files_pid_file(gpm_var_run_t) +type gpm_runtime_t alias gpm_var_run_t; +files_pid_file(gpm_runtime_t) type gpmctl_t; files_type(gpmctl_t) @@ -41,8 +41,8 @@ manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) -allow gpm_t gpm_var_run_t:file manage_file_perms; -files_pid_filetrans(gpm_t, gpm_var_run_t, file) +allow gpm_t gpm_runtime_t:file manage_file_perms; +files_pid_filetrans(gpm_t, gpm_runtime_t, file) allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc index 4e62fd9e8..e03b20a1c 100644 --- a/policy/modules/services/gpsd.fc +++ b/policy/modules/services/gpsd.fc @@ -4,5 +4,5 @@ /usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) -/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) -/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) +/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_runtime_t,s0) +/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_runtime_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if index 1d10f63ad..da61fd4ee 100644 
--- a/policy/modules/services/gpsd.if +++ b/policy/modules/services/gpsd.if @@ -85,7 +85,7 @@ interface(`gpsd_rw_shm',` # interface(`gpsd_admin',` gen_require(` - type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t; + type gpsd_t, gpsd_initrc_exec_t, gpsd_runtime_t; ') allow $1 gpsd_t:process { ptrace signal_perms }; @@ -94,7 +94,7 @@ interface(`gpsd_admin',` init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t) files_search_pids($1) - admin_pattern($1, gpsd_var_run_t) + admin_pattern($1, gpsd_runtime_t) gpsd_run($1, $2) ') diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te index d4aacb79c..29dc7acfa 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -19,8 +19,8 @@ init_script_file(gpsd_initrc_exec_t) type gpsd_tmpfs_t; files_tmpfs_file(gpsd_tmpfs_t) -type gpsd_var_run_t; -files_pid_file(gpsd_var_run_t) +type gpsd_runtime_t alias gpsd_var_run_t; +files_pid_file(gpsd_runtime_t) ######################################## # @@ -38,9 +38,9 @@ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) -manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) -files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) +manage_files_pattern(gpsd_t, gpsd_runtime_t, gpsd_runtime_t) +manage_sock_files_pattern(gpsd_t, gpsd_runtime_t, gpsd_runtime_t) +files_pid_filetrans(gpsd_t, gpsd_runtime_t, { file sock_file }) kernel_list_proc(gpsd_t) kernel_request_load_module(gpsd_t) diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc index b43cfde90..e6a80dbdc 100644 --- a/policy/modules/services/hadoop.fc +++ b/policy/modules/services/hadoop.fc 
@@ -43,11 +43,11 @@ /var/log/hadoop.*/history(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_log_t,s0) /var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t,s0) -/run/hadoop.* -d gen_context(system_u:object_r:hadoop_var_run_t,s0) -/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_var_run_t,s0) -/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_var_run_t,s0) -/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_var_run_t,s0) -/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_var_run_t,s0) -/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_var_run_t,s0) +/run/hadoop.* -d gen_context(system_u:object_r:hadoop_runtime_t,s0) +/run/hadoop.*/hadoop-hadoop-datanode\.pid -- gen_context(system_u:object_r:hadoop_datanode_initrc_runtime_t,s0) +/run/hadoop.*/hadoop-hadoop-jobtracker\.pid -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_runtime_t,s0) +/run/hadoop.*/hadoop-hadoop-namenode\.pid -- gen_context(system_u:object_r:hadoop_namenode_initrc_runtime_t,s0) +/run/hadoop.*/hadoop-hadoop-secondarynamenode\.pid -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_runtime_t,s0) +/run/hadoop.*/hadoop-hadoop-tasktracker\.pid -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_runtime_t,s0) /var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if index 5908119df..f7af454cc 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if 
@@ -15,7 +15,7 @@ template(`hadoop_domain_template',` attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file; attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file; attribute hadoop_tmp_file, hadoop_var_lib_file; - type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t; + type hadoop_log_t, hadoop_var_lib_t, hadoop_runtime_t; type hadoop_exec_t, hadoop_hsperfdata_t; ') @@ -34,8 +34,8 @@ template(`hadoop_domain_template',` init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) role system_r types hadoop_$1_initrc_t; - type hadoop_$1_initrc_var_run_t, hadoop_pid_file; - files_pid_file(hadoop_$1_initrc_var_run_t) + type hadoop_$1_initrc_runtime_t, hadoop_pid_file; + files_pid_file(hadoop_$1_initrc_runtime_t) type hadoop_$1_lock_t, hadoop_lock_file; files_lock_file(hadoop_$1_lock_t) @@ -61,8 +61,8 @@ template(`hadoop_domain_template',` manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) - manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_runtime_t, hadoop_$1_initrc_runtime_t) + filetrans_pattern(hadoop_$1_t, hadoop_runtime_t, hadoop_$1_initrc_runtime_t, file) manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file) 
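Review bot: The per-instance pid type declared in the `@@ -34,8 +34,8 @@` hunk, `type hadoop_$1_initrc_runtime_t, hadoop_pid_file;`, drops the old name entirely, whereas most renames in this commit keep it as an alias (e.g. `type bacula_runtime_t alias bacula_var_run_t;`). Without `alias hadoop_$1_initrc_var_run_t`, any out-of-tree module that still references `hadoop_datanode_initrc_var_run_t` and friends will presumably fail to link, and pid files already carrying the old label would stop matching the type on policy reload. Unless the omission is deliberate, the line should read `type hadoop_$1_initrc_runtime_t alias hadoop_$1_initrc_var_run_t, hadoop_pid_file;`. The template body continues outside this hunk.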
@@ -81,8 +81,8 @@ template(`hadoop_domain_template',` manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t) files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file) - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) + manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_runtime_t, hadoop_$1_initrc_runtime_t) + filetrans_pattern(hadoop_$1_initrc_t, hadoop_runtime_t, hadoop_$1_initrc_runtime_t, file) manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t) filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te index 9f333bfd2..15d0086ba 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te @@ -41,8 +41,8 @@ userdom_user_tmp_file(hadoop_tmp_t) type hadoop_var_lib_t, hadoop_var_lib_file; files_type(hadoop_var_lib_t) -type hadoop_var_run_t, hadoop_pid_file; -files_pid_file(hadoop_var_run_t) +type hadoop_runtime_t, hadoop_pid_file; +files_pid_file(hadoop_runtime_t) type hadoop_hsperfdata_t; userdom_user_tmp_file(hadoop_hsperfdata_t) @@ -77,8 +77,8 @@ files_tmp_file(zookeeper_server_tmp_t) type zookeeper_server_var_t; files_type(zookeeper_server_var_t) -type zookeeper_server_var_run_t, hadoop_pid_file; -files_pid_file(zookeeper_server_var_run_t) +type zookeeper_server_runtime_t alias zookeeper_server_var_run_t, hadoop_pid_file; +files_pid_file(zookeeper_server_runtime_t) type zookeeper_tmp_t, hadoop_tmp_file; userdom_user_tmp_file(zookeeper_tmp_t) 
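Review bot: In hadoop.te the `@@ -41,8 +41,8 @@` hunk declares `type hadoop_runtime_t, hadoop_pid_file;` with no alias, while the very next hunk in the same file declares `type zookeeper_server_runtime_t alias zookeeper_server_var_run_t, hadoop_pid_file;` and keeps the old name. That inconsistency looks accidental: local or third-party policy referencing `hadoop_var_run_t` would presumably no longer build, and `/run/hadoop*` directories already labelled with the old type would lose their mapping on reload until relabelled. Suggest `type hadoop_runtime_t alias hadoop_var_run_t, hadoop_pid_file;` so that the rename is transparent like the others, or a note in the commit message if the alias is intentionally dropped.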
@@ -119,7 +119,7 @@ manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t) files_search_var_lib(hadoop_t) -getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t) +getattr_dirs_pattern(hadoop_t, hadoop_runtime_t, hadoop_runtime_t) kernel_read_network_state(hadoop_t) kernel_read_system_state(hadoop_t) @@ -251,8 +251,8 @@ dontaudit hadoop_initrc_domain self:capability sys_tty_config; allow hadoop_initrc_domain self:process setsched; allow hadoop_initrc_domain self:fifo_file rw_fifo_file_perms; -manage_dirs_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t) -manage_files_pattern(hadoop_initrc_domain, hadoop_var_run_t, hadoop_var_run_t) +manage_dirs_pattern(hadoop_initrc_domain, hadoop_runtime_t, hadoop_runtime_t) +manage_files_pattern(hadoop_initrc_domain, hadoop_runtime_t, hadoop_runtime_t) hadoop_exec_config(hadoop_initrc_domain) @@ -497,8 +497,8 @@ logging_log_filetrans(zookeeper_server_t, zookeeper_log_t, file) manage_files_pattern(zookeeper_server_t, zookeeper_server_tmp_t, zookeeper_server_tmp_t) filetrans_pattern(zookeeper_server_t, hadoop_hsperfdata_t, zookeeper_server_tmp_t, file) -manage_files_pattern(zookeeper_server_t, zookeeper_server_var_run_t, zookeeper_server_var_run_t) -files_pid_filetrans(zookeeper_server_t, zookeeper_server_var_run_t, file) +manage_files_pattern(zookeeper_server_t, zookeeper_server_runtime_t, zookeeper_server_runtime_t) +files_pid_filetrans(zookeeper_server_t, zookeeper_server_runtime_t, file) can_exec(zookeeper_server_t, zookeeper_server_exec_t) diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc index 5ac1f7a74..9e65a37f0 100644 --- a/policy/modules/services/hal.fc +++ b/policy/modules/services/hal.fc 
@@ -22,8 +22,8 @@ /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) -/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) -/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) +/run/hald(/.*)? gen_context(system_u:object_r:hald_runtime_t,s0) +/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_runtime_t,s0) +/run/pm(/.*)? gen_context(system_u:object_r:hald_runtime_t,s0) +/run/synce.* gen_context(system_u:object_r:hald_runtime_t,s0) +/run/vbe.* -- gen_context(system_u:object_r:hald_runtime_t,s0) diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if index 98c4f127d..3d8085c88 100644 --- a/policy/modules/services/hal.if +++ b/policy/modules/services/hal.if @@ -373,11 +373,11 @@ interface(`hal_dontaudit_append_lib_files',` # interface(`hal_read_pid_files',` gen_require(` - type hald_var_run_t; + type hald_runtime_t; ') files_search_pids($1) - allow $1 hald_var_run_t:file read_file_perms; + allow $1 hald_runtime_t:file read_file_perms; ') ######################################## @@ -392,11 +392,11 @@ interface(`hal_read_pid_files',` # interface(`hal_rw_pid_files',` gen_require(` - type hald_var_run_t; + type hald_runtime_t; ') files_search_pids($1) - allow $1 hald_var_run_t:file rw_file_perms; + allow $1 hald_runtime_t:file rw_file_perms; ') ######################################## @@ -412,11 +412,11 @@ interface(`hal_rw_pid_files',` # interface(`hal_manage_pid_dirs',` gen_require(` - type hald_var_run_t; + type hald_runtime_t; ') files_search_pids($1) - manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) + manage_dirs_pattern($1, hald_runtime_t, hald_runtime_t) ') ######################################## 
@@ -432,9 +432,9 @@ interface(`hal_manage_pid_dirs',` # interface(`hal_manage_pid_files',` gen_require(` - type hald_var_run_t; + type hald_runtime_t; ') files_search_pids($1) - manage_files_pattern($1, hald_var_run_t, hald_var_run_t) + manage_files_pattern($1, hald_runtime_t, hald_runtime_t) ') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 9bfd37fbc..7a0b85cfc 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -50,8 +50,8 @@ role system_r types hald_sonypic_t; type hald_tmp_t; files_tmp_file(hald_tmp_t) -type hald_var_run_t; -files_pid_file(hald_var_run_t) +type hald_runtime_t alias hald_var_run_t; +files_pid_file(hald_runtime_t) type hald_var_lib_t; files_type(hald_var_lib_t) @@ -95,9 +95,9 @@ manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) -manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) +manage_dirs_pattern(hald_t, hald_runtime_t, hald_runtime_t) +manage_files_pattern(hald_t, hald_runtime_t, hald_runtime_t) +files_pid_filetrans(hald_t, hald_runtime_t, { dir file }) domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) 
@@ -346,9 +346,9 @@ allow hald_acl_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) -manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) +manage_dirs_pattern(hald_acl_t, hald_runtime_t, hald_runtime_t) +manage_files_pattern(hald_acl_t, hald_runtime_t, hald_runtime_t) +files_pid_filetrans(hald_acl_t, hald_runtime_t, { dir file }) corecmd_exec_bin(hald_acl_t) @@ -456,10 +456,10 @@ allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) -manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) -files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) +manage_dirs_pattern(hald_dccm_t, hald_runtime_t, hald_runtime_t) +manage_files_pattern(hald_dccm_t, hald_runtime_t, hald_runtime_t) +manage_sock_files_pattern(hald_dccm_t, hald_runtime_t, hald_runtime_t) +files_pid_filetrans(hald_dccm_t, hald_runtime_t, { dir file sock_file }) manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc index f7392119f..c0a9e3354 100644 --- a/policy/modules/services/hostapd.fc +++ b/policy/modules/services/hostapd.fc 
@@ -2,8 +2,8 @@ /usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0) -/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0) +/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_runtime_t,s0) /etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0) -/run/hostapd\.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0) +/run/hostapd\.pid -- gen_context(system_u:object_r:hostapd_runtime_t,s0) diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te index af55f6aa7..16a4c7b13 100644 --- a/policy/modules/services/hostapd.te +++ b/policy/modules/services/hostapd.te @@ -9,8 +9,8 @@ type hostapd_t; type hostapd_exec_t; init_daemon_domain(hostapd_t, hostapd_exec_t) -type hostapd_var_run_t; -files_pid_file(hostapd_var_run_t) +type hostapd_runtime_t alias hostapd_var_run_t; +files_pid_file(hostapd_runtime_t) type hostapd_conf_t; files_type(hostapd_conf_t) @@ -30,11 +30,11 @@ allow hostapd_t self:packet_socket create_socket_perms; read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t) -manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) -manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) -manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) -manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) -files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file }) +manage_dirs_pattern(hostapd_t, hostapd_runtime_t, hostapd_runtime_t) +manage_files_pattern(hostapd_t, hostapd_runtime_t, hostapd_runtime_t) +manage_lnk_files_pattern(hostapd_t, hostapd_runtime_t, hostapd_runtime_t) +manage_sock_files_pattern(hostapd_t, hostapd_runtime_t, hostapd_runtime_t) +files_pid_filetrans(hostapd_t, hostapd_runtime_t, { dir file lnk_file sock_file }) kernel_read_system_state(hostapd_t) kernel_read_network_state(hostapd_t) 
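Review bot: The first changed entry in this hunk keeps the path `/var/run/hostapd(/.*)?` while the `.pid` entry two lines below, and every other file-context entry touched by this commit, uses `/run/`. Since the rename already rewrites this line, it is a good moment to make it `/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_runtime_t,s0)`; as written, a relabel of `/run/hostapd` (the control-interface socket directory) presumably will not match this pattern, so its label would depend solely on the runtime `files_pid_filetrans` in hostapd.te rather than on the file contexts. This is pre-existing rather than introduced here, so it could also be a follow-up.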
diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc index c164df12d..a7a9bf07a 100644 --- a/policy/modules/services/howl.fc +++ b/policy/modules/services/howl.fc @@ -3,4 +3,4 @@ /usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0) /usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0) -/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0) +/run/nifd\.pid -- gen_context(system_u:object_r:howl_runtime_t,s0) diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if index afea18462..d3bbaf554 100644 --- a/policy/modules/services/howl.if +++ b/policy/modules/services/howl.if @@ -37,7 +37,7 @@ interface(`howl_signal',` # interface(`howl_admin',` gen_require(` - type howl_t, howl_initrc_exec_t, howl_var_run_t; + type howl_t, howl_initrc_exec_t, howl_runtime_t; ') allow $1 howl_t:process { ptrace signal_perms }; @@ -46,5 +46,5 @@ interface(`howl_admin',` init_startstop_service($1, $2, howl_t, howl_initrc_exec_t) files_search_pids($1) - admin_pattern($1, howl_var_run_t) + admin_pattern($1, howl_runtime_t) ') diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te index 6bbede584..6f1930064 100644 --- a/policy/modules/services/howl.te +++ b/policy/modules/services/howl.te @@ -13,8 +13,8 @@ init_daemon_domain(howl_t, howl_exec_t) type howl_initrc_exec_t; init_script_file(howl_initrc_exec_t) -type howl_var_run_t; -files_pid_file(howl_var_run_t) +type howl_runtime_t alias howl_var_run_t; +files_pid_file(howl_runtime_t) ######################################## # 
@@ -27,8 +27,8 @@ allow howl_t self:process signal_perms; allow howl_t self:fifo_file rw_fifo_file_perms; allow howl_t self:tcp_socket { accept listen }; -manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t) -files_pid_filetrans(howl_t, howl_var_run_t, file) +manage_files_pattern(howl_t, howl_runtime_t, howl_runtime_t) +files_pid_filetrans(howl_t, howl_runtime_t, file) kernel_read_network_state(howl_t) kernel_read_kernel_sysctls(howl_t) diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc index 9dcc65aaf..3abc1ccc9 100644 --- a/policy/modules/services/i18n_input.fc +++ b/policy/modules/services/i18n_input.fc @@ -15,4 +15,4 @@ /var/log/iiim(/.*)? gen_context(system_u:object_r:i18n_input_log_t,s0) -/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) +/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_runtime_t,s0) diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if index 4e08c3cfb..653ef150a 100644 --- a/policy/modules/services/i18n_input.if +++ b/policy/modules/services/i18n_input.if @@ -19,7 +19,7 @@ # interface(`i18n_input_admin',` gen_require(` - type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_var_run_t; + type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_runtime_t; type i18n_input_log_t; ') @@ -29,7 +29,7 @@ interface(`i18n_input_admin',` init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t) files_search_pids($1) - admin_pattern($1, i18n_input_var_run_t) + admin_pattern($1, i18n_input_runtime_t) logging_search_logs($1) admin_pattern($1, i18n_input_log_t) diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te index 7e76a4c3c..64387ee45 100644 --- a/policy/modules/services/i18n_input.te +++ b/policy/modules/services/i18n_input.te 
@@ -22,8 +22,8 @@ init_script_file(i18n_input_initrc_exec_t) type i18n_input_log_t; logging_log_file(i18n_input_log_t) -type i18n_input_var_run_t; -files_pid_file(i18n_input_var_run_t) +type i18n_input_runtime_t alias i18n_input_var_run_t; +files_pid_file(i18n_input_runtime_t) ######################################## # @@ -42,10 +42,10 @@ append_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) create_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) setattr_files_pattern(i18n_input_t, i18n_input_log_t, i18n_input_log_t) -manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) -files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) +manage_dirs_pattern(i18n_input_t, i18n_input_runtime_t, i18n_input_runtime_t) +manage_files_pattern(i18n_input_t, i18n_input_runtime_t, i18n_input_runtime_t) +manage_sock_files_pattern(i18n_input_t, i18n_input_runtime_t, i18n_input_runtime_t) +files_pid_filetrans(i18n_input_t, i18n_input_runtime_t, file) can_exec(i18n_input_t, i18n_input_exec_t) diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc index 6080443fe..cc6314856 100644 --- a/policy/modules/services/icecast.fc +++ b/policy/modules/services/icecast.fc @@ -4,5 +4,5 @@ /var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) -/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) -/run/icecast\.pid -- gen_context(system_u:object_r:icecast_var_run_t,s0) +/run/icecast(/.*)? gen_context(system_u:object_r:icecast_runtime_t,s0) +/run/icecast\.pid -- gen_context(system_u:object_r:icecast_runtime_t,s0) diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if index 38ce1b7fa..5c88c424b 100644 --- a/policy/modules/services/icecast.if +++ b/policy/modules/services/icecast.if 
@@ -67,11 +67,11 @@ interface(`icecast_initrc_domtrans',` # interface(`icecast_read_pid_files',` gen_require(` - type icecast_var_run_t; + type icecast_runtime_t; ') files_search_pids($1) - allow $1 icecast_var_run_t:file read_file_perms; + allow $1 icecast_runtime_t:file read_file_perms; ') ######################################## @@ -87,11 +87,11 @@ interface(`icecast_read_pid_files',` # interface(`icecast_manage_pid_files',` gen_require(` - type icecast_var_run_t; + type icecast_runtime_t; ') files_search_pids($1) - manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) + manage_files_pattern($1, icecast_runtime_t, icecast_runtime_t) ') ######################################## @@ -173,7 +173,7 @@ interface(`icecast_manage_log',` interface(`icecast_admin',` gen_require(` type icecast_t, icecast_initrc_exec_t, icecast_log_t; - type icecast_var_run_t; + type icecast_runtime_t; ') init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t) @@ -185,5 +185,5 @@ interface(`icecast_admin',` admin_pattern($1, icecast_log_t) files_search_pids($1) - admin_pattern($1, icecast_var_run_t) + admin_pattern($1, icecast_runtime_t) ') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te index acbb3fc69..d010186a8 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te @@ -24,8 +24,8 @@ init_script_file(icecast_initrc_exec_t) type icecast_log_t; logging_log_file(icecast_log_t) -type icecast_var_run_t; -files_pid_file(icecast_var_run_t) +type icecast_runtime_t alias icecast_var_run_t; +files_pid_file(icecast_runtime_t) ######################################## # 
@@ -43,9 +43,9 @@ append_files_pattern(icecast_t, icecast_log_t, icecast_log_t) create_files_pattern(icecast_t, icecast_log_t, icecast_log_t) setattr_files_pattern(icecast_t, icecast_log_t, icecast_log_t) -manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) -files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +manage_dirs_pattern(icecast_t, icecast_runtime_t, icecast_runtime_t) +manage_files_pattern(icecast_t, icecast_runtime_t, icecast_runtime_t) +files_pid_filetrans(icecast_t, icecast_runtime_t, { file dir }) kernel_read_system_state(icecast_t) diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc index 2a1e92907..967018118 100644 --- a/policy/modules/services/ifplugd.fc +++ b/policy/modules/services/ifplugd.fc @@ -6,4 +6,4 @@ /usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) -/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) +/run/ifplugd.* gen_context(system_u:object_r:ifplugd_runtime_t,s0) diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if index 3cd19b368..277e746ef 100644 --- a/policy/modules/services/ifplugd.if +++ b/policy/modules/services/ifplugd.if @@ -89,11 +89,11 @@ interface(`ifplugd_manage_config',` # interface(`ifplugd_read_pid_files',` gen_require(` - type ifplugd_var_run_t; + type ifplugd_runtime_t; ') files_search_pids($1) - allow $1 ifplugd_var_run_t:file read_file_perms; + allow $1 ifplugd_runtime_t:file read_file_perms; ') ######################################## @@ -115,7 +115,7 @@ interface(`ifplugd_read_pid_files',` # interface(`ifplugd_admin',` gen_require(` - type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; + type ifplugd_t, ifplugd_etc_t, ifplugd_runtime_t; type ifplugd_initrc_exec_t; ') 
@@ -128,5 +128,5 @@ interface(`ifplugd_admin',` admin_pattern($1, ifplugd_etc_t) files_list_pids($1) - admin_pattern($1, ifplugd_var_run_t) + admin_pattern($1, ifplugd_runtime_t) ') diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te index 58b729573..fbec06792 100644 --- a/policy/modules/services/ifplugd.te +++ b/policy/modules/services/ifplugd.te @@ -15,8 +15,8 @@ files_type(ifplugd_etc_t) type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) -type ifplugd_var_run_t; -files_pid_file(ifplugd_var_run_t) +type ifplugd_runtime_t alias ifplugd_var_run_t; +files_pid_file(ifplugd_runtime_t) ######################################## # @@ -34,9 +34,9 @@ allow ifplugd_t self:netlink_route_socket nlmsg_write; read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) -manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) -files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file }) +manage_files_pattern(ifplugd_t, ifplugd_runtime_t, ifplugd_runtime_t) +manage_sock_files_pattern(ifplugd_t, ifplugd_runtime_t, ifplugd_runtime_t) +files_pid_filetrans(ifplugd_t, ifplugd_runtime_t, { file sock_file }) kernel_read_kernel_sysctls(ifplugd_t) kernel_read_network_state(ifplugd_t) diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc index eb9416e87..c189a1953 100644 --- a/policy/modules/services/imaze.fc +++ b/policy/modules/services/imaze.fc @@ -4,4 +4,4 @@ /var/log/imaze\.log.* -- gen_context(system_u:object_r:imazesrv_log_t,s0) -/run/imaze\.pid -- gen_context(system_u:object_r:imazesrv_var_run_t,s0) +/run/imaze\.pid -- gen_context(system_u:object_r:imazesrv_runtime_t,s0) diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te index 7649b91aa..ad46dc689 100644 --- a/policy/modules/services/imaze.te 
+++ b/policy/modules/services/imaze.te @@ -16,8 +16,8 @@ files_type(imazesrv_data_t) type imazesrv_log_t; logging_log_file(imazesrv_log_t) -type imazesrv_var_run_t; -files_pid_file(imazesrv_var_run_t) +type imazesrv_runtime_t alias imazesrv_var_run_t; +files_pid_file(imazesrv_runtime_t) ######################################## # @@ -38,8 +38,8 @@ read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) allow imazesrv_t imazesrv_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(imazesrv_t, imazesrv_log_t, file) -manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t) -files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file) +manage_files_pattern(imazesrv_t, imazesrv_runtime_t, imazesrv_runtime_t) +files_pid_filetrans(imazesrv_t, imazesrv_runtime_t, file) kernel_list_proc(imazesrv_t) kernel_read_kernel_sysctls(imazesrv_t) diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc index 3329de47b..627aee36c 100644 --- a/policy/modules/services/inetd.fc +++ b/policy/modules/services/inetd.fc @@ -16,4 +16,4 @@ /var/log/(x)?inetd\.log.* -- gen_context(system_u:object_r:inetd_log_t,s0) -/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) +/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_runtime_t,s0) diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index 277a8ad40..3ad5772d5 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -15,8 +15,8 @@ logging_log_file(inetd_log_t) type inetd_tmp_t; files_tmp_file(inetd_tmp_t) -type inetd_var_run_t; -files_pid_file(inetd_var_run_t) +type inetd_runtime_t; +files_pid_file(inetd_runtime_t) type inetd_child_t; type inetd_child_exec_t; 
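Review bot: In the inetd.te `@@ -15,8 +15,8 @@` hunk, `type inetd_runtime_t;` is declared without an alias, whereas the following hunk in the same file keeps one for the child type (`type inetd_child_runtime_t alias inetd_child_var_run_t;`), as do the surrounding modules in this commit. Dropping `inetd_var_run_t` outright presumably breaks any external module that still names it and leaves an existing `/run/inetd.pid` labelled with a type the new policy no longer knows until it is relabelled. Unless this is deliberate, the declaration should be `type inetd_runtime_t alias inetd_var_run_t;`.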
@@ -25,8 +25,8 @@ inetd_service_domain(inetd_child_t, inetd_child_exec_t) type inetd_child_tmp_t; files_tmp_file(inetd_child_tmp_t) -type inetd_child_var_run_t; -files_pid_file(inetd_child_var_run_t) +type inetd_child_runtime_t alias inetd_child_var_run_t; +files_pid_file(inetd_child_runtime_t) ifdef(`enable_mcs',` init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) @@ -51,8 +51,8 @@ manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) -allow inetd_t inetd_var_run_t:file manage_file_perms; -files_pid_filetrans(inetd_t, inetd_var_run_t, file) +allow inetd_t inetd_runtime_t:file manage_file_perms; +files_pid_filetrans(inetd_t, inetd_runtime_t, file) kernel_read_kernel_sysctls(inetd_t) kernel_list_proc(inetd_t) @@ -214,8 +214,8 @@ manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir }) -manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t) -files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file) +manage_files_pattern(inetd_child_t, inetd_child_runtime_t, inetd_child_runtime_t) +files_pid_filetrans(inetd_child_t, inetd_child_runtime_t, file) kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc index eb9bda28a..df371a2f0 100644 --- a/policy/modules/services/inn.fc +++ b/policy/modules/services/inn.fc 
@@ -52,9 +52,9 @@ /var/log/news.* -- gen_context(system_u:object_r:innd_log_t,s0) -/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) -/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) -/run/news\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) +/run/innd(/.*)? gen_context(system_u:object_r:innd_runtime_t,s0) +/run/innd\.pid -- gen_context(system_u:object_r:innd_runtime_t,s0) +/run/news(/.*)? gen_context(system_u:object_r:innd_runtime_t,s0) +/run/news\.pid -- gen_context(system_u:object_r:innd_runtime_t,s0) /var/spool/news(/.*)? gen_context(system_u:object_r:news_spool_t,s0) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index 8e24feb99..e109d8f6c 100644 --- a/policy/modules/services/inn.if +++ b/policy/modules/services/inn.if @@ -99,13 +99,13 @@ interface(`inn_generic_log_filetrans_innd_log',` # interface(`inn_manage_pid',` gen_require(` - type innd_var_run_t; + type innd_runtime_t; ') files_search_pids($1) - allow $1 innd_var_run_t:dir manage_dir_perms; - allow $1 innd_var_run_t:file manage_file_perms; - allow $1 innd_var_run_t:sock_file manage_sock_file_perms; + allow $1 innd_runtime_t:dir manage_dir_perms; + allow $1 innd_runtime_t:file manage_file_perms; + allow $1 innd_runtime_t:sock_file manage_sock_file_perms; ') ######################################## @@ -180,11 +180,11 @@ interface(`inn_read_news_spool',` # interface(`inn_dgram_send',` gen_require(` - type innd_t, innd_var_run_t; + type innd_t, innd_runtime_t; ') files_search_pids($1) - dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t) + dgram_send_pattern($1, innd_runtime_t, innd_runtime_t, innd_t) ') ######################################## 
@@ -227,7 +227,7 @@ interface(`inn_admin',`
 gen_require(`
 type innd_t, innd_etc_t, innd_log_t;
 type news_spool_t, innd_var_lib_t;
- type innd_var_run_t, innd_initrc_exec_t;
+ type innd_runtime_t, innd_initrc_exec_t;
 ')
 init_startstop_service($1, $2, innd_t, innd_initrc_exec_t)
@@ -245,7 +245,7 @@ interface(`inn_admin',`
 admin_pattern($1, innd_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, innd_var_run_t)
+ admin_pattern($1, innd_runtime_t)
 files_list_spool($1)
 admin_pattern($1, news_spool_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index a1575e90c..577b72b23 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -21,8 +21,8 @@ logging_log_file(innd_log_t)
 type innd_var_lib_t;
 files_type(innd_var_lib_t)
-type innd_var_run_t;
-files_pid_file(innd_var_run_t)
+type innd_runtime_t alias innd_var_run_t;
+files_pid_file(innd_runtime_t)
 type news_spool_t;
 files_mountpoint(news_spool_t)
@@ -51,10 +51,10 @@ setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
 manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
-manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
-files_pid_filetrans(innd_t, innd_var_run_t, file)
+manage_dirs_pattern(innd_t, innd_runtime_t, innd_runtime_t)
+manage_files_pattern(innd_t, innd_runtime_t, innd_runtime_t)
+manage_sock_files_pattern(innd_t, innd_runtime_t, innd_runtime_t)
+files_pid_filetrans(innd_t, innd_runtime_t, file)
 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
 manage_files_pattern(innd_t, news_spool_t, news_spool_t)
diff --git a/policy/modules/services/iodine.fc b/policy/modules/services/iodine.fc
index 7ae0c0693..525b480e6 100644
--- a/policy/modules/services/iodine.fc
+++ b/policy/modules/services/iodine.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
-/run/iodine(/.*)? gen_context(system_u:object_r:iodined_var_run_t,s0)
+/run/iodine(/.*)? gen_context(system_u:object_r:iodined_runtime_t,s0)
 /usr/bin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
diff --git a/policy/modules/services/iodine.te b/policy/modules/services/iodine.te
index c918bbf43..e9c3efdd5 100644
--- a/policy/modules/services/iodine.te
+++ b/policy/modules/services/iodine.te
@@ -12,8 +12,8 @@ init_daemon_domain(iodined_t, iodined_exec_t)
 type iodined_initrc_exec_t;
 init_script_file(iodined_initrc_exec_t)
-type iodined_var_run_t;
-files_pid_file(iodined_var_run_t)
+type iodined_runtime_t alias iodined_var_run_t;
+files_pid_file(iodined_runtime_t)
 ########################################
 #
@@ -26,8 +26,8 @@ allow iodined_t self:tun_socket create_socket_perms;
 allow iodined_t self:udp_socket connected_socket_perms;
 allow iodined_t self:netlink_route_socket rw_netlink_socket_perms;
-manage_dirs_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
-manage_files_pattern(iodined_t, iodined_var_run_t, iodined_var_run_t)
+manage_dirs_pattern(iodined_t, iodined_runtime_t, iodined_runtime_t)
+manage_files_pattern(iodined_t, iodined_runtime_t, iodined_runtime_t)
 kernel_read_net_sysctls(iodined_t)
 kernel_read_network_state(iodined_t)
diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc
index f1944c754..ff31b55f0 100644
--- a/policy/modules/services/ircd.fc
+++ b/policy/modules/services/ircd.fc
@@ -19,5 +19,5 @@
 /var/log/ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0)
 /var/log/ngircd\.log.* -- gen_context(system_u:object_r:ircd_log_t,s0)
-/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
-/run/ngircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0)
+/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_runtime_t,s0)
+/run/ngircd(/.*)? gen_context(system_u:object_r:ircd_runtime_t,s0)
diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if
index 3dbe87d67..fadc6e9e5 100644
--- a/policy/modules/services/ircd.if
+++ b/policy/modules/services/ircd.if
@@ -20,7 +20,7 @@ interface(`ircd_admin',`
 gen_require(`
 type ircd_t, ircd_initrc_exec_t, ircd_etc_t;
- type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
+ type ircd_log_t, ircd_var_lib_t, ircd_runtime_t;
 ')
 init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t)
@@ -38,5 +38,5 @@ interface(`ircd_admin',`
 admin_pattern($1, ircd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, ircd_var_run_t)
+ admin_pattern($1, ircd_runtime_t)
 ')
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index a50373e07..feebb5df6 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -21,8 +21,8 @@ logging_log_file(ircd_log_t)
 type ircd_var_lib_t;
 files_type(ircd_var_lib_t)
-type ircd_var_run_t;
-files_pid_file(ircd_var_run_t)
+type ircd_runtime_t alias ircd_var_run_t;
+files_pid_file(ircd_runtime_t)
 ########################################
 #
@@ -44,8 +44,8 @@ logging_log_filetrans(ircd_t, ircd_log_t, file)
 manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t)
-manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t)
-files_pid_filetrans(ircd_t, ircd_var_run_t, file)
+manage_files_pattern(ircd_t, ircd_runtime_t, ircd_runtime_t)
+files_pid_filetrans(ircd_t, ircd_runtime_t, file)
 kernel_read_system_state(ircd_t)
 kernel_read_kernel_sysctls(ircd_t)
diff --git a/policy/modules/services/isns.fc b/policy/modules/services/isns.fc
index 488e9a0cc..46cdd189f 100644
--- a/policy/modules/services/isns.fc
+++ b/policy/modules/services/isns.fc
@@ -6,5 +6,5 @@
 /var/lib/isns(/.*)? gen_context(system_u:object_r:isnsd_var_lib_t,s0)
-/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_var_run_t,s0)
-/run/isnsctl -s gen_context(system_u:object_r:isnsd_var_run_t,s0)
+/run/isnsd\.pid -- gen_context(system_u:object_r:isnsd_runtime_t,s0)
+/run/isnsctl -s gen_context(system_u:object_r:isnsd_runtime_t,s0)
diff --git a/policy/modules/services/isns.if b/policy/modules/services/isns.if
index 4d847e9cc..734e9122f 100644
--- a/policy/modules/services/isns.if
+++ b/policy/modules/services/isns.if
@@ -20,7 +20,7 @@ interface(`isnsd_admin',`
 gen_require(`
 type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t;
- type isnsd_var_run_t;
+ type isnsd_runtime_t;
 ')
 allow $1 isnsd_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`isnsd_admin',`
 admin_pattern($1, isnsd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, isnsd_var_run_t)
+ admin_pattern($1, isnsd_runtime_t)
 ')
diff --git a/policy/modules/services/isns.te b/policy/modules/services/isns.te
index b6780d1ef..4b664ca74 100644
--- a/policy/modules/services/isns.te
+++ b/policy/modules/services/isns.te
@@ -15,8 +15,8 @@ init_script_file(isnsd_initrc_exec_t)
 type isnsd_var_lib_t;
 files_type(isnsd_var_lib_t)
-type isnsd_var_run_t;
-files_pid_file(isnsd_var_run_t)
+type isnsd_runtime_t alias isnsd_var_run_t;
+files_pid_file(isnsd_runtime_t)
 ########################################
 #
@@ -33,9 +33,9 @@ manage_dirs_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
 manage_files_pattern(isnsd_t, isnsd_var_lib_t, isnsd_var_lib_t)
 files_var_lib_filetrans(isnsd_t, isnsd_var_lib_t, dir)
-manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t)
-files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file })
+manage_sock_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t)
+manage_files_pattern(isnsd_t, isnsd_runtime_t, isnsd_runtime_t)
+files_pid_filetrans(isnsd_t, isnsd_runtime_t, { file sock_file })
 corenet_all_recvfrom_unlabeled(isnsd_t)
 corenet_all_recvfrom_netlabel(isnsd_t)
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index bda8b8c50..b9723ffa6 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -25,8 +25,8 @@
 /var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/prosody(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
 /var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_runtime_t,s0)
-/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
-/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
+/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
+/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
+/run/prosody(/.*)? -- gen_context(system_u:object_r:jabberd_runtime_t,s0)
diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
index 9a31ee513..fc1b0a0cb 100644
--- a/policy/modules/services/jabber.if
+++ b/policy/modules/services/jabber.if
@@ -61,7 +61,7 @@ interface(`jabber_admin',`
 gen_require(`
 attribute jabberd_domain;
 type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
+ type jabberd_var_lib_t, jabberd_runtime_t, jabberd_initrc_exec_t;
 ')
 allow $1 jabberd_domain:process { ptrace signal_perms };
@@ -82,5 +82,5 @@ interface(`jabber_admin',`
 admin_pattern($1, jabberd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
+ admin_pattern($1, jabberd_runtime_t)
 ')
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 83c6a4117..a7b90c575 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -25,8 +25,8 @@ files_type(jabberd_spool_t)
 type jabberd_var_lib_t;
 files_type(jabberd_var_lib_t)
-type jabberd_var_run_t;
-files_pid_file(jabberd_var_run_t)
+type jabberd_runtime_t alias jabberd_var_run_t;
+files_pid_file(jabberd_runtime_t)
 ########################################
 #
@@ -86,8 +86,8 @@ logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
+manage_files_pattern(jabberd_t, jabberd_runtime_t, jabberd_runtime_t)
+files_pid_filetrans(jabberd_t, jabberd_runtime_t, file)
 domain_dontaudit_search_all_domains_state(jabberd_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index c8c5a37d3..409a6ad13 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -443,10 +443,10 @@ interface(`kerberos_connect_524',`
 interface(`kerberos_admin',`
 gen_require(`
 type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_runtime_t;
 type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
 type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
+ type krb5kdc_runtime_t, krb5_host_rcache_t;
 ')
 allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
@@ -470,7 +470,7 @@ interface(`kerberos_admin',`
 kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
 files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
+ admin_pattern($1, { kadmind_runtime_t krb5kdc_runtime_t })
 files_list_etc($1)
 admin_pattern($1, krb5_conf_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 91ca8aac2..f0dd1a563 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -23,8 +23,8 @@ logging_log_file(kadmind_log_t)
 type kadmind_tmp_t;
 files_tmp_file(kadmind_tmp_t)
-type kadmind_var_run_t;
-files_pid_file(kadmind_var_run_t)
+type kadmind_runtime_t;
+files_pid_file(kadmind_runtime_t)
 type kerberos_initrc_exec_t;
 init_script_file(kerberos_initrc_exec_t)
@@ -66,8 +66,8 @@ logging_log_file(krb5kdc_log_t)
 type krb5kdc_tmp_t;
 files_tmp_file(krb5kdc_tmp_t)
-type krb5kdc_var_run_t;
-files_pid_file(krb5kdc_var_run_t)
+type krb5kdc_runtime_t alias krb5kdc_var_run_t;
+files_pid_file(krb5kdc_runtime_t)
 ########################################
 #
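Review bot: The kerberos.te hunk at line 23 declares `type kadmind_runtime_t;` without the `alias kadmind_var_run_t` that every other renamed type in this commit carries, including `krb5kdc_runtime_t` two hunks below in the same file. Without the alias, any out-of-tree module that does `gen_require(` type kadmind_var_run_t; ')` stops linking, and files in /run already labeled kadmind_var_run_t become invalid contexts when the new policy loads, so the kadmin daemon loses access to its own pid files until a relabel. This looks like an omission rather than a deliberate removal, since nothing in the commit message mentions dropping a type. The fix is the same one-line form used elsewhere: `type kadmind_runtime_t alias kadmind_var_run_t;`.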
@@ -100,8 +100,8 @@ manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
 manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
 files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
-files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
+manage_files_pattern(kadmind_t, kadmind_runtime_t, kadmind_runtime_t)
+files_pid_filetrans(kadmind_t, kadmind_runtime_t, file)
 can_exec(kadmind_t, kadmind_exec_t)
@@ -200,8 +200,8 @@ manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
 files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
-manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+manage_files_pattern(krb5kdc_t, krb5kdc_runtime_t, krb5kdc_runtime_t)
+files_pid_filetrans(krb5kdc_t, krb5kdc_runtime_t, file)
 can_exec(krb5kdc_t, krb5kdc_exec_t)
diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
index 68f3623b9..19766bf18 100644
--- a/policy/modules/services/ksmtuned.fc
+++ b/policy/modules/services/ksmtuned.fc
@@ -6,4 +6,4 @@
 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
-/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
+/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_runtime_t,s0)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
index 59f401bf9..9d3b81d25 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
@@ -57,7 +57,7 @@ interface(`ksmtuned_initrc_domtrans',`
 #
 interface(`ksmtuned_admin',`
 gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
+ type ksmtuned_t, ksmtuned_runtime_t;
 type ksmtuned_initrc_exec_t, ksmtuned_log_t;
 ')
@@ -67,7 +67,7 @@ interface(`ksmtuned_admin',`
 ps_process_pattern($1, ksmtuned_t)
 files_list_pids($1)
- admin_pattern($1, ksmtuned_var_run_t)
+ admin_pattern($1, ksmtuned_runtime_t)
 logging_search_logs($1)
 admin_pattern($1, ksmtuned_log_t)
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index 97cfdc2d4..d00d97ee6 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -15,8 +15,8 @@ init_script_file(ksmtuned_initrc_exec_t)
 type ksmtuned_log_t;
 logging_log_file(ksmtuned_log_t)
-type ksmtuned_var_run_t;
-files_pid_file(ksmtuned_var_run_t)
+type ksmtuned_runtime_t alias ksmtuned_var_run_t;
+files_pid_file(ksmtuned_runtime_t)
 ########################################
 #
@@ -32,8 +32,8 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
 setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
 logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
-files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
+manage_files_pattern(ksmtuned_t, ksmtuned_runtime_t, ksmtuned_runtime_t)
+files_pid_filetrans(ksmtuned_t, ksmtuned_runtime_t, file)
 kernel_read_system_state(ksmtuned_t)
diff --git a/policy/modules/services/l2tp.fc b/policy/modules/services/l2tp.fc
index 499c7de6e..af0d4e9a4 100644
--- a/policy/modules/services/l2tp.fc
+++ b/policy/modules/services/l2tp.fc
@@ -8,6 +8,6 @@
 /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
-/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
-/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
+/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_runtime_t,s0)
+/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_runtime_t,s0)
+/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_runtime_t,s0)
diff --git a/policy/modules/services/l2tp.if b/policy/modules/services/l2tp.if
index 24d3c444d..96ff7dc15 100644
--- a/policy/modules/services/l2tp.if
+++ b/policy/modules/services/l2tp.if
@@ -13,12 +13,12 @@
 #
 interface(`l2tpd_dgram_send',`
 gen_require(`
- type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
+ type l2tpd_t, l2tpd_tmp_t, l2tpd_runtime_t;
 ')
 files_search_pids($1)
 files_search_tmp($1)
- dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_runtime_t }, { l2tpd_tmp_t l2tpd_runtime_t }, l2tpd_t)
 ')
 ########################################
@@ -52,12 +52,12 @@ interface(`l2tpd_rw_socket',`
 #
 interface(`l2tpd_stream_connect',`
 gen_require(`
- type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
+ type l2tpd_t, l2tpd_runtime_t, l2tpd_tmp_t;
 ')
 files_search_pids($1)
 files_search_tmp($1)
- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
+ stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_runtime_t }, { l2tpd_tmp_t l2tpd_runtime_t }, l2tpd_t)
 ')
 ########################################
@@ -79,7 +79,7 @@ interface(`l2tpd_stream_connect',`
 #
 interface(`l2tp_admin',`
 gen_require(`
- type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
+ type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_runtime_t;
 type l2tp_conf_t, l2tpd_tmp_t;
 ')
@@ -92,7 +92,7 @@ interface(`l2tp_admin',`
 admin_pattern($1, l2tp_conf_t)
 files_search_pids($1)
- admin_pattern($1, l2tpd_var_run_t)
+ admin_pattern($1, l2tpd_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, l2tpd_tmp_t)
diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
index 2fd536984..57a8b674d 100644
--- a/policy/modules/services/l2tp.te
+++ b/policy/modules/services/l2tp.te
@@ -18,8 +18,8 @@ files_config_file(l2tp_conf_t)
 type l2tpd_tmp_t;
 files_tmp_file(l2tpd_tmp_t)
-type l2tpd_var_run_t;
-files_pid_file(l2tpd_var_run_t)
+type l2tpd_runtime_t alias l2tpd_var_run_t;
+files_pid_file(l2tpd_runtime_t)
 ########################################
 #
@@ -38,11 +38,11 @@ allow l2tpd_t self:unix_stream_socket { accept listen };
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
-manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(l2tpd_t, l2tpd_runtime_t, l2tpd_runtime_t)
+manage_files_pattern(l2tpd_t, l2tpd_runtime_t, l2tpd_runtime_t)
+manage_sock_files_pattern(l2tpd_t, l2tpd_runtime_t, l2tpd_runtime_t)
+manage_fifo_files_pattern(l2tpd_t, l2tpd_runtime_t, l2tpd_runtime_t)
+files_pid_filetrans(l2tpd_t, l2tpd_runtime_t, { dir file sock_file })
 manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
 files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index 174f4d73b..0a1d08d0f 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -25,8 +25,8 @@
 /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
 /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
-/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
-/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/ldapi -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/openldap(/.*)? gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/slapd.* -s gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/slapd\.args -- gen_context(system_u:object_r:slapd_runtime_t,s0)
+/run/slapd\.pid -- gen_context(system_u:object_r:slapd_runtime_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
index 59752140d..92fa2ea77 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
@@ -52,11 +52,11 @@ interface(`ldap_read_config',`
 #
 interface(`ldap_stream_connect',`
 gen_require(`
- type slapd_t, slapd_var_run_t;
+ type slapd_t, slapd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+ stream_connect_pattern($1, slapd_runtime_t, slapd_runtime_t, slapd_t)
 ')
 ########################################
@@ -100,7 +100,7 @@ interface(`ldap_tcp_connect',`
 interface(`ldap_admin',`
 gen_require(`
 type slapd_t, slapd_tmp_t, slapd_replog_t;
- type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_lock_t, slapd_etc_t, slapd_runtime_t;
 type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
 type slapd_db_t, slapd_keytab_t;
 ')
@@ -126,7 +126,7 @@ interface(`ldap_admin',`
 admin_pattern($1, slapd_tmp_t)
 files_list_pids($1)
- admin_pattern($1, slapd_var_run_t)
+ admin_pattern($1, slapd_runtime_t)
 ')
 ########################################
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 4a525e6d1..4e581acb1 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -42,8 +42,8 @@ files_tmpfs_file(slapd_tmpfs_t)
 type slapd_unit_t;
 init_unit_file(slapd_unit_t)
-type slapd_var_run_t;
-files_pid_file(slapd_var_run_t)
+type slapd_runtime_t alias slapd_var_run_t;
+files_pid_file(slapd_runtime_t)
 ########################################
 #
@@ -88,10 +88,10 @@ files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
 manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
 fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file)
-manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
-manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
-manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
-files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(slapd_t, slapd_runtime_t, slapd_runtime_t)
+manage_files_pattern(slapd_t, slapd_runtime_t, slapd_runtime_t)
+manage_sock_files_pattern(slapd_t, slapd_runtime_t, slapd_runtime_t)
+files_pid_filetrans(slapd_t, slapd_runtime_t, { dir file sock_file })
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
index c95fd7d58..fb89307e1 100644
--- a/policy/modules/services/likewise.fc
+++ b/policy/modules/services/likewise.fc
@@ -101,9 +101,9 @@
 /var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
 /var/lib/likewise-open/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t,s0)
-/run/eventlogd\.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
-/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
-/run/lwiod\.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
-/run/lwregd\.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
-/run/netlogond\.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
-/run/srvsvcd\.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+/run/eventlogd\.pid -- gen_context(system_u:object_r:eventlogd_runtime_t,s0)
+/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_runtime_t,s0)
+/run/lwiod\.pid -- gen_context(system_u:object_r:lwiod_runtime_t,s0)
+/run/lwregd\.pid -- gen_context(system_u:object_r:lwregd_runtime_t,s0)
+/run/netlogond\.pid -- gen_context(system_u:object_r:netlogond_runtime_t,s0)
+/run/srvsvcd\.pid -- gen_context(system_u:object_r:srvsvcd_runtime_t,s0)
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 2b884e640..6bec87524 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -27,8 +27,8 @@ template(`likewise_domain_template',`
 typeattribute $1_t likewise_domains;
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
+ type $1_runtime_t alias $1_var_run_t;
+ files_pid_file($1_runtime_t)
 type $1_var_socket_t;
 files_type($1_var_socket_t)
@@ -47,8 +47,8 @@ template(`likewise_domain_template',`
 allow $1_t self:tcp_socket create_stream_socket_perms;
 allow $1_t self:udp_socket create_socket_perms;
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, file)
+ manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
+ files_pid_filetrans($1_t, $1_runtime_t, file)
 manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
 filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
@@ -103,8 +103,8 @@ interface(`likewise_admin',`
 type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
 type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
 type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
+ type eventlogd_runtime_t, lsassd_runtime_t, lwiod_runtime_t;
+ type lwregd_runtime_t, netlogond_runtime_t, srvsvcd_runtime_t;
 ')
 allow $1 likewise_domains:process { ptrace signal_perms };
@@ -126,6 +126,6 @@ interface(`likewise_admin',`
 admin_pattern($1, lsassd_tmp_t)
 files_list_pids($1)
- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
+ admin_pattern($1, { eventlogd_runtime_t lsassd_runtime_t lwiod_runtime_t })
+ admin_pattern($1, { lwregd_runtime_t netlogond_runtime_t srvsvcd_runtime_t })
 ')
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
index 79947d0ca..66432d154 100644
--- a/policy/modules/services/lircd.fc
+++ b/policy/modules/services/lircd.fc
@@ -1,4 +1,4 @@
-/dev/lircd -s gen_context(system_u:object_r:lircd_var_run_t,s0)
+/dev/lircd -s gen_context(system_u:object_r:lircd_runtime_t,s0)
 /etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
 /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
@@ -12,6 +12,6 @@
 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
-/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
-/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0)
-/run/lircd\.pid -- gen_context(system_u:object_r:lircd_var_run_t,s0)
+/run/lirc(/.*)? gen_context(system_u:object_r:lircd_runtime_t,s0)
+/run/lircd(/.*)? gen_context(system_u:object_r:lircd_runtime_t,s0)
+/run/lircd\.pid -- gen_context(system_u:object_r:lircd_runtime_t,s0)
diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if
index de2543bc0..04b3ad235 100644
--- a/policy/modules/services/lircd.if
+++ b/policy/modules/services/lircd.if
@@ -32,11 +32,11 @@ interface(`lircd_domtrans',`
 #
 interface(`lircd_stream_connect',`
 gen_require(`
- type lircd_var_run_t, lircd_t;
+ type lircd_runtime_t, lircd_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
+ stream_connect_pattern($1, lircd_runtime_t, lircd_runtime_t, lircd_t)
 ')
 #######################################
@@ -77,7 +77,7 @@ interface(`lircd_read_config',`
 #
 interface(`lircd_admin',`
 gen_require(`
- type lircd_t, lircd_var_run_t;
+ type lircd_t, lircd_runtime_t;
 type lircd_initrc_exec_t, lircd_etc_t;
 ')
@@ -90,6 +90,6 @@ interface(`lircd_admin',`
 admin_pattern($1, lircd_etc_t)
 files_search_pids($1)
- admin_pattern($1, lircd_var_run_t)
+ admin_pattern($1, lircd_runtime_t)
 dev_list_all_dev_nodes($1)
 ')
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index e85b2aa95..0f2e5f2b1 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -18,8 +18,8 @@ files_type(lircd_etc_t)
 type lircd_unit_t;
 init_unit_file(lircd_unit_t)
-type lircd_var_run_t alias lircd_sock_t;
-files_pid_file(lircd_var_run_t)
+type lircd_runtime_t alias lircd_var_run_t;
+files_pid_file(lircd_runtime_t)
 ########################################
 #
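Review bot: The lircd.te hunk at line 18 silently drops the pre-existing `lircd_sock_t` alias: the removed line was `type lircd_var_run_t alias lircd_sock_t;` and the new line keeps only `alias lircd_var_run_t`. A rename commit should widen the alias set, not narrow it, otherwise any policy module or file context that still names lircd_sock_t fails to link or relabel after this change. If the old alias is genuinely dead it is worth saying so in the commit message; if not, the declaration should read `type lircd_runtime_t alias { lircd_var_run_t lircd_sock_t };`.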
@@ -33,12 +33,12 @@ allow lircd_t self:tcp_socket { accept listen };
 read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
-manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
-manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
-manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t)
-files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file })
+manage_dirs_pattern(lircd_t, lircd_runtime_t, lircd_runtime_t)
+manage_files_pattern(lircd_t, lircd_runtime_t, lircd_runtime_t)
+manage_sock_files_pattern(lircd_t, lircd_runtime_t, lircd_runtime_t)
+files_pid_filetrans(lircd_t, lircd_runtime_t, { dir file })
-dev_filetrans(lircd_t, lircd_var_run_t, sock_file)
+dev_filetrans(lircd_t, lircd_runtime_t, sock_file)
 kernel_request_load_module(lircd_t)
diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
index 305b8de7b..6f8eb90ea 100644
--- a/policy/modules/services/lldpad.fc
+++ b/policy/modules/services/lldpad.fc
@@ -6,4 +6,4 @@
 /var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0)
-/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0)
+/run/lldpad.* gen_context(system_u:object_r:lldpad_runtime_t,s0)
diff --git a/policy/modules/services/lldpad.if b/policy/modules/services/lldpad.if
index 8d7692a36..72cbf92ee 100644
--- a/policy/modules/services/lldpad.if
+++ b/policy/modules/services/lldpad.if
@@ -12,11 +12,11 @@
 #
 interface(`lldpad_dgram_send',`
 gen_require(`
- type lldpad_t, lldpad_var_run_t;
+ type lldpad_t, lldpad_runtime_t;
 ')
 files_search_pids($1)
- dgram_send_pattern($1, lldpad_var_run_t, lldpad_var_run_t, lldpad_t)
+ dgram_send_pattern($1, lldpad_runtime_t, lldpad_runtime_t, lldpad_t)
 ')
 ########################################
@@ -39,7 +39,7 @@ interface(`lldpad_dgram_send',`
 interface(`lldpad_admin',`
 gen_require(`
 type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t;
- type lldpad_var_run_t;
+ type lldpad_runtime_t;
 ')
 allow $1 lldpad_t:process { ptrace signal_perms };
@@ -51,5 +51,5 @@ interface(`lldpad_admin',`
 admin_pattern($1, lldpad_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, lldpad_var_run_t)
+ admin_pattern($1, lldpad_runtime_t)
 ')
diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
index 3251f91da..429ac0d52 100644
--- a/policy/modules/services/lldpad.te
+++ b/policy/modules/services/lldpad.te
@@ -18,8 +18,8 @@ files_tmpfs_file(lldpad_tmpfs_t)
 type lldpad_var_lib_t;
 files_type(lldpad_var_lib_t)
-type lldpad_var_run_t;
-files_pid_file(lldpad_var_run_t)
+type lldpad_runtime_t alias lldpad_var_run_t;
+files_pid_file(lldpad_runtime_t)
 ########################################
 #
@@ -40,10 +40,10 @@ fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file)
 manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
 manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t)
-manage_dirs_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-manage_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-manage_sock_files_pattern(lldpad_t, lldpad_var_run_t, lldpad_var_run_t)
-files_pid_filetrans(lldpad_t, lldpad_var_run_t, { dir file sock_file })
+manage_dirs_pattern(lldpad_t, lldpad_runtime_t, lldpad_runtime_t)
+manage_files_pattern(lldpad_t, lldpad_runtime_t, lldpad_runtime_t)
+manage_sock_files_pattern(lldpad_t, lldpad_runtime_t, lldpad_runtime_t)
+files_pid_filetrans(lldpad_t, lldpad_runtime_t, { dir file sock_file })
 kernel_read_all_sysctls(lldpad_t)
 kernel_read_network_state(lldpad_t)
diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc
index 8916d38e6..9217e0055 100644
--- a/policy/modules/services/lpd.fc
+++ b/policy/modules/services/lpd.fc
@@ -34,6 +34,6 @@
 /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
-/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
+/run/lprng(/.*)? gen_context(system_u:object_r:lpd_runtime_t,s0)
-/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_var_run_t,mls_systemhigh)
+/var/spool/turboprint(/.*)? gen_context(system_u:object_r:lpd_runtime_t,mls_systemhigh)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 149a30ac6..6fbc07acb 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -30,8 +30,8 @@ init_daemon_domain(lpd_t, lpd_exec_t)
 type lpd_tmp_t;
 files_tmp_file(lpd_tmp_t)
-type lpd_var_run_t;
-files_pid_file(lpd_var_run_t)
+type lpd_runtime_t alias lpd_var_run_t;
+files_pid_file(lpd_runtime_t)
 type lpr_t;
 type lpr_exec_t;
@@ -71,7 +71,7 @@ allow checkpc_t self:udp_socket create_socket_perms;
 allow checkpc_t checkpc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(checkpc_t, checkpc_log_t, file)
-allow checkpc_t lpd_var_run_t:dir search_dir_perms;
+allow checkpc_t lpd_runtime_t:dir search_dir_perms;
 rw_files_pattern(checkpc_t, print_spool_t, print_spool_t)
 delete_files_pattern(checkpc_t, print_spool_t, print_spool_t)
@@ -138,10 +138,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
 manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
 files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
-manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t)
-files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file })
+manage_dirs_pattern(lpd_t, lpd_runtime_t, lpd_runtime_t)
+manage_files_pattern(lpd_t, lpd_runtime_t, lpd_runtime_t)
+manage_sock_files_pattern(lpd_t, lpd_runtime_t, lpd_runtime_t)
+files_pid_filetrans(lpd_t, lpd_runtime_t, { dir file })
 manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
@@ -262,7 +262,7 @@ userdom_read_user_tmp_files(lpr_t)
 tunable_policy(`use_lpd_server',`
 allow lpr_t lpd_t:process signal;
- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
+ write_sock_files_pattern(lpr_t, lpd_runtime_t, lpd_runtime_t)
 files_read_var_files(lpr_t)
 stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
diff --git a/policy/modules/services/lsm.fc b/policy/modules/services/lsm.fc
index f8a447096..3fb9a4ec7 100644
--- a/policy/modules/services/lsm.fc
+++ b/policy/modules/services/lsm.fc
@@ -1,3 +1,3 @@
 /usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
+/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_runtime_t,s0)
diff --git a/policy/modules/services/lsm.if b/policy/modules/services/lsm.if
index 44910afaf..a75248b43 100644
--- a/policy/modules/services/lsm.if
+++ b/policy/modules/services/lsm.if
@@ -19,12 +19,12 @@
 #
 interface(`lsmd_admin',`
 gen_require(`
- type lsmd_t, lsmd_var_run_t;
+ type lsmd_t, lsmd_runtime_t;
 ')
 allow $1 lsmd_t:process { ptrace signal_perms };
 ps_process_pattern($1, lsmd_t)
 files_search_pids($1)
- admin_pattern($1, lsmd_var_run_t)
+ admin_pattern($1, lsmd_runtime_t)
 ')
diff --git a/policy/modules/services/lsm.te b/policy/modules/services/lsm.te
index 8e3d6df0c..83be0253b 100644
--- a/policy/modules/services/lsm.te
+++ b/policy/modules/services/lsm.te
@@ -9,8 +9,8 @@ type lsmd_t;
 type lsmd_exec_t;
 init_daemon_domain(lsmd_t, lsmd_exec_t)
-type lsmd_var_run_t;
-files_pid_file(lsmd_var_run_t)
+type lsmd_runtime_t alias lsmd_var_run_t;
+files_pid_file(lsmd_runtime_t)
 ########################################
 #
@@ -20,10 +20,10 @@ files_pid_file(lsmd_var_run_t)
 allow lsmd_t self:capability setgid;
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(lsmd_t, lsmd_runtime_t, lsmd_runtime_t)
+manage_files_pattern(lsmd_t, lsmd_runtime_t, lsmd_runtime_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_runtime_t, lsmd_runtime_t)
+manage_sock_files_pattern(lsmd_t, lsmd_runtime_t, lsmd_runtime_t)
+files_pid_filetrans(lsmd_t, lsmd_runtime_t, { dir file sock_file })
 logging_send_syslog_msg(lsmd_t)
diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
index fe7a51595..729b2aeb7 100644
--- a/policy/modules/services/mailman.fc
+++ b/policy/modules/services/mailman.fc
@@ -13,7 +13,7 @@
 /var/log/mailman.* gen_context(system_u:object_r:mailman_log_t,s0)
-/run/mailman.* gen_context(system_u:object_r:mailman_var_run_t,s0)
+/run/mailman.* gen_context(system_u:object_r:mailman_runtime_t,s0)
 /var/spool/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index ca7f7b450..d7de6e3c7 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -23,8 +23,8 @@ logging_log_file(mailman_log_t)
 type mailman_lock_t;
 files_lock_file(mailman_lock_t)
-type mailman_var_run_t;
-files_pid_file(mailman_var_run_t)
+type mailman_runtime_t alias mailman_var_run_t;
+files_pid_file(mailman_runtime_t)
 mailman_domain_template(mail)
 init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
@@ -164,9 +164,9 @@ allow mailman_mail_t mailman_queue_exec_t:file ioctl;
 can_exec(mailman_mail_t, mailman_mail_exec_t)
-manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
+manage_files_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
+manage_dirs_pattern(mailman_mail_t, mailman_runtime_t, mailman_runtime_t)
+files_pid_filetrans(mailman_mail_t, mailman_runtime_t, { file dir })
 kernel_read_system_state(mailman_mail_t)
diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc
index cc6a8f886..9e33585c0 100644
--- a/policy/modules/services/mailscanner.fc
+++ b/policy/modules/services/mailscanner.fc
@@ -10,6 +10,6 @@
 /usr/sbin/MailScanner -- gen_context(system_u:object_r:mscan_exec_t,s0)
-/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_var_run_t,s0)
+/run/MailScanner\.pid -- gen_context(system_u:object_r:mscan_runtime_t,s0)
 /var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mscan_spool_t,s0)
diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
index a684cfdb1..9c3a0bec0 100644
--- a/policy/modules/services/mailscanner.if
+++ b/policy/modules/services/mailscanner.if
@@ -41,7 +41,7 @@ interface(`mscan_manage_spool_content',`
 interface(`mscan_admin',`
 gen_require(`
 type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
- type mscan_var_run_t, mscan_spool_t;
+ type mscan_runtime_t, mscan_spool_t;
 ')
 allow $1 mscan_t:process { ptrace signal_perms };
@@ -53,7 +53,7 @@ interface(`mscan_admin',`
 admin_pattern($1, mscan_etc_t)
 files_search_pids($1)
- admin_pattern($1, mscan_var_run_t)
+ admin_pattern($1, mscan_runtime_t)
 files_search_spool($1)
 admin_pattern($1, mscan_spool_t)
diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
index 1011e3b26..e5df2e40b 100644
--- a/policy/modules/services/mailscanner.te
+++ b/policy/modules/services/mailscanner.te
@@ -21,8 +21,8 @@ files_type(mscan_spool_t)
 type mscan_tmp_t;
 files_tmp_file(mscan_tmp_t)
-type mscan_var_run_t;
-files_pid_file(mscan_var_run_t)
+type mscan_runtime_t alias mscan_var_run_t;
+files_pid_file(mscan_runtime_t)
 ########################################
 #
@@ -35,8 +35,8 @@ allow mscan_t self:fifo_file rw_fifo_file_perms;
 read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
-manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
-files_pid_filetrans(mscan_t, mscan_var_run_t, file)
+manage_files_pattern(mscan_t, mscan_runtime_t, mscan_runtime_t)
+files_pid_filetrans(mscan_t, mscan_runtime_t, file)
 manage_dirs_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
 manage_files_pattern(mscan_t, mscan_spool_t, mscan_spool_t)
diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
index 37429fd4f..ae9047461 100644
--- a/policy/modules/services/memcached.fc
+++ b/policy/modules/services/memcached.fc
@@ -2,5 +2,5 @@
 /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
-/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
-/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
+/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_runtime_t,s0)
+/run/memcached(/.*)? gen_context(system_u:object_r:memcached_runtime_t,s0)
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index 5c12b31a3..b65b3d7e2 100644
--- a/policy/modules/services/memcached.if
+++ b/policy/modules/services/memcached.if
@@ -32,11 +32,11 @@ interface(`memcached_domtrans',`
 #
 interface(`memcached_manage_pid_files',`
 gen_require(`
- type memcached_var_run_t;
+ type memcached_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
+ manage_files_pattern($1, memcached_runtime_t, memcached_runtime_t)
 ')
 ########################################
@@ -51,11 +51,11 @@ interface(`memcached_manage_pid_files',`
 #
 interface(`memcached_read_pid_files',`
 gen_require(`
- type memcached_var_run_t;
+ type memcached_runtime_t;
 ')
 files_search_pids($1)
- allow $1 memcached_var_run_t:file read_file_perms;
+ allow $1 memcached_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -71,11 +71,11 @@ interface(`memcached_read_pid_files',`
 #
 interface(`memcached_stream_connect',`
 gen_require(`
- type memcached_t, memcached_var_run_t;
+ type memcached_t, memcached_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
+ stream_connect_pattern($1, memcached_runtime_t, memcached_runtime_t, memcached_t)
 ')
 ########################################
@@ -118,7 +118,7 @@ interface(`memcached_tcp_connect',`
 #
 interface(`memcached_admin',`
 gen_require(`
- type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
+ type memcached_t, memcached_initrc_exec_t, memcached_runtime_t;
 ')
 allow $1 memcached_t:process { ptrace signal_perms };
@@ -127,5 +127,5 @@ interface(`memcached_admin',`
 init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, memcached_var_run_t)
+ admin_pattern($1, memcached_runtime_t)
 ')
diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
index c90c632fe..e1ad83294 100644
--- a/policy/modules/services/memcached.te
+++ b/policy/modules/services/memcached.te
@@ -12,8 +12,8 @@ init_daemon_domain(memcached_t, memcached_exec_t)
 type memcached_initrc_exec_t;
 init_script_file(memcached_initrc_exec_t)
-type memcached_var_run_t;
-files_pid_file(memcached_var_run_t)
+type memcached_runtime_t alias memcached_var_run_t;
+files_pid_file(memcached_runtime_t)
 ########################################
 #
@@ -28,10 +28,10 @@ allow memcached_t self:udp_socket { accept listen };
 allow memcached_t self:fifo_file rw_fifo_file_perms;
 allow memcached_t self:unix_stream_socket create_stream_socket_perms;
-manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-files_pid_filetrans(memcached_t, memcached_var_run_t, dir)
+manage_dirs_pattern(memcached_t, memcached_runtime_t, memcached_runtime_t)
+manage_files_pattern(memcached_t, memcached_runtime_t, memcached_runtime_t)
+manage_sock_files_pattern(memcached_t, memcached_runtime_t, memcached_runtime_t)
+files_pid_filetrans(memcached_t, memcached_runtime_t, dir)
 kernel_read_kernel_sysctls(memcached_t)
 kernel_read_system_state(memcached_t)
diff --git a/policy/modules/services/minidlna.fc b/policy/modules/services/minidlna.fc
index 79af2d745..82021c9d4 100644
--- a/policy/modules/services/minidlna.fc
+++ b/policy/modules/services/minidlna.fc
@@ -13,4 +13,4 @@
 /var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
 /var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
-/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
+/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_runtime_t,s0)
diff --git a/policy/modules/services/minidlna.if b/policy/modules/services/minidlna.if
index 7aa4fc997..ee33d2c94 100644
--- a/policy/modules/services/minidlna.if
+++ b/policy/modules/services/minidlna.if
@@ -19,7 +19,7 @@
 #
 interface(`minidlna_admin',`
 gen_require(`
- type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+ type minidlna_t, minidlna_runtime_t, minidlna_initrc_exec_t;
 type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
 ')
@@ -38,7 +38,7 @@ interface(`minidlna_admin',`
 admin_pattern($1, minidlna_db_t)
 files_search_pids($1)
- admin_pattern($1, minidlna_var_run_t)
+ admin_pattern($1, minidlna_runtime_t)
 ')
 ########################################
diff --git a/policy/modules/services/minidlna.te b/policy/modules/services/minidlna.te
index 2609ef284..f4b98a62c 100644
--- a/policy/modules/services/minidlna.te
+++ b/policy/modules/services/minidlna.te
@@ -28,8 +28,8 @@ init_script_file(minidlna_initrc_exec_t)
 type minidlna_log_t;
 logging_log_file(minidlna_log_t)
-type minidlna_var_run_t;
-files_pid_file(minidlna_var_run_t)
+type minidlna_runtime_t alias minidlna_var_run_t;
+files_pid_file(minidlna_runtime_t)
 ###############################################
 #
@@ -48,9 +48,9 @@ allow minidlna_t minidlna_db_t:file manage_file_perms;
 allow minidlna_t minidlna_log_t:file append_file_perms;
 create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
-allow minidlna_t minidlna_var_run_t:file manage_file_perms;
-allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+allow minidlna_t minidlna_runtime_t:file manage_file_perms;
+allow minidlna_t minidlna_runtime_t:dir rw_dir_perms;
+files_pid_filetrans(minidlna_t, minidlna_runtime_t, file)
 kernel_read_fs_sysctls(minidlna_t)
 kernel_read_system_state(minidlna_t)
diff --git a/policy/modules/services/minissdpd.fc b/policy/modules/services/minissdpd.fc
index cdad38ed2..d69c755cb 100644
--- a/policy/modules/services/minissdpd.fc
+++ b/policy/modules/services/minissdpd.fc
@@ -6,5 +6,5 @@
 /usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0)
-/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0)
-/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_runtime_t,s0)
+/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_runtime_t,s0)
diff --git a/policy/modules/services/minissdpd.if b/policy/modules/services/minissdpd.if
index d4bdf6c40..063d3abf7 100644
--- a/policy/modules/services/minissdpd.if
+++ b/policy/modules/services/minissdpd.if
@@ -39,7 +39,7 @@ interface(`minissdpd_read_config',`
 interface(`minissdpd_admin',`
 gen_require(`
 type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
- type minissdpd_var_run_t;
+ type minissdpd_runtime_t;
 ')
 allow $1 minissdpd_t:process { ptrace signal_perms };
@@ -51,5 +51,5 @@ interface(`minissdpd_admin',`
 admin_pattern($1, minissdpd_conf_t)
 files_search_pids($1)
- admin_pattern($1, minissdpd_var_run_t)
+ admin_pattern($1, minissdpd_runtime_t)
 ')
diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te
index 64179142b..c3bce5e5b 100644
--- a/policy/modules/services/minissdpd.te
+++ b/policy/modules/services/minissdpd.te
@@ -15,8 +15,8 @@ init_script_file(minissdpd_initrc_exec_t)
 type minissdpd_conf_t;
 files_config_file(minissdpd_conf_t)
-type minissdpd_var_run_t;
-files_pid_file(minissdpd_var_run_t)
+type minissdpd_runtime_t alias minissdpd_var_run_t;
+files_pid_file(minissdpd_runtime_t)
 ########################################
 #
@@ -29,9 +29,9 @@ allow minissdpd_t self:udp_socket create_socket_perms;
 allow minissdpd_t self:unix_dgram_socket create_socket_perms;
 allow minissdpd_t self:unix_stream_socket create_stream_socket_perms;
-allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
-allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
-files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+allow minissdpd_t minissdpd_runtime_t:file manage_file_perms;
+allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file })
 kernel_load_module(minissdpd_t)
 kernel_read_network_state(minissdpd_t)
diff --git a/policy/modules/services/mon.fc b/policy/modules/services/mon.fc
index 6a136c2ef..cd32798d5 100644
--- a/policy/modules/services/mon.fc
+++ b/policy/modules/services/mon.fc
@@ -1,4 +1,4 @@
-/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+/run/mon(/.*)? gen_context(system_u:object_r:mon_runtime_t,s0)
 /usr/bin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index e9fd1c9ac..8d31583f8 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -25,8 +25,8 @@ domain_type(mon_local_test_t)
 domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
 role system_r types mon_local_test_t;
-type mon_var_run_t;
-files_pid_file(mon_var_run_t)
+type mon_runtime_t alias mon_var_run_t;
+files_pid_file(mon_runtime_t)
 type mon_var_lib_t;
 files_type(mon_var_lib_t)
@@ -58,8 +58,8 @@ manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
 manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
-manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
-files_pid_filetrans(mon_t, mon_var_run_t, file)
+manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
+files_pid_filetrans(mon_t, mon_runtime_t, file)
 kernel_read_kernel_sysctls(mon_t)
 kernel_read_network_state(mon_t)
diff --git a/policy/modules/services/mongodb.fc b/policy/modules/services/mongodb.fc
index 8d8517cd7..c0753a5c2 100644
--- a/policy/modules/services/mongodb.fc
+++ b/policy/modules/services/mongodb.fc
@@ -6,4 +6,4 @@
 /var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
-/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/run/mongo.* gen_context(system_u:object_r:mongod_runtime_t,s0)
diff --git a/policy/modules/services/mongodb.if b/policy/modules/services/mongodb.if
index 9a184f2a4..a261c483e 100644
--- a/policy/modules/services/mongodb.if
+++ b/policy/modules/services/mongodb.if
@@ -20,7 +20,7 @@
 interface(`mongodb_admin',`
 gen_require(`
 type mongod_t, mongod_initrc_exec_t, mongod_log_t;
- type mongod_var_lib_t, mongod_var_run_t;
+ type mongod_var_lib_t, mongod_runtime_t;
 ')
 allow $1 mongod_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`mongodb_admin',`
 admin_pattern($1, mongod_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, mongod_var_run_t)
+ admin_pattern($1, mongod_runtime_t)
 ')
diff --git a/policy/modules/services/mongodb.te b/policy/modules/services/mongodb.te
index bf2b56f75..92fb42986 100644
--- a/policy/modules/services/mongodb.te
+++ b/policy/modules/services/mongodb.te
@@ -18,8 +18,8 @@ logging_log_file(mongod_log_t)
 type mongod_var_lib_t;
 files_type(mongod_var_lib_t)
-type mongod_var_run_t;
-files_pid_file(mongod_var_run_t)
+type mongod_runtime_t alias mongod_var_run_t;
+files_pid_file(mongod_runtime_t)
 ########################################
 #
@@ -39,9 +39,9 @@ manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
-manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
-files_pid_filetrans(mongod_t, mongod_var_run_t, dir)
+manage_dirs_pattern(mongod_t, mongod_runtime_t, mongod_runtime_t)
+manage_files_pattern(mongod_t, mongod_runtime_t, mongod_runtime_t)
+files_pid_filetrans(mongod_t, mongod_runtime_t, dir)
 kernel_read_system_state(mongod_t)
diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc
index f89b50f91..4c31a5a36 100644
--- a/policy/modules/services/monop.fc
+++ b/policy/modules/services/monop.fc
@@ -8,4 +8,4 @@
 /usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0)
-/run/monopd\.pid -- gen_context(system_u:object_r:monopd_var_run_t,s0)
+/run/monopd\.pid -- gen_context(system_u:object_r:monopd_runtime_t,s0)
diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if
index 01060047e..999afa4e6 100644
--- a/policy/modules/services/monop.if
+++ b/policy/modules/services/monop.if
@@ -20,7 +20,7 @@
 interface(`monop_admin',`
 gen_require(`
 type monopd_t, monopd_initrc_exec_t, monopd_share_t;
- type monopd_etc_t, monopd_var_run_t;
+ type monopd_etc_t, monopd_runtime_t;
 ')
 allow $1 monopd_t:process { ptrace signal_perms };
@@ -32,7 +32,7 @@ interface(`monop_admin',`
 admin_pattern($1, monopd_etc_t)
 files_search_pids($1)
- admin_pattern($1, monopd_var_run_t)
+ admin_pattern($1, monopd_runtime_t)
 files_search_usr($1)
 admin_pattern($1, monopd_share_t)
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index b27c06c34..df90d359a 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -18,8 +18,8 @@ files_config_file(monopd_etc_t)
 type monopd_share_t;
 files_type(monopd_share_t)
-type monopd_var_run_t;
-files_pid_file(monopd_var_run_t)
+type monopd_runtime_t alias monopd_var_run_t;
+files_pid_file(monopd_runtime_t)
 ########################################
 #
@@ -36,8 +36,8 @@ allow monopd_t monopd_share_t:dir list_dir_perms;
 read_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
 read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t)
-manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t)
-files_pid_filetrans(monopd_t, monopd_var_run_t, file)
+manage_files_pattern(monopd_t, monopd_runtime_t, monopd_runtime_t)
+files_pid_filetrans(monopd_t, monopd_runtime_t, file)
 kernel_read_kernel_sysctls(monopd_t)
 kernel_list_proc(monopd_t)
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index 8beeff98f..c24f24c60 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -71,7 +71,7 @@
 /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
-/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
+/run/munin.* gen_context(system_u:object_r:munin_runtime_t,s0)
 /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
 /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index cd6749943..cf50ae306 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -57,11 +57,11 @@ template(`munin_plugin_template',`
 #
 interface(`munin_stream_connect',`
 gen_require(`
- type munin_var_run_t, munin_t;
+ type munin_runtime_t, munin_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
+ stream_connect_pattern($1, munin_runtime_t, munin_runtime_t, munin_t)
 ')
 #######################################
@@ -166,7 +166,7 @@ interface(`munin_admin',`
 gen_require(`
 attribute munin_plugin_domain, munin_plugin_tmp_content;
 type munin_t, munin_etc_t, munin_tmp_t;
- type munin_log_t, munin_var_lib_t, munin_var_run_t;
+ type munin_log_t, munin_var_lib_t, munin_runtime_t;
 type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
 ')
@@ -188,7 +188,7 @@ interface(`munin_admin',`
 admin_pattern($1, { munin_var_lib_t munin_plugin_state_t })
 files_list_pids($1)
- admin_pattern($1, munin_var_run_t)
+ admin_pattern($1, munin_runtime_t)
 admin_pattern($1, httpd_munin_content_t)
 ')
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 137c82e67..0942552d7 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -30,8 +30,8 @@ files_type(munin_var_lib_t)
 type munin_plugin_state_t;
 files_type(munin_plugin_state_t)
-type munin_var_run_t alias lrrd_var_run_t;
-files_pid_file(munin_var_run_t)
+type munin_runtime_t alias munin_var_run_t;
+files_pid_file(munin_runtime_t)
 munin_plugin_template(disk)
 munin_plugin_template(mail)
@@ -120,10 +120,10 @@ manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
 read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
-manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-files_pid_filetrans(munin_t, munin_var_run_t, { dir file })
+manage_dirs_pattern(munin_t, munin_runtime_t, munin_runtime_t)
+manage_files_pattern(munin_t, munin_runtime_t, munin_runtime_t)
+manage_sock_files_pattern(munin_t, munin_runtime_t, munin_runtime_t)
+files_pid_filetrans(munin_t, munin_runtime_t, { dir file })
 can_exec(munin_t, munin_exec_t)
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 8213e53ca..e1f090fa4 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
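Review bot: The munin.te hunk at `@@ -30,8 +30,8 @@` drops an alias rather than only renaming: `-type munin_var_run_t alias lrrd_var_run_t;` becomes `+type munin_runtime_t alias munin_var_run_t;`, so the legacy `lrrd_var_run_t` name no longer resolves. Every other module in this series keeps its old `*_var_run_t` name as an alias, so an out-of-tree policy module or file-context entry that still names `lrrd_var_run_t` would presumably stop building or labelling after this commit while nothing else in the series breaks compatibility. If retiring the lrrd name is intended, it deserves a mention in the commit message; otherwise keep both names: `type munin_runtime_t alias { munin_var_run_t lrrd_var_run_t };`.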
@@ -22,14 +22,14 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
+/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
 /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
-/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
+/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
+/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
+/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
 ifdef(`distro_gentoo',`
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index af59114ab..82b5f1e23 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -97,11 +97,11 @@ interface(`mysql_tcp_connect',`
 #
 interface(`mysql_stream_connect',`
 gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_db_t;
+ type mysqld_t, mysqld_runtime_t, mysqld_db_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+ stream_connect_pattern($1, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t, mysqld_t)
 ')
 ########################################
@@ -361,11 +361,11 @@ interface(`mysql_domtrans_mysql_safe',`
 #
 interface(`mysql_read_pid_files',`
 gen_require(`
- type mysqld_var_run_t;
+ type mysqld_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ read_files_pattern($1, mysqld_runtime_t, mysqld_runtime_t)
 ')
 #####################################
@@ -381,11 +381,11 @@ interface(`mysql_read_pid_files',`
 #
 interface(`mysql_search_pid_files',`
 gen_require(`
- type mysqld_var_run_t;
+ type mysqld_runtime_t;
 ')
 files_search_pids($1)
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+ search_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t)
 ')
 ########################################
@@ -407,9 +407,9 @@ interface(`mysql_search_pid_files',`
 #
 interface(`mysql_admin',`
 gen_require(`
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
+ type mysqld_t, mysqld_runtime_t, mysqld_etc_t;
 type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
+ type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_runtime_t;
 type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
 ')
@@ -420,7 +420,7 @@ interface(`mysql_admin',`
 init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
+ admin_pattern($1, { mysqlmanagerd_runtime_t mysqld_runtime_t })
 files_search_var_lib($1)
 admin_pattern($1, mysqld_db_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index df8e78996..638c00409 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -25,9 +25,9 @@ type mysqld_safe_t;
 type mysqld_safe_exec_t;
 init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
-type mysqld_var_run_t;
-files_pid_file(mysqld_var_run_t)
-init_daemon_pid_file(mysqld_var_run_t, dir, "mysqld")
+type mysqld_runtime_t alias mysqld_var_run_t;
+files_pid_file(mysqld_runtime_t)
+init_daemon_pid_file(mysqld_runtime_t, dir, "mysqld")
 type mysqld_db_t;
 files_type(mysqld_db_t)
@@ -57,8 +57,8 @@ init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
 type mysqlmanagerd_initrc_exec_t;
 init_script_file(mysqlmanagerd_initrc_exec_t)
-type mysqlmanagerd_var_run_t;
-files_pid_file(mysqlmanagerd_var_run_t)
+type mysqlmanagerd_runtime_t alias mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_runtime_t)
 ########################################
 #
@@ -78,7 +78,7 @@ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
+filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_runtime_t, sock_file)
 allow mysqld_t mysqld_etc_t:dir list_dir_perms;
 allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
@@ -93,10 +93,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
-manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
-files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
+manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+manage_files_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+manage_sock_files_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
+files_pid_filetrans(mysqld_t, mysqld_runtime_t, { dir file sock_file })
 kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
@@ -180,8 +180,8 @@ manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
+manage_files_pattern(mysqld_safe_t, mysqld_runtime_t, mysqld_runtime_t)
+delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t)
 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -230,11 +230,11 @@ allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
-manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
-filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+manage_files_pattern(mysqlmanagerd_t, mysqld_runtime_t, mysqlmanagerd_runtime_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_runtime_t, mysqlmanagerd_runtime_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_runtime_t, mysqlmanagerd_runtime_t, { file sock_file })
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
+stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t, mysqld_t)
 kernel_read_system_state(mysqlmanagerd_t)
diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
index ee84bd7b7..8e39ecffa 100644
--- a/policy/modules/services/nagios.fc
+++ b/policy/modules/services/nagios.fc
@@ -82,7 +82,7 @@
 /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
 /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
+/run/nagios.* -- gen_context(system_u:object_r:nagios_runtime_t,s0)
+/run/nrpe.* -- gen_context(system_u:object_r:nrpe_runtime_t,s0)
 /var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 5df0af435..25a7dda5f 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -196,8 +196,8 @@ interface(`nagios_admin',`
 attribute nagios_plugin_domain;
 type nagios_t, nrpe_t, nagios_initrc_exec_t;
 type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
+ type nagios_etc_t, nrpe_etc_t, nrpe_runtime_t;
+ type nagios_spool_t, nagios_runtime_t, nagios_system_plugin_tmp_t;
 type nagios_eventhandler_plugin_tmp_t;
 ')
@@ -219,7 +219,7 @@ interface(`nagios_admin',`
 admin_pattern($1, nagios_spool_t)
 files_search_pids($1)
- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
+ admin_pattern($1, { nrpe_runtime_t nagios_runtime_t })
 files_search_var_lib($1)
 admin_pattern($1, nagios_var_lib_t)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 031c43e46..39625e8f4 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -23,8 +23,8 @@ logging_log_file(nagios_log_t)
 type nagios_tmp_t;
 files_tmp_file(nagios_tmp_t)
-type nagios_var_run_t;
-files_pid_file(nagios_var_run_t)
+type nagios_runtime_t alias nagios_var_run_t;
+files_pid_file(nagios_runtime_t)
 type nagios_spool_t;
 files_type(nagios_spool_t)
@@ -53,8 +53,8 @@ init_daemon_domain(nrpe_t, nrpe_exec_t)
 type nrpe_etc_t;
 files_config_file(nrpe_etc_t)
-type nrpe_var_run_t;
-files_pid_file(nrpe_var_run_t)
+type nrpe_runtime_t alias nrpe_var_run_t;
+files_pid_file(nrpe_runtime_t)
 ######################################
 #
@@ -106,8 +106,8 @@ manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
 manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
 files_tmp_filetrans(nagios_t, nagios_tmp_t, { dir file })
-manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
-files_pid_filetrans(nagios_t, nagios_var_run_t, file)
+manage_files_pattern(nagios_t, nagios_runtime_t, nagios_runtime_t)
+files_pid_filetrans(nagios_t, nagios_runtime_t, file)
 manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
 files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -229,8 +229,8 @@ allow nrpe_t nagios_plugin_domain:process { signal sigkill };
 read_files_pattern(nrpe_t, nagios_etc_t, nrpe_etc_t)
-manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t)
-files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
+manage_files_pattern(nrpe_t, nrpe_runtime_t, nrpe_runtime_t)
+files_pid_filetrans(nrpe_t, nrpe_runtime_t, file)
 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
index 2065c1b88..ea39f537d 100644
--- a/policy/modules/services/nessus.fc
+++ b/policy/modules/services/nessus.fc
@@ -12,4 +12,4 @@
 /var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0)
-/run/nessus.* -- gen_context(system_u:object_r:nessusd_var_run_t,s0)
+/run/nessus.* -- gen_context(system_u:object_r:nessusd_runtime_t,s0)
diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if
index 57bed0335..663523a49 100644
--- a/policy/modules/services/nessus.if
+++ b/policy/modules/services/nessus.if
@@ -20,7 +20,7 @@ interface(`nessus_admin',`
 gen_require(`
 type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t;
- type nessusd_etc_t, nessusd_log_t, nessusd_var_run_t;
+ type nessusd_etc_t, nessusd_log_t, nessusd_runtime_t;
 ')
 allow $1 nessusd_t:process { ptrace signal_perms };
@@ -35,7 +35,7 @@ interface(`nessus_admin',`
 admin_pattern($1, nessusd_etc_t)
 files_search_pids($1)
- admin_pattern($1, nessusd_var_run_t)
+ admin_pattern($1, nessusd_runtime_t)
 files_search_var_lib($1)
 admin_pattern($1, nessusd_db_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index a9eaab63c..48e8e0544 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -21,8 +21,8 @@ files_config_file(nessusd_etc_t)
 type nessusd_log_t;
 logging_log_file(nessusd_log_t)
-type nessusd_var_run_t;
-files_pid_file(nessusd_var_run_t)
+type nessusd_runtime_t alias nessud_var_run_t;
+files_pid_file(nessusd_runtime_t)
 ########################################
 #
@@ -50,8 +50,8 @@ create_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
 setattr_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
 logging_log_filetrans(nessusd_t, nessusd_log_t, file)
-manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
-files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
+manage_files_pattern(nessusd_t, nessusd_runtime_t, nessusd_runtime_t)
+files_pid_filetrans(nessusd_t, nessusd_runtime_t, file)
 kernel_read_system_state(nessusd_t)
 kernel_read_kernel_sysctls(nessusd_t)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 16b3c06f9..d37b86def 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
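Review bot: The compatibility alias in the nessus.te `@@ -21,8 +21,8 @@` hunk is misspelled: `type nessusd_runtime_t alias nessud_var_run_t;` declares an alias named `nessud_var_run_t`, not `nessusd_var_run_t`, so the old type name this commit intends to keep working is not actually preserved for nessus. Any out-of-tree or local policy module that still references `nessusd_var_run_t` would fail to resolve the type rather than transparently map to `nessusd_runtime_t`, while every other `*_runtime_t alias *_var_run_t` line in this series keeps the old name intact. The line should read `type nessusd_runtime_t alias nessusd_var_run_t;`.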
@@ -41,10 +41,10 @@
 /var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
 /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
+/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
+/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
+/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
+/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
+/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_runtime_t,s0)
 /run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 39ff8cc0e..67e0223a9 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -265,12 +265,12 @@ interface(`networkmanager_append_log_files',`
 #
 interface(`networkmanager_read_pid_files',`
 gen_require(`
- type NetworkManager_var_run_t;
+ type NetworkManager_runtime_t;
 ')
 files_search_pids($1)
- allow $1 NetworkManager_var_run_t:dir search_dir_perms;
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ allow $1 NetworkManager_runtime_t:dir search_dir_perms;
+ allow $1 NetworkManager_runtime_t:file read_file_perms;
 ')
 ####################################
@@ -286,11 +286,11 @@ interface(`networkmanager_read_pid_files',`
 #
 interface(`networkmanager_stream_connect',`
 gen_require(`
- type NetworkManager_t, NetworkManager_var_run_t;
+ type NetworkManager_t, NetworkManager_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
+ stream_connect_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t, NetworkManager_t)
 ')
 ########################################
@@ -371,7 +371,7 @@ interface(`networkmanager_admin',`
 gen_require(`
 type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
 type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
+ type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t;
 ')
 allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
@@ -390,7 +390,7 @@ interface(`networkmanager_admin',`
 allow $1 NetworkManager_var_lib_t:file map;
 files_search_pids($1)
- admin_pattern($1, NetworkManager_var_run_t)
+ admin_pattern($1, NetworkManager_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, NetworkManager_tmp_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 4dfdc23a0..5f7390adc 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -30,8 +30,8 @@ init_unit_file(NetworkManager_unit_t)
 type NetworkManager_var_lib_t;
 files_type(NetworkManager_var_lib_t)
-type NetworkManager_var_run_t;
-files_pid_file(NetworkManager_var_run_t)
+type NetworkManager_runtime_t alias NetworkManager_var_run_t;
+files_pid_file(NetworkManager_runtime_t)
 type wpa_cli_t;
 type wpa_cli_exec_t;
@@ -89,10 +89,10 @@ manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_v
 manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
-manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
+manage_dirs_pattern(NetworkManager_t, NetworkManager_runtime_t, NetworkManager_runtime_t)
+manage_files_pattern(NetworkManager_t, NetworkManager_runtime_t, NetworkManager_runtime_t)
+manage_sock_files_pattern(NetworkManager_t, NetworkManager_runtime_t, NetworkManager_runtime_t)
+files_pid_filetrans(NetworkManager_t, NetworkManager_runtime_t, { dir file sock_file })
 can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
@@ -394,8 +394,8 @@ allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
 manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
 files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file)
-list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+list_dirs_pattern(wpa_cli_t, NetworkManager_runtime_t, NetworkManager_runtime_t)
+rw_sock_files_pattern(wpa_cli_t, NetworkManager_runtime_t, NetworkManager_runtime_t)
 init_dontaudit_use_fds(wpa_cli_t)
 init_use_script_ptys(wpa_cli_t)
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
index 46f101bcc..f8ce340cc 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -24,7 +24,7 @@
 /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
-/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
-/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
-/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_runtime_t,s0)
+/run/ypbind.* -- gen_context(system_u:object_r:ypbind_runtime_t,s0)
+/run/ypserv.* -- gen_context(system_u:object_r:ypserv_runtime_t,s0)
+/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_runtime_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 66a3ba284..ef94300c2 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -225,11 +225,11 @@ interface(`nis_list_var_yp',`
 #
 interface(`nis_read_ypbind_pid',`
 gen_require(`
- type ypbind_var_run_t;
+ type ypbind_runtime_t;
 ')
 files_search_pids($1)
- allow $1 ypbind_var_run_t:file read_file_perms;
+ allow $1 ypbind_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -244,10 +244,10 @@ interface(`nis_read_ypbind_pid',`
 #
 interface(`nis_delete_ypbind_pid',`
 gen_require(`
- type ypbind_var_run_t;
+ type ypbind_runtime_t;
 ')
- allow $1 ypbind_var_run_t:file delete_file_perms;
+ allow $1 ypbind_runtime_t:file delete_file_perms;
 ')
 ########################################
@@ -348,7 +348,7 @@ interface(`nis_admin',`
 gen_require(`
 type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
 type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
- type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
+ type ypbind_runtime_t, yppasswdd_runtime_t, ypserv_runtime_t;
 type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
 ')
@@ -362,7 +362,7 @@ interface(`nis_admin',`
 admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
 files_list_pids($1)
- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
+ admin_pattern($1, { ypserv_runtime_t ypbind_runtime_t yppasswdd_runtime_t })
 files_list_etc($1)
 admin_pattern($1, ypserv_conf_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index cb1fc97a6..567f454c8 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -30,16 +30,16 @@ files_tmp_file(ypbind_tmp_t)
 type ypbind_unit_t;
 init_unit_file(ypbind_unit_t)
-type ypbind_var_run_t;
-files_pid_file(ypbind_var_run_t)
+type ypbind_runtime_t alias ypbind_var_run_t;
+files_pid_file(ypbind_runtime_t)
 type yppasswdd_t;
 type yppasswdd_exec_t;
 init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
 domain_obj_id_change_exemption(yppasswdd_t)
-type yppasswdd_var_run_t;
-files_pid_file(yppasswdd_var_run_t)
+type yppasswdd_runtime_t alias yppasswdd_var_run_t;
+files_pid_file(yppasswdd_runtime_t)
 type ypserv_t;
 type ypserv_exec_t;
@@ -51,15 +51,15 @@ files_type(ypserv_conf_t)
 type ypserv_tmp_t;
 files_tmp_file(ypserv_tmp_t)
-type ypserv_var_run_t;
-files_pid_file(ypserv_var_run_t)
+type ypserv_runtime_t alias ypserv_var_run_t;
+files_pid_file(ypserv_runtime_t)
 type ypxfr_t;
 type ypxfr_exec_t;
 init_daemon_domain(ypxfr_t, ypxfr_exec_t)
-type ypxfr_var_run_t;
-files_pid_file(ypxfr_var_run_t)
+type ypxfr_runtime_t alias ypxfr_var_run_t;
+files_pid_file(ypxfr_runtime_t)
 ########################################
 #
@@ -76,8 +76,8 @@ manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
 manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
 files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
-manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
-files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+manage_files_pattern(ypbind_t, ypbind_runtime_t, ypbind_runtime_t)
+files_pid_filetrans(ypbind_t, ypbind_runtime_t, file)
 manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
@@ -160,8 +160,8 @@ allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
 allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
 allow yppasswdd_t self:udp_socket create_socket_perms;
-manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
-files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+manage_files_pattern(yppasswdd_t, yppasswdd_runtime_t, yppasswdd_runtime_t)
+files_pid_filetrans(yppasswdd_t, yppasswdd_runtime_t, file)
 manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
 manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
@@ -253,8 +253,8 @@ manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
 manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
 files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })
-manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
-files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)
+manage_files_pattern(ypserv_t, ypserv_runtime_t, ypserv_runtime_t)
+files_pid_filetrans(ypserv_t, ypserv_runtime_t, file)
 kernel_read_kernel_sysctls(ypserv_t)
 kernel_list_proc(ypserv_t)
@@ -329,8 +329,8 @@ allow ypxfr_t ypserv_t:udp_socket { read write };
 allow ypxfr_t ypserv_conf_t:file read_file_perms;
-manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
-files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
+manage_files_pattern(ypxfr_t, ypxfr_runtime_t, ypxfr_runtime_t)
+files_pid_filetrans(ypxfr_t, ypxfr_runtime_t, file)
 corenet_all_recvfrom_unlabeled(ypxfr_t)
 corenet_all_recvfrom_netlabel(ypxfr_t)
diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc
index 4857b5b73..6d8840455 100644
--- a/policy/modules/services/nscd.fc
+++ b/policy/modules/services/nscd.fc
@@ -4,12 +4,12 @@
 /usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_runtime_t,s0)
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_runtime_t,s0)
 /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
-/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
-/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
-/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+/run/nscd(/.*)? gen_context(system_u:object_r:nscd_runtime_t,s0)
+/run/nscd\.pid -- gen_context(system_u:object_r:nscd_runtime_t,s0)
+/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_runtime_t,s0)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index d6b3687a0..8da972f8f 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -105,7 +105,7 @@ interface(`nscd_exec',`
 #
 interface(`nscd_socket_use',`
 gen_require(`
- type nscd_t, nscd_var_run_t;
+ type nscd_t, nscd_runtime_t;
 class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
 ')
@@ -117,8 +117,8 @@ interface(`nscd_socket_use',`
 dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
+ stream_connect_pattern($1, nscd_runtime_t, nscd_runtime_t, nscd_t)
+ dontaudit $1 nscd_runtime_t:file read_file_perms;
 ps_process_pattern(nscd_t, $1)
 ')
@@ -137,7 +137,7 @@ interface(`nscd_socket_use',`
 #
 interface(`nscd_shm_use',`
 gen_require(`
- type nscd_t, nscd_var_run_t;
+ type nscd_t, nscd_runtime_t;
 class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
 ')
@@ -147,11 +147,11 @@ interface(`nscd_shm_use',`
 allow $1 nscd_t:fd use;
 files_search_pids($1)
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file read_file_perms;
+ stream_connect_pattern($1, nscd_runtime_t, nscd_runtime_t, nscd_t)
+ dontaudit $1 nscd_runtime_t:file read_file_perms;
- allow $1 nscd_var_run_t:dir list_dir_perms;
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
+ allow $1 nscd_runtime_t:dir list_dir_perms;
+ allow $1 nscd_runtime_t:sock_file read_sock_file_perms;
 ')
 ########################################
@@ -185,10 +185,10 @@ interface(`nscd_use',`
 #
 interface(`nscd_dontaudit_search_pid',`
 gen_require(`
- type nscd_var_run_t;
+ type nscd_runtime_t;
 ')
- dontaudit $1 nscd_var_run_t:dir search_dir_perms;
+ dontaudit $1 nscd_runtime_t:dir search_dir_perms;
 ')
 ########################################
@@ -203,11 +203,11 @@ interface(`nscd_dontaudit_search_pid',`
 #
 interface(`nscd_read_pid',`
 gen_require(`
- type nscd_var_run_t;
+ type nscd_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+ read_files_pattern($1, nscd_runtime_t, nscd_runtime_t)
 ')
 ########################################
@@ -292,7 +292,7 @@ interface(`nscd_initrc_domtrans',`
 #
 interface(`nscd_admin',`
 gen_require(`
- type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_t, nscd_log_t, nscd_runtime_t;
 type nscd_initrc_exec_t;
 ')
@@ -305,7 +305,7 @@ interface(`nscd_admin',`
 admin_pattern($1, nscd_log_t)
 files_list_pids($1)
- admin_pattern($1, nscd_var_run_t)
+ admin_pattern($1, nscd_runtime_t)
 nscd_run($1, $2)
 ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 6a905d983..de2b009e3 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -19,9 +19,9 @@ gen_tunable(nscd_use_shm, false)
 attribute_role nscd_roles;
-type nscd_var_run_t;
-files_pid_file(nscd_var_run_t)
-init_daemon_pid_file(nscd_var_run_t, dir, "nscd")
+type nscd_runtime_t alias nscd_var_run_t;
+files_pid_file(nscd_runtime_t)
+init_daemon_pid_file(nscd_runtime_t, dir, "nscd")
 type nscd_t;
 type nscd_exec_t;
@@ -54,9 +54,9 @@ allow nscd_t self:nscd { admin getstat };
 allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(nscd_t, nscd_log_t, file)
-manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
+manage_files_pattern(nscd_t, nscd_runtime_t, nscd_runtime_t)
+manage_sock_files_pattern(nscd_t, nscd_runtime_t, nscd_runtime_t)
+files_pid_filetrans(nscd_t, nscd_runtime_t, { file sock_file })
 can_exec(nscd_t, nscd_exec_t)
diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc
index d4fc584e4..60d115094 100644
--- a/policy/modules/services/nsd.fc
+++ b/policy/modules/services/nsd.fc
@@ -18,4 +18,4 @@
 /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
 /var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
-/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
+/run/nsd\.pid -- gen_context(system_u:object_r:nsd_runtime_t,s0)
diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if
index e071bcd05..e5f4f168d 100644
--- a/policy/modules/services/nsd.if
+++ b/policy/modules/services/nsd.if
@@ -19,7 +19,7 @@
 #
 interface(`nsd_admin',`
 gen_require(`
- type nsd_t, nsd_conf_t, nsd_var_run_t;
+ type nsd_t, nsd_conf_t, nsd_runtime_t;
 type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
 ')
@@ -35,5 +35,5 @@ interface(`nsd_admin',`
 admin_pattern($1, nsd_zone_t)
 files_list_pids($1)
- admin_pattern($1, nsd_var_run_t)
+ admin_pattern($1, nsd_runtime_t)
 ')
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index dc8b6bf50..8144349bb 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -23,8 +23,8 @@ role system_r types nsd_crond_t;
 type nsd_db_t;
 files_type(nsd_db_t)
-type nsd_var_run_t;
-files_pid_file(nsd_var_run_t)
+type nsd_runtime_t alias nsd_var_run_t;
+files_pid_file(nsd_runtime_t)
 type nsd_zone_t;
 files_type(nsd_zone_t)
@@ -47,8 +47,8 @@ allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
 allow nsd_t nsd_db_t:file { manage_file_perms map };
 filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
-manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
-files_pid_filetrans(nsd_t, nsd_var_run_t, file)
+manage_files_pattern(nsd_t, nsd_runtime_t, nsd_runtime_t)
+files_pid_filetrans(nsd_t, nsd_runtime_t, file)
 allow nsd_t nsd_zone_t:file map;
 manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t)
diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc
index 89543b3e0..24d8df98d 100644
--- a/policy/modules/services/nslcd.fc
+++ b/policy/modules/services/nslcd.fc
@@ -6,4 +6,4 @@
 /usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
-/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_runtime_t,s0)
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
index b3747dab4..f70bf1b22 100644
--- a/policy/modules/services/nslcd.if
+++ b/policy/modules/services/nslcd.if
@@ -49,11 +49,11 @@ interface(`nslcd_initrc_domtrans',`
 #
 interface(`nslcd_read_pid_files',`
 gen_require(`
- type nslcd_var_run_t;
+ type nslcd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 nslcd_var_run_t:file read_file_perms;
+ allow $1 nslcd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -69,11 +69,11 @@ interface(`nslcd_read_pid_files',`
 #
 interface(`nslcd_stream_connect',`
 gen_require(`
- type nslcd_t, nslcd_var_run_t;
+ type nslcd_t, nslcd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ stream_connect_pattern($1, nslcd_runtime_t, nslcd_runtime_t, nslcd_t)
 ')
 ########################################
@@ -95,7 +95,7 @@ interface(`nslcd_stream_connect',`
 #
 interface(`nslcd_admin',`
 gen_require(`
- type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
+ type nslcd_t, nslcd_initrc_exec_t, nslcd_runtime_t;
 type nslcd_conf_t;
 ')
@@ -108,5 +108,5 @@ interface(`nslcd_admin',`
 admin_pattern($1, nslcd_conf_t)
 files_search_pids($1)
- admin_pattern($1, nslcd_var_run_t)
+ admin_pattern($1, nslcd_runtime_t)
 ')
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
index 9f30667af..e60ac7e8a 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -12,8 +12,8 @@ init_daemon_domain(nslcd_t, nslcd_exec_t)
 type nslcd_initrc_exec_t;
 init_script_file(nslcd_initrc_exec_t)
-type nslcd_var_run_t;
-files_pid_file(nslcd_var_run_t)
+type nslcd_runtime_t alias nslcd_var_run_t;
+files_pid_file(nslcd_runtime_t)
 type nslcd_conf_t;
 files_config_file(nslcd_conf_t)
@@ -29,10 +29,10 @@ allow nslcd_t self:unix_stream_socket { accept listen };
 allow nslcd_t nslcd_conf_t:file read_file_perms;
-manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
-manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
-manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
-files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+manage_dirs_pattern(nslcd_t, nslcd_runtime_t, nslcd_runtime_t)
+manage_files_pattern(nslcd_t, nslcd_runtime_t, nslcd_runtime_t)
+manage_sock_files_pattern(nslcd_t, nslcd_runtime_t, nslcd_runtime_t)
+files_pid_filetrans(nslcd_t, nslcd_runtime_t, { file dir })
 kernel_read_system_state(nslcd_t)
diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc
index 3ededdd2f..921d1930f 100644
--- a/policy/modules/services/ntop.fc
+++ b/policy/modules/services/ntop.fc
@@ -8,4 +8,4 @@
 /var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
-/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
+/run/ntop\.pid -- gen_context(system_u:object_r:ntop_runtime_t,s0)
diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if
index 60c779397..9557f338f 100644
--- a/policy/modules/services/ntop.if
+++ b/policy/modules/services/ntop.if
@@ -19,7 +19,7 @@
 #
 interface(`ntop_admin',`
 gen_require(`
- type ntop_t, ntop_etc_t, ntop_var_run_t;
+ type ntop_t, ntop_etc_t, ntop_runtime_t;
 type ntop_initrc_exec_t, ntop_var_lib_t;
 ')
@@ -35,5 +35,5 @@ interface(`ntop_admin',`
 admin_pattern($1, ntop_var_lib_t)
 files_list_pids($1)
- admin_pattern($1, ntop_var_run_t)
+ admin_pattern($1, ntop_runtime_t)
 ')
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index 178bbb1d7..8d5f93586 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -21,8 +21,8 @@ files_tmp_file(ntop_tmp_t)
 type ntop_var_lib_t;
 files_type(ntop_var_lib_t)
-type ntop_var_run_t;
-files_pid_file(ntop_var_run_t)
+type ntop_runtime_t alias ntop_var_run_t;
+files_pid_file(ntop_runtime_t)
 ########################################
 #
@@ -50,8 +50,8 @@ manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
 manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t)
 files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir } )
-manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
-files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+manage_files_pattern(ntop_t, ntop_runtime_t, ntop_runtime_t)
+files_pid_filetrans(ntop_t, ntop_runtime_t, file)
 kernel_request_load_module(ntop_t)
 kernel_read_system_state(ntop_t)
diff --git a/policy/modules/services/numad.fc b/policy/modules/services/numad.fc
index 277ad1dd0..630080cc4 100644
--- a/policy/modules/services/numad.fc
+++ b/policy/modules/services/numad.fc
@@ -4,4 +4,4 @@
 /var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
-/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
+/run/numad\.pid -- gen_context(system_u:object_r:numad_runtime_t,s0)
diff --git a/policy/modules/services/numad.if b/policy/modules/services/numad.if
index d1c6b8f3b..8f66d572f 100644
--- a/policy/modules/services/numad.if
+++ b/policy/modules/services/numad.if
@@ -20,7 +20,7 @@ interface(`numad_admin',`
 gen_require(`
 type numad_t, numad_initrc_exec_t, numad_log_t;
- type numad_var_run_t;
+ type numad_runtime_t;
 ')
 allow $1 numad_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`numad_admin',`
 admin_pattern($1, numad_log_t)
 files_search_pids($1)
- admin_pattern($1, numad_var_run_t)
+ admin_pattern($1, numad_runtime_t)
 ')
diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te
index f3d831ae5..d93f0d601 100644
--- a/policy/modules/services/numad.te
+++ b/policy/modules/services/numad.te
@@ -16,8 +16,8 @@ init_script_file(numad_initrc_exec_t)
 type numad_log_t;
 logging_log_file(numad_log_t)
-type numad_var_run_t;
-files_pid_file(numad_var_run_t)
+type numad_runtime_t alias numad_var_run_t;
+files_pid_file(numad_runtime_t)
 ########################################
 #
@@ -32,8 +32,8 @@ allow numad_t self:unix_stream_socket create_stream_socket_perms;
 allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(numad_t, numad_log_t, file)
-manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
-files_pid_filetrans(numad_t, numad_var_run_t, file)
+manage_files_pattern(numad_t, numad_runtime_t, numad_runtime_t)
+files_pid_filetrans(numad_t, numad_runtime_t, file)
 kernel_read_system_state(numad_t)
diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc
index 6dbfbde13..1aaa1ffa1 100644
--- a/policy/modules/services/nut.fc
+++ b/policy/modules/services/nut.fc
@@ -16,7 +16,7 @@
 /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
 /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
+/run/nut(/.*)? gen_context(system_u:object_r:nut_runtime_t,s0)
 /var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 /var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/policy/modules/services/nut.if b/policy/modules/services/nut.if
index 462c079ea..0ae3d78db 100644
--- a/policy/modules/services/nut.if
+++ b/policy/modules/services/nut.if
@@ -20,7 +20,7 @@ interface(`nut_admin',`
 gen_require(`
 attribute nut_domain;
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
+ type nut_initrc_exec_t, nut_runtime_t, nut_conf_t;
 ')
 allow $1 nut_domain:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`nut_admin',`
 admin_pattern($1, nut_conf_t)
 files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
+ admin_pattern($1, nut_runtime_t)
 ')
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
index 05be01952..9f79f7107 100644
--- a/policy/modules/services/nut.te
+++ b/policy/modules/services/nut.te
@@ -25,9 +25,9 @@ init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
 type nut_initrc_exec_t;
 init_script_file(nut_initrc_exec_t)
-type nut_var_run_t;
-files_pid_file(nut_var_run_t)
-init_daemon_pid_file(nut_var_run_t, dir, "nut")
+type nut_runtime_t alias nut_var_run_t;
+files_pid_file(nut_runtime_t)
+init_daemon_pid_file(nut_runtime_t, dir, "nut")
 ########################################
 #
@@ -43,9 +43,9 @@ allow nut_domain nut_conf_t:dir list_dir_perms;
 allow nut_domain nut_conf_t:file read_file_perms;
 allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+manage_files_pattern(nut_domain, nut_runtime_t, nut_runtime_t)
+manage_dirs_pattern(nut_domain, nut_runtime_t, nut_runtime_t)
+files_pid_filetrans(nut_domain, nut_runtime_t, { dir file })
 kernel_read_kernel_sysctls(nut_domain)
@@ -60,10 +60,10 @@ miscfiles_read_localization(nut_domain)
 allow nut_upsd_t self:tcp_socket { accept listen };
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
+manage_sock_files_pattern(nut_upsd_t, nut_runtime_t, nut_runtime_t)
+files_pid_filetrans(nut_upsd_t, nut_runtime_t, sock_file)
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+stream_connect_pattern(nut_upsd_t, nut_runtime_t, nut_runtime_t, nut_upsdrvctl_t)
 corenet_all_recvfrom_unlabeled(nut_upsd_t)
 corenet_all_recvfrom_netlabel(nut_upsd_t)
@@ -131,8 +131,8 @@ optional_policy(`
 allow nut_upsdrvctl_t self:fd use;
-manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
+manage_sock_files_pattern(nut_upsdrvctl_t, nut_runtime_t, nut_runtime_t)
+files_pid_filetrans(nut_upsdrvctl_t, nut_runtime_t, sock_file)
 corecmd_exec_bin(nut_upsdrvctl_t)
diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc
index 18a9af5df..4f0c1b55a 100644
--- a/policy/modules/services/nx.fc
+++ b/policy/modules/services/nx.fc
@@ -1,7 +1,7 @@
 /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
 /opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
 /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
-/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0)
+/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_runtime_t,s0)
 /usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index 6409cc4fc..2e7eb50e6 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -24,8 +24,8 @@ files_tmp_file(nx_server_tmp_t)
 type nx_server_var_lib_t;
 files_type(nx_server_var_lib_t)
-type nx_server_var_run_t;
-files_pid_file(nx_server_var_run_t)
+type nx_server_runtime_t alias nx_server_var_run_t;
+files_pid_file(nx_server_runtime_t)
 ########################################
 #
@@ -47,8 +47,8 @@ manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
 manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
 files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
-manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
-files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
+manage_files_pattern(nx_server_t, nx_server_runtime_t, nx_server_runtime_t)
+files_pid_filetrans(nx_server_t, nx_server_runtime_t, file)
 kernel_read_system_state(nx_server_t)
 kernel_read_kernel_sysctls(nx_server_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index e2b36d4f9..a44f80a7c 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -28,8 +28,8 @@ files_config_file(scannerdaemon_etc_t)
 type scannerdaemon_log_t;
 logging_log_file(scannerdaemon_log_t)
-type scannerdaemon_var_run_t;
-files_pid_file(scannerdaemon_var_run_t)
+type scannerdaemon_runtime_t alias scannerdaemon_var_run_t;
+files_pid_file(scannerdaemon_runtime_t)
 ########################################
 #
@@ -82,8 +82,8 @@ allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
 allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
 logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file)
-manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t)
-files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file)
+manage_files_pattern(scannerdaemon_t, scannerdaemon_runtime_t, scannerdaemon_runtime_t)
+files_pid_filetrans(scannerdaemon_t, scannerdaemon_runtime_t, file)
 kernel_read_system_state(scannerdaemon_t)
 kernel_read_kernel_sysctls(scannerdaemon_t)
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
index f1c819ef4..02d6c852f 100644
--- a/policy/modules/services/oddjob.fc
+++ b/policy/modules/services/oddjob.fc
@@ -8,4 +8,4 @@
 /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
 /usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_runtime_t,s0)
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index 39e2dcf5d..5cbd063a3 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -22,8 +22,8 @@ domain_obj_id_change_exemption(oddjob_mkhomedir_t)
 init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
-type oddjob_var_run_t;
-files_pid_file(oddjob_var_run_t)
+type oddjob_runtime_t alias oddjob_var_run_t;
+files_pid_file(oddjob_runtime_t)
 ifdef(`enable_mcs',`
 init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
@@ -39,9 +39,9 @@ allow oddjob_t self:process { setexec signal };
 allow oddjob_t self:fifo_file rw_fifo_file_perms;
 allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
-manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
-manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
-files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
+manage_files_pattern(oddjob_t, oddjob_runtime_t, oddjob_runtime_t)
+manage_sock_files_pattern(oddjob_t, oddjob_runtime_t, oddjob_runtime_t)
+files_pid_filetrans(oddjob_t, oddjob_runtime_t, { file sock_file })
 domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc
index 4c0236d2a..62ea64735 100644
--- a/policy/modules/services/openct.fc
+++ b/policy/modules/services/openct.fc
@@ -6,4 +6,4 @@
 /usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0)
 /usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0)
-/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0)
+/run/openct(/.*)? gen_context(system_u:object_r:openct_runtime_t,s0)
diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
index 61c3eb8bc..e4a8e6a9e 100644
--- a/policy/modules/services/openct.if
+++ b/policy/modules/services/openct.if
@@ -68,11 +68,11 @@ interface(`openct_domtrans',`
 #
 interface(`openct_read_pid_files',`
 gen_require(`
- type openct_var_run_t;
+ type openct_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, openct_var_run_t, openct_var_run_t)
+ read_files_pattern($1, openct_runtime_t, openct_runtime_t)
 ')
 ########################################
@@ -88,11 +88,11 @@ interface(`openct_read_pid_files',`
 #
 interface(`openct_stream_connect',`
 gen_require(`
- type openct_t, openct_var_run_t;
+ type openct_t, openct_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
+ stream_connect_pattern($1, openct_runtime_t, openct_runtime_t, openct_t)
 ')
 ########################################
@@ -114,7 +114,7 @@ interface(`openct_stream_connect',`
 #
 interface(`openct_admin',`
 gen_require(`
- type openct_t, openct_initrc_exec_t, openct_var_run_t;
+ type openct_t, openct_initrc_exec_t, openct_runtime_t;
 ')
 allow $1 openct_t:process { ptrace signal_perms };
@@ -123,5 +123,5 @@ interface(`openct_admin',`
 init_startstop_service($1, $2, openct_t, openct_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, openct_var_run_t)
+ admin_pattern($1, openct_runtime_t)
 ')
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
index 3f424656d..d9fd5ea1f 100644
--- a/policy/modules/services/openct.te
+++ b/policy/modules/services/openct.te
@@ -12,8 +12,8 @@ init_daemon_domain(openct_t, openct_exec_t)
 type openct_initrc_exec_t;
 init_script_file(openct_initrc_exec_t)
-type openct_var_run_t;
-files_pid_file(openct_var_run_t)
+type openct_runtime_t alias openct_var_run_t;
+files_pid_file(openct_runtime_t)
 ########################################
 #
@@ -24,10 +24,10 @@ dontaudit openct_t self:capability sys_tty_config;
 allow openct_t self:process signal_perms;
 allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
-manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
-manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
-files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+manage_dirs_pattern(openct_t, openct_runtime_t, openct_runtime_t)
+manage_files_pattern(openct_t, openct_runtime_t, openct_runtime_t)
+manage_sock_files_pattern(openct_t, openct_runtime_t, openct_runtime_t)
+files_pid_filetrans(openct_t, openct_runtime_t, { dir file sock_file })
 can_exec(openct_t, openct_exec_t)
diff --git a/policy/modules/services/openhpi.fc b/policy/modules/services/openhpi.fc
index 1ce9da3d4..29d1c245b 100644
--- a/policy/modules/services/openhpi.fc
+++ b/policy/modules/services/openhpi.fc
@@ -6,4 +6,4 @@
 /var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
-/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
+/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_runtime_t,s0)
diff --git a/policy/modules/services/openhpi.if b/policy/modules/services/openhpi.if
index ca1e226e2..434451505 100644
--- a/policy/modules/services/openhpi.if
+++ b/policy/modules/services/openhpi.if
@@ -20,7 +20,7 @@ interface(`openhpi_admin',`
 gen_require(`
 type openhpid_t, openhpid_initrc_exec_t, openhpid_var_lib_t;
- type openhpid_var_run_t;
+ type openhpid_runtime_t;
 ')
 allow $1 openhpid_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`openhpi_admin',`
 admin_pattern($1, openhpid_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, openhpid_var_run_t)
+ admin_pattern($1, openhpid_runtime_t)
 ')
diff --git a/policy/modules/services/openhpi.te b/policy/modules/services/openhpi.te
index 65b538c0b..0acbbef37 100644
--- a/policy/modules/services/openhpi.te
+++ b/policy/modules/services/openhpi.te
@@ -15,8 +15,8 @@ init_script_file(openhpid_initrc_exec_t)
 type openhpid_var_lib_t;
 files_type(openhpid_var_lib_t)
-type openhpid_var_run_t;
-files_pid_file(openhpid_var_run_t)
+type openhpid_runtime_t alias openhpid_var_run_t;
+files_pid_file(openhpid_runtime_t)
 ########################################
 #
@@ -35,8 +35,8 @@ manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
 manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
 files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
-manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
-files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+manage_files_pattern(openhpid_t, openhpid_runtime_t, openhpid_runtime_t)
+files_pid_filetrans(openhpid_t, openhpid_runtime_t, file)
 corenet_all_recvfrom_unlabeled(openhpid_t)
 corenet_all_recvfrom_netlabel(openhpid_t)
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
index 7a00b7a8f..b2ca95f03 100644
--- a/policy/modules/services/openvpn.fc
+++ b/policy/modules/services/openvpn.fc
@@ -11,5 +11,5 @@
 /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
 /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
-/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
-/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0)
+/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_runtime_t,s0)
+/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_runtime_t,s0)
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index a03c2582e..dabca5021 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -143,7 +143,7 @@ interface(`openvpn_read_config',`
 interface(`openvpn_admin',`
 gen_require(`
 type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
- type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
+ type openvpn_runtime_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
 type openvpn_status_t;
 ')
@@ -159,5 +159,5 @@ interface(`openvpn_admin',`
 admin_pattern($1, { openvpn_status_t openvpn_var_log_t })
 files_list_pids($1)
- admin_pattern($1, openvpn_var_run_t)
+ admin_pattern($1, openvpn_runtime_t)
 ')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index e9f0465a1..740c8fb50 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -46,8 +46,8 @@ files_tmp_file(openvpn_tmp_t)
 type openvpn_var_log_t;
 logging_log_file(openvpn_var_log_t)
-type openvpn_var_run_t;
-files_pid_file(openvpn_var_run_t)
+type openvpn_runtime_t alias openvpn_var_run_t;
+files_pid_file(openvpn_runtime_t)
 ########################################
 #
@@ -82,9 +82,9 @@ create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
 setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
-manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
+manage_dirs_pattern(openvpn_t, openvpn_runtime_t, openvpn_runtime_t)
+manage_files_pattern(openvpn_t, openvpn_runtime_t, openvpn_runtime_t)
+files_pid_filetrans(openvpn_t, openvpn_runtime_t, { file dir })
 can_exec(openvpn_t, openvpn_etc_t)
diff --git a/policy/modules/services/openvswitch.fc b/policy/modules/services/openvswitch.fc
index 04dabe8cb..eed22d5a8 100644
--- a/policy/modules/services/openvswitch.fc
+++ b/policy/modules/services/openvswitch.fc
@@ -9,4 +9,4 @@
 /var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
-/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
+/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_runtime_t,s0)
diff --git a/policy/modules/services/openvswitch.if b/policy/modules/services/openvswitch.if
index f0133ed3f..c2ba28603 100644
--- a/policy/modules/services/openvswitch.if
+++ b/policy/modules/services/openvswitch.if
@@ -31,11 +31,11 @@ interface(`openvswitch_domtrans',`
 #
 interface(`openvswitch_read_pid_files',`
 gen_require(`
- type openvswitch_var_run_t;
+ type openvswitch_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
+ read_files_pattern($1, openvswitch_runtime_t, openvswitch_runtime_t)
 ')
 ########################################
@@ -58,7 +58,7 @@ interface(`openvswitch_read_pid_files',`
 interface(`openvswitch_admin',`
 gen_require(`
 type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
+ type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_runtime_t;
 ')
 allow $1 openvswitch_t:process { ptrace signal_perms };
@@ -76,5 +76,5 @@ interface(`openvswitch_admin',`
 admin_pattern($1, openvswitch_log_t)
 files_search_pids($1)
- admin_pattern($1, openvswitch_var_run_t)
+ admin_pattern($1, openvswitch_runtime_t)
 ')
diff --git a/policy/modules/services/openvswitch.te b/policy/modules/services/openvswitch.te
index b9790021c..9fc8be3da 100644
--- a/policy/modules/services/openvswitch.te
+++ b/policy/modules/services/openvswitch.te
@@ -24,8 +24,8 @@ logging_log_file(openvswitch_log_t)
 type openvswitch_tmp_t;
 files_tmp_file(openvswitch_tmp_t)
-type openvswitch_var_run_t;
-files_pid_file(openvswitch_var_run_t)
+type openvswitch_runtime_t alias openvswitch_var_run_t;
+files_pid_file(openvswitch_runtime_t)
 ########################################
 #
@@ -59,11 +59,11 @@ manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
 manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
 files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
-manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
-files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
+manage_dirs_pattern(openvswitch_t, openvswitch_runtime_t, openvswitch_runtime_t)
+manage_files_pattern(openvswitch_t, openvswitch_runtime_t, openvswitch_runtime_t)
+manage_sock_files_pattern(openvswitch_t, openvswitch_runtime_t, openvswitch_runtime_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_runtime_t, openvswitch_runtime_t)
+files_pid_filetrans(openvswitch_t, openvswitch_runtime_t, { dir file lnk_file })
 can_exec(openvswitch_t, openvswitch_exec_t)
diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
index 3b398450f..0df77ee6b 100644
--- a/policy/modules/services/pacemaker.fc
+++ b/policy/modules/services/pacemaker.fc
@@ -8,4 +8,4 @@
 /var/lib/pacemaker(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 /var/lib/pengine(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
-/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_run_t,s0)
+/run/crm(/.*)? gen_context(system_u:object_r:pacemaker_runtime_t,s0)
diff --git a/policy/modules/services/pacemaker.if b/policy/modules/services/pacemaker.if
index 44d1cf636..75456402b 100644
--- a/policy/modules/services/pacemaker.if
+++ b/policy/modules/services/pacemaker.if
@@ -20,7 +20,7 @@ interface(`pacemaker_admin',`
 gen_require(`
 type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
- type pacemaker_var_run_t;
+ type pacemaker_runtime_t;
 ')
 allow $1 pacemaker_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`pacemaker_admin',`
 admin_pattern($1, pacemaker_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, pacemaker_var_run_t)
+ admin_pattern($1, pacemaker_runtime_t)
 ')
diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index a7c5c2f9e..b914dd195 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -21,8 +21,8 @@ files_tmpfs_file(pacemaker_tmpfs_t)
 type pacemaker_var_lib_t;
 files_type(pacemaker_var_lib_t)
-type pacemaker_var_run_t;
-files_pid_file(pacemaker_var_run_t)
+type pacemaker_runtime_t alias pacemaker_var_run_t;
+files_pid_file(pacemaker_runtime_t)
 ########################################
 #
@@ -46,9 +46,9 @@ manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
 manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
 files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
-manage_dirs_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
-files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
+manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
+manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
+files_pid_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_all_sysctls(pacemaker_t)
diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc
index 8a7e20b57..9df0d7ba4 100644
--- a/policy/modules/services/pads.fc
+++ b/policy/modules/services/pads.fc
@@ -7,4 +7,4 @@
 /usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t,s0)
-/run/pads\.pid -- gen_context(system_u:object_r:pads_var_run_t,s0)
+/run/pads\.pid -- gen_context(system_u:object_r:pads_runtime_t,s0)
diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if
index 4dd357452..516e9f523 100644
--- a/policy/modules/services/pads.if
+++ b/policy/modules/services/pads.if
@@ -19,7 +19,7 @@
 #
 interface(`pads_admin', `
 gen_require(`
- type pads_t, pads_config_t, pads_var_run_t;
+ type pads_t, pads_config_t, pads_runtime_t;
 type pads_initrc_exec_t;
 ')
@@ -29,7 +29,7 @@ interface(`pads_admin', `
 init_startstop_service($1, $2, pads_t, pads_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, pads_var_run_t)
+ admin_pattern($1, pads_runtime_t)
 files_search_etc($1)
 admin_pattern($1, pads_config_t)
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
index 98d22bfd0..35c3b3554 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -16,8 +16,8 @@ init_script_file(pads_initrc_exec_t)
 type pads_config_t;
 files_config_file(pads_config_t)
-type pads_var_run_t;
-files_pid_file(pads_var_run_t)
+type pads_runtime_t alias pads_var_run_t;
+files_pid_file(pads_runtime_t)
 ########################################
 #
@@ -31,8 +31,8 @@ allow pads_t self:socket create_socket_perms;
 allow pads_t pads_config_t:file manage_file_perms;
 files_etc_filetrans(pads_t, pads_config_t, file)
-allow pads_t pads_var_run_t:file manage_file_perms;
-files_pid_filetrans(pads_t, pads_var_run_t, file)
+allow pads_t pads_runtime_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_runtime_t, file)
 kernel_read_sysctl(pads_t)
 kernel_read_network_state(pads_t)
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
index 4d667ea2f..3f1579167 100644
--- a/policy/modules/services/pcscd.fc
+++ b/policy/modules/services/pcscd.fc
@@ -7,8 +7,8 @@
 # Systemd unit file
 /usr/lib/systemd/system/[^/]*pcscd.* -- gen_context(system_u:object_r:pcscd_unit_t,s0)
-/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
-/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
-/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
-/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
-/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_runtime_t,s0)
+/run/pcscd(/.*)? gen_context(system_u:object_r:pcscd_runtime_t,s0)
+/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_runtime_t,s0)
+/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_runtime_t,s0)
+/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_runtime_t,s0)
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 412c24aa4..79e2162f6 100644
--- a/policy/modules/services/pcscd.if
+++ b/policy/modules/services/pcscd.if
@@ -31,11 +31,11 @@ interface(`pcscd_domtrans',`
 #
 interface(`pcscd_read_pid_files',`
 gen_require(`
- type pcscd_var_run_t;
+ type pcscd_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
+ read_files_pattern($1, pcscd_runtime_t, pcscd_runtime_t)
 ')
 ########################################
@@ -51,11 +51,11 @@ interface(`pcscd_read_pid_files',`
 #
 interface(`pcscd_stream_connect',`
 gen_require(`
- type pcscd_t, pcscd_var_run_t;
+ type pcscd_t, pcscd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
+ stream_connect_pattern($1, pcscd_runtime_t, pcscd_runtime_t, pcscd_t)
 allow pcscd_t $1:dir list_dir_perms;
 allow pcscd_t $1:file read_file_perms;
@@ -80,7 +80,7 @@ interface(`pcscd_stream_connect',`
 #
 interface(`pcscd_admin',`
 gen_require(`
- type pcscd_t, pcscd_initrc_exec_t, pcscd_var_run_t;
+ type pcscd_t, pcscd_initrc_exec_t, pcscd_runtime_t;
 ')
 allow $1 pcscd_t:process { ptrace signal_perms };
@@ -89,5 +89,5 @@ interface(`pcscd_admin',`
 init_startstop_service($1, $2, pcscd_t, pcscd_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, pcscd_var_run_t)
+ admin_pattern($1, pcscd_runtime_t)
 ')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 247fe5c8a..53b5c7cd2 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -15,9 +15,9 @@ init_script_file(pcscd_initrc_exec_t)
 type pcscd_unit_t;
 init_unit_file(pcscd_unit_t)
-type pcscd_var_run_t;
-files_pid_file(pcscd_var_run_t)
-init_daemon_pid_file(pcscd_var_run_t, dir, "pcscd")
+type pcscd_runtime_t alias pcscd_var_run_t;
+files_pid_file(pcscd_runtime_t)
+init_daemon_pid_file(pcscd_runtime_t, dir, "pcscd")
 ########################################
 #
@@ -31,11 +31,11 @@ allow pcscd_t self:unix_stream_socket { accept listen };
 allow pcscd_t self:tcp_socket { accept listen };
 allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+manage_dirs_pattern(pcscd_t, pcscd_runtime_t, pcscd_runtime_t)
+manage_files_pattern(pcscd_t, pcscd_runtime_t, pcscd_runtime_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_runtime_t, pcscd_runtime_t)
+manage_sock_files_pattern(pcscd_t, pcscd_runtime_t, pcscd_runtime_t)
+files_pid_filetrans(pcscd_t, pcscd_runtime_t, { file sock_file dir })
 kernel_read_system_state(pcscd_t)
diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc
index 0f7fe6172..fa3a5fa95 100644
--- a/policy/modules/services/pegasus.fc
+++ b/policy/modules/services/pegasus.fc
@@ -13,6 +13,6 @@
 /var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
+/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_runtime_t,s0)
 /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if
index eadb01296..4d2134044 100644
--- a/policy/modules/services/pegasus.if
+++ b/policy/modules/services/pegasus.if
@@ -21,7 +21,7 @@ interface(`pegasus_admin',`
 gen_require(`
 type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
 type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
- type pegasus_mof_t, pegasus_var_run_t;
+ type pegasus_mof_t, pegasus_runtime_t;
 ')
 allow $1 pegasus_t:process { ptrace signal_perms };
@@ -45,5 +45,5 @@ interface(`pegasus_admin',`
 admin_pattern($1, pegasus_data_t)
 files_search_pids($1)
- admin_pattern($1, pegasus_var_run_t)
+ admin_pattern($1, pegasus_runtime_t)
 ')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 2af2dda53..16d3c9408 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -27,8 +27,8 @@ files_config_file(pegasus_conf_t)
 type pegasus_mof_t;
 files_type(pegasus_mof_t)
-type pegasus_var_run_t;
-files_pid_file(pegasus_var_run_t)
+type pegasus_runtime_t alias pegasus_var_run_t;
+files_pid_file(pegasus_runtime_t)
 ########################################
 #
@@ -64,10 +64,10 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
 files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
-manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
+manage_dirs_pattern(pegasus_t, pegasus_runtime_t, pegasus_runtime_t)
+manage_files_pattern(pegasus_t, pegasus_runtime_t, pegasus_runtime_t)
+manage_sock_files_pattern(pegasus_t, pegasus_runtime_t, pegasus_runtime_t)
+files_pid_filetrans(pegasus_t, pegasus_runtime_t, { dir file sock_file })
 can_exec(pegasus_t, pegasus_exec_t)
diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc
index f9f88dfb6..f27d17934 100644
--- a/policy/modules/services/perdition.fc
+++ b/policy/modules/services/perdition.fc
@@ -6,4 +6,4 @@
 /usr/sbin/perdition.* -- gen_context(system_u:object_r:perdition_exec_t,s0)
-/run/perdition\.pid -- gen_context(system_u:object_r:perdition_var_run_t,s0)
+/run/perdition\.pid -- gen_context(system_u:object_r:perdition_runtime_t,s0)
diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if
index 4d69d9092..c8fc5c61a 100644
--- a/policy/modules/services/perdition.if
+++ b/policy/modules/services/perdition.if
@@ -20,7 +20,7 @@ interface(`perdition_admin',`
 gen_require(`
 type perdition_t, perdition_initrc_exec_t, perdition_etc_t;
- type perdition_var_run_t;
+ type perdition_runtime_t;
 ')
 allow $1 perdition_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`perdition_admin',`
 admin_pattern($1, perdition_etc_t)
 files_search_pids($1)
- admin_pattern($1, perdition_var_run_t)
+ admin_pattern($1, perdition_runtime_t)
 ')
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 82e24cc8e..3d5d34b16 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -15,8 +15,8 @@ init_script_file(perdition_initrc_exec_t)
 type perdition_etc_t;
 files_config_file(perdition_etc_t)
-type perdition_var_run_t;
-files_pid_file(perdition_var_run_t)
+type perdition_runtime_t alias perdition_var_run_t;
+files_pid_file(perdition_runtime_t)
 ########################################
 #
@@ -32,9 +32,9 @@ allow perdition_t perdition_etc_t:dir list_dir_perms;
 allow perdition_t perdition_etc_t:file read_file_perms;
 allow perdition_t perdition_etc_t:lnk_file read_lnk_file_perms;
-manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-manage_dirs_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t)
-files_pid_filetrans(perdition_t, perdition_var_run_t, { file dir })
+manage_files_pattern(perdition_t, perdition_runtime_t, perdition_runtime_t)
+manage_dirs_pattern(perdition_t, perdition_runtime_t, perdition_runtime_t)
+files_pid_filetrans(perdition_t, perdition_runtime_t, { file dir })
 kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
diff --git a/policy/modules/services/pkcs.fc b/policy/modules/services/pkcs.fc
index 3c60dd860..2698b6383 100644
--- a/policy/modules/services/pkcs.fc
+++ b/policy/modules/services/pkcs.fc
@@ -8,4 +8,4 @@
 /var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
-/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
+/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_runtime_t,s0)
diff --git a/policy/modules/services/pkcs.if b/policy/modules/services/pkcs.if
index 9d1af4e5e..d1db8c7d2 100644
--- a/policy/modules/services/pkcs.if
+++ b/policy/modules/services/pkcs.if
@@ -20,7 +20,7 @@ interface(`pkcs_admin_slotd',`
 gen_require(`
 type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
+ type pkcs_slotd_runtime_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
 ')
 allow $1 pkcs_slotd_t:process { ptrace signal_perms };
@@ -32,7 +32,7 @@ interface(`pkcs_admin_slotd',`
 admin_pattern($1, pkcs_slotd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, pkcs_slotd_var_run_t)
+ admin_pattern($1, pkcs_slotd_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, pkcs_slotd_tmp_t)
diff --git a/policy/modules/services/pkcs.te b/policy/modules/services/pkcs.te
index 192a31b34..ccc1d68e1 100644
--- a/policy/modules/services/pkcs.te
+++ b/policy/modules/services/pkcs.te
@@ -15,8 +15,8 @@ init_script_file(pkcs_slotd_initrc_exec_t)
 type pkcs_slotd_var_lib_t;
 files_type(pkcs_slotd_var_lib_t)
-type pkcs_slotd_var_run_t;
-files_pid_file(pkcs_slotd_var_run_t)
+type pkcs_slotd_runtime_t alias pkcs_slotd_var_run_t;
+files_pid_file(pkcs_slotd_runtime_t)
 type pkcs_slotd_tmp_t;
 files_tmp_file(pkcs_slotd_tmp_t)
@@ -43,10 +43,10 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
 manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
 files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
-manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
-files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, { sock_file file dir })
+manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_runtime_t, pkcs_slotd_runtime_t)
+manage_files_pattern(pkcs_slotd_t, pkcs_slotd_runtime_t, pkcs_slotd_runtime_t)
+manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_runtime_t, pkcs_slotd_runtime_t)
+files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_runtime_t, { sock_file file dir })
 manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
index c99ccd2d7..6494e7286 100644
--- a/policy/modules/services/plymouthd.fc
+++ b/policy/modules/services/plymouthd.fc
@@ -10,6 +10,6 @@
 /var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
-/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_runtime_t,s0)
 /var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 3cc08b961..32a8722d9 100644
--- a/policy/modules/services/plymouthd.if
+++ b/policy/modules/services/plymouthd.if
@@ -243,12 +243,12 @@ interface(`plymouthd_manage_lib_files',`
 #
 interface(`plymouthd_read_pid_files',`
 gen_require(`
- type plymouthd_var_run_t;
+ type plymouthd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 plymouthd_var_run_t:dir search_dir_perms;
- allow $1 plymouthd_var_run_t:file read_file_perms;
+ allow $1 plymouthd_runtime_t:dir search_dir_perms;
+ allow $1 plymouthd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -263,11 +263,11 @@ interface(`plymouthd_read_pid_files',`
 #
 interface(`plymouthd_delete_pid_files',`
 gen_require(`
- type plymouthd_var_run_t;
+ type plymouthd_runtime_t;
 ')
 files_search_pids($1)
- delete_files_pattern($1, plymouthd_var_run_t, plymouthd_var_run_t)
+ delete_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t)
 ')
 ########################################
@@ -290,7 +290,7 @@ interface(`plymouthd_delete_pid_files',`
 interface(`plymouthd_admin',`
 gen_require(`
 type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
- type plymouthd_var_run_t;
+ type plymouthd_runtime_t;
 ')
 allow $1 plymouthd_t:process { ptrace signal_perms };
@@ -303,5 +303,5 @@ interface(`plymouthd_admin',`
 admin_pattern($1, plymouthd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, plymouthd_var_run_t)
+ admin_pattern($1, plymouthd_runtime_t)
 ')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index dcb30a203..605a5ec00 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -25,8 +25,8 @@ files_type(plymouthd_var_lib_t)
 type plymouthd_var_log_t;
 logging_log_file(plymouthd_var_log_t)
-type plymouthd_var_run_t;
-files_pid_file(plymouthd_var_run_t)
+type plymouthd_runtime_t alias plymouthd_var_run_t;
+files_pid_file(plymouthd_runtime_t)
 ########################################
 #
@@ -55,9 +55,9 @@ create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
 setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
-manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
+manage_dirs_pattern(plymouthd_t, plymouthd_runtime_t, plymouthd_runtime_t)
+manage_files_pattern(plymouthd_t, plymouthd_runtime_t, plymouthd_runtime_t)
+files_pid_filetrans(plymouthd_t, plymouthd_runtime_t, { file dir })
 kernel_read_system_state(plymouthd_t)
 kernel_request_load_module(plymouthd_t)
diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc
index 4d1171ffa..e2782838b 100644
--- a/policy/modules/services/policykit.fc
+++ b/policy/modules/services/policykit.fc
@@ -23,4 +23,4 @@
 /var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
 /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
-/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
+/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_runtime_t,s0)
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index a0ab1f456..078307750 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -40,8 +40,8 @@ init_unit_file(policykit_unit_t)
 type policykit_var_lib_t alias polkit_var_lib_t;
 files_type(policykit_var_lib_t)
-type policykit_var_run_t alias polkit_var_run_t;
-files_pid_file(policykit_var_run_t)
+type policykit_runtime_t alias policykit_var_run_t;
+files_pid_file(policykit_runtime_t)
 #######################################
 #
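Review bot: The policykit.te hunk at `@@ -40,8 +40,8 @@` silently drops the pre-existing compatibility alias `polkit_var_run_t`: the removed line `type policykit_var_run_t alias polkit_var_run_t;` is replaced by `type policykit_runtime_t alias policykit_var_run_t;`, so only the `*_var_run_t` name survives while the sibling declaration two lines above, `type policykit_var_lib_t alias polkit_var_lib_t;`, keeps its old alias. Any third-party module or file context that still names `polkit_var_run_t` will fail to resolve after this change, which is a regression the rest of this rename avoids by keeping every old name as an alias. Declaring both aliases keeps the commit's intent intact: `type policykit_runtime_t alias { policykit_var_run_t polkit_var_run_t };`. The same pattern should be checked in any other module whose old declaration already carried an alias.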
@@ -76,9 +76,9 @@ rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
-manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
-manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
-files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
+manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
+files_pid_filetrans(policykit_t, policykit_runtime_t, { file dir })
 can_exec(policykit_t, policykit_exec_t)
@@ -169,9 +169,9 @@ files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir })
 manage_files_pattern(policykit_auth_t, policykit_var_lib_t, policykit_var_lib_t)
-manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
-manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
-files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+manage_dirs_pattern(policykit_auth_t, policykit_runtime_t, policykit_runtime_t)
+manage_files_pattern(policykit_auth_t, policykit_runtime_t, policykit_runtime_t)
+files_pid_filetrans(policykit_auth_t, policykit_runtime_t, { file dir })
 can_exec(policykit_auth_t, policykit_auth_exec_t)
@@ -240,7 +240,7 @@ ps_process_pattern(policykit_grant_t, policykit_domain)
 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t)
+manage_files_pattern(policykit_grant_t, policykit_runtime_t, policykit_runtime_t)
 manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
index 1cfd0761c..6e1b4703c 100644
--- a/policy/modules/services/polipo.fc
+++ b/policy/modules/services/polipo.fc
@@ -12,4 +12,4 @@ HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,
 /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
-/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
+/run/polipo(/.*)? gen_context(system_u:object_r:polipo_runtime_t,s0)
diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
index 4b1988dec..26e48bd61 100644
--- a/policy/modules/services/polipo.if
+++ b/policy/modules/services/polipo.if
@@ -119,7 +119,7 @@ interface(`polipo_log_filetrans_log',`
 interface(`polipo_admin',`
 gen_require(`
 type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
+ type polipo_conf_t, polipo_log_t, polipo_runtime_t;
 ')
 allow $1 polipo_system_t:process { ptrace signal_perms };
@@ -137,5 +137,5 @@ interface(`polipo_admin',`
 admin_pattern($1, polipo_log_t)
 files_search_pids($1)
- admin_pattern($1, polipo_var_run_t)
+ admin_pattern($1, polipo_runtime_t)
 ')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
index 5f724161f..fbe2091a2 100644
--- a/policy/modules/services/polipo.te
+++ b/policy/modules/services/polipo.te
@@ -56,8 +56,8 @@ files_type(polipo_cache_t)
 type polipo_log_t;
 logging_log_file(polipo_log_t)
-type polipo_var_run_t;
-files_pid_file(polipo_var_run_t)
+type polipo_runtime_t alias polipo_var_run_t;
+files_pid_file(polipo_runtime_t)
 type polipo_session_t, polipo_daemon;
 userdom_user_application_domain(polipo_session_t, polipo_exec_t)
@@ -115,8 +115,8 @@ create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
 setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
 logging_log_filetrans(polipo_system_t, polipo_log_t, file)
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
+manage_files_pattern(polipo_system_t, polipo_runtime_t, polipo_runtime_t)
+files_pid_filetrans(polipo_system_t, polipo_runtime_t, file)
 auth_use_nsswitch(polipo_system_t)
diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc
index b33b5f4ed..1a98cba66 100644
--- a/policy/modules/services/portmap.fc
+++ b/policy/modules/services/portmap.fc
@@ -8,5 +8,5 @@
 /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
 /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
-/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
-/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
+/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_runtime_t,s0)
+/run/portmap_mapping -- gen_context(system_u:object_r:portmap_runtime_t,s0)
diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if
index 52208ce0a..d884fa47c 100644
--- a/policy/modules/services/portmap.if
+++ b/policy/modules/services/portmap.if
@@ -66,7 +66,7 @@ interface(`portmap_run_helper',`
 interface(`portmap_admin',`
 gen_require(`
 type portmap_t, portmap_initrc_exec_t, portmap_helper_t;
- type portmap_var_run_t, portmap_tmp_t;
+ type portmap_runtime_t, portmap_tmp_t;
 ')
 allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms };
@@ -75,7 +75,7 @@ interface(`portmap_admin',`
 init_startstop_service($1, $2, portmap_t, portmap_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, portmap_var_run_t)
+ admin_pattern($1, portmap_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, portmap_tmp_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 4620bb8c7..e84e57c27 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -22,8 +22,8 @@ init_script_file(portmap_initrc_exec_t)
 type portmap_tmp_t;
 files_tmp_file(portmap_tmp_t)
-type portmap_var_run_t;
-files_pid_file(portmap_var_run_t)
+type portmap_runtime_t alias portmap_var_run_t;
+files_pid_file(portmap_runtime_t)
 ########################################
 #
@@ -39,8 +39,8 @@ manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
 manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
 files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
-manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
-files_pid_filetrans(portmap_t, portmap_var_run_t, file)
+manage_files_pattern(portmap_t, portmap_runtime_t, portmap_runtime_t)
+files_pid_filetrans(portmap_t, portmap_runtime_t, file)
 kernel_read_system_state(portmap_t)
 kernel_read_kernel_sysctls(portmap_t)
@@ -103,8 +103,8 @@ optional_policy(`
 dontaudit portmap_helper_t self:capability net_admin;
 allow portmap_helper_t self:tcp_socket { accept listen };
-allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
-files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
+allow portmap_helper_t portmap_runtime_t:file manage_file_perms;
+files_pid_filetrans(portmap_helper_t, portmap_runtime_t, file)
 corenet_all_recvfrom_unlabeled(portmap_helper_t)
 corenet_all_recvfrom_netlabel(portmap_helper_t)
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
index d649d58dc..450230101 100644
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
@@ -6,4 +6,4 @@
 /usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
-/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
+/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_runtime_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
index 0a90afd62..0082f49e0 100644
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@@ -101,7 +101,7 @@ interface(`portreserve_initrc_domtrans',`
 #
 interface(`portreserve_admin',`
 gen_require(`
- type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
+ type portreserve_t, portreserve_etc_t, portreserve_runtime_t;
 type portreserve_initrc_exec_t;
 ')
@@ -114,5 +114,5 @@ interface(`portreserve_admin',`
 admin_pattern($1, portreserve_etc_t)
 files_list_pids($1)
- admin_pattern($1, portreserve_var_run_t)
+ admin_pattern($1, portreserve_runtime_t)
 ')
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
index 4a42d7ceb..ff45e37da 100644
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@@ -15,8 +15,8 @@ init_script_file(portreserve_initrc_exec_t)
 type portreserve_etc_t;
 files_config_file(portreserve_etc_t)
-type portreserve_var_run_t;
-files_pid_file(portreserve_var_run_t)
+type portreserve_runtime_t alias portreserve_var_run_t;
+files_pid_file(portreserve_runtime_t)
 ########################################
 #
@@ -34,10 +34,10 @@ allow portreserve_t portreserve_etc_t:dir list_dir_perms;
 allow portreserve_t portreserve_etc_t:file read_file_perms;
 allow portreserve_t portreserve_etc_t:lnk_file read_lnk_file_perms;
-manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
-manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
-manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
-files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir })
+manage_dirs_pattern(portreserve_t, portreserve_runtime_t, portreserve_runtime_t)
+manage_files_pattern(portreserve_t, portreserve_runtime_t, portreserve_runtime_t)
+manage_sock_files_pattern(portreserve_t, portreserve_runtime_t, portreserve_runtime_t)
+files_pid_filetrans(portreserve_t, portreserve_runtime_t, { file sock_file dir })
 corecmd_getattr_bin_files(portreserve_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index ecf447d60..2eb2afa97 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -63,7 +63,7 @@
 /var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
 /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_runtime_t,s0)
 /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
 /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index fa17bde44..97c745ea1 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -680,7 +680,7 @@ interface(`postfix_admin',`
 gen_require(`
 attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
 type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ type postfix_data_t, postfix_runtime_t, postfix_public_t;
 type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
 type postfix_keytab_t;
 ')
@@ -700,7 +700,7 @@ interface(`postfix_admin',`
 admin_pattern($1, postfix_data_t)
 files_search_pids($1)
- admin_pattern($1, postfix_var_run_t)
+ admin_pattern($1, postfix_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 5fbb5f1b1..fa75428e9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -94,8 +94,8 @@ files_type(postfix_spool_flush_t)
 type postfix_public_t;
 files_type(postfix_public_t)
-type postfix_var_run_t;
-files_pid_file(postfix_var_run_t)
+type postfix_runtime_t alias postfix_var_run_t;
+files_pid_file(postfix_runtime_t)
 type postfix_data_t;
 files_type(postfix_data_t)
@@ -126,8 +126,8 @@ allow postfix_domain postfix_master_t:process sigchld;
 allow postfix_domain postfix_spool_t:dir list_dir_perms;
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+manage_files_pattern(postfix_domain, postfix_runtime_t, postfix_runtime_t)
+files_pid_filetrans(postfix_domain, postfix_runtime_t, file)
 kernel_read_system_state(postfix_domain)
 kernel_read_network_state(postfix_domain)
@@ -256,9 +256,9 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
 filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
+create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_runtime_t)
+setattr_dirs_pattern(postfix_master_t, postfix_runtime_t, postfix_runtime_t)
+filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_runtime_t, dir, "pid")
 can_exec(postfix_master_t, postfix_exec_t)
diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc
index a8fb9f8c6..5adcece7b 100644
--- a/policy/modules/services/postfixpolicyd.fc
+++ b/policy/modules/services/postfixpolicyd.fc
@@ -6,4 +6,4 @@
 /usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t,s0)
-/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t,s0)
+/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_runtime_t,s0)
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
index e462ac04c..f8d1588b1 100644
--- a/policy/modules/services/postfixpolicyd.if
+++ b/policy/modules/services/postfixpolicyd.if
@@ -20,7 +20,7 @@ interface(`postfixpolicyd_admin',`
 gen_require(`
 type postfix_policyd_t, postfix_policyd_conf_t;
- type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ type postfix_policyd_runtime_t, postfix_policyd_initrc_exec_t;
 ')
 allow $1 postfix_policyd_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`postfixpolicyd_admin',`
 admin_pattern($1, postfix_policyd_conf_t)
 files_list_pids($1)
- admin_pattern($1, postfix_policyd_var_run_t)
+ admin_pattern($1, postfix_policyd_runtime_t)
 ')
diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te
index 78e565bed..25077147f 100644
--- a/policy/modules/services/postfixpolicyd.te
+++ b/policy/modules/services/postfixpolicyd.te
@@ -18,8 +18,8 @@ init_script_file(postfix_policyd_initrc_exec_t)
 type postfix_policyd_tmp_t;
 files_type(postfix_policyd_tmp_t)
-type postfix_policyd_var_run_t;
-files_pid_file(postfix_policyd_var_run_t)
+type postfix_policyd_runtime_t alias postfix_policyd_var_run_t;
+files_pid_file(postfix_policyd_runtime_t)
 ########################################
 #
@@ -34,8 +34,8 @@ allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
 allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
-manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
-files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+manage_files_pattern(postfix_policyd_t, postfix_policyd_runtime_t, postfix_policyd_runtime_t)
+files_pid_filetrans(postfix_policyd_t, postfix_policyd_runtime_t, file)
 allow postfix_policyd_t postfix_policyd_tmp_t:{ file sock_file } manage_file_perms;
 files_tmp_filetrans(postfix_policyd_t, postfix_policyd_tmp_t, { file sock_file })
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index d01346815..f31a52cf8 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -51,6 +51,6 @@ ifdef(`distro_redhat', `
 /var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
 ')
-/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_runtime_t,s0)
-/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+/run/postmaster.* gen_context(system_u:object_r:postgresql_runtime_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 32e5d0630..734dccf20 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -443,10 +443,10 @@ interface(`postgresql_tcp_connect',`
 #
 interface(`postgresql_stream_connect',`
 gen_require(`
- type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
+ type postgresql_t, postgresql_runtime_t, postgresql_tmp_t;
 ')
- stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
+ stream_connect_pattern($1, { postgresql_runtime_t postgresql_tmp_t }, { postgresql_runtime_t postgresql_tmp_t }, postgresql_t)
 files_search_pids($1)
 files_search_tmp($1)
@@ -584,7 +584,7 @@ interface(`postgresql_admin',`
 attribute sepgsql_admin_type;
 attribute sepgsql_client_type;
- type postgresql_t, postgresql_var_run_t;
+ type postgresql_t, postgresql_runtime_t;
 type postgresql_tmp_t, postgresql_db_t;
 type postgresql_etc_t, postgresql_log_t;
 type postgresql_initrc_exec_t, postgresql_unit_t;
@@ -597,7 +597,7 @@ interface(`postgresql_admin',`
 init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
- admin_pattern($1, postgresql_var_run_t)
+ admin_pattern($1, postgresql_runtime_t)
 admin_pattern($1, postgresql_db_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index df7541d1b..9eff226ab 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -64,9 +64,9 @@ files_tmp_file(postgresql_tmp_t)
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
-type postgresql_var_run_t;
-files_pid_file(postgresql_var_run_t)
-init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
+type postgresql_runtime_t alias postgresql_var_run_t;
+files_pid_file(postgresql_runtime_t)
+init_daemon_pid_file(postgresql_runtime_t, dir, "postgresql")
 # database clients attribute
 attribute sepgsql_admin_type;
@@ -299,10 +299,10 @@ manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
-manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
-files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+manage_sock_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
+files_pid_filetrans(postgresql_t, postgresql_runtime_t, { dir file })
 kernel_read_kernel_sysctls(postgresql_t)
 kernel_read_system_state(postgresql_t)
diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc
index 076987a60..3e5958d59 100644
--- a/policy/modules/services/postgrey.fc
+++ b/policy/modules/services/postgrey.fc
@@ -8,7 +8,7 @@
 /var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
-/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
-/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_runtime_t,s0)
+/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_runtime_t,s0)
 /var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if
index d63198e92..bc4ad0eef 100644
--- a/policy/modules/services/postgrey.if
+++ b/policy/modules/services/postgrey.if
@@ -13,12 +13,12 @@
 #
 interface(`postgrey_stream_connect',`
 gen_require(`
- type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ type postgrey_runtime_t, postgrey_t, postgrey_spool_t;
 ')
 files_search_pids($1)
 files_search_spool($1)
- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_runtime_t }, { postgrey_spool_t postgrey_runtime_t }, postgrey_t)
 ')
 ########################################
@@ -60,7 +60,7 @@ interface(`postgrey_search_spool',`
 interface(`postgrey_admin',`
 gen_require(`
 type postgrey_t, postgrey_etc_t, postgrey_spool_t;
- type postgrey_var_lib_t, postgrey_var_run_t;
+ type postgrey_var_lib_t, postgrey_runtime_t;
 type postgrey_initrc_exec_t;
 ')
@@ -79,5 +79,5 @@ interface(`postgrey_admin',`
 admin_pattern($1, postgrey_spool_t)
 files_list_pids($1)
- admin_pattern($1, postgrey_var_run_t)
+ admin_pattern($1, postgrey_runtime_t)
 ')
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 70aaf77eb..c263ea53b 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -21,8 +21,8 @@ files_type(postgrey_spool_t)
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
-type postgrey_var_run_t;
-files_pid_file(postgrey_var_run_t)
+type postgrey_runtime_t alias postgrey_var_run_t;
+files_pid_file(postgrey_runtime_t)
 ########################################
 #
@@ -49,10 +49,10 @@ manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
-manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
-manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
-manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t)
-files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file })
+manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
+manage_files_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
+manage_sock_files_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
+files_pid_filetrans(postgrey_t, postgrey_runtime_t, { dir file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 67de5b3e1..98b57f108 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -29,7 +29,7 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
 /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
 /var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
-/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
-/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
-/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_runtime_t,s0)
+/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_runtime_t,s0)
+/run/ppp(/.*)? gen_context(system_u:object_r:pppd_runtime_t,s0)
+/run/pptp(/.*)? gen_context(system_u:object_r:pptp_runtime_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 070e565ce..7b6c4a488 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -365,11 +365,11 @@ interface(`ppp_read_secrets',`
 #
 interface(`ppp_read_pid_files',`
 gen_require(`
- type pppd_var_run_t;
+ type pppd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
+ allow $1 pppd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -385,11 +385,11 @@ interface(`ppp_read_pid_files',`
 #
 interface(`ppp_manage_pid_files',`
 gen_require(`
- type pppd_var_run_t;
+ type pppd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 pppd_var_run_t:file manage_file_perms;
+ allow $1 pppd_runtime_t:file manage_file_perms;
 ')
 ########################################
@@ -415,10 +415,10 @@ interface(`ppp_manage_pid_files',`
 #
 interface(`ppp_pid_filetrans',`
 gen_require(`
- type pppd_var_run_t;
+ type pppd_runtime_t;
 ')
- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
+ files_pid_filetrans($1, pppd_runtime_t, $2, $3)
 ')
 ########################################
@@ -461,8 +461,8 @@ interface(`ppp_admin',`
 gen_require(`
 type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
 type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
- type pppd_var_run_t, pppd_initrc_exec_t;
- type pptp_t, pptp_log_t, pptp_var_run_t;
+ type pppd_runtime_t, pppd_initrc_exec_t;
+ type pptp_t, pptp_log_t, pptp_runtime_t;
 ')
 allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
@@ -483,5 +483,5 @@ interface(`ppp_admin',`
 admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
 files_list_pids($1)
- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
+ admin_pattern($1, { pptp_runtime_t pppd_runtime_t })
 ')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index d5c80292a..ff9322dbb 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -56,8 +56,8 @@ files_tmp_file(pppd_tmp_t)
 type pppd_unit_t;
 init_unit_file(pppd_unit_t)
-type pppd_var_run_t;
-files_pid_file(pppd_var_run_t)
+type pppd_runtime_t alias pppd_var_run_t;
+files_pid_file(pppd_runtime_t)
 type pptp_t;
 type pptp_exec_t;
@@ -67,8 +67,8 @@ role pptp_roles types pptp_t;
 type pptp_log_t;
 logging_log_file(pptp_log_t)
-type pptp_var_run_t;
-files_pid_file(pptp_var_run_t)
+type pptp_runtime_t alias pptp_var_run_t;
+files_pid_file(pptp_runtime_t)
 type ppp_home_t;
 userdom_user_home_content(ppp_home_t)
@@ -106,9 +106,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
 manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
 files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
-manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
-files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
+manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+files_pid_filetrans(pppd_t, pppd_runtime_t, { dir file })
 can_exec(pppd_t, pppd_exec_t)
@@ -245,9 +245,9 @@ allow pptp_t pppd_log_t:file append_file_perms;
 allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(pptp_t, pptp_log_t, file)
-manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
+manage_files_pattern(pptp_t, pptp_runtime_t, pptp_runtime_t)
+manage_sock_files_pattern(pptp_t, pptp_runtime_t, pptp_runtime_t)
+files_pid_filetrans(pptp_t, pptp_runtime_t, file)
 can_exec(pptp_t, pppd_etc_rw_t)
diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
index ca48c9823..28c71d2f6 100644
--- a/policy/modules/services/prelude.fc
+++ b/policy/modules/services/prelude.fc
@@ -17,8 +17,8 @@
 /var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
-/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
-/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
+/run/prelude-lml\.pid -- gen_context(system_u:object_r:prelude_lml_runtime_t,s0)
+/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_runtime_t,s0)
 /var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
 /var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index ceef90f2c..f08c9654a 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -116,9 +116,9 @@ interface(`prelude_manage_spool',`
 #
 interface(`prelude_admin',`
 gen_require(`
- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
- type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_t, prelude_spool_t, prelude_lml_runtime_t;
+ type prelude_runtime_t, prelude_var_lib_t, prelude_log_t;
+ type prelude_audisp_t, prelude_audisp_runtime_t;
 type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
 type prelude_correlator_t;
 ')
@@ -138,7 +138,7 @@ interface(`prelude_admin',`
 admin_pattern($1, prelude_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
+ admin_pattern($1, { prelude_audisp_runtime_t prelude_runtime_t prelude_lml_runtime_t })
 files_search_tmp($1)
 admin_pattern($1, prelude_lml_tmp_t)
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 187cac128..77983ec20 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -18,8 +18,8 @@ files_type(prelude_spool_t)
 type prelude_log_t;
 logging_log_file(prelude_log_t)
-type prelude_var_run_t;
-files_pid_file(prelude_var_run_t)
+type prelude_runtime_t alias prelude_var_run_t;
+files_pid_file(prelude_runtime_t)
 type prelude_var_lib_t;
 files_type(prelude_var_lib_t)
@@ -29,8 +29,8 @@ type prelude_audisp_exec_t;
 init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
 logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
-type prelude_audisp_var_run_t;
-files_pid_file(prelude_audisp_var_run_t)
+type prelude_audisp_runtime_t alias prelude_audisp_var_run_t;
+files_pid_file(prelude_audisp_runtime_t)
 type prelude_correlator_t;
 type prelude_correlator_exec_t;
@@ -46,8 +46,8 @@ init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
 type prelude_lml_tmp_t;
 files_tmp_file(prelude_lml_tmp_t)
-type prelude_lml_var_run_t;
-files_pid_file(prelude_lml_var_run_t)
+type prelude_lml_runtime_t alias prelude_lml_var_run_t;
+files_pid_file(prelude_lml_runtime_t)
 ########################################
 #
@@ -71,10 +71,10 @@ manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
 manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
 manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
-manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
-manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
-manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
-files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
+manage_dirs_pattern(prelude_t, prelude_runtime_t, prelude_runtime_t)
+manage_files_pattern(prelude_t, prelude_runtime_t, prelude_runtime_t)
+manage_sock_files_pattern(prelude_t, prelude_runtime_t, prelude_runtime_t)
+files_pid_filetrans(prelude_t, prelude_runtime_t, { dir file })
 kernel_read_system_state(prelude_t)
 kernel_read_sysctl(prelude_t)
@@ -133,8 +133,8 @@ allow prelude_audisp_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
 manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
-manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
-files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_runtime_t, prelude_audisp_runtime_t)
+files_pid_filetrans(prelude_audisp_t, prelude_audisp_runtime_t, sock_file)
 kernel_read_sysctl(prelude_audisp_t)
 kernel_read_system_state(prelude_audisp_t)
@@ -225,8 +225,8 @@ manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
 manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
 manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
-manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
-files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+manage_files_pattern(prelude_lml_t, prelude_lml_runtime_t, prelude_lml_runtime_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_runtime_t, file)
 kernel_read_system_state(prelude_lml_t)
 kernel_read_sysctl(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc
index 9feef4f7c..7a61ec9d0 100644
--- a/policy/modules/services/privoxy.fc
+++ b/policy/modules/services/privoxy.fc
@@ -8,4 +8,4 @@
 /var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
-/run/privoxy\.pid -- gen_context(system_u:object_r:privoxy_var_run_t,s0)
+/run/privoxy\.pid -- gen_context(system_u:object_r:privoxy_runtime_t,s0)
diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if
index a35e6eab7..b20f66da1 100644
--- a/policy/modules/services/privoxy.if
+++ b/policy/modules/services/privoxy.if
@@ -20,7 +20,7 @@ interface(`privoxy_admin',`
 gen_require(`
 type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
- type privoxy_etc_rw_t, privoxy_var_run_t;
+ type privoxy_etc_rw_t, privoxy_runtime_t;
 ')
 allow $1 privoxy_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`privoxy_admin',`
 admin_pattern($1, privoxy_etc_rw_t)
 files_list_pids($1)
- admin_pattern($1, privoxy_var_run_t)
+ admin_pattern($1, privoxy_runtime_t)
 ')
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 8f6b50cbf..62c79df82 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -26,8 +26,8 @@ files_type(privoxy_etc_rw_t)
 type privoxy_log_t;
 logging_log_file(privoxy_log_t)
-type privoxy_var_run_t;
-files_pid_file(privoxy_var_run_t)
+type privoxy_runtime_t alias privoxy_var_run_t;
+files_pid_file(privoxy_runtime_t)
 ########################################
 #
@@ -46,8 +46,8 @@ create_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
 setattr_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t)
 logging_log_filetrans(privoxy_t, privoxy_log_t, file)
-manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
-files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+manage_files_pattern(privoxy_t, privoxy_runtime_t, privoxy_runtime_t)
+files_pid_filetrans(privoxy_t, privoxy_runtime_t, file)
 kernel_read_kernel_sysctls(privoxy_t)
 kernel_read_network_state(privoxy_t)
diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc
index d26a15b5f..c90070397 100644
--- a/policy/modules/services/psad.fc
+++ b/policy/modules/services/psad.fc
@@ -10,4 +10,4 @@
 /var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
-/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
+/run/psad(/.*)? gen_context(system_u:object_r:psad_runtime_t,s0)
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index 6ad870342..52f4d8bae 100644
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@@ -110,11 +110,11 @@ interface(`psad_manage_config',`
 #
 interface(`psad_read_pid_files',`
 gen_require(`
- type psad_var_run_t;
+ type psad_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+ read_files_pattern($1, psad_runtime_t, psad_runtime_t)
 ')
 ########################################
@@ -129,11 +129,11 @@ interface(`psad_read_pid_files',`
 #
 interface(`psad_rw_pid_files',`
 gen_require(`
- type psad_var_run_t;
+ type psad_runtime_t;
 ')
 files_search_pids($1)
- rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+ rw_files_pattern($1, psad_runtime_t, psad_runtime_t)
 ')
 ########################################
@@ -234,7 +234,7 @@ interface(`psad_rw_tmp_files',`
 #
 interface(`psad_admin',`
 gen_require(`
- type psad_t, psad_var_run_t, psad_var_log_t;
+ type psad_t, psad_runtime_t, psad_var_log_t;
 type psad_initrc_exec_t, psad_var_lib_t;
 type psad_tmp_t, psad_etc_t;
 ')
@@ -248,7 +248,7 @@ interface(`psad_admin',`
 admin_pattern($1, psad_etc_t)
 files_search_pids($1)
- admin_pattern($1, psad_var_run_t)
+ admin_pattern($1, psad_runtime_t)
 logging_search_logs($1)
 admin_pattern($1, psad_var_log_t)
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
index a18acb8c7..f38861b0b 100644
--- a/policy/modules/services/psad.te
+++ b/policy/modules/services/psad.te
@@ -21,8 +21,8 @@ files_type(psad_var_lib_t)
 type psad_var_log_t;
 logging_log_file(psad_var_log_t)
-type psad_var_run_t;
-files_pid_file(psad_var_run_t)
+type psad_runtime_t alias psad_var_run_t;
+files_pid_file(psad_runtime_t)
 type psad_tmp_t;
 files_tmp_file(psad_tmp_t)
@@ -48,10 +48,10 @@ create_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
 setattr_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
 logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
-manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t)
-manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
-manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
-files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file })
+manage_dirs_pattern(psad_t, psad_runtime_t, psad_runtime_t)
+manage_files_pattern(psad_t, psad_runtime_t, psad_runtime_t)
+manage_sock_files_pattern(psad_t, psad_runtime_t, psad_runtime_t)
+files_pid_filetrans(psad_t, psad_runtime_t, { dir file sock_file })
 manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
 manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
diff --git a/policy/modules/services/pwauth.fc b/policy/modules/services/pwauth.fc
index bef33518f..c8416779d 100644
--- a/policy/modules/services/pwauth.fc
+++ b/policy/modules/services/pwauth.fc
@@ -1,3 +1,3 @@
 /usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
-/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
+/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_runtime_t,s0)
diff --git a/policy/modules/services/pwauth.te b/policy/modules/services/pwauth.te
index dda037399..3c2000296 100644
--- a/policy/modules/services/pwauth.te
+++ b/policy/modules/services/pwauth.te
@@ -13,8 +13,8 @@ type pwauth_exec_t;
 application_domain(pwauth_t, pwauth_exec_t)
 role pwauth_roles types pwauth_t;
-type pwauth_var_run_t;
-files_pid_file(pwauth_var_run_t)
+type pwauth_runtime_t alias pwauth_var_run_t;
+files_pid_file(pwauth_runtime_t)
 ########################################
 #
@@ -26,8 +26,8 @@ allow pwauth_t self:process setrlimit; allow pwauth_t self:fifo_file manage_fifo_file_perms; allow pwauth_t self:unix_stream_socket { accept listen }; -manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) -files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) +manage_files_pattern(pwauth_t, pwauth_runtime_t, pwauth_runtime_t) +files_pid_filetrans(pwauth_t, pwauth_runtime_t, file) domain_use_interactive_fds(pwauth_t) diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc index 56ca3ecd5..4afa973d3 100644 --- a/policy/modules/services/pxe.fc +++ b/policy/modules/services/pxe.fc @@ -6,4 +6,4 @@ /var/log/pxe\.log.* -- gen_context(system_u:object_r:pxe_log_t,s0) -/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) +/run/pxe\.pid -- gen_context(system_u:object_r:pxe_runtime_t,s0) diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if index e0068b794..2e8371e3f 100644 --- a/policy/modules/services/pxe.if +++ b/policy/modules/services/pxe.if @@ -20,7 +20,7 @@ interface(`pxe_admin',` gen_require(` type pxe_t, pxe_initrc_exec_t, pxe_log_t; - type pxe_var_run_t; + type pxe_runtime_t; ') allow $1 pxe_t:process { ptrace signal_perms }; @@ -32,5 +32,5 @@ interface(`pxe_admin',` admin_pattern($1, pxe_log_t) files_search_pids($1) - admin_pattern($1, pxe_var_run_t) + admin_pattern($1, pxe_runtime_t) ') diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te index 66b5fda46..5d80d7274 100644 --- a/policy/modules/services/pxe.te +++ b/policy/modules/services/pxe.te @@ -15,8 +15,8 @@ init_script_file(pxe_initrc_exec_t) type pxe_log_t; logging_log_file(pxe_log_t) -type pxe_var_run_t; -files_pid_file(pxe_var_run_t) +type pxe_runtime_t alias pxe_var_run_t; +files_pid_file(pxe_runtime_t) ######################################## # 
@@ -30,8 +30,8 @@ allow pxe_t self:process signal_perms; allow pxe_t pxe_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(pxe_t, pxe_log_t, file) -manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t) -files_pid_filetrans(pxe_t, pxe_var_run_t, file) +manage_files_pattern(pxe_t, pxe_runtime_t, pxe_runtime_t) +files_pid_filetrans(pxe_t, pxe_runtime_t, file) kernel_read_kernel_sysctls(pxe_t) kernel_read_system_state(pxe_t) diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc index 4dd36d1cd..756de346f 100644 --- a/policy/modules/services/pyicqt.fc +++ b/policy/modules/services/pyicqt.fc @@ -6,6 +6,6 @@ /var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0) -/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) +/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_runtime_t,s0) /var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if index 1742d8cf7..a9bdd7b19 100644 --- a/policy/modules/services/pyicqt.if +++ b/policy/modules/services/pyicqt.if @@ -20,7 +20,7 @@ interface(`pyicqt_admin',` gen_require(` type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; - type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t; + type pyicqt_runtime_t, pyicqt_initrc_exec_t, pyicqt_conf_t; ') allow $1 pyicqt_t:process { ptrace signal_perms }; @@ -38,5 +38,5 @@ interface(`pyicqt_admin',` admin_pattern($1, pyicqt_spool_t) files_search_pids($1) - admin_pattern($1, pyicqt_var_run_t) + admin_pattern($1, pyicqt_runtime_t) ') diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te index 6861a4af8..7023b9f9a 100644 --- a/policy/modules/services/pyicqt.te +++ b/policy/modules/services/pyicqt.te 
@@ -21,8 +21,8 @@ logging_log_file(pyicqt_log_t) type pyicqt_spool_t; files_type(pyicqt_spool_t) -type pyicqt_var_run_t; -files_pid_file(pyicqt_var_run_t) +type pyicqt_runtime_t alias pyicqt_var_run_t; +files_pid_file(pyicqt_runtime_t) ######################################## # @@ -44,8 +44,8 @@ manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir) -manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) -files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) +manage_files_pattern(pyicqt_t, pyicqt_runtime_t, pyicqt_runtime_t) +files_pid_filetrans(pyicqt_t, pyicqt_runtime_t, file) kernel_read_system_state(pyicqt_t) diff --git a/policy/modules/services/qpid.fc b/policy/modules/services/qpid.fc index ed8f5432a..5235a0628 100644 --- a/policy/modules/services/qpid.fc +++ b/policy/modules/services/qpid.fc @@ -6,5 +6,5 @@ /var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) -/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) -/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_var_run_t,s0) +/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_runtime_t,s0) +/run/qpidd\.pid -- gen_context(system_u:object_r:qpidd_runtime_t,s0) diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if index 531bdc39f..62942763b 100644 --- a/policy/modules/services/qpid.if +++ b/policy/modules/services/qpid.if @@ -86,11 +86,11 @@ interface(`qpidd_initrc_domtrans',` # interface(`qpidd_read_pid_files',` gen_require(` - type qpidd_var_run_t; + type qpidd_runtime_t; ') files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; + allow $1 qpidd_runtime_t:file read_file_perms; ') ######################################## 
@@ -171,7 +171,7 @@ interface(`qpidd_manage_lib_files',` interface(`qpidd_admin',` gen_require(` type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; - type qpidd_var_run_t; + type qpidd_runtime_t; ') allow $1 qpidd_t:process { ptrace signal_perms }; @@ -183,5 +183,5 @@ interface(`qpidd_admin',` admin_pattern($1, qpidd_var_lib_t) files_search_pids($1) - admin_pattern($1, qpidd_var_run_t) + admin_pattern($1, qpidd_runtime_t) ') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te index 533fbb16a..010964d85 100644 --- a/policy/modules/services/qpid.te +++ b/policy/modules/services/qpid.te @@ -18,8 +18,8 @@ files_tmpfs_file(qpidd_tmpfs_t) type qpidd_var_lib_t; files_type(qpidd_var_lib_t) -type qpidd_var_run_t; -files_pid_file(qpidd_var_run_t) +type qpidd_runtime_t alias qpidd_var_run_t; +files_pid_file(qpidd_runtime_t) ######################################## # @@ -41,9 +41,9 @@ manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) +manage_dirs_pattern(qpidd_t, qpidd_runtime_t, qpidd_runtime_t) +manage_files_pattern(qpidd_t, qpidd_runtime_t, qpidd_runtime_t) +files_pid_filetrans(qpidd_t, qpidd_runtime_t, { file dir }) kernel_read_system_state(qpidd_t) diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc index 88541bb7a..b9c898287 100644 --- a/policy/modules/services/rabbitmq.fc +++ b/policy/modules/services/rabbitmq.fc @@ -7,4 +7,4 @@ /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) -/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) +/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_runtime_t,s0) 
diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if index 854cd364d..c0114229e 100644 --- a/policy/modules/services/rabbitmq.if +++ b/policy/modules/services/rabbitmq.if @@ -41,7 +41,7 @@ interface(`rabbitmq_domtrans',` interface(`rabbitmq_admin',` gen_require(` type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t; - type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t; + type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_runtime_t; ') allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms }; @@ -56,5 +56,5 @@ interface(`rabbitmq_admin',` admin_pattern($1, rabbitmq_var_lib_t) files_search_pids($1) - admin_pattern($1, rabbitmq_var_run_t) + admin_pattern($1, rabbitmq_runtime_t) ') diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te index c4ffec100..fca999f11 100644 --- a/policy/modules/services/rabbitmq.te +++ b/policy/modules/services/rabbitmq.te @@ -22,8 +22,8 @@ files_type(rabbitmq_var_lib_t) type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -type rabbitmq_var_run_t; -files_pid_file(rabbitmq_var_run_t) +type rabbitmq_runtime_t alias rabbitmq_var_run_t; +files_pid_file(rabbitmq_runtime_t) ###################################### # @@ -42,8 +42,8 @@ append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) -manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) -manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t) +manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_runtime_t, rabbitmq_runtime_t) +manage_files_pattern(rabbitmq_beam_t, rabbitmq_runtime_t, rabbitmq_runtime_t) can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) 
diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc index 19ff8e93c..86eebcda2 100644 --- a/policy/modules/services/radius.fc +++ b/policy/modules/services/radius.fc @@ -22,5 +22,5 @@ /var/log/radutmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) /var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) -/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) -/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) +/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_runtime_t,s0) +/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_runtime_t,s0) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if index bce89c308..0d4e55326 100644 --- a/policy/modules/services/radius.if +++ b/policy/modules/services/radius.if @@ -20,7 +20,7 @@ interface(`radius_admin',` gen_require(` type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; + type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_runtime_t; type radiusd_initrc_exec_t; ') @@ -39,5 +39,5 @@ interface(`radius_admin',` admin_pattern($1, radiusd_var_lib_t) files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) + admin_pattern($1, radiusd_runtime_t) ') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index e6ff2d00f..6e596b3f7 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -24,8 +24,8 @@ logging_log_file(radiusd_log_t) type radiusd_var_lib_t; files_type(radiusd_var_lib_t) -type radiusd_var_run_t; -files_pid_file(radiusd_var_run_t) +type radiusd_runtime_t alias radiusd_var_run_t; +files_pid_file(radiusd_runtime_t) ######################################## # 
@@ -56,10 +56,10 @@ logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) -manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) +manage_sock_files_pattern(radiusd_t, radiusd_runtime_t, radiusd_runtime_t) +manage_dirs_pattern(radiusd_t, radiusd_runtime_t, radiusd_runtime_t) +manage_files_pattern(radiusd_t, radiusd_runtime_t, radiusd_runtime_t) +files_pid_filetrans(radiusd_t, radiusd_runtime_t, { file sock_file dir }) kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc index 9765e4561..02d112e6f 100644 --- a/policy/modules/services/radvd.fc +++ b/policy/modules/services/radvd.fc @@ -6,5 +6,5 @@ /usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) -/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) -/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) +/run/radvd(/.*)? gen_context(system_u:object_r:radvd_runtime_t,s0) +/run/radvd\.pid -- gen_context(system_u:object_r:radvd_runtime_t,s0) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index 38e35fe6c..4d813e147 100644 --- a/policy/modules/services/radvd.if +++ b/policy/modules/services/radvd.if @@ -20,7 +20,7 @@ interface(`radvd_admin',` gen_require(` type radvd_t, radvd_etc_t, radvd_initrc_exec_t; - type radvd_var_run_t; + type radvd_runtime_t; ') allow $1 radvd_t:process { ptrace signal_perms }; @@ -32,5 +32,5 @@ interface(`radvd_admin',` admin_pattern($1, radvd_etc_t) files_list_pids($1) - admin_pattern($1, radvd_var_run_t) + admin_pattern($1, radvd_runtime_t) ') 
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te index e06e52e6a..45301d56e 100644 --- a/policy/modules/services/radvd.te +++ b/policy/modules/services/radvd.te @@ -14,8 +14,8 @@ files_config_file(radvd_etc_t) type radvd_initrc_exec_t; init_script_file(radvd_initrc_exec_t) -type radvd_var_run_t; -files_pid_file(radvd_var_run_t) +type radvd_runtime_t alias radvd_var_run_t; +files_pid_file(radvd_runtime_t) ######################################## # @@ -31,9 +31,9 @@ allow radvd_t self:tcp_socket { accept listen }; allow radvd_t radvd_etc_t:file read_file_perms; -manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) -files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file }) +manage_dirs_pattern(radvd_t, radvd_runtime_t, radvd_runtime_t) +manage_files_pattern(radvd_t, radvd_runtime_t, radvd_runtime_t) +files_pid_filetrans(radvd_t, radvd_runtime_t, { dir file }) kernel_read_kernel_sysctls(radvd_t) kernel_rw_net_sysctls(radvd_t) diff --git a/policy/modules/services/redis.fc b/policy/modules/services/redis.fc index 74443abdd..ebde88a98 100644 --- a/policy/modules/services/redis.fc +++ b/policy/modules/services/redis.fc @@ -10,4 +10,4 @@ /var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) -/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +/run/redis(/.*)? gen_context(system_u:object_r:redis_runtime_t,s0) diff --git a/policy/modules/services/redis.if b/policy/modules/services/redis.if index 276309a98..1e79f22e5 100644 --- a/policy/modules/services/redis.if +++ b/policy/modules/services/redis.if @@ -20,7 +20,7 @@ interface(`redis_admin',` gen_require(` type redis_t, redis_initrc_exec_t, redis_var_lib_t; - type redis_log_t, redis_var_run_t, redis_conf_t; + type redis_log_t, redis_runtime_t, redis_conf_t; ') allow $1 redis_t:process { ptrace signal_perms }; 
@@ -38,5 +38,5 @@ interface(`redis_admin',` admin_pattern($1, redis_var_lib_t) files_search_pids($1) - admin_pattern($1, redis_var_run_t) + admin_pattern($1, redis_runtime_t) ') diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te index b7fef401d..f139e1c42 100644 --- a/policy/modules/services/redis.te +++ b/policy/modules/services/redis.te @@ -18,8 +18,8 @@ logging_log_file(redis_log_t) type redis_var_lib_t; files_type(redis_var_lib_t) -type redis_var_run_t; -files_pid_file(redis_var_run_t) +type redis_runtime_t alias redis_var_run_t; +files_pid_file(redis_runtime_t) type redis_conf_t; files_config_file(redis_conf_t) @@ -46,9 +46,9 @@ manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) files_search_var_lib(redis_t) -manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) -manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) -manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_dirs_pattern(redis_t, redis_runtime_t, redis_runtime_t) +manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) +manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) kernel_read_system_state(redis_t) diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc index c5b467dc8..a100678f2 100644 --- a/policy/modules/services/resmgr.fc +++ b/policy/modules/services/resmgr.fc @@ -6,5 +6,5 @@ /usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) -/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) -/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) +/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_runtime_t,s0) +/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_runtime_t,s0) diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if index a40693442..31f53ebca 100644 
--- a/policy/modules/services/resmgr.if +++ b/policy/modules/services/resmgr.if @@ -13,11 +13,11 @@ # interface(`resmgr_stream_connect',` gen_require(` - type resmgrd_var_run_t, resmgrd_t; + type resmgrd_runtime_t, resmgrd_t; ') files_search_pids($1) - stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) + stream_connect_pattern($1, resmgrd_runtime_t, resmgrd_runtime_t, resmgrd_t) ') ######################################## @@ -39,7 +39,7 @@ interface(`resmgr_stream_connect',` # interface(`resmgr_admin',` gen_require(` - type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_var_run_t; + type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_runtime_t; type resmgrd_etc_t; ') @@ -52,5 +52,5 @@ interface(`resmgr_admin',` admin_pattern($1, resmgrd_etc_t) files_search_pids($1) - admin_pattern($1, resmgrd_var_run_t) + admin_pattern($1, resmgrd_runtime_t) ') diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te index d3a7890f0..579300ead 100644 --- a/policy/modules/services/resmgr.te +++ b/policy/modules/services/resmgr.te @@ -15,8 +15,8 @@ init_script_file(resmgrd_initrc_exec_t) type resmgrd_etc_t; files_config_file(resmgrd_etc_t) -type resmgrd_var_run_t; -files_pid_file(resmgrd_var_run_t) +type resmgrd_runtime_t alias resmgrd_var_run_t; +files_pid_file(resmgrd_runtime_t) ######################################## # @@ -29,9 +29,9 @@ allow resmgrd_t self:process signal_perms; allow resmgrd_t resmgrd_etc_t:file read_file_perms; -allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; -allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file }) +allow resmgrd_t resmgrd_runtime_t:file manage_file_perms; +allow resmgrd_t resmgrd_runtime_t:sock_file manage_sock_file_perms; +files_pid_filetrans(resmgrd_t, resmgrd_runtime_t, { file sock_file }) kernel_list_proc(resmgrd_t) kernel_read_proc_symlinks(resmgrd_t) 
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc index 0e0644444..b43ee0469 100644 --- a/policy/modules/services/rgmanager.fc +++ b/policy/modules/services/rgmanager.fc @@ -10,6 +10,6 @@ /var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) -/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_runtime_t,s0) -/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_runtime_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if index 943b0b875..0ddc17c54 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -32,11 +32,11 @@ interface(`rgmanager_domtrans',` # interface(`rgmanager_stream_connect',` gen_require(` - type rgmanager_t, rgmanager_var_run_t; + type rgmanager_t, rgmanager_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) + stream_connect_pattern($1, rgmanager_runtime_t, rgmanager_runtime_t, rgmanager_t) ') ###################################### @@ -99,7 +99,7 @@ interface(`rgmanager_manage_tmpfs_files',` interface(`rgmanager_admin',` gen_require(` type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_runtime_t; ') allow $1 rgmanager_t:process { ptrace signal_perms }; @@ -116,5 +116,5 @@ interface(`rgmanager_admin',` admin_pattern($1, rgmanager_var_log_t) files_list_pids($1) - admin_pattern($1, rgmanager_var_run_t) + admin_pattern($1, rgmanager_runtime_t) ') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te index 2329f8e39..ba83fc8bc 100644 --- a/policy/modules/services/rgmanager.te 
+++ b/policy/modules/services/rgmanager.te @@ -29,8 +29,8 @@ files_tmpfs_file(rgmanager_tmpfs_t) type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) -type rgmanager_var_run_t; -files_pid_file(rgmanager_var_run_t) +type rgmanager_runtime_t alias rgmanager_var_run_t; +files_pid_file(rgmanager_runtime_t) ######################################## # @@ -54,9 +54,9 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file) -manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) +manage_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t) +manage_sock_files_pattern(rgmanager_t, rgmanager_runtime_t, rgmanager_runtime_t) +files_pid_filetrans(rgmanager_t, rgmanager_runtime_t, { file sock_file }) kernel_read_kernel_sysctls(rgmanager_t) kernel_read_system_state(rgmanager_t) diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc index 90d0c0de5..d03725abe 100644 --- a/policy/modules/services/rhcs.fc +++ b/policy/modules/services/rhcs.fc 
@@ -30,11 +30,11 @@
 /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
 /var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
-/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_runtime_t,s0)
+/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_runtime_t,s0)
+/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
+/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_runtime_t,s0)
+/run/fenced\.pid -- gen_context(system_u:object_r:fenced_runtime_t,s0)
+/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_runtime_t,s0)
+/run/groupd\.pid -- gen_context(system_u:object_r:groupd_runtime_t,s0)
+/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_runtime_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index 776c57017..9f0f5d744 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -31,8 +31,8 @@ template(`rhcs_domain_template',`
 type $1_var_log_t, cluster_log;
 logging_log_file($1_var_log_t)
- type $1_var_run_t, cluster_pid;
- files_pid_file($1_var_run_t)
+ type $1_runtime_t alias $1_var_run_t, cluster_pid;
+ files_pid_file($1_runtime_t)
 ##############################
 #
@@ -50,11 +50,11 @@ template(`rhcs_domain_template',` manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) + manage_dirs_pattern($1_t, $1_runtime_t, $1_runtime_t) + manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t) + manage_fifo_files_pattern($1_t, $1_runtime_t, $1_runtime_t) + manage_sock_files_pattern($1_t, $1_runtime_t, $1_runtime_t) + files_pid_filetrans($1_t, $1_runtime_t, { dir file sock_file fifo_file }) optional_policy(` dbus_system_bus_client($1_t) @@ -113,11 +113,11 @@ interface(`rhcs_getattr_fenced_exec_files',` # interface(`rhcs_stream_connect_dlm_controld',` gen_require(` - type dlm_controld_t, dlm_controld_var_run_t; + type dlm_controld_t, dlm_controld_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) + stream_connect_pattern($1, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t) ') ##################################### @@ -214,11 +214,11 @@ interface(`rhcs_stream_connect_cluster',` # interface(`rhcs_stream_connect_fenced',` gen_require(` - type fenced_var_run_t, fenced_t; + type fenced_runtime_t, fenced_t; ') files_search_pids($1) - stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) + stream_connect_pattern($1, fenced_runtime_t, fenced_runtime_t, fenced_t) ') ##################################### 
@@ -296,11 +296,11 @@ interface(`rhcs_rw_gfs_controld_shm',`
#
interface(`rhcs_stream_connect_gfs_controld',`
gen_require(`
-type gfs_controld_t, gfs_controld_var_run_t;
+type gfs_controld_t, gfs_controld_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+stream_connect_pattern($1, gfs_controld_runtime_t, gfs_controld_runtime_t, gfs_controld_t)
')

######################################
@@ -335,11 +335,11 @@ interface(`rhcs_domtrans_groupd',`
#
interface(`rhcs_stream_connect_groupd',`
gen_require(`
-type groupd_t, groupd_var_run_t;
+type groupd_t, groupd_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+stream_connect_pattern($1, groupd_runtime_t, groupd_runtime_t, groupd_t)
')

########################################
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index c0a7c3d54..c1feeb656 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -82,8 +82,8 @@ optional_policy(`
allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

-stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+stream_connect_pattern(dlm_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)

kernel_read_system_state(dlm_controld_t)
kernel_rw_net_sysctls(dlm_controld_t)
@@ -116,7 +116,7 @@ manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })

-stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+stream_connect_pattern(fenced_t, groupd_runtime_t, groupd_runtime_t, groupd_t)

can_exec(fenced_t, fenced_exec_t)

@@ -243,9 +243,9 @@ allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

-stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
-stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+stream_connect_pattern(gfs_controld_t, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_runtime_t, fenced_runtime_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_runtime_t, groupd_runtime_t, groupd_t)

kernel_read_system_state(gfs_controld_t)

diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
index 95b6bc5ce..866ea574b 100644
--- a/policy/modules/services/rhsmcertd.fc
+++ b/policy/modules/services/rhsmcertd.fc
@@ -8,4 +8,4 @@
/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)

-/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
+/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_runtime_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
index 7bdee3cbb..bc630cdda 100644
--- a/policy/modules/services/rhsmcertd.if
+++ b/policy/modules/services/rhsmcertd.if
@@ -189,11 +189,11 @@ interface(`rhsmcertd_manage_lib_dirs',`
#
interface(`rhsmcertd_read_pid_files',`
gen_require(`
-type rhsmcertd_var_run_t;
+type rhsmcertd_runtime_t;
')

files_search_pids($1)
-allow $1 rhsmcertd_var_run_t:file read_file_perms;
+allow $1 rhsmcertd_runtime_t:file read_file_perms;
')

####################################
@@ -209,11 +209,11 @@ interface(`rhsmcertd_read_pid_files',`
#
interface(`rhsmcertd_stream_connect',`
gen_require(`
-type rhsmcertd_t, rhsmcertd_var_run_t;
+type rhsmcertd_t, rhsmcertd_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+stream_connect_pattern($1, rhsmcertd_runtime_t, rhsmcertd_runtime_t, rhsmcertd_t)
')

#######################################
@@ -279,7 +279,7 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
interface(`rhsmcertd_admin',`
gen_require(`
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
-type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
+type rhsmcertd_var_lib_t, rhsmcertd_runtime_t, rhsmcertd_lock_t;
')

allow $1 rhsmcertd_t:process { ptrace signal_perms };
@@ -294,7 +294,7 @@ interface(`rhsmcertd_admin',`
admin_pattern($1, rhsmcertd_var_lib_t)

files_search_pids($1)
-admin_pattern($1, rhsmcertd_var_run_t)
+admin_pattern($1, rhsmcertd_runtime_t)

files_search_locks($1)
admin_pattern($1, rhsmcertd_lock_t)
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
index 4419243e5..dc9f4d89a 100644
--- a/policy/modules/services/rhsmcertd.te
+++ b/policy/modules/services/rhsmcertd.te
@@ -21,8 +21,8 @@ files_lock_file(rhsmcertd_lock_t)
type rhsmcertd_var_lib_t;
files_type(rhsmcertd_var_lib_t)

-type rhsmcertd_var_run_t;
-files_pid_file(rhsmcertd_var_run_t)
+type rhsmcertd_runtime_t alias rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_runtime_t)

########################################
#
@@ -45,9 +45,9 @@ files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)

-manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_runtime_t, rhsmcertd_runtime_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_runtime_t, rhsmcertd_runtime_t)
+files_pid_filetrans(rhsmcertd_t, rhsmcertd_runtime_t, { file dir })

kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index b7918a936..1cdd4bdc2 100644
--- a/policy/modules/services/ricci.fc
+++ b/policy/modules/services/ricci.fc
@@ -16,6 +16,6 @@
/var/log/clumond\.log.* -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0)

-/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
-/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0)
-/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0)
+/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
+/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_runtime_t,s0)
+/run/ricci\.pid -- gen_context(system_u:object_r:ricci_runtime_t,s0)
diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if
index 086f434a0..ee0608c8a 100644
--- a/policy/modules/services/ricci.if
+++ b/policy/modules/services/ricci.if
@@ -90,11 +90,11 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
#
interface(`ricci_stream_connect_modclusterd',`
gen_require(`
-type ricci_modclusterd_t, ricci_modcluster_var_run_t;
+type ricci_modclusterd_t, ricci_modcluster_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
+stream_connect_pattern($1, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t, ricci_modclusterd_t)
')

########################################
@@ -197,7 +197,7 @@ interface(`ricci_domtrans_modstorage',`
interface(`ricci_admin',`
gen_require(`
type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
-type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+type ricci_var_lib_t, ricci_var_log_t, ricci_runtime_t;
')

allow $1 ricci_t:process { ptrace signal_perms };
@@ -215,5 +215,5 @@ interface(`ricci_admin',`
admin_pattern($1, ricci_var_log_t)

files_list_pids($1)
-admin_pattern($1, ricci_var_run_t)
+admin_pattern($1, ricci_runtime_t)
')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index d808ab663..6a30486c2 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -21,8 +21,8 @@ files_type(ricci_var_lib_t)
type ricci_var_log_t;
logging_log_file(ricci_var_log_t)

-type ricci_var_run_t;
-files_pid_file(ricci_var_run_t)
+type ricci_runtime_t alias ricci_var_run_t;
+files_pid_file(ricci_runtime_t)

type ricci_modcluster_t;
type ricci_modcluster_exec_t;
@@ -36,8 +36,8 @@ files_type(ricci_modcluster_var_lib_t)
type ricci_modcluster_var_log_t;
logging_log_file(ricci_modcluster_var_log_t)

-type ricci_modcluster_var_run_t;
-files_pid_file(ricci_modcluster_var_run_t)
+type ricci_modcluster_runtime_t alias ricci_modcluster_var_run_t;
+files_pid_file(ricci_modcluster_runtime_t)

type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
@@ -106,9 +106,9 @@ setattr_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })

-manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
-manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
-files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
+manage_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
+manage_sock_files_pattern(ricci_t, ricci_runtime_t, ricci_runtime_t)
+files_pid_filetrans(ricci_t, ricci_runtime_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_t)
kernel_read_system_state(ricci_t)
@@ -300,9 +300,9 @@ setattr_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_mod
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })

-manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
-manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
-files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
+manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t)
+files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_runtime_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index 0348564d9..c3da71b81 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -23,8 +23,8 @@ files_type(rlogind_keytab_t)
type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t)

-type rlogind_var_run_t;
-files_pid_file(rlogind_var_run_t)
+type rlogind_runtime_t alias rlogind_var_run_t;
+files_pid_file(rlogind_runtime_t)

########################################
#
@@ -47,8 +47,8 @@ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })

-manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
-files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
+manage_files_pattern(rlogind_t, rlogind_runtime_t, rlogind_runtime_t)
+files_pid_filetrans(rlogind_t, rlogind_runtime_t, file)

can_exec(rlogind_t, rlogind_exec_t)

diff --git a/policy/modules/services/rngd.fc b/policy/modules/services/rngd.fc
index c49ab4ac8..382c067f9 100644
--- a/policy/modules/services/rngd.fc
+++ b/policy/modules/services/rngd.fc
@@ -4,4 +4,4 @@
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)

-/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
+/run/rngd\.pid -- gen_context(system_u:object_r:rngd_runtime_t,s0)
diff --git a/policy/modules/services/rngd.if b/policy/modules/services/rngd.if
index 7b26dc322..9b8bad065 100644
--- a/policy/modules/services/rngd.if
+++ b/policy/modules/services/rngd.if
@@ -19,7 +19,7 @@
#
interface(`rngd_admin',`
gen_require(`
-type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
+type rngd_t, rngd_initrc_exec_t, rngd_runtime_t;
')

allow $1 rngd_t:process { ptrace signal_perms };
@@ -28,5 +28,5 @@ interface(`rngd_admin',`
init_startstop_service($1, $2, rngd_t, rngd_initrc_exec_t)

files_search_pids($1)
-admin_pattern($1, rngd_var_run_t)
+admin_pattern($1, rngd_runtime_t)
')
diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
index 8cf7921dd..8e5d70c75 100644
--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
@@ -12,8 +12,8 @@ init_daemon_domain(rngd_t, rngd_exec_t)
type rngd_initrc_exec_t;
init_script_file(rngd_initrc_exec_t)

-type rngd_var_run_t;
-files_pid_file(rngd_var_run_t)
+type rngd_runtime_t alias rngd_var_run_t;
+files_pid_file(rngd_runtime_t)

########################################
#
@@ -25,8 +25,8 @@ allow rngd_t self:process signal;
allow rngd_t self:fifo_file rw_fifo_file_perms;
allow rngd_t self:unix_stream_socket { accept listen };

-allow rngd_t rngd_var_run_t:file manage_file_perms;
-files_pid_filetrans(rngd_t, rngd_var_run_t, file, "rngd.pid")
+allow rngd_t rngd_runtime_t:file manage_file_perms;
+files_pid_filetrans(rngd_t, rngd_runtime_t, file, "rngd.pid")

kernel_rw_kernel_sysctl(rngd_t)

diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if
index c874017b6..44ba4577f 100644
--- a/policy/modules/services/roundup.if
+++ b/policy/modules/services/roundup.if
@@ -19,7 +19,7 @@
#
interface(`roundup_admin',`
gen_require(`
-type roundup_t, roundup_var_lib_t, roundup_var_run_t;
+type roundup_t, roundup_var_lib_t, roundup_runtime_t;
type roundup_initrc_exec_t;
')

@@ -32,5 +32,5 @@ interface(`roundup_admin',`
admin_pattern($1, roundup_var_lib_t)

files_list_pids($1)
-admin_pattern($1, roundup_var_run_t)
+admin_pattern($1, roundup_runtime_t)
')
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 015c344f1..1d350c826 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -12,8 +12,8 @@ init_daemon_domain(roundup_t, roundup_exec_t)
type roundup_initrc_exec_t;
init_script_file(roundup_initrc_exec_t)

-type roundup_var_run_t;
-files_pid_file(roundup_var_run_t)
+type roundup_runtime_t alias roundup_var_run_t;
+files_pid_file(roundup_runtime_t)

type roundup_var_lib_t;
files_type(roundup_var_lib_t)
@@ -32,8 +32,8 @@ allow roundup_t self:tcp_socket { accept listen };
manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t)
files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file)

-manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t)
-files_pid_filetrans(roundup_t, roundup_var_run_t, file)
+manage_files_pattern(roundup_t, roundup_runtime_t, roundup_runtime_t)
+files_pid_filetrans(roundup_t, roundup_runtime_t, file)

kernel_read_kernel_sysctls(roundup_t)
kernel_list_proc(roundup_t)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 6dfd45166..6d3c9b68b 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -27,6 +27,6 @@
/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)

-/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_runtime_t,s0)
+/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_runtime_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_runtime_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 7063c42f6..d05a1b8ed 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -365,7 +365,7 @@ interface(`rpc_admin',`
gen_require(`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
-type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+type var_lib_nfs_t, rpcd_runtime_t, gssd_tmp_t;
type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
type nfsd_t, rpcd_t;
')
@@ -383,7 +383,7 @@ interface(`rpc_admin',`
admin_pattern($1, var_lib_nfs_t)

files_list_pids($1)
-admin_pattern($1, rpcd_var_run_t)
+admin_pattern($1, rpcd_runtime_t)

files_list_all($1)
admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 2eaf02afd..ad846093c 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -44,8 +44,8 @@ files_type(gssd_keytab_t)
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)

-type rpcd_var_run_t;
-files_pid_file(rpcd_var_run_t)
+type rpcd_runtime_t alias rpcd_var_run_t;
+files_pid_file(rpcd_runtime_t)

rpc_domain_template(rpcd)

@@ -150,9 +150,9 @@ allow rpcd_t self:capability2 block_suspend;
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;

-manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
-manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
-files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
+manage_dirs_pattern(rpcd_t, rpcd_runtime_t, rpcd_runtime_t)
+manage_files_pattern(rpcd_t, rpcd_runtime_t, rpcd_runtime_t)
+files_pid_filetrans(rpcd_t, rpcd_runtime_t, { file dir })

can_exec(rpcd_t, rpcd_exec_t)

diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
index 63c3027ef..e27ee02c7 100644
--- a/policy/modules/services/rpcbind.fc
+++ b/policy/modules/services/rpcbind.fc
@@ -8,4 +8,4 @@
/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)

-/run/rpcbind.* gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+/run/rpcbind.* gen_context(system_u:object_r:rpcbind_runtime_t,s0)
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if
index 78ca83a4a..5fd670607 100644
--- a/policy/modules/services/rpcbind.if
+++ b/policy/modules/services/rpcbind.if
@@ -32,11 +32,11 @@ interface(`rpcbind_domtrans',`
#
interface(`rpcbind_stream_connect',`
gen_require(`
-type rpcbind_t, rpcbind_var_run_t;
+type rpcbind_t, rpcbind_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
+stream_connect_pattern($1, rpcbind_runtime_t, rpcbind_runtime_t, rpcbind_t)
')

########################################
@@ -51,11 +51,11 @@ interface(`rpcbind_stream_connect',`
#
interface(`rpcbind_read_pid_files',`
gen_require(`
-type rpcbind_var_run_t;
+type rpcbind_runtime_t;
')

files_search_pids($1)
-allow $1 rpcbind_var_run_t:file read_file_perms;
+allow $1 rpcbind_runtime_t:file read_file_perms;
')

########################################
@@ -153,7 +153,7 @@ interface(`rpcbind_signull',`
#
interface(`rpcbind_admin',`
gen_require(`
-type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
+type rpcbind_t, rpcbind_var_lib_t, rpcbind_runtime_t;
type rpcbind_initrc_exec_t;
')

@@ -163,7 +163,7 @@ interface(`rpcbind_admin',`
init_startstop_service($1, $2, rpcbind_t, rpcbind_initrc_exec_t)

files_search_pids($1)
-admin_pattern($1, rpcbind_var_run_t)
+admin_pattern($1, rpcbind_runtime_t)

files_search_var_lib($1)
admin_pattern($1, rpcbind_var_lib_t)
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 0f6605df4..f527577f0 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -8,14 +8,14 @@ policy_module(rpcbind, 1.12.1)
type rpcbind_t;
type rpcbind_exec_t;
init_daemon_domain(rpcbind_t, rpcbind_exec_t)
-init_named_socket_activation(rpcbind_t, rpcbind_var_run_t)
+init_named_socket_activation(rpcbind_t, rpcbind_runtime_t)

type rpcbind_initrc_exec_t;
init_script_file(rpcbind_initrc_exec_t)

-type rpcbind_var_run_t;
-files_pid_file(rpcbind_var_run_t)
-init_daemon_pid_file(rpcbind_var_run_t, dir, "rpcbind")
+type rpcbind_runtime_t alias rpcbind_var_run_t;
+files_pid_file(rpcbind_runtime_t)
+init_daemon_pid_file(rpcbind_runtime_t, dir, "rpcbind")

type rpcbind_var_lib_t;
files_type(rpcbind_var_lib_t)
@@ -32,9 +32,9 @@ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
allow rpcbind_t self:unix_stream_socket { accept listen };
allow rpcbind_t self:tcp_socket { accept listen };

-manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
-manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
-files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })
+manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
+manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
+files_pid_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })

manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc
index 83b8b4bd5..32836f672 100644
--- a/policy/modules/services/rsync.fc
+++ b/policy/modules/services/rsync.fc
@@ -4,4 +4,4 @@
/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)

-/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_runtime_t,s0)
diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
index 097f4d3a3..a2d747fe3 100644
--- a/policy/modules/services/rsync.if
+++ b/policy/modules/services/rsync.if
@@ -257,7 +257,7 @@ interface(`rsync_etc_filetrans_config',`
interface(`rsync_admin',`
gen_require(`
type rsync_t, rsync_etc_t, rsync_data_t;
-type rsync_log_t, rsync_tmp_t, rsync_var_run_t;
+type rsync_log_t, rsync_tmp_t, rsync_runtime_t;
')

allow $1 rsync_t:process { ptrace signal_perms };
@@ -275,5 +275,5 @@ interface(`rsync_admin',`
admin_pattern($1, rsync_tmp_t)

files_search_pids($1)
-admin_pattern($1, rsync_var_run_t)
+admin_pattern($1, rsync_runtime_t)
')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 600209ec7..ae0fd0246 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -75,8 +75,8 @@ logging_log_file(rsync_log_t)
type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)

-type rsync_var_run_t;
-files_pid_file(rsync_var_run_t)
+type rsync_runtime_t alias rsync_var_run_t;
+files_pid_file(rsync_runtime_t)

########################################
#
@@ -101,8 +101,8 @@ manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })

-manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
-files_pid_filetrans(rsync_t, rsync_var_run_t, file)
+manage_files_pattern(rsync_t, rsync_runtime_t, rsync_runtime_t)
+files_pid_filetrans(rsync_t, rsync_runtime_t, file)

kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
index e104d2bad..29255ea90 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -26,32 +26,32 @@
/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)

/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_runtime_t,s0)

/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_runtime_t,s0)

/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)

/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)

-/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
-
-/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
-/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
-
-/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/run/nmbd(/.*)? gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_runtime_t,s0)
+
+/run/samba(/.*)? gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_runtime_t,s0)
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_runtime_t,s0)
+
+/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_runtime_t,s0)
+/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_runtime_t,s0)

/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 3d729f0cc..ede3bc372 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -49,11 +49,11 @@ interface(`samba_signal_nmbd',`
#
interface(`samba_stream_connect_nmbd',`
gen_require(`
-type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+type samba_var_t, nmbd_t, samba_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
+stream_connect_pattern($1, { samba_runtime_t samba_var_t }, samba_runtime_t, nmbd_t)
')

########################################
@@ -637,11 +637,11 @@ interface(`samba_run_winbind_helper',`
#
interface(`samba_read_winbind_pid',`
gen_require(`
-type winbind_var_run_t, smbd_var_run_t;
+type winbind_runtime_t, samba_runtime_t;
')

files_search_pids($1)
-read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+read_files_pattern($1, { samba_runtime_t winbind_runtime_t }, winbind_runtime_t)
')

########################################
@@ -657,11 +657,11 @@ interface(`samba_read_winbind_pid',`
#
interface(`samba_stream_connect_winbind',`
gen_require(`
-type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
+type samba_var_t, winbind_t, winbind_runtime_t, smbd_runtime_t;
')

files_search_pids($1)
-stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
+stream_connect_pattern($1, { smbd_runtime_t samba_var_t winbind_runtime_t }, winbind_runtime_t, winbind_t)
')

########################################
@@ -683,12 +683,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
-type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
+type nmbd_t, samba_runtime_t;
type smbd_t, smbd_tmp_t;
type samba_log_t, samba_var_t, samba_secrets_t;
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
-type swat_var_run_t, swat_tmp_t, winbind_log_t;
-type winbind_var_run_t, winbind_tmp_t;
+type swat_runtime_t, swat_tmp_t, winbind_log_t;
+type winbind_runtime_t, winbind_tmp_t;
type smbd_keytab_t;
')

@@ -709,7 +709,7 @@ interface(`samba_admin',`
files_list_spool($1)

files_list_pids($1)
-admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
+admin_pattern($1, { winbind_runtime_t samba_runtime_t swat_runtime_t })

files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 6d8c0cbe8..ff24031cf 100644
--- a/policy/modules/services/samba.te
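Review bot: The `samba_stream_connect_winbind` hunk requires and uses `smbd_runtime_t`, but no type of that name is declared anywhere in this commit: samba.te only declares `samba_runtime_t alias samba_var_run_t` and keeps `nmbd_var_run_t`/`smbd_var_run_t` as typealiases of it, so any module calling this interface would presumably fail at policy build time with an unknown type. The sibling hunks in this same file (`samba_stream_connect_nmbd`, `samba_read_winbind_pid`, `samba_admin`) all replace `smbd_var_run_t` with `samba_runtime_t`, and this one should be made consistent with them: `type samba_var_t, winbind_t, winbind_runtime_t, samba_runtime_t;` and `stream_connect_pattern($1, { samba_runtime_t samba_var_t winbind_runtime_t }, winbind_runtime_t, winbind_t)`. Keeping the old `smbd_var_run_t` alias would also have worked, but mixing the two naming schemes in one file is exactly what this rename is trying to remove.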
+++ b/policy/modules/services/samba.te
@@ -112,9 +112,9 @@ type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)

-type samba_var_run_t;
-typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
-init_daemon_pid_file(samba_var_run_t, dir, "samba")
+type samba_runtime_t alias samba_var_run_t;
+typealias samba_runtime_t alias { nmbd_var_run_t smbd_var_run_t };
+init_daemon_pid_file(samba_runtime_t, dir, "samba")

type samba_etc_t;
files_config_file(samba_etc_t)
@@ -174,8 +174,8 @@ role system_r types swat_t;
type swat_tmp_t;
files_tmp_file(swat_tmp_t)

-type swat_var_run_t;
-files_pid_file(swat_var_run_t)
+type swat_runtime_t alias swat_var_run_t;
+files_pid_file(swat_runtime_t)

type winbind_t;
type winbind_exec_t;
@@ -192,8 +192,8 @@ logging_log_file(winbind_log_t)
type winbind_tmp_t;
files_tmp_file(winbind_tmp_t)

-type winbind_var_run_t;
-files_pid_file(winbind_var_run_t)
+type winbind_runtime_t alias winbind_var_run_t;
+files_pid_file(winbind_runtime_t)

########################################
#
@@ -311,15 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })

-manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
-manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
-manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
-files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
+manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+files_pid_filetrans(smbd_t, samba_runtime_t, { dir file })

-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+allow smbd_t winbind_runtime_t:sock_file read_sock_file_perms;
+stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)

-stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)

kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -529,10 +529,10 @@ allow nmbd_t self:tcp_socket { accept listen };
allow nmbd_t self:unix_dgram_socket sendto;
allow nmbd_t self:unix_stream_socket { accept connectto listen };

-manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
-manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
-manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
-files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
+manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+files_pid_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })

read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -551,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")

allow nmbd_t { swat_t smbcontrol_t }:process signal;

-allow nmbd_t samba_var_run_t:dir rw_dir_perms;
+allow nmbd_t samba_runtime_t:dir rw_dir_perms;

kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -630,7 +630,7 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t self:process { signal signull };
allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };

-read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
+read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)

manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)

@@ -745,8 +745,8 @@ allow swat_t self:unix_stream_socket connectto;

allow swat_t { nmbd_t smbd_t }:process { signal signull };

-allow swat_t samba_var_run_t:file read_file_perms;
-allow swat_t samba_var_run_t:file { lock delete_file_perms };
+allow swat_t samba_runtime_t:file read_file_perms;
+allow swat_t samba_runtime_t:file { lock delete_file_perms };

rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -771,15 +771,15 @@ manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 
-manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
-files_pid_filetrans(swat_t, swat_var_run_t, file)
+manage_files_pattern(swat_t, swat_runtime_t, swat_runtime_t)
+files_pid_filetrans(swat_t, swat_runtime_t, file)
 
-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
+read_files_pattern(swat_t, winbind_runtime_t, winbind_runtime_t)
+allow swat_t winbind_runtime_t:dir { add_entry_dir_perms del_entry_dir_perms };
+allow swat_t winbind_runtime_t:sock_file { create_sock_file_perms delete_sock_file_perms };
 
-read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
-stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+read_files_pattern(swat_t, samba_runtime_t, samba_runtime_t)
+stream_connect_pattern(swat_t, samba_runtime_t, samba_runtime_t, nmbd_t)
 
 samba_domtrans_smbd(swat_t)
 samba_domtrans_nmbd(swat_t)
@@ -864,8 +864,8 @@ allow winbind_t self:tcp_socket { accept listen };
 
 allow winbind_t nmbd_t:process { signal signull };
 
-allow winbind_t samba_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
+allow winbind_t samba_runtime_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_runtime_t, samba_runtime_t, nmbd_t)
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -897,15 +897,15 @@ manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
 
-manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
-manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
-files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
+manage_dirs_pattern(winbind_t, { samba_runtime_t winbind_runtime_t }, winbind_runtime_t)
+manage_files_pattern(winbind_t, winbind_runtime_t, winbind_runtime_t)
+manage_sock_files_pattern(winbind_t, winbind_runtime_t, winbind_runtime_t)
+files_pid_filetrans(winbind_t, winbind_runtime_t, { sock_file file dir })
+filetrans_pattern(winbind_t, samba_runtime_t, winbind_runtime_t, dir)
 
-manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
-manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
-manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_dirs_pattern(winbind_t, samba_runtime_t, samba_runtime_t)
+manage_files_pattern(winbind_t, samba_runtime_t, samba_runtime_t)
+manage_sock_files_pattern(winbind_t, samba_runtime_t, samba_runtime_t)
 
 kernel_read_network_state(winbind_t)
 kernel_read_kernel_sysctls(winbind_t)
@@ -985,7 +985,7 @@ allow winbind_helper_t samba_var_t:dir search_dir_perms;
 
 allow winbind_t smbcontrol_t:process signal;
 
-stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
+stream_connect_pattern(winbind_helper_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 domain_use_interactive_fds(winbind_helper_t)
 
diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc
index 6c6f3dec6..c6abc1be8 100644
--- a/policy/modules/services/sanlock.fc
+++ b/policy/modules/services/sanlock.fc
@@ -4,6 +4,6 @@
 
 /usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
 
-/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_runtime_t,s0)
 
 /var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
index dbca6c8e0..91f256647 100644
--- a/policy/modules/services/sanlock.if
+++ b/policy/modules/services/sanlock.if
@@ -51,11 +51,11 @@ interface(`sanlock_initrc_domtrans',`
 #
 interface(`sanlock_manage_pid_files',`
 	gen_require(`
-		type sanlock_var_run_t;
+		type sanlock_runtime_t;
 	')
 
 	files_search_pids($1)
-	manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
+	manage_files_pattern($1, sanlock_runtime_t, sanlock_runtime_t)
 ')
 
 ########################################
@@ -71,11 +71,11 @@ interface(`sanlock_manage_pid_files',`
 #
 interface(`sanlock_stream_connect',`
 	gen_require(`
-		type sanlock_t, sanlock_var_run_t;
+		type sanlock_t, sanlock_runtime_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
+	stream_connect_pattern($1, sanlock_runtime_t, sanlock_runtime_t, sanlock_t)
 ')
 
 ########################################
@@ -97,7 +97,7 @@ interface(`sanlock_stream_connect',`
 #
 interface(`sanlock_admin',`
 	gen_require(`
-		type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
+		type sanlock_t, sanlock_initrc_exec_t, sanlock_runtime_t;
 		type sanlock_log_t;
 	')
 
@@ -107,7 +107,7 @@ interface(`sanlock_admin',`
 	init_startstop_service($1, $2, sanlock_t, sanlock_initrc_exec_t)
 
 	files_search_pids($1)
-	admin_pattern($1, sanlock_var_run_t)
+	admin_pattern($1, sanlock_runtime_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, sanlock_log_t)
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
index 6fc33eb85..4b9de1edf 100644
--- a/policy/modules/services/sanlock.te
+++ b/policy/modules/services/sanlock.te
@@ -25,8 +25,8 @@ type sanlock_t;
 type sanlock_exec_t;
 init_daemon_domain(sanlock_t, sanlock_exec_t)
 
-type sanlock_var_run_t;
-files_pid_file(sanlock_var_run_t)
+type sanlock_runtime_t alias sanlock_var_run_t;
+files_pid_file(sanlock_runtime_t)
 
 type sanlock_log_t;
 logging_log_file(sanlock_log_t)
@@ -57,10 +57,10 @@ create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
 setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
 logging_log_filetrans(sanlock_t, sanlock_log_t, file)
 
-manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+manage_dirs_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
+manage_files_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
+manage_sock_files_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
+files_pid_filetrans(sanlock_t, sanlock_runtime_t, { file dir sock_file })
 
 kernel_read_system_state(sanlock_t)
 kernel_read_kernel_sysctls(sanlock_t)
diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
index 72551273e..06ee9710c 100644
--- a/policy/modules/services/sasl.fc
+++ b/policy/modules/services/sasl.fc
@@ -4,6 +4,6 @@
 
 /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
 
-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_runtime_t,s0)
 
-/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
+/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_runtime_t,s0)
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index edb4de2ae..d463fa402 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -12,11 +12,11 @@
 #
 interface(`sasl_connect',`
 	gen_require(`
-		type saslauthd_t, saslauthd_var_run_t;
+		type saslauthd_t, saslauthd_runtime_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
+	stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t)
 ')
 
 ########################################
@@ -38,7 +38,7 @@ interface(`sasl_connect',`
 #
 interface(`sasl_admin',`
 	gen_require(`
-		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
+		type saslauthd_t, saslauthd_runtime_t, saslauthd_initrc_exec_t;
 		type saslauthd_keytab_t;
 	')
 
@@ -51,5 +51,5 @@ interface(`sasl_admin',`
 	admin_pattern($1, saslauthd_keytab_t)
 
 	files_list_pids($1)
-	admin_pattern($1, saslauthd_var_run_t)
+	admin_pattern($1, saslauthd_runtime_t)
 ')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 231d6b2b6..e19179eb9 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -23,8 +23,8 @@ init_script_file(saslauthd_initrc_exec_t)
 type saslauthd_keytab_t;
 files_type(saslauthd_keytab_t)
 
-type saslauthd_var_run_t;
-files_pid_file(saslauthd_var_run_t)
+type saslauthd_runtime_t alias saslauthd_var_run_t;
+files_pid_file(saslauthd_runtime_t)
 
 ########################################
 #
@@ -39,10 +39,10 @@ allow saslauthd_t self:unix_stream_socket { accept listen };
 
 allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
 
-manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir })
+manage_dirs_pattern(saslauthd_t, saslauthd_runtime_t, saslauthd_runtime_t)
+manage_files_pattern(saslauthd_t, saslauthd_runtime_t, saslauthd_runtime_t)
+manage_sock_files_pattern(saslauthd_t, saslauthd_runtime_t, saslauthd_runtime_t)
+files_pid_filetrans(saslauthd_t, saslauthd_runtime_t, { file dir })
 
 kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
index f1450f0ff..d5c9ad48c 100644
--- a/policy/modules/services/sendmail.fc
+++ b/policy/modules/services/sendmail.fc
@@ -3,5 +3,5 @@
 /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
 /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
 
-/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_runtime_t,s0)
+/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_runtime_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 5358d1597..627679883 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -337,7 +337,7 @@ interface(`sendmail_run_unconfined',`
 interface(`sendmail_admin',`
 	gen_require(`
 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
-		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+		type sendmail_tmp_t, sendmail_runtime_t, unconfined_sendmail_t;
 		type sendmail_keytab_t;
 	')
 
@@ -356,7 +356,7 @@ interface(`sendmail_admin',`
 	admin_pattern($1, sendmail_tmp_t)
 
 	files_list_pids($1)
-	admin_pattern($1, sendmail_var_run_t)
+	admin_pattern($1, sendmail_runtime_t)
 
 	sendmail_run($1, $2)
 	sendmail_run_unconfined($1, $2)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index d5272a42b..5b6c429da 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -22,8 +22,8 @@ logging_log_file(sendmail_log_t)
 type sendmail_tmp_t;
 files_tmp_file(sendmail_tmp_t)
 
-type sendmail_var_run_t;
-files_pid_file(sendmail_var_run_t)
+type sendmail_runtime_t alias sendmail_var_run_t;
+files_pid_file(sendmail_runtime_t)
 
 type sendmail_t;
 mta_sendmail_mailserver(sendmail_t)
@@ -59,8 +59,8 @@ manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
 manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
 files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
 
-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+allow sendmail_t sendmail_runtime_t:file manage_file_perms;
+files_pid_filetrans(sendmail_t, sendmail_runtime_t, file)
 
 kernel_read_network_state(sendmail_t)
 kernel_read_kernel_sysctls(sendmail_t)
diff --git a/policy/modules/services/sensord.fc b/policy/modules/services/sensord.fc
index 1216f4bf8..6033ce310 100644
--- a/policy/modules/services/sensord.fc
+++ b/policy/modules/services/sensord.fc
@@ -4,4 +4,4 @@
 
 /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
 
-/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0)
+/run/sensord\.pid -- gen_context(system_u:object_r:sensord_runtime_t,s0)
diff --git a/policy/modules/services/sensord.if b/policy/modules/services/sensord.if
index e58af365d..62a1c0d3b 100644
--- a/policy/modules/services/sensord.if
+++ b/policy/modules/services/sensord.if
@@ -19,7 +19,7 @@
 #
 interface(`sensord_admin',`
 	gen_require(`
-		type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
+		type sensord_t, sensord_initrc_exec_t, sensord_runtime_t;
 	')
 
 	allow $1 sensord_t:process { ptrace signal_perms };
@@ -28,5 +28,5 @@ interface(`sensord_admin',`
 	init_startstop_service($1, $2, sensord_t, sensord_initrc_exec_t)
 
 	files_search_pids($1)
-	admin_pattern($1, sensord_var_run_t)
+	admin_pattern($1, sensord_runtime_t)
 ')
diff --git a/policy/modules/services/sensord.te b/policy/modules/services/sensord.te
index e880ae300..1cf0f08cc 100644
--- a/policy/modules/services/sensord.te
+++ b/policy/modules/services/sensord.te
@@ -12,8 +12,8 @@ init_daemon_domain(sensord_t, sensord_exec_t)
 type sensord_initrc_exec_t;
 init_script_file(sensord_initrc_exec_t)
 
-type sensord_var_run_t;
-files_pid_file(sensord_var_run_t)
+type sensord_runtime_t alias sensord_var_run_t;
+files_pid_file(sensord_runtime_t)
 
 ########################################
 #
@@ -23,8 +23,8 @@ files_pid_file(sensord_var_run_t)
 allow sensord_t self:fifo_file rw_fifo_file_perms;
 allow sensord_t self:unix_stream_socket create_stream_socket_perms;
 
-manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
-files_pid_filetrans(sensord_t, sensord_var_run_t, file)
+manage_files_pattern(sensord_t, sensord_runtime_t, sensord_runtime_t)
+files_pid_filetrans(sensord_t, sensord_runtime_t, file)
 
 dev_read_sysfs(sensord_t)
 
diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc
index 096fd47ca..d23c569bd 100644
--- a/policy/modules/services/setroubleshoot.fc
+++ b/policy/modules/services/setroubleshoot.fc
@@ -4,7 +4,7 @@
 
 /usr/share/setroubleshoot/SetroubleshootFixit\.py -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
 
-/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
+/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_runtime_t,s0)
 
 /var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
 
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index f7d788b8e..dddd8dec9 100644
--- a/policy/modules/services/setroubleshoot.if
+++ b/policy/modules/services/setroubleshoot.if
@@ -13,12 +13,12 @@
 #
 interface(`setroubleshoot_stream_connect',`
 	gen_require(`
-		type setroubleshootd_t, setroubleshoot_var_run_t;
+		type setroubleshootd_t, setroubleshoot_runtime_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
-	allow $1 setroubleshoot_var_run_t:sock_file read;
+	stream_connect_pattern($1, setroubleshoot_runtime_t, setroubleshoot_runtime_t, setroubleshootd_t)
+	allow $1 setroubleshoot_runtime_t:sock_file read;
 ')
 
 ########################################
@@ -35,10 +35,10 @@ interface(`setroubleshoot_stream_connect',`
 #
 interface(`setroubleshoot_dontaudit_stream_connect',`
 	gen_require(`
-		type setroubleshootd_t, setroubleshoot_var_run_t;
+		type setroubleshootd_t, setroubleshoot_runtime_t;
 	')
 
-	dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
+	dontaudit $1 setroubleshoot_runtime_t:sock_file rw_sock_file_perms;
 	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
 ')
 
@@ -143,7 +143,7 @@ interface(`setroubleshoot_dbus_chat_fixit',`
 interface(`setroubleshoot_admin',`
 	gen_require(`
 		type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
-		type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
+		type setroubleshoot_var_lib_t, setroubleshoot_runtime_t;
 	')
 
 	allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
@@ -156,5 +156,5 @@ interface(`setroubleshoot_admin',`
 	admin_pattern($1, setroubleshoot_var_lib_t)
 
 	files_list_pids($1)
-	admin_pattern($1, setroubleshoot_var_run_t)
+	admin_pattern($1, setroubleshoot_runtime_t)
 ')
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 3ee1e0d55..d4743fa1b 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -19,8 +19,8 @@ files_type(setroubleshoot_var_lib_t)
 type setroubleshoot_var_log_t;
 logging_log_file(setroubleshoot_var_log_t)
 
-type setroubleshoot_var_run_t;
-files_pid_file(setroubleshoot_var_run_t)
+type setroubleshoot_runtime_t alias setroubleshoot_var_run_t;
+files_pid_file(setroubleshoot_runtime_t)
 
 ########################################
 #
@@ -44,10 +44,10 @@ setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoo
 manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
 logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
 
-manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_runtime_t, setroubleshoot_runtime_t)
+manage_files_pattern(setroubleshootd_t, setroubleshoot_runtime_t, setroubleshoot_runtime_t)
+manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_runtime_t, setroubleshoot_runtime_t)
+files_pid_filetrans(setroubleshootd_t, setroubleshoot_runtime_t, { file sock_file dir })
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
diff --git a/policy/modules/services/shibboleth.fc b/policy/modules/services/shibboleth.fc
index fc32f7c9a..26a530c8e 100644
--- a/policy/modules/services/shibboleth.fc
+++ b/policy/modules/services/shibboleth.fc
@@ -5,4 +5,4 @@
 /usr/sbin/shibd -- gen_context(system_u:object_r:shibboleth_exec_t,s0)
 /var/log/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_log_t,s0)
 
-/run/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_var_run_t,s0)
+/run/shibboleth(/.*)? gen_context(system_u:object_r:shibboleth_runtime_t,s0)
diff --git a/policy/modules/services/shibboleth.if b/policy/modules/services/shibboleth.if
index 4a3ba0225..07c6b1d6a 100644
--- a/policy/modules/services/shibboleth.if
+++ b/policy/modules/services/shibboleth.if
@@ -32,9 +32,9 @@ interface(`shibboleth_read_config',`
 interface(`shibboleth_stream_connect',`
 	gen_require(`
 		type shibboleth_t;
-		type shibboleth_var_run_t;
+		type shibboleth_runtime_t;
 	')
 
-	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
+	stream_connect_pattern($1, shibboleth_runtime_t, shibboleth_runtime_t, shibboleth_t)
 	files_search_pids($1)
 ')
diff --git a/policy/modules/services/shibboleth.te b/policy/modules/services/shibboleth.te
index 8b52f701c..b7b1d317f 100644
--- a/policy/modules/services/shibboleth.te
+++ b/policy/modules/services/shibboleth.te
@@ -15,9 +15,9 @@ files_config_file(shibboleth_etc_t)
 type shibboleth_log_t;
 logging_log_file(shibboleth_log_t)
 
-type shibboleth_var_run_t;
-files_pid_file(shibboleth_var_run_t)
-init_daemon_pid_file(shibboleth_var_run_t, dir, "shibboleth")
+type shibboleth_runtime_t alias shibboleth_var_run_t;
+files_pid_file(shibboleth_runtime_t)
+init_daemon_pid_file(shibboleth_runtime_t, dir, "shibboleth")
 
 ########################################
 #
@@ -38,8 +38,8 @@ read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
 
 manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
 
-manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
-manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+manage_files_pattern(shibboleth_t, shibboleth_runtime_t, shibboleth_runtime_t)
+manage_sock_files_pattern(shibboleth_t, shibboleth_runtime_t, shibboleth_runtime_t)
 
 corenet_all_recvfrom_netlabel(shibboleth_t)
 corenet_all_recvfrom_unlabeled(shibboleth_t)
diff --git a/policy/modules/services/slpd.fc b/policy/modules/services/slpd.fc
index 77ff516b5..aa782f1e7 100644
--- a/policy/modules/services/slpd.fc
+++ b/policy/modules/services/slpd.fc
@@ -6,4 +6,4 @@
 
 /var/log/slpd\.log.* -- gen_context(system_u:object_r:slpd_log_t,s0)
 
-/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0)
+/run/slpd\.pid -- gen_context(system_u:object_r:slpd_runtime_t,s0)
diff --git a/policy/modules/services/slpd.if b/policy/modules/services/slpd.if
index ffacc363d..4cbba06a5 100644
--- a/policy/modules/services/slpd.if
+++ b/policy/modules/services/slpd.if
@@ -20,7 +20,7 @@
 interface(`slpd_admin',`
 	gen_require(`
 		type slpd_t, slpd_initrc_exec_t, slpd_log_t;
-		type slpd_var_run_t;
+		type slpd_runtime_t;
 	')
 
 	allow $1 slpd_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`slpd_admin',`
 	admin_pattern($1, slpd_log_t)
 
 	files_search_pids($1)
-	admin_pattern($1, slpd_var_run_t)
+	admin_pattern($1, slpd_runtime_t)
 ')
diff --git a/policy/modules/services/slpd.te b/policy/modules/services/slpd.te
index a76acb7f7..f932d7d79 100644
--- a/policy/modules/services/slpd.te
+++ b/policy/modules/services/slpd.te
@@ -15,8 +15,8 @@ init_script_file(slpd_initrc_exec_t)
 type slpd_log_t;
 logging_log_file(slpd_log_t)
 
-type slpd_var_run_t;
-files_pid_file(slpd_var_run_t)
+type slpd_runtime_t alias slpd_var_run_t;
+files_pid_file(slpd_runtime_t)
 
 ########################################
 #
@@ -32,8 +32,8 @@ allow slpd_t self:unix_stream_socket create_stream_socket_perms;
 allow slpd_t slpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(slpd_t, slpd_log_t, file)
 
-manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t)
-files_pid_filetrans(slpd_t, slpd_var_run_t, file)
+manage_files_pattern(slpd_t, slpd_runtime_t, slpd_runtime_t)
+files_pid_filetrans(slpd_t, slpd_runtime_t, file)
 
 corenet_all_recvfrom_unlabeled(slpd_t)
 corenet_all_recvfrom_netlabel(slpd_t)
diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc
index d0f1dd7d9..eda6ba38a 100644
--- a/policy/modules/services/slrnpull.fc
+++ b/policy/modules/services/slrnpull.fc
@@ -2,6 +2,6 @@
 
 /var/log/slrnpull\.log.* -- gen_context(system_u:object_r:slrnpull_log_t,s0)
 
-/run/slrnpull\.pid -- gen_context(system_u:object_r:slrnpull_var_run_t,s0)
+/run/slrnpull\.pid -- gen_context(system_u:object_r:slrnpull_runtime_t,s0)
 
 /var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index 9d4515abc..d22b7d32f 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -9,8 +9,8 @@ type slrnpull_t;
 type slrnpull_exec_t;
 init_system_domain(slrnpull_t, slrnpull_exec_t)
 
-type slrnpull_var_run_t;
-files_pid_file(slrnpull_var_run_t)
+type slrnpull_runtime_t alias slrnpull_var_run_t;
+files_pid_file(slrnpull_runtime_t)
 
 type slrnpull_spool_t;
 files_type(slrnpull_spool_t)
@@ -33,8 +33,8 @@ manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
 manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
 manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t)
 
-manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t)
-files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file)
+manage_files_pattern(slrnpull_t, slrnpull_runtime_t, slrnpull_runtime_t)
+files_pid_filetrans(slrnpull_t, slrnpull_runtime_t, file)
 
 kernel_list_proc(slrnpull_t)
 kernel_read_kernel_sysctls(slrnpull_t)
diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc
index daff956c5..7908ff2d0 100644
--- a/policy/modules/services/smartmon.fc
+++ b/policy/modules/services/smartmon.fc
@@ -5,6 +5,6 @@
 
 /usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0)
 
-/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_runtime_t,s0)
 
 /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 08f4ee20c..153d29d4a 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -38,7 +38,7 @@ interface(`smartmon_read_tmp_files',`
 #
 interface(`smartmon_admin',`
 	gen_require(`
-		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_runtime_t;
 		type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
 	')
 
@@ -51,7 +51,7 @@ interface(`smartmon_admin',`
 	admin_pattern($1, fsdaemon_tmp_t)
 
 	files_list_pids($1)
-	admin_pattern($1, fsdaemon_var_run_t)
+	admin_pattern($1, fsdaemon_runtime_t)
 
 	files_list_var_lib($1)
 	admin_pattern($1, fsdaemon_var_lib_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index f1d7e36d4..081493cf0 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -20,8 +20,8 @@ init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
 type fsdaemon_initrc_exec_t;
 init_script_file(fsdaemon_initrc_exec_t)
 
-type fsdaemon_var_run_t;
-files_pid_file(fsdaemon_var_run_t)
+type fsdaemon_runtime_t alias fsdaemon_var_run_t;
+files_pid_file(fsdaemon_runtime_t)
 
 type fsdaemon_var_lib_t;
 files_type(fsdaemon_var_lib_t)
@@ -48,8 +48,8 @@ manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
 manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
 files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
 
-manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
-files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+manage_files_pattern(fsdaemon_t, fsdaemon_runtime_t, fsdaemon_runtime_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_runtime_t, file)
 
 manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
 
diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc
index c75825e86..7a07ac71d 100644
--- a/policy/modules/services/smokeping.fc
+++ b/policy/modules/services/smokeping.fc
@@ -8,4 +8,4 @@
 
 /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0)
 
-/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_runtime_t,s0)
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 4f49c998e..a20d4c06a 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -50,11 +50,11 @@ interface(`smokeping_initrc_domtrans',`
 #
 interface(`smokeping_read_pid_files',`
 	gen_require(`
-		type smokeping_var_run_t;
+		type smokeping_runtime_t;
 	')
 
 	files_search_pids($1)
-	allow $1 smokeping_var_run_t:file read_file_perms;
+	allow $1 smokeping_runtime_t:file read_file_perms;
 ')
 
 ########################################
@@ -70,11 +70,11 @@ interface(`smokeping_read_pid_files',`
 #
 interface(`smokeping_manage_pid_files',`
 	gen_require(`
-		type smokeping_var_run_t;
+		type smokeping_runtime_t;
 	')
 
 	files_search_pids($1)
-	manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
+	manage_files_pattern($1, smokeping_runtime_t, smokeping_runtime_t)
 ')
 
 ########################################
@@ -155,7 +155,7 @@ interface(`smokeping_manage_lib_files',`
 interface(`smokeping_admin',`
 	gen_require(`
 		type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t;
-		type smokeping_var_run_t;
+		type smokeping_runtime_t;
 	')
 
 	allow $1 smokeping_t:process { ptrace signal_perms };
@@ -167,5 +167,5 @@ interface(`smokeping_admin',`
 	admin_pattern($1, smokeping_var_lib_t)
 
 	files_search_pids($1)
-	admin_pattern($1, smokeping_var_run_t)
+	admin_pattern($1, smokeping_runtime_t)
 ')
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index 65a3441dc..34f77c4bd 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -12,8 +12,8 @@ init_daemon_domain(smokeping_t, smokeping_exec_t)
 type smokeping_initrc_exec_t;
 init_script_file(smokeping_initrc_exec_t)
 
-type smokeping_var_run_t;
-files_pid_file(smokeping_var_run_t)
+type smokeping_runtime_t alias smokeping_var_run_t;
+files_pid_file(smokeping_runtime_t)
 
 type smokeping_var_lib_t;
 files_type(smokeping_var_lib_t)
@@ -27,9 +27,9 @@ dontaudit smokeping_t self:capability { dac_override dac_read_search };
 allow smokeping_t self:fifo_file rw_fifo_file_perms;
 allow smokeping_t self:unix_stream_socket { accept listen };
 
-manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
-manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
-files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
+manage_dirs_pattern(smokeping_t, smokeping_runtime_t, smokeping_runtime_t)
+manage_files_pattern(smokeping_t, smokeping_runtime_t, smokeping_runtime_t)
+files_pid_filetrans(smokeping_t, smokeping_runtime_t, { file dir })
 
 manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
 manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
@@ -66,7 +66,7 @@ optional_policy(`
 	manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
 
-	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_runtime_t, smokeping_runtime_t)
 
 	files_read_etc_files(httpd_smokeping_cgi_script_t)
 	files_search_tmp(httpd_smokeping_cgi_script_t)
diff --git a/policy/modules/services/smstools.fc b/policy/modules/services/smstools.fc
index 12a585110..b3db02e84 100644
--- a/policy/modules/services/smstools.fc
+++ b/policy/modules/services/smstools.fc
@@ -10,6 +10,6 @@
 
 /var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
 
-/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
+/run/smsd(/.*)? gen_context(system_u:object_r:smsd_runtime_t,s0)
 
 /var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
diff --git a/policy/modules/services/smstools.if b/policy/modules/services/smstools.if
index fc420a534..367a952c3 100644
--- a/policy/modules/services/smstools.if
+++ b/policy/modules/services/smstools.if
@@ -20,7 +20,7 @@
 interface(`smstools_admin',`
 	gen_require(`
 		type smsd_t, smsd_initrc_exec_t, smsd_conf_t;
-		type smsd_log_t, smsd_var_lib_t, smsd_var_run_t;
+		type smsd_log_t, smsd_var_lib_t, smsd_runtime_t;
 		type smsd_spool_t;
 	')
 
@@ -39,7 +39,7 @@ interface(`smstools_admin',`
 	admin_pattern($1, smsd_spool_t)
 
 	files_search_pids($1)
-	admin_pattern($1, smsd_var_run_t)
+	admin_pattern($1, smsd_runtime_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, smsd_log_t)
diff --git a/policy/modules/services/smstools.te b/policy/modules/services/smstools.te
index c5ec9f95b..8908cd4de 100644
--- a/policy/modules/services/smstools.te
+++ b/policy/modules/services/smstools.te
@@ -21,8 +21,8 @@ logging_log_file(smsd_log_t)
 type smsd_var_lib_t;
 files_type(smsd_var_lib_t)
 
-type smsd_var_run_t;
-files_pid_file(smsd_var_run_t)
+type smsd_runtime_t alias smsd_var_run_t;
+files_pid_file(smsd_runtime_t)
 
 type smsd_spool_t;
 files_type(smsd_spool_t)
@@ -50,10 +50,10 @@ manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
 manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
 manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
 
-manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
-files_pid_filetrans(smsd_t, smsd_var_run_t, { dir file })
+manage_dirs_pattern(smsd_t, smsd_runtime_t, smsd_runtime_t)
+manage_files_pattern(smsd_t, smsd_runtime_t, smsd_runtime_t)
+manage_lnk_files_pattern(smsd_t, smsd_runtime_t, smsd_runtime_t)
+files_pid_filetrans(smsd_t, smsd_runtime_t, { dir file })
 
 manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
 manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
index 8974ac9d2..5891c4943 100644
--- a/policy/modules/services/snmp.fc
+++ b/policy/modules/services/snmp.fc
@@ -18,6 +18,6 @@
 
 /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
 
-/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
-/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
-/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
+/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_runtime_t,s0)
+/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_runtime_t,s0)
+/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_runtime_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
index d8a75680e..395898e67 100644
--- a/policy/modules/services/snmp.if
+++ b/policy/modules/services/snmp.if
@@ -162,7 +162,7 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
 interface(`snmp_admin',`
 	gen_require(`
 		type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
-		type snmpd_var_lib_t, snmpd_var_run_t;
+		type snmpd_var_lib_t, snmpd_runtime_t;
 	')
 
 	allow $1 snmpd_t:process { ptrace signal_perms };
@@ -177,7 +177,7 @@ interface(`snmp_admin',`
 	admin_pattern($1, snmpd_var_lib_t)
 
 	files_list_pids($1)
-	admin_pattern($1, snmpd_var_run_t)
+	admin_pattern($1, snmpd_runtime_t)
 ')
 
 # Gentoo stuff but cannot use ifdef distro_gentoo
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index af4897d8f..510364647 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -15,8 +15,8 @@ init_script_file(snmpd_initrc_exec_t)
 type snmpd_log_t;
 logging_log_file(snmpd_log_t)
 
-type snmpd_var_run_t;
-files_pid_file(snmpd_var_run_t)
+type snmpd_runtime_t alias snmpd_var_run_t;
+files_pid_file(snmpd_runtime_t)
 
 type snmpd_var_lib_t;
 files_type(snmpd_var_lib_t)
@@ -44,9 +44,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
 files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
 files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
 
-manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
-manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
-files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
+manage_dirs_pattern(snmpd_t, snmpd_runtime_t, snmpd_runtime_t)
+manage_files_pattern(snmpd_t, snmpd_runtime_t, snmpd_runtime_t)
+files_pid_filetrans(snmpd_t, snmpd_runtime_t, { file dir })
 
 kernel_read_device_sysctls(snmpd_t)
 kernel_read_kernel_sysctls(snmpd_t)
diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc
index 97797bd6a..6331f0daa 100644
--- a/policy/modules/services/snort.fc
+++ b/policy/modules/services/snort.fc
@@ -10,5 +10,5 @@
 
 /var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0)
 
-/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0)
-/run/snort(/.*)? gen_context(system_u:object_r:snort_var_run_t,s0)
+/run/snort.* -- gen_context(system_u:object_r:snort_runtime_t,s0)
+/run/snort(/.*)? gen_context(system_u:object_r:snort_runtime_t,s0)
diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if
index e6ae26e5e..da6c6e1db 100644
--- a/policy/modules/services/snort.if
+++ b/policy/modules/services/snort.if
@@ -38,7 +38,7 @@ interface(`snort_domtrans',`
 #
 interface(`snort_admin',`
 	gen_require(`
-		type snort_t, snort_var_run_t, snort_log_t;
+		type snort_t, snort_runtime_t, snort_log_t;
 		type snort_etc_t, snort_initrc_exec_t;
 	')
 
@@ -53,6 +53,6 @@ interface(`snort_admin',`
 	admin_pattern($1, snort_log_t)
 
 	logging_search_logs($1)
-	admin_pattern($1, snort_var_run_t)
+	admin_pattern($1, snort_runtime_t)
 	files_search_pids($1)
 ')
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 9eaaa70ae..28340ef50 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -21,9 +21,9 @@ logging_log_file(snort_log_t)
 type snort_tmp_t;
 files_tmp_file(snort_tmp_t)
 
-type snort_var_run_t;
-files_pid_file(snort_var_run_t)
-init_daemon_pid_file(snort_var_run_t, dir, "snort")
+type snort_runtime_t alias snort_var_run_t;
+files_pid_file(snort_runtime_t)
+init_daemon_pid_file(snort_runtime_t, dir, "snort")
 
 ########################################
 #
@@ -53,8 +53,8 @@ manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t)
 manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t)
 files_tmp_filetrans(snort_t, snort_tmp_t, { file dir })
 
-manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t)
-files_pid_filetrans(snort_t, snort_var_run_t, file)
+manage_files_pattern(snort_t, snort_runtime_t, snort_runtime_t)
+files_pid_filetrans(snort_t, snort_runtime_t, file)
 
 kernel_read_kernel_sysctls(snort_t)
 kernel_read_sysctl(snort_t)
diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc
index d1880f66a..1a6a29df2 100644
--- a/policy/modules/services/soundserver.fc
+++ b/policy/modules/services/soundserver.fc
@@ -9,7 +9,7 @@
 
 /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
 
-/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0)
-/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
+/run/nasd(/.*)? gen_context(system_u:object_r:soundd_runtime_t,s0)
+/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_runtime_t,s0)
 
 /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if
index 106e07002..c0dd51840 100644
--- a/policy/modules/services/soundserver.if
+++ b/policy/modules/services/soundserver.if
@@ -20,7 +20,7 @@ interface(`soundserver_admin',`
 	gen_require(`
 		type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
-		type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t;
+		type soundd_tmp_t, soundd_runtime_t, soundd_tmpfs_t;
 		type soundd_state_t;
 	')
 
@@ -42,5 +42,5 @@ interface(`soundserver_admin',`
 	admin_pattern($1, soundd_state_t)
 
 	files_list_pids($1)
-	admin_pattern($1, soundd_var_run_t)
+	admin_pattern($1, soundd_runtime_t)
 ')
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 651420ca6..bba91561b 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -24,8 +24,8 @@ files_tmp_file(soundd_tmp_t)
 type soundd_tmpfs_t;
 files_tmpfs_file(soundd_tmpfs_t)
 
-type soundd_var_run_t;
-files_pid_file(soundd_var_run_t)
+type soundd_runtime_t alias soundd_var_run_t;
+files_pid_file(soundd_runtime_t)
 
 ########################################
 #
@@ -56,10 +56,10 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t)
 fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)
-files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })
+manage_files_pattern(soundd_t, soundd_runtime_t, soundd_runtime_t)
+manage_dirs_pattern(soundd_t, soundd_runtime_t, soundd_runtime_t)
+manage_sock_files_pattern(soundd_t, soundd_runtime_t, soundd_runtime_t)
+files_pid_filetrans(soundd_t, soundd_runtime_t, { file dir })
 
 kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index a8b3c019d..435797626 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -28,12 +28,12 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
 
 /var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
 
-/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
-/run/spamd\.pid -- gen_context(system_u:object_r:spamd_var_run_t,s0)
+/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_runtime_t,s0)
+/run/spamassassin\.pid -- gen_context(system_u:object_r:spamd_runtime_t,s0)
+/run/spamd\.pid -- gen_context(system_u:object_r:spamd_runtime_t,s0)
 
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_runtime_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_runtime_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 75550eec9..7a3701d06 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -319,11 +319,11 @@ interface(`spamassassin_manage_lib_files',`
 #
 interface(`spamassassin_read_spamd_pid_files',`
 	gen_require(`
-		type spamd_var_run_t;
+		type spamd_runtime_t;
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
+	read_files_pattern($1, spamd_runtime_t, spamd_runtime_t)
 ')
 
 ########################################
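Review bot: The last two added lines in the spamassassin.fc hunk keep `/var/spool/MD-Quarantine(/.*)?` and `/var/spool/MIMEDefang(/.*)?` on the type now named `spamd_runtime_t`, so persistent quarantine spool content shares a label with the PID and socket files under `/run`, and after the rename the type name no longer hints at that. The `spamassassin_read_spamd_pid_files` interface in the following hunk grants `read_files_pattern($1, spamd_runtime_t, spamd_runtime_t)` on the same type, so a caller that only needs the PID file can presumably also read the quarantine directories. The labelling predates this commit and the alias keeps it working, but since every reference is being rewritten anyway this would be the natural point to move the two spool paths to their own type or to the existing `spamd_spool_t`; failing that, a one-line comment above them such as `# MIMEDefang quarantine shares the spamd runtime type; see spamassassin_read_spamd_pid_files` would flag the shared label for the next reader.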
@@ -376,11 +376,11 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
 #
 interface(`spamassassin_stream_connect_spamd',`
 	gen_require(`
-		type spamd_t, spamd_var_run_t;
+		type spamd_t, spamd_runtime_t;
 	')
 
 	files_search_pids($1)
-	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
+	stream_connect_pattern($1, spamd_runtime_t, spamd_runtime_t, spamd_t)
 ')
 
 ########################################
@@ -403,7 +403,7 @@ interface(`spamassassin_stream_connect_spamd',`
 interface(`spamassassin_admin',`
 	gen_require(`
 		type spamd_t, spamd_tmp_t, spamd_log_t;
-		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
+		type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
 		type spamd_initrc_exec_t, spamassassin_unit_t;
 		type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;
 	')
@@ -425,7 +425,7 @@ interface(`spamassassin_admin',`
 	admin_pattern($1, spamd_var_lib_t)
 
 	files_list_pids($1)
-	admin_pattern($1, spamd_var_run_t)
+	admin_pattern($1, spamd_runtime_t)
 
 	# This makes it impossible to apply _admin if _role has already been applied
 	#spamassassin_role($2, $1)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 000c67eab..3b13838c8 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -93,8 +93,8 @@ files_tmp_file(spamd_tmp_t)
 type spamd_var_lib_t;
 files_type(spamd_var_lib_t)
 
-type spamd_var_run_t;
-files_pid_file(spamd_var_run_t)
+type spamd_runtime_t alias spamd_var_run_t;
+files_pid_file(spamd_runtime_t)
 
 ########################################
 #
@@ -201,7 +201,7 @@ userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassi
 list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
+stream_connect_pattern(spamc_t, { spamd_runtime_t spamd_tmp_t }, { spamd_runtime_t spamd_tmp_t }, spamd_t)
 
 kernel_read_kernel_sysctls(spamc_t)
 kernel_read_system_state(spamc_t)
@@ -327,10 +327,10 @@ allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
 
-manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
-files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+manage_dirs_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+manage_files_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+manage_sock_files_pattern(spamd_t, spamd_runtime_t, spamd_runtime_t)
+files_pid_filetrans(spamd_t, spamd_runtime_t, { file dir })
 
 can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
 
diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc
index 48fe2da36..890615144 100644
--- a/policy/modules/services/speedtouch.fc
+++ b/policy/modules/services/speedtouch.fc
@@ -2,4 +2,4 @@
 
 /usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0)
 
-/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_var_run_t,s0)
+/run/speedmgmt\.pid -- gen_context(system_u:object_r:speedmgmt_runtime_t,s0)
diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te
index 68b45e060..606c26fb6 100644
--- a/policy/modules/services/speedtouch.te
+++ b/policy/modules/services/speedtouch.te
@@ -12,8 +12,8 @@ init_daemon_domain(speedmgmt_t, speedmgmt_exec_t)
 type speedmgmt_tmp_t;
 files_tmp_file(speedmgmt_tmp_t)
 
-type speedmgmt_var_run_t;
-files_pid_file(speedmgmt_var_run_t)
+type speedmgmt_runtime_t alias speedmgmt_var_run_t;
+files_pid_file(speedmgmt_runtime_t)
 
 ########################################
 #
@@ -27,8 +27,8 @@ manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
 manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t)
 files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir })
 
-manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t)
-files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file)
+manage_files_pattern(speedmgmt_t, speedmgmt_runtime_t, speedmgmt_runtime_t)
+files_pid_filetrans(speedmgmt_t, speedmgmt_runtime_t, file)
 
 kernel_read_kernel_sysctls(speedmgmt_t)
 kernel_list_proc(speedmgmt_t)
diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
index 4d838b278..7e1b52d13 100644
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
@@ -15,7 +15,7 @@
 /var/log/squid.* gen_context(system_u:object_r:squid_log_t,s0)
 /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
 
-/run/squid3.* gen_context(system_u:object_r:squid_var_run_t,s0)
+/run/squid3.* gen_context(system_u:object_r:squid_runtime_t,s0)
 
 /var/spool/squid.* gen_context(system_u:object_r:squid_cache_t,s0)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 2443afbde..37f174d39 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -214,7 +214,7 @@ interface(`squid_dontaudit_read_tmpfs_files',`
 interface(`squid_admin',`
 	gen_require(`
 		type squid_t, squid_cache_t, squid_conf_t;
-		type squid_log_t, squid_var_run_t, squid_tmpfs_t;
+		type squid_log_t, squid_runtime_t, squid_tmpfs_t;
 		type squid_initrc_exec_t, squid_tmp_t;
 	')
@@ -233,7 +233,7 @@ interface(`squid_admin',`
 	admin_pattern($1, squid_log_t)
 
 	files_list_pids($1)
-	admin_pattern($1, squid_var_run_t)
+	admin_pattern($1, squid_runtime_t)
 
 	fs_list_tmpfs($1)
 	admin_pattern($1, squid_tmpfs_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 05a87c133..1c9503dfa 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -51,8 +51,8 @@ files_tmp_file(squid_tmp_t)
 type squid_tmpfs_t;
 files_tmpfs_file(squid_tmpfs_t)
 
-type squid_var_run_t;
-files_pid_file(squid_var_run_t)
+type squid_runtime_t alias squid_var_run_t;
+files_pid_file(squid_runtime_t)
 
 ########################################
 #
@@ -93,8 +93,8 @@ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
-manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
-files_pid_filetrans(squid_t, squid_var_run_t, file)
+manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
+files_pid_filetrans(squid_t, squid_runtime_t, file)
 
 can_exec(squid_t, squid_exec_t)
 
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 4ac3e733a..c906decda 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -19,6 +19,6 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
 
-/run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
-/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
-/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
+/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
+/run/sshd\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b5bd2762e..5a7b471d8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -178,8 +178,8 @@ template(`ssh_server_template', `
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	type $1_var_run_t;
-	files_pid_file($1_var_run_t)
+	type $1_runtime_t alias $1_var_run_t;
+	files_pid_file($1_runtime_t)
 
 	allow $1_t self:capability { chown dac_read_search fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config };
 	# net_admin is for SO_SNDBUFFORCE
@@ -198,9 +198,9 @@ template(`ssh_server_template', `
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
 
-	allow $1_t $1_var_run_t:dir search_dir_perms;
-	allow $1_t $1_var_run_t:file manage_file_perms;
-	files_pid_filetrans($1_t, $1_var_run_t, file)
+	allow $1_t $1_runtime_t:dir search_dir_perms;
+	allow $1_t $1_runtime_t:file manage_file_perms;
+	files_pid_filetrans($1_t, $1_runtime_t, file)
 
 	can_exec($1_t, sshd_exec_t)
 
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 744c95a65..9436221d9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -91,7 +91,7 @@ type sshd_keytab_t;
 files_type(sshd_keytab_t)
 
 ifdef(`distro_debian',`
-	init_daemon_pid_file(sshd_var_run_t, dir, "sshd")
+	init_daemon_pid_file(sshd_runtime_t, dir, "sshd")
 ')
 
 ##############################
diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
index ef8a215ba..848b76336 100644
--- a/policy/modules/services/sssd.fc
+++ b/policy/modules/services/sssd.fc
@@ -14,4 +14,4 @@
 
 /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
 
-/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/run/sssd\.pid -- gen_context(system_u:object_r:sssd_runtime_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index bdb7f8810..a17631571 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -167,11 +167,11 @@ interface(`sssd_manage_public_files',`
 #
 interface(`sssd_read_pid_files',`
 	gen_require(`
-		type sssd_var_run_t;
+		type sssd_runtime_t;
 	')
 
 	files_search_pids($1)
-	allow $1 sssd_var_run_t:file read_file_perms;
+	allow $1 sssd_runtime_t:file read_file_perms;
 ')
 
 ########################################
@@ -187,12 +187,12 @@ interface(`sssd_read_pid_files',`
 #
 interface(`sssd_manage_pids',`
 	gen_require(`
-		type sssd_var_run_t;
+		type sssd_runtime_t;
 	')
 
 	files_search_pids($1)
-	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
-	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+	manage_dirs_pattern($1, sssd_runtime_t, sssd_runtime_t)
+	manage_files_pattern($1, sssd_runtime_t, sssd_runtime_t)
 ')
 
 ########################################
@@ -335,7 +335,7 @@ interface(`sssd_stream_connect',`
 interface(`sssd_admin',`
 	gen_require(`
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
-		type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
+		type sssd_var_lib_t, sssd_runtime_t, sssd_conf_t;
 		type sssd_var_log_t;
 	')
 
@@ -351,7 +351,7 @@ interface(`sssd_admin',`
 	admin_pattern($1, { sssd_var_lib_t sssd_public_t })
 
 	files_search_pids($1)
-	admin_pattern($1, sssd_var_run_t)
+	admin_pattern($1, sssd_runtime_t)
 
 	logging_search_logs($1)
 	admin_pattern($1, sssd_var_log_t)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index dc7917ba5..80b31efc8 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -25,8 +25,8 @@ mls_trusted_object(sssd_var_lib_t)
 type sssd_var_log_t;
 logging_log_file(sssd_var_log_t)
 
-type sssd_var_run_t;
-files_pid_file(sssd_var_run_t)
+type sssd_runtime_t alias sssd_var_run_t;
+files_pid_file(sssd_runtime_t)
 
 ########################################
 #
@@ -56,9 +56,9 @@ create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
 logging_log_filetrans(sssd_t, sssd_var_log_t, file)
 
-manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+manage_dirs_pattern(sssd_t, sssd_runtime_t, sssd_runtime_t)
+manage_files_pattern(sssd_t, sssd_runtime_t, sssd_runtime_t)
+files_pid_filetrans(sssd_t, sssd_runtime_t, { file dir })
 
 kernel_read_network_state(sssd_t)
 kernel_read_system_state(sssd_t)
diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc
index d85430625..ba3b9114b 100644
--- a/policy/modules/services/stunnel.fc
+++ b/policy/modules/services/stunnel.fc
@@ -4,4 +4,4 @@
 
 /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
 
-/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
+/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_runtime_t,s0)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index a68d2b78f..fcaa98b60 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -15,8 +15,8 @@ files_config_file(stunnel_etc_t)
 type stunnel_tmp_t;
 files_tmp_file(stunnel_tmp_t)
 
-type stunnel_var_run_t;
-files_pid_file(stunnel_var_run_t)
+type stunnel_runtime_t alias stunnel_var_run_t;
+files_pid_file(stunnel_runtime_t)
 
 ########################################
 #
@@ -38,9 +38,9 @@ manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
 files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir })
 
-manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
-manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t)
-files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file })
+manage_dirs_pattern(stunnel_t, stunnel_runtime_t, stunnel_runtime_t)
+manage_files_pattern(stunnel_t, stunnel_runtime_t, stunnel_runtime_t)
+files_pid_filetrans(stunnel_t, stunnel_runtime_t, { dir file })
 
 kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)
diff --git a/policy/modules/services/svnserve.fc b/policy/modules/services/svnserve.fc
index b1da9ca2d..1fad7832a 100644
--- a/policy/modules/services/svnserve.fc
+++ b/policy/modules/services/svnserve.fc
@@ -4,5 +4,5 @@
 
 /var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
 
-/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
-/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
+/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_runtime_t,s0)
+/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_runtime_t,s0)
diff --git a/policy/modules/services/svnserve.if b/policy/modules/services/svnserve.if
index 618dccb3e..996a2823f 100644
--- a/policy/modules/services/svnserve.if
+++ b/policy/modules/services/svnserve.if
@@ -19,7 +19,7 @@
 #
 interface(`svnserve_admin',`
 	gen_require(`
-		type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
+		type svnserve_t, svnserve_initrc_exec_t, svnserve_runtime_t;
 	')
 
 	allow $1 svnserve_t:process { ptrace signal_perms };
@@ -28,5 +28,5 @@ interface(`svnserve_admin',`
 	init_startstop_service($1, $2, svnserve_t, svnserve_initrc_exec_t)
 
 	files_search_pids($1)
-	admin_pattern($1, svnserve_var_run_t)
+	admin_pattern($1, svnserve_runtime_t)
 ')
diff --git a/policy/modules/services/svnserve.te b/policy/modules/services/svnserve.te
index 5fcd8b412..ce7904060 100644
--- a/policy/modules/services/svnserve.te
+++ b/policy/modules/services/svnserve.te
@@ -15,8 +15,8 @@ init_script_file(svnserve_initrc_exec_t)
 type svnserve_content_t;
 files_type(svnserve_content_t)
 
-type svnserve_var_run_t;
-files_pid_file(svnserve_var_run_t)
+type svnserve_runtime_t alias svnserve_var_run_t;
+files_pid_file(svnserve_runtime_t)
 
 ########################################
 #
@@ -30,9 +30,9 @@ allow svnserve_t self:unix_stream_socket { listen accept };
 manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
 manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
 
-manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
-files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+manage_dirs_pattern(svnserve_t, svnserve_runtime_t, svnserve_runtime_t)
+manage_files_pattern(svnserve_t, svnserve_runtime_t, svnserve_runtime_t)
+files_pid_filetrans(svnserve_t, svnserve_runtime_t, { dir file })
 
 files_read_etc_files(svnserve_t)
 files_read_usr_files(svnserve_t)
diff --git a/policy/modules/services/systemtap.fc b/policy/modules/services/systemtap.fc
index 72cbadb8b..15f5a0745 100644
--- a/policy/modules/services/systemtap.fc
+++ b/policy/modules/services/systemtap.fc
@@ -8,4 +8,4 @@
 
 /var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
 
-/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
+/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_runtime_t,s0)
diff --git a/policy/modules/services/systemtap.if b/policy/modules/services/systemtap.if
index 62520b334..765ed89f4 100644
--- a/policy/modules/services/systemtap.if
+++ b/policy/modules/services/systemtap.if
@@ -20,7 +20,7 @@ interface(`stapserver_admin',`
 	gen_require(`
 		type stapserver_t, stapserver_conf_t, stapserver_log_t;
-		type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+		type stapserver_runtime_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
 	')
 
 	allow $1 stapserver_t:process { ptrace signal_perms };
@@ -38,5 +38,5 @@ interface(`stapserver_admin',`
 	admin_pattern($1, stapserver_log_t)
 
 	files_search_pids($1)
-	admin_pattern($1, stapserver_var_run_t)
+	admin_pattern($1, stapserver_runtime_t)
 ')
diff --git a/policy/modules/services/systemtap.te b/policy/modules/services/systemtap.te
index c0ddb6377..a7331e17d 100644
--- a/policy/modules/services/systemtap.te
+++ b/policy/modules/services/systemtap.te
@@ -21,8 +21,8 @@ files_type(stapserver_var_lib_t)
 type stapserver_log_t;
 logging_log_file(stapserver_log_t)
 
-type stapserver_var_run_t;
-files_pid_file(stapserver_var_run_t)
+type stapserver_runtime_t alias stapserver_var_run_t;
+files_pid_file(stapserver_runtime_t)
 
 ########################################
 #
@@ -48,9 +48,9 @@ create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
 logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
 
-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
+manage_dirs_pattern(stapserver_t, stapserver_runtime_t, stapserver_runtime_t)
+manage_files_pattern(stapserver_t, stapserver_runtime_t, stapserver_runtime_t)
+files_pid_filetrans(stapserver_t, stapserver_runtime_t, dir )
 
 kernel_read_kernel_sysctls(stapserver_t)
 kernel_read_system_state(stapserver_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 76e257b5f..233d5632e 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -19,8 +19,8 @@ files_type(telnetd_keytab_t)
 type telnetd_tmp_t;
 files_tmp_file(telnetd_tmp_t)
 
-type telnetd_var_run_t;
-files_pid_file(telnetd_var_run_t)
+type telnetd_runtime_t alias telnetd_var_run_t;
+files_pid_file(telnetd_runtime_t)
 
 ########################################
 #
@@ -41,8 +41,8 @@ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
 manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
 files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
 
-manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
-files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
+manage_files_pattern(telnetd_t, telnetd_runtime_t, telnetd_runtime_t)
+files_pid_filetrans(telnetd_t, telnetd_runtime_t, file)
 
 kernel_read_kernel_sysctls(telnetd_t)
 kernel_read_system_state(telnetd_t)
diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if
index b32fa3c08..1ae85cd26 100644
--- a/policy/modules/services/tftp.if
+++ b/policy/modules/services/tftp.if
@@ -165,7 +165,7 @@ interface(`tftp_filetrans_tftpdir',`
 #
 interface(`tftp_admin',`
 	gen_require(`
-		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_runtime_t;
 		type tftpd_conf_t;
 	')
 
@@ -179,5 +179,5 @@ interface(`tftp_admin',`
 	admin_pattern($1, { tftpdir_t tftpdir_rw_t })
 
 	files_list_pids($1)
-	admin_pattern($1, tftpd_var_run_t)
+	admin_pattern($1, tftpd_runtime_t)
 ')
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index a4fcc9459..9b20d98e4 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -30,8 +30,8 @@ init_daemon_domain(tftpd_t, tftpd_exec_t)
 type tftpd_conf_t;
 files_config_file(tftpd_conf_t)
 
-type tftpd_var_run_t;
-files_pid_file(tftpd_var_run_t)
+type tftpd_runtime_t alias tftpd_var_run_t;
+files_pid_file(tftpd_runtime_t)
 
 type tftpdir_t;
 files_type(tftpdir_t)
@@ -59,8 +59,8 @@ manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
-files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+manage_files_pattern(tftpd_t, tftpd_runtime_t, tftpd_runtime_t)
+files_pid_filetrans(tftpd_t, tftpd_runtime_t, file)
 kernel_read_system_state(tftpd_t)
 kernel_read_kernel_sysctls(tftpd_t)
diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc
index 1989d0909..02bd2432d 100644
--- a/policy/modules/services/tgtd.fc
+++ b/policy/modules/services/tgtd.fc
@@ -6,4 +6,4 @@
 /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
-/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
+/run/tgtd.* -s gen_context(system_u:object_r:tgtd_runtime_t,s0)
diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if
index 3056b2edf..c04837a29 100644
--- a/policy/modules/services/tgtd.if
+++ b/policy/modules/services/tgtd.if
@@ -50,11 +50,11 @@ interface(`tgtd_manage_semaphores',`
 #
 interface(`tgtd_stream_connect',`
 gen_require(`
- type tgtd_t, tgtd_var_run_t;
+ type tgtd_t, tgtd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
+ stream_connect_pattern($1, tgtd_runtime_t, tgtd_runtime_t, tgtd_t)
 ')
 ########################################
@@ -77,7 +77,7 @@ interface(`tgtd_stream_connect',`
 interface(`tgtd_admin',`
 gen_require(`
 type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t;
- type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t;
+ type tgtd_runtime_t, tgtd_tmp_t, tgtd_tmpfs_t;
 ')
 allow $1 tgtd_t:process { ptrace signal_perms };
@@ -89,7 +89,7 @@ interface(`tgtd_admin',`
 admin_pattern($1, tgtd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, tgtd_var_run_t)
+ admin_pattern($1, tgtd_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, tgtd_tmp_t)
diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
index c0f740098..9520c1859 100644
--- a/policy/modules/services/tgtd.te
+++ b/policy/modules/services/tgtd.te
@@ -21,8 +21,8 @@ files_tmpfs_file(tgtd_tmpfs_t)
 type tgtd_var_lib_t;
 files_type(tgtd_var_lib_t)
-type tgtd_var_run_t;
-files_pid_file(tgtd_var_run_t)
+type tgtd_runtime_t alias tgtd_var_run_t;
+files_pid_file(tgtd_runtime_t)
 ########################################
 #
@@ -49,10 +49,10 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
-manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
-files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+manage_dirs_pattern(tgtd_t, tgtd_runtime_t,tgtd_runtime_t)
+manage_files_pattern(tgtd_t, tgtd_runtime_t,tgtd_runtime_t)
+manage_sock_files_pattern(tgtd_t, tgtd_runtime_t,tgtd_runtime_t)
+files_pid_filetrans(tgtd_t,tgtd_runtime_t, { file sock_file })
 kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc
index 5c9507130..6da1b8775 100644
--- a/policy/modules/services/tor.fc
+++ b/policy/modules/services/tor.fc
@@ -12,4 +12,4 @@
 /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0)
-/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0)
+/run/tor(/.*)? gen_context(system_u:object_r:tor_runtime_t,s0)
diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if
index f2fc7a720..05a116925 100644
--- a/policy/modules/services/tor.if
+++ b/policy/modules/services/tor.if
@@ -39,7 +39,7 @@ interface(`tor_domtrans',`
 interface(`tor_admin',`
 gen_require(`
 type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
+ type tor_var_lib_t, tor_runtime_t, tor_initrc_exec_t;
 ')
 allow $1 tor_t:process { ptrace signal_perms };
@@ -57,5 +57,5 @@ interface(`tor_admin',`
 admin_pattern($1, tor_var_log_t)
 files_list_pids($1)
- admin_pattern($1, tor_var_run_t)
+ admin_pattern($1, tor_runtime_t)
 ')
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 4040f15da..59d29161d 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -32,9 +32,9 @@ files_type(tor_var_lib_t)
 type tor_var_log_t;
 logging_log_file(tor_var_log_t)
-type tor_var_run_t;
-files_pid_file(tor_var_run_t)
-init_daemon_pid_file(tor_var_run_t, dir, "tor")
+type tor_runtime_t alias tor_var_run_t;
+files_pid_file(tor_runtime_t)
+init_daemon_pid_file(tor_runtime_t, dir, "tor")
 ########################################
 #
@@ -66,10 +66,10 @@ setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
-manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
-manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
-manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
-files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
+manage_dirs_pattern(tor_t, tor_runtime_t, tor_runtime_t)
+manage_files_pattern(tor_t, tor_runtime_t, tor_runtime_t)
+manage_sock_files_pattern(tor_t, tor_runtime_t, tor_runtime_t)
+files_pid_filetrans(tor_t, tor_runtime_t, { dir file sock_file })
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc
index ce0eb7d6a..98cf07e8f 100644
--- a/policy/modules/services/transproxy.fc
+++ b/policy/modules/services/transproxy.fc
@@ -4,4 +4,4 @@
 /usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0)
-/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0)
+/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_runtime_t,s0)
diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if
index 946881b3d..4684bccd4 100644
--- a/policy/modules/services/transproxy.if
+++ b/policy/modules/services/transproxy.if
@@ -19,7 +19,7 @@
 #
 interface(`transproxy_admin',`
 gen_require(`
- type transproxy_t, transproxy_initrc_exec_t, transproxy_var_run_t;
+ type transproxy_t, transproxy_initrc_exec_t, transproxy_runtime_t;
 ')
 allow $1 transproxy_t:process { ptrace signal_perms };
@@ -28,5 +28,5 @@ interface(`transproxy_admin',`
 init_startstop_service($1, $2, transproxy_t, transproxy_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, transproxy_var_run_t)
+ admin_pattern($1, transproxy_runtime_t)
 ')
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index f267800ca..bf472120f 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -12,8 +12,8 @@ init_daemon_domain(transproxy_t, transproxy_exec_t)
 type transproxy_initrc_exec_t;
 init_script_file(transproxy_initrc_exec_t)
-type transproxy_var_run_t;
-files_pid_file(transproxy_var_run_t)
+type transproxy_runtime_t alias transproxy_var_run_t;
+files_pid_file(transproxy_runtime_t)
 ########################################
 #
@@ -25,8 +25,8 @@ dontaudit transproxy_t self:capability sys_tty_config;
 allow transproxy_t self:process signal_perms;
 allow transproxy_t self:tcp_socket create_stream_socket_perms;
-manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t)
-files_pid_filetrans(transproxy_t, transproxy_var_run_t, file)
+manage_files_pattern(transproxy_t, transproxy_runtime_t, transproxy_runtime_t)
+files_pid_filetrans(transproxy_t, transproxy_runtime_t, file)
 kernel_read_kernel_sysctls(transproxy_t)
 kernel_list_proc(transproxy_t)
diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc
index 21ea12951..a88f16d13 100644
--- a/policy/modules/services/tuned.fc
+++ b/policy/modules/services/tuned.fc
@@ -10,5 +10,5 @@
 /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
 /var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
-/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
-/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
+/run/tuned(/.*)? gen_context(system_u:object_r:tuned_runtime_t,s0)
+/run/tuned\.pid -- gen_context(system_u:object_r:tuned_runtime_t,s0)
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
index 5ca6fa59a..d7bfbc796 100644
--- a/policy/modules/services/tuned.if
+++ b/policy/modules/services/tuned.if
@@ -50,11 +50,11 @@ interface(`tuned_exec',`
 #
 interface(`tuned_read_pid_files',`
 gen_require(`
- type tuned_var_run_t;
+ type tuned_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+ read_files_pattern($1, tuned_runtime_t, tuned_runtime_t)
 ')
 #######################################
@@ -70,11 +70,11 @@ interface(`tuned_read_pid_files',`
 #
 interface(`tuned_manage_pid_files',`
 gen_require(`
- type tuned_var_run_t;
+ type tuned_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+ manage_files_pattern($1, tuned_runtime_t, tuned_runtime_t)
 ')
 ########################################
@@ -115,7 +115,7 @@ interface(`tuned_initrc_domtrans',`
 #
 interface(`tuned_admin',`
 gen_require(`
- type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+ type tuned_t, tuned_runtime_t, tuned_initrc_exec_t;
 type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
 ')
@@ -131,5 +131,5 @@ interface(`tuned_admin',`
 admin_pattern($1, tuned_log_t)
 files_search_pids($1)
- admin_pattern($1, tuned_var_run_t)
+ admin_pattern($1, tuned_runtime_t)
 ')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index d6808dcfd..b443fee94 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -21,8 +21,8 @@ files_config_file(tuned_rw_etc_t)
 type tuned_log_t;
 logging_log_file(tuned_log_t)
-type tuned_var_run_t;
-files_pid_file(tuned_var_run_t)
+type tuned_runtime_t alias tuned_var_run_t;
+files_pid_file(tuned_runtime_t)
 ########################################
 #
@@ -46,9 +46,9 @@ create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
 logging_log_filetrans(tuned_t, tuned_log_t, file)
-manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
+manage_files_pattern(tuned_t, tuned_runtime_t, tuned_runtime_t)
+manage_dirs_pattern(tuned_t, tuned_runtime_t, tuned_runtime_t)
+files_pid_filetrans(tuned_t, tuned_runtime_t, { dir file })
 kernel_read_system_state(tuned_t)
 kernel_read_network_state(tuned_t)
diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc
index 535dda0b4..5c79f39ed 100644
--- a/policy/modules/services/uptime.fc
+++ b/policy/modules/services/uptime.fc
@@ -6,6 +6,6 @@
 /usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0)
-/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)
+/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_runtime_t,s0)
 /var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0)
diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if
index ce3bc3b9f..63d9b4093 100644
--- a/policy/modules/services/uptime.if
+++ b/policy/modules/services/uptime.if
@@ -20,7 +20,7 @@ interface(`uptime_admin',`
 gen_require(`
 type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
- type uptimed_spool_t, uptimed_var_run_t;
+ type uptimed_spool_t, uptimed_runtime_t;
 ')
 allow $1 uptimed_t:process { ptrace signal_perms };
@@ -35,5 +35,5 @@ interface(`uptime_admin',`
 admin_pattern($1, uptimed_spool_t)
 files_search_pids($1)
- admin_pattern($1, uptimed_var_run_t)
+ admin_pattern($1, uptimed_runtime_t)
 ')
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index c131e543c..bd0bd4780 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -18,8 +18,8 @@ init_script_file(uptimed_initrc_exec_t)
 type uptimed_spool_t;
 files_type(uptimed_spool_t)
-type uptimed_var_run_t;
-files_pid_file(uptimed_var_run_t)
+type uptimed_runtime_t alias uptimed_var_run_t;
+files_pid_file(uptimed_runtime_t)
 ########################################
 #
@@ -32,8 +32,8 @@ allow uptimed_t self:fifo_file rw_fifo_file_perms;
 allow uptimed_t uptimed_etc_t:file read_file_perms;
-manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t)
-files_pid_filetrans(uptimed_t, uptimed_var_run_t, file)
+manage_files_pattern(uptimed_t, uptimed_runtime_t, uptimed_runtime_t)
+files_pid_filetrans(uptimed_t, uptimed_runtime_t, file)
 manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
 manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t)
diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc
index dd949dde1..e44113889 100644
--- a/policy/modules/services/usbmuxd.fc
+++ b/policy/modules/services/usbmuxd.fc
@@ -2,4 +2,4 @@
 /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
-/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_runtime_t,s0)
diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if
index 1ec5e996b..202575e25 100644
--- a/policy/modules/services/usbmuxd.if
+++ b/policy/modules/services/usbmuxd.if
@@ -32,9 +32,9 @@ interface(`usbmuxd_domtrans',`
 #
 interface(`usbmuxd_stream_connect',`
 gen_require(`
- type usbmuxd_t, usbmuxd_var_run_t;
+ type usbmuxd_t, usbmuxd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+ stream_connect_pattern($1, usbmuxd_runtime_t, usbmuxd_runtime_t, usbmuxd_t)
 ')
diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
index 32036a2e5..12f16eca1 100644
--- a/policy/modules/services/usbmuxd.te
+++ b/policy/modules/services/usbmuxd.te
@@ -13,8 +13,8 @@ type usbmuxd_exec_t;
 application_domain(usbmuxd_t, usbmuxd_exec_t)
 role usbmuxd_roles types usbmuxd_t;
-type usbmuxd_var_run_t;
-files_pid_file(usbmuxd_var_run_t)
+type usbmuxd_runtime_t alias usbmuxd_var_run_t;
+files_pid_file(usbmuxd_runtime_t)
 ########################################
 #
@@ -25,10 +25,10 @@ allow usbmuxd_t self:capability { kill setgid setuid };
 allow usbmuxd_t self:process { signal signull };
 allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
-manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
-manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
-manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
-files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+manage_dirs_pattern(usbmuxd_t, usbmuxd_runtime_t, usbmuxd_runtime_t)
+manage_files_pattern(usbmuxd_t, usbmuxd_runtime_t, usbmuxd_runtime_t)
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_runtime_t, usbmuxd_runtime_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_runtime_t, { file dir sock_file })
 kernel_read_kernel_sysctls(usbmuxd_t)
 kernel_read_system_state(usbmuxd_t)
diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
index a06faaf98..8d3256a69 100644
--- a/policy/modules/services/uucp.if
+++ b/policy/modules/services/uucp.if
@@ -101,7 +101,7 @@ interface(`uucp_admin',`
 gen_require(`
 type uucpd_t, uucpd_tmp_t, uucpd_log_t;
 type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t;
- type uucpd_var_run_t, uucpd_initrc_exec_t;
+ type uucpd_runtime_t, uucpd_initrc_exec_t;
 ')
 init_startstop_service($1, $2, uucpd_t, uucpd_initrc_exec_t)
@@ -121,5 +121,5 @@ interface(`uucp_admin',`
 admin_pattern($1, uucpd_tmp_t)
 files_list_pids($1)
- admin_pattern($1, uucpd_var_run_t)
+ admin_pattern($1, uucpd_runtime_t)
 ')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index c18f3557d..2fb421eb0 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -21,8 +21,8 @@ files_lock_file(uucpd_lock_t)
 type uucpd_tmp_t;
 files_tmp_file(uucpd_tmp_t)
-type uucpd_var_run_t;
-files_pid_file(uucpd_var_run_t)
+type uucpd_runtime_t alias uucpd_var_run_t;
+files_pid_file(uucpd_runtime_t)
 type uucpd_rw_t;
 files_type(uucpd_rw_t)
@@ -77,8 +77,8 @@ manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
 manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
 files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
-manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t)
-files_pid_filetrans(uucpd_t, uucpd_var_run_t, file)
+manage_files_pattern(uucpd_t, uucpd_runtime_t, uucpd_runtime_t)
+files_pid_filetrans(uucpd_t, uucpd_runtime_t, file)
 kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
index d0a8520da..6990a0d5e 100644
--- a/policy/modules/services/uuidd.fc
+++ b/policy/modules/services/uuidd.fc
@@ -6,4 +6,4 @@
 /var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
-/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
+/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_runtime_t,s0)
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
index 30f45ebf3..65fc849ef 100644
--- a/policy/modules/services/uuidd.if
+++ b/policy/modules/services/uuidd.if
@@ -128,11 +128,11 @@ interface(`uuidd_manage_lib_dirs',`
 #
 interface(`uuidd_read_pid_files',`
 gen_require(`
- type uuidd_var_run_t;
+ type uuidd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 uuidd_var_run_t:file read_file_perms;
+ allow $1 uuidd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -148,11 +148,11 @@ interface(`uuidd_read_pid_files',`
 #
 interface(`uuidd_stream_connect_manager',`
 gen_require(`
- type uuidd_t, uuidd_var_run_t;
+ type uuidd_t, uuidd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
+ stream_connect_pattern($1, uuidd_runtime_t, uuidd_runtime_t, uuidd_t)
 ')
 ########################################
@@ -175,7 +175,7 @@ interface(`uuidd_stream_connect_manager',`
 interface(`uuidd_admin',`
 gen_require(`
 type uuidd_t, uuidd_initrc_exec_t;
- type uuidd_var_run_t, uuidd_var_lib_t;
+ type uuidd_runtime_t, uuidd_var_lib_t;
 ')
 allow $1 uuidd_t:process signal_perms;
@@ -187,5 +187,5 @@ interface(`uuidd_admin',`
 admin_pattern($1, uuidd_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, uuidd_var_run_t)
+ admin_pattern($1, uuidd_runtime_t)
 ')
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
index 8c0defb36..cce22ad06 100644
--- a/policy/modules/services/uuidd.te
+++ b/policy/modules/services/uuidd.te
@@ -15,8 +15,8 @@ init_script_file(uuidd_initrc_exec_t)
 type uuidd_var_lib_t;
 files_type(uuidd_var_lib_t)
-type uuidd_var_run_t;
-files_pid_file(uuidd_var_run_t)
+type uuidd_runtime_t alias uuidd_var_run_t;
+files_pid_file(uuidd_runtime_t)
 ########################################
 #
@@ -33,10 +33,10 @@ manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
 manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
 files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { dir file })
-manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
-manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
-manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
-files_pid_filetrans(uuidd_t, uuidd_var_run_t, { dir file sock_file })
+manage_dirs_pattern(uuidd_t, uuidd_runtime_t, uuidd_runtime_t)
+manage_files_pattern(uuidd_t, uuidd_runtime_t, uuidd_runtime_t)
+manage_sock_files_pattern(uuidd_t, uuidd_runtime_t, uuidd_runtime_t)
+files_pid_filetrans(uuidd_t, uuidd_runtime_t, { dir file sock_file })
 dev_read_urand(uuidd_t)
diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc
index 92db9eaca..19029062b 100644
--- a/policy/modules/services/uwimap.fc
+++ b/policy/modules/services/uwimap.fc
@@ -1,3 +1,3 @@
 /usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0)
-/run/imapd\.pid -- gen_context(system_u:object_r:imapd_var_run_t,s0)
+/run/imapd\.pid -- gen_context(system_u:object_r:imapd_runtime_t,s0)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index 02a45cf17..f7ccd23d6 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -12,8 +12,8 @@ init_daemon_domain(imapd_t, imapd_exec_t)
 type imapd_tmp_t;
 files_tmp_file(imapd_tmp_t)
-type imapd_var_run_t;
-files_pid_file(imapd_var_run_t)
+type imapd_runtime_t alias imapd_var_run_t;
+files_pid_file(imapd_runtime_t)
 ########################################
 #
@@ -30,8 +30,8 @@ manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
 manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t)
 files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir })
-manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t)
-files_pid_filetrans(imapd_t, imapd_var_run_t, file)
+manage_files_pattern(imapd_t, imapd_runtime_t, imapd_runtime_t)
+files_pid_filetrans(imapd_t, imapd_runtime_t, file)
 kernel_read_kernel_sysctls(imapd_t)
 kernel_list_proc(imapd_t)
diff --git a/policy/modules/services/varnishd.fc b/policy/modules/services/varnishd.fc
index 5d3f0915a..c14077503 100644
--- a/policy/modules/services/varnishd.fc
+++ b/policy/modules/services/varnishd.fc
@@ -14,6 +14,6 @@
 /var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0)
-/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0)
-/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
-/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_runtime_t,s0)
+/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_runtime_t,s0)
+/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_runtime_t,s0)
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
index e2dc5ea1e..baa19577d 100644
--- a/policy/modules/services/varnishd.if
+++ b/policy/modules/services/varnishd.if
@@ -154,7 +154,7 @@ interface(`varnishd_manage_log',`
 interface(`varnishd_admin_varnishlog',`
 gen_require(`
 type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
- type varnishlog_var_run_t;
+ type varnishlog_runtime_t;
 ')
 allow $1 varnishlog_t:process { ptrace signal_perms };
@@ -163,7 +163,7 @@ interface(`varnishd_admin_varnishlog',`
 init_startstop_service($1, $2, varnishlog_t, varnishlog_initrc_exec_t)
 files_list_pids($1)
- admin_pattern($1, varnishlog_var_run_t)
+ admin_pattern($1, varnishlog_runtime_t)
 logging_list_logs($1)
 admin_pattern($1, varnishlog_log_t)
@@ -189,7 +189,7 @@ interface(`varnishd_admin_varnishlog',`
 interface(`varnishd_admin',`
 gen_require(`
 type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
- type varnishd_var_run_t, varnishd_tmp_t;
+ type varnishd_runtime_t, varnishd_tmp_t;
 type varnishd_initrc_exec_t;
 ')
@@ -205,7 +205,7 @@ interface(`varnishd_admin',`
 admin_pattern($1, varnishd_etc_t)
 files_list_pids($1)
- admin_pattern($1, varnishd_var_run_t)
+ admin_pattern($1, varnishd_runtime_t)
 files_list_tmp($1)
 admin_pattern($1, varnishd_tmp_t)
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
index 665e31c80..39a5e091a 100644
--- a/policy/modules/services/varnishd.te
+++ b/policy/modules/services/varnishd.te
@@ -29,8 +29,8 @@ files_tmp_file(varnishd_tmp_t)
 type varnishd_var_lib_t;
 files_type(varnishd_var_lib_t)
-type varnishd_var_run_t;
-files_pid_file(varnishd_var_run_t)
+type varnishd_runtime_t alias varnishd_var_run_t;
+files_pid_file(varnishd_runtime_t)
 type varnishlog_t;
 type varnishlog_exec_t;
@@ -39,8 +39,8 @@ init_daemon_domain(varnishlog_t, varnishlog_exec_t)
 type varnishlog_initrc_exec_t;
 init_script_file(varnishlog_initrc_exec_t)
-type varnishlog_var_run_t;
-files_pid_file(varnishlog_var_run_t)
+type varnishlog_runtime_t alias varnishlog_var_run_t;
+files_pid_file(varnishlog_runtime_t)
 type varnishlog_log_t;
 files_type(varnishlog_log_t)
@@ -68,8 +68,8 @@ manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
 manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
 files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
-manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
-files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
+manage_files_pattern(varnishd_t, varnishd_runtime_t, varnishd_runtime_t)
+files_pid_filetrans(varnishd_t, varnishd_runtime_t, file)
 can_exec(varnishd_t, varnishd_var_lib_t)
@@ -126,8 +126,8 @@ tunable_policy(`varnishd_connect_any',`
 # Log local policy
 #
-manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
-files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
+manage_files_pattern(varnishlog_t, varnishlog_runtime_t, varnishlog_runtime_t)
+files_pid_filetrans(varnishlog_t, varnishlog_runtime_t, file)
 manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
 append_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
index 13aecb581..12c03ab57 100644
--- a/policy/modules/services/vdagent.fc
+++ b/policy/modules/services/vdagent.fc
@@ -7,5 +7,5 @@
 /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
 /var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
-/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
-/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_runtime_t,s0)
+/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_runtime_t,s0)
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
index c4a5ed7ef..e0aaa2e46 100644
--- a/policy/modules/services/vdagent.if
+++ b/policy/modules/services/vdagent.if
@@ -68,11 +68,11 @@ interface(`vdagent_getattr_log',`
 #
 interface(`vdagent_read_pid_files',`
 gen_require(`
- type vdagent_var_run_t;
+ type vdagent_runtime_t;
 ')
 files_search_pids($1)
- allow $1 vdagent_var_run_t:file read_file_perms;
+ allow $1 vdagent_runtime_t:file read_file_perms;
 ')
 #####################################
@@ -88,11 +88,11 @@ interface(`vdagent_read_pid_files',`
 #
 interface(`vdagent_stream_connect',`
 gen_require(`
- type vdagent_var_run_t, vdagent_t;
+ type vdagent_runtime_t, vdagent_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
+ stream_connect_pattern($1, vdagent_runtime_t, vdagent_runtime_t, vdagent_t)
 ')
 ########################################
@@ -114,7 +114,7 @@ interface(`vdagent_stream_connect',`
 #
 interface(`vdagent_admin',`
 gen_require(`
- type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t;
+ type vdagent_t, vdagent_runtime_t, vdagentd_initrc_exec_t;
 type vdagent_log_t;
 ')
@@ -127,5 +127,5 @@ interface(`vdagent_admin',`
 admin_pattern($1, vdagent_log_t)
 files_search_pids($1)
- admin_pattern($1, vdagent_var_run_t)
+ admin_pattern($1, vdagent_runtime_t)
 ')
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
index 1c7919c3a..91f270e7e 100644
--- a/policy/modules/services/vdagent.te
+++ b/policy/modules/services/vdagent.te
@@ -12,8 +12,8 @@ init_daemon_domain(vdagent_t, vdagent_exec_t)
 type vdagentd_initrc_exec_t;
 init_script_file(vdagentd_initrc_exec_t)
-type vdagent_var_run_t;
-files_pid_file(vdagent_var_run_t)
+type vdagent_runtime_t alias vdagent_var_run_t;
+files_pid_file(vdagent_runtime_t)
 type vdagent_log_t;
 logging_log_file(vdagent_log_t)
@@ -28,10 +28,10 @@ allow vdagent_t self:process signal;
 allow vdagent_t self:fifo_file rw_fifo_file_perms;
 allow vdagent_t self:unix_stream_socket { accept listen };
-manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
-manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
-manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
-files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
+manage_dirs_pattern(vdagent_t, vdagent_runtime_t, vdagent_runtime_t)
+manage_files_pattern(vdagent_t, vdagent_runtime_t, vdagent_runtime_t)
+manage_sock_files_pattern(vdagent_t, vdagent_runtime_t, vdagent_runtime_t)
+files_pid_filetrans(vdagent_t, vdagent_runtime_t, { dir file sock_file })
 manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
 append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc
index ded76282e..4d4670f89 100644
--- a/policy/modules/services/vhostmd.fc
+++ b/policy/modules/services/vhostmd.fc
@@ -4,4 +4,4 @@
 /usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
-/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+/run/vhostmd.* gen_context(system_u:object_r:vhostmd_runtime_t,s0)
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if
index 3c66a92ca..0a8111013 100644
--- a/policy/modules/services/vhostmd.if
+++ b/policy/modules/services/vhostmd.if
@@ -127,11 +127,11 @@ interface(`vhostmd_manage_tmpfs_files',`
 #
 interface(`vhostmd_read_pid_files',`
 gen_require(`
- type vhostmd_var_run_t;
+ type vhostmd_runtime_t;
 ')
 files_search_pids($1)
- allow $1 vhostmd_var_run_t:file read_file_perms;
+ allow $1 vhostmd_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -147,11 +147,11 @@ interface(`vhostmd_read_pid_files',`
 #
 interface(`vhostmd_manage_pid_files',`
 gen_require(`
- type vhostmd_var_run_t;
+ type vhostmd_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ manage_files_pattern($1, vhostmd_runtime_t, vhostmd_runtime_t)
 ')
 ########################################
@@ -167,11 +167,11 @@ interface(`vhostmd_manage_pid_files',`
 #
 interface(`vhostmd_stream_connect',`
 gen_require(`
- type vhostmd_t, vhostmd_var_run_t;
+ type vhostmd_t, vhostmd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t)
+ stream_connect_pattern($1, vhostmd_runtime_t, vhostmd_runtime_t, vhostmd_t)
 ')
 #######################################
@@ -212,7 +212,7 @@ interface(`vhostmd_dontaudit_rw_stream_connect',`
 #
 interface(`vhostmd_admin',`
 gen_require(`
- type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t;
+ type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_runtime_t;
 type vhostmd_tmpfs_t;
 ')
@@ -225,5 +225,5 @@ interface(`vhostmd_admin',`
 admin_pattern($1, vhostmd_tmpfs_t)
 files_search_pids($1)
- admin_pattern($1, vhostmd_var_run_t)
+ admin_pattern($1, vhostmd_runtime_t)
 ')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 685e7b8b8..c5d92c525 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -15,8 +15,8 @@ init_script_file(vhostmd_initrc_exec_t)
 type vhostmd_tmpfs_t;
 files_tmpfs_file(vhostmd_tmpfs_t)
-type vhostmd_var_run_t;
-files_pid_file(vhostmd_var_run_t)
+type vhostmd_runtime_t alias vhostmd_var_run_t;
+files_pid_file(vhostmd_runtime_t)
 ########################################
 #
@@ -31,10 +31,10 @@ manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
-manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
-manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
-manage_sock_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
-files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir sock_file })
+manage_dirs_pattern(vhostmd_t, vhostmd_runtime_t, vhostmd_runtime_t)
+manage_files_pattern(vhostmd_t, vhostmd_runtime_t, vhostmd_runtime_t)
+manage_sock_files_pattern(vhostmd_t, vhostmd_runtime_t, vhostmd_runtime_t)
+files_pid_filetrans(vhostmd_t, vhostmd_runtime_t, { file dir sock_file })
 kernel_read_kernel_sysctls(vhostmd_t)
 kernel_read_system_state(vhostmd_t)
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index cec5d545e..5266b68c1 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -46,22 +46,22 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
 /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
 /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_runtime_t,s0-mls_systemhigh)
 /var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virtlockd_var_lib_t,s0)
 /var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
 /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
 /var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0)
-/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
-/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
-/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0)
+/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_runtime_t,s0)
+/run/libvirt(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0)
+/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_runtime_t,s0)
+/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_runtime_t,s0)
+/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_runtime_t,s0-mls_systemhigh)
 /run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlockd_run_t,s0)
 /run/user/[^/]*/libguestfs(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
-/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/run/vdsm(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0)
 /run/virtlockd\.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 993ee6c84..e19330bdf 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -366,11 +366,11 @@ interface(`virt_getattr_virtd_exec_files',`
 #
 interface(`virt_stream_connect',`
 gen_require(`
- type virtd_t, virt_var_run_t;
+ type virtd_t, virt_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+ stream_connect_pattern($1, virt_runtime_t, virt_runtime_t, virtd_t)
 ')
 ########################################
@@ -807,11 +807,11 @@ interface(`virt_home_filetrans_virt_home',`
 #
 interface(`virt_read_pid_files',`
 gen_require(`
- type virt_var_run_t;
+ type virt_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_files_pattern($1, virt_runtime_t, virt_runtime_t)
 ')
 ########################################
@@ -827,11 +827,11 @@ interface(`virt_read_pid_files',`
 #
 interface(`virt_manage_pid_files',`
 gen_require(`
- type virt_var_run_t;
+ type virt_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_files_pattern($1, virt_runtime_t, virt_runtime_t)
 ')
 ########################################
@@ -922,11 +922,11 @@ interface(`virt_manage_lib_files',`
 #
 interface(`virt_pid_filetrans',`
 gen_require(`
- type virt_var_run_t;
+ type virt_runtime_t;
 ')
 files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ filetrans_pattern($1, virt_runtime_t, $2, $3, $4)
 ')
 ########################################
@@ -1147,10 +1147,10 @@ interface(`virt_admin',`
 attribute virt_domain, virt_image_type, virt_tmpfs_type;
 attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
 type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
+ type virsh_t, virtd_lxc_runtime_t, svirt_lxc_file_t;
 type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+ type virt_runtime_t, virt_tmp_t, virt_log_t;
+ type virt_lock_t, svirt_runtime_t, virt_etc_rw_t;
 type virt_etc_t, svirt_cache_t, virtd_keytab_t;
 ')
@@ -1174,7 +1174,7 @@ interface(`virt_admin',`
 admin_pattern($1, virt_log_t)
 files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+ admin_pattern($1, { virt_runtime_t virtd_lxc_runtime_t svirt_runtime_t })
 files_search_var($1)
 admin_pattern($1, svirt_cache_t)
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 181488ef4..36e4a804b 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -113,9 +113,9 @@ userdom_user_home_content(virt_home_t)
 type svirt_home_t;
 userdom_user_home_content(svirt_home_t)
-type svirt_var_run_t;
-files_pid_file(svirt_var_run_t)
-mls_trusted_object(svirt_var_run_t)
+type svirt_runtime_t alias svirt_var_run_t;
+files_pid_file(svirt_runtime_t)
+mls_trusted_object(svirt_runtime_t)
 type virt_image_t; # customizable
 virt_image(virt_image_t)
@@ -138,8 +138,8 @@ files_tmp_file(virt_tmp_t)
 type virt_tmpfs_t;
 files_tmpfs_file(virt_tmpfs_t)
-type virt_var_run_t;
-files_pid_file(virt_var_run_t)
+type virt_runtime_t alias virt_var_run_t;
+files_pid_file(virt_runtime_t)
 type virt_var_lib_t;
 files_mountpoint(virt_var_lib_t)
@@ -184,8 +184,8 @@ type virtd_lxc_t;
 type virtd_lxc_exec_t;
 init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
-type virtd_lxc_var_run_t;
-files_pid_file(virtd_lxc_var_run_t)
+type virtd_lxc_runtime_t alias virtd_lxc_var_run_t;
+files_pid_file(virtd_lxc_runtime_t)
 type svirt_lxc_file_t;
 files_mountpoint(svirt_lxc_file_t)
@@ -252,14 +252,14 @@ manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
 manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
 files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
+manage_dirs_pattern(virt_domain, svirt_runtime_t, svirt_runtime_t)
+manage_files_pattern(virt_domain, svirt_runtime_t, svirt_runtime_t)
+manage_sock_files_pattern(virt_domain, svirt_runtime_t, svirt_runtime_t)
+manage_lnk_files_pattern(virt_domain, svirt_runtime_t, svirt_runtime_t)
+files_pid_filetrans(virt_domain, svirt_runtime_t, { dir file })
-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
-stream_connect_pattern(virt_domain, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virt_domain, svirt_runtime_t, svirt_runtime_t, virtd_t)
+stream_connect_pattern(virt_domain, virt_runtime_t, virtlockd_run_t, virtlockd_t)
 dontaudit virt_domain virt_tmpfs_type:file { read write };
@@ -502,12 +502,12 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
-allow virtd_t svirt_var_run_t:file relabel_file_perms;
-allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
+allow virtd_t svirt_runtime_t:file relabel_file_perms;
+allow virtd_t svirt_runtime_t:dir { mounton relabel_dir_perms };
+manage_dirs_pattern(virtd_t, svirt_runtime_t, svirt_runtime_t)
+manage_files_pattern(virtd_t, svirt_runtime_t, svirt_runtime_t)
+manage_sock_files_pattern(virtd_t, svirt_runtime_t, svirt_runtime_t)
+filetrans_pattern(virtd_t, virt_runtime_t, svirt_runtime_t, dir, "qemu")
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -572,19 +572,19 @@ manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
-manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
+manage_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
+manage_sock_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
+files_pid_filetrans(virtd_t, virt_runtime_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+manage_files_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+filetrans_pattern(virtd_t, virt_runtime_t, virtd_lxc_runtime_t, dir, "lxc")
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
-stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
-stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
+stream_connect_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t, virtd_lxc_t)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_runtime_t }, { virt_image_type svirt_runtime_t}, virt_domain)
+stream_connect_pattern(virtd_t, virt_runtime_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_runtime_t, virtlogd_run_t, virtlogd_t)
 can_exec(virtd_t, virt_tmp_t)
@@ -780,8 +780,8 @@ optional_policy(`
 dnsmasq_kill(virtd_t)
 dnsmasq_signull(virtd_t)
 dnsmasq_create_pid_dirs(virtd_t)
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
+ dnsmasq_spec_filetrans_pid(virtd_t, virt_runtime_t, dir, "network")
+ dnsmasq_spec_filetrans_pid(virtd_t, virt_runtime_t, file, "dnsmasq.pid")
 dnsmasq_manage_pid_files(virtd_t)
 ')
@@ -861,9 +861,9 @@ manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virsh_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+manage_files_pattern(virsh_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+filetrans_pattern(virsh_t, virt_runtime_t, virtd_lxc_runtime_t, dir, "lxc")
 dontaudit virsh_t virt_var_lib_t:file read_file_perms;
@@ -1004,11 +1004,11 @@ allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transitio
 allow virtd_lxc_t virt_image_type:dir mounton;
 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
-allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+allow virtd_lxc_t virt_runtime_t:dir search_dir_perms;
+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+manage_files_pattern(virtd_lxc_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
+files_pid_filetrans(virtd_lxc_t, virtd_lxc_runtime_t, { file dir })
 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -1107,8 +1107,8 @@ allow svirt_lxc_domain virsh_t:fd use;
 allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
 allow svirt_lxc_domain virsh_t:process sigchld;
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+allow svirt_lxc_domain virtd_lxc_runtime_t:dir list_dir_perms;
+allow svirt_lxc_domain virtd_lxc_runtime_t:file read_file_perms;
 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
 manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -1315,8 +1315,8 @@ manage_dirs_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virt_leaseshelper_t, virt_var_lib_t, virt_var_lib_t)
 files_var_lib_filetrans(virt_leaseshelper_t, virt_var_lib_t, { file dir })
-manage_files_pattern(virt_leaseshelper_t, virt_var_run_t, virt_var_run_t)
-files_pid_filetrans(virt_leaseshelper_t, virt_var_run_t, file)
+manage_files_pattern(virt_leaseshelper_t, virt_runtime_t, virt_runtime_t)
+files_pid_filetrans(virt_leaseshelper_t, virt_runtime_t, file)
 kernel_dontaudit_read_system_state(virt_leaseshelper_t)
@@ -1343,9 +1343,9 @@ manage_dirs_pattern(virtlockd_t, { virt_var_lib_t virtlockd_var_lib_t }, virtloc
 manage_files_pattern(virtlockd_t, virtlockd_var_lib_t, virtlockd_var_lib_t)
 filetrans_pattern(virtlockd_t, virt_var_lib_t, virtlockd_var_lib_t, dir)
-manage_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
-manage_sock_files_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t)
-filetrans_pattern(virtlockd_t, virt_var_run_t, virtlockd_run_t, sock_file)
+manage_files_pattern(virtlockd_t, virt_runtime_t, virtlockd_run_t)
+manage_sock_files_pattern(virtlockd_t, virt_runtime_t, virtlockd_run_t)
+filetrans_pattern(virtlockd_t, virt_runtime_t, virtlockd_run_t, sock_file)
 files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 can_exec(virtlockd_t, virtlockd_exec_t)
@@ -1373,9 +1373,9 @@ allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
 can_exec(virtlogd_t, virtlogd_exec_t)
-manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
-manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
-filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+manage_files_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t, sock_file)
 files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 kernel_read_system_state(virtlogd_t)
diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc
index 1e4f11583..263bc1e5b 100644
--- a/policy/modules/services/watchdog.fc
+++ b/policy/modules/services/watchdog.fc
@@ -6,4 +6,4 @@
 /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
-/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
+/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_runtime_t,s0)
diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if
index b0fe9221e..ef6ccfa4b 100644
--- a/policy/modules/services/watchdog.if
+++ b/policy/modules/services/watchdog.if
@@ -20,7 +20,7 @@ interface(`watchdog_admin',`
 gen_require(`
 type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
- type watchdog_var_run_t;
+ type watchdog_runtime_t;
 ')
 allow $1 watchdog_t:process { ptrace signal_perms };
@@ -32,5 +32,5 @@ interface(`watchdog_admin',`
 admin_pattern($1, watchdog_log_t)
 files_search_pids($1)
- admin_pattern($1, watchdog_var_run_t)
+ admin_pattern($1, watchdog_runtime_t)
 ')
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index d1e4ea8ce..f35117429 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -15,8 +15,8 @@ init_script_file(watchdog_initrc_exec_t)
 type watchdog_log_t;
 logging_log_file(watchdog_log_t)
-type watchdog_var_run_t;
-files_pid_file(watchdog_var_run_t)
+type watchdog_runtime_t alias watchdog_var_run_t;
+files_pid_file(watchdog_runtime_t)
 ########################################
 #
@@ -33,8 +33,8 @@ allow watchdog_t self:tcp_socket { accept listen };
 allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(watchdog_t, watchdog_log_t, file)
-manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
-files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
+manage_files_pattern(watchdog_t, watchdog_runtime_t, watchdog_runtime_t)
+files_pid_filetrans(watchdog_t, watchdog_runtime_t, file)
 kernel_read_network_state(watchdog_t)
 kernel_read_system_state(watchdog_t)
diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc
index 849f93ccd..2a77bc9c0 100644
--- a/policy/modules/services/wdmd.fc
+++ b/policy/modules/services/wdmd.fc
@@ -4,4 +4,4 @@
 /usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
-/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_runtime_t,s0)
diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
index 53de648e8..589690fe0 100644
--- a/policy/modules/services/wdmd.if
+++ b/policy/modules/services/wdmd.if
@@ -13,11 +13,11 @@
 #
 interface(`wdmd_stream_connect',`
 gen_require(`
- type wdmd_t, wdmd_var_run_t;
+ type wdmd_t, wdmd_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
+ stream_connect_pattern($1, wdmd_runtime_t, wdmd_runtime_t, wdmd_t)
 ')
 ########################################
@@ -39,7 +39,7 @@ interface(`wdmd_stream_connect',`
 #
 interface(`wdmd_admin',`
 gen_require(`
- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
+ type wdmd_t, wdmd_initrc_exec_t, wdmd_runtime_t;
 ')
 allow $1 wdmd_t:process { ptrace signal_perms };
@@ -48,5 +48,5 @@ interface(`wdmd_admin',`
 init_startstop_service($1, $2, wdmd_t, wdmd_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, wdmd_var_run_t)
+ admin_pattern($1, wdmd_runtime_t)
 ')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
index b1a6a4825..968e5272d 100644
--- a/policy/modules/services/wdmd.te
+++ b/policy/modules/services/wdmd.te
@@ -15,8 +15,8 @@ init_script_file(wdmd_initrc_exec_t)
 type wdmd_tmpfs_t;
 files_tmpfs_file(wdmd_tmpfs_t)
-type wdmd_var_run_t;
-files_pid_file(wdmd_var_run_t)
+type wdmd_runtime_t alias wdmd_var_run_t;
+files_pid_file(wdmd_runtime_t)
 ########################################
 #
@@ -28,10 +28,10 @@ allow wdmd_t self:process { setsched signal };
 allow wdmd_t self:fifo_file rw_fifo_file_perms;
 allow wdmd_t self:unix_stream_socket { accept listen };
-manage_dirs_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-manage_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
-files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
+manage_dirs_pattern(wdmd_t, wdmd_runtime_t, wdmd_runtime_t)
+manage_files_pattern(wdmd_t, wdmd_runtime_t, wdmd_runtime_t)
+manage_sock_files_pattern(wdmd_t, wdmd_runtime_t, wdmd_runtime_t)
+files_pid_filetrans(wdmd_t, wdmd_runtime_t, { file dir sock_file })
 manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
 manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc
index 5702b94ad..494ba01e2 100644
--- a/policy/modules/services/xfs.fc
+++ b/policy/modules/services/xfs.fc
@@ -8,4 +8,4 @@
 /usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
-/run/xfs.* -- gen_context(system_u:object_r:xfs_var_run_t,s0)
+/run/xfs.* -- gen_context(system_u:object_r:xfs_runtime_t,s0)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index 1aafbbc1a..d18f4a945 100644
--- a/policy/modules/services/xfs.if
+++ b/policy/modules/services/xfs.if
@@ -96,7 +96,7 @@ interface(`xfs_create_tmp_dirs',`
 #
 interface(`xfs_admin',`
 gen_require(`
- type xfs_t, xfs_initrc_exec_t, xfs_var_run_t;
+ type xfs_t, xfs_initrc_exec_t, xfs_runtime_t;
 type xfs_tmp_t;
 ')
@@ -106,7 +106,7 @@ interface(`xfs_admin',`
 init_startstop_service($1, $2, xfs_t, xfs_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, xfs_var_run_t)
+ admin_pattern($1, xfs_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, xfs_tmp_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 1469f2fdf..16c1561f8 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -15,8 +15,8 @@ init_script_file(xfs_initrc_exec_t)
 type xfs_tmp_t;
 files_tmp_file(xfs_tmp_t)
-type xfs_var_run_t;
-files_pid_file(xfs_var_run_t)
+type xfs_runtime_t alias xfs_var_run_t;
+files_pid_file(xfs_runtime_t)
 ########################################
 #
@@ -33,8 +33,8 @@ manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
 manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
 files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
-manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
-files_pid_filetrans(xfs_t, xfs_var_run_t, file)
+manage_files_pattern(xfs_t, xfs_runtime_t, xfs_runtime_t)
+files_pid_filetrans(xfs_t, xfs_runtime_t, file)
 can_exec(xfs_t, xfs_exec_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 3c44d8493..516e3ce52 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -9,8 +9,8 @@ type xprint_t;
 type xprint_exec_t;
 init_daemon_domain(xprint_t, xprint_exec_t)
-type xprint_var_run_t;
-files_pid_file(xprint_var_run_t)
+type xprint_runtime_t alias xprint_var_run_t;
+files_pid_file(xprint_runtime_t)
 ########################################
 #
@@ -23,8 +23,8 @@ allow xprint_t self:fifo_file rw_fifo_file_perms;
 allow xprint_t self:tcp_socket create_stream_socket_perms;
 allow xprint_t self:udp_socket create_socket_perms;
-manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t)
-files_pid_filetrans(xprint_t, xprint_var_run_t, file)
+manage_files_pattern(xprint_t, xprint_runtime_t, xprint_runtime_t)
+files_pid_filetrans(xprint_t, xprint_runtime_t, file)
 kernel_read_system_state(xprint_t)
 kernel_read_kernel_sysctls(xprint_t)
diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc
index 076e85442..80c3afbb5 100644
--- a/policy/modules/services/zabbix.fc
+++ b/policy/modules/services/zabbix.fc
@@ -15,4 +15,4 @@
 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
-/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0)
+/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_runtime_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
index d71bce09d..bf345c7dd 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -91,11 +91,11 @@ interface(`zabbix_append_log',`
 #
 interface(`zabbix_read_pid_files',`
 gen_require(`
- type zabbix_var_run_t;
+ type zabbix_runtime_t;
 ')
 files_search_pids($1)
- allow $1 zabbix_var_run_t:file read_file_perms;
+ allow $1 zabbix_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -138,7 +138,7 @@ interface(`zabbix_agent_tcp_connect',`
 #
 interface(`zabbix_admin',`
 gen_require(`
- type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_runtime_t;
 type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
 type zabbix_tmpfs_t;
 ')
@@ -153,7 +153,7 @@ interface(`zabbix_admin',`
 admin_pattern($1, zabbix_log_t)
 files_list_pids($1)
- admin_pattern($1, zabbix_var_run_t)
+ admin_pattern($1, zabbix_runtime_t)
 files_list_tmp($1)
 admin_pattern($1, zabbix_tmp_t)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
index 68b8d99ce..96807186f 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -36,8 +36,8 @@ files_tmp_file(zabbix_tmp_t)
 type zabbix_tmpfs_t;
 files_tmpfs_file(zabbix_tmpfs_t)
-type zabbix_var_run_t;
-files_pid_file(zabbix_var_run_t)
+type zabbix_runtime_t alias zabbix_var_run_t;
+files_pid_file(zabbix_runtime_t)
 ########################################
 #
@@ -65,9 +65,9 @@ files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file })
 rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+manage_dirs_pattern(zabbix_t, zabbix_runtime_t, zabbix_runtime_t)
+manage_files_pattern(zabbix_t, zabbix_runtime_t, zabbix_runtime_t)
+files_pid_filetrans(zabbix_t, zabbix_runtime_t, { dir file })
 kernel_read_system_state(zabbix_t)
 kernel_read_kernel_sysctls(zabbix_t)
@@ -148,8 +148,8 @@ filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
-files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
+manage_files_pattern(zabbix_agent_t, zabbix_runtime_t, zabbix_runtime_t)
+files_pid_filetrans(zabbix_agent_t, zabbix_runtime_t, file)
 kernel_read_all_sysctls(zabbix_agent_t)
 kernel_read_system_state(zabbix_agent_t)
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
index 72c6f4594..5084e0841 100644
--- a/policy/modules/services/zarafa.fc
+++ b/policy/modules/services/zarafa.fc
@@ -22,12 +22,12 @@
 /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
 /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
-/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
-/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
-/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
-/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
-/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
-/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
-/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
+/run/zarafa -s gen_context(system_u:object_r:zarafa_server_runtime_t,s0)
+/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_runtime_t,s0)
+/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_runtime_t,s0)
+/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_runtime_t,s0)
+/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_runtime_t,s0)
+/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_runtime_t,s0)
+/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_runtime_t,s0)
+/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_runtime_t,s0)
+/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_runtime_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index 37a7434e6..906d49a2a 100644
--- a/policy/modules/services/zarafa.if
+++ b/policy/modules/services/zarafa.if
@@ -27,17 +27,17 @@ template(`zarafa_domain_template',`
 type zarafa_$1_log_t, zarafa_logfile;
 logging_log_file(zarafa_$1_log_t)
- type zarafa_$1_var_run_t, zarafa_pidfile;
- files_pid_file(zarafa_$1_var_run_t)
+ type zarafa_$1_runtime_t alias zarafa_$1_var_run_t, zarafa_pidfile;
+ files_pid_file(zarafa_$1_runtime_t)
 ########################################
 #
 # Policy
 #
- manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
- manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
- files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_runtime_t, zarafa_$1_runtime_t)
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_runtime_t, zarafa_$1_runtime_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_runtime_t, { file sock_file })
 append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
 create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
@@ -117,11 +117,11 @@ interface(`zarafa_domtrans_server',`
 #
 interface(`zarafa_stream_connect_server',`
 gen_require(`
- type zarafa_server_t, zarafa_server_var_run_t;
+ type zarafa_server_t, zarafa_server_runtime_t;
 ')
 files_search_var_lib($1)
- stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+ stream_connect_pattern($1, zarafa_server_runtime_t, zarafa_server_runtime_t, zarafa_server_t)
 ')
 ########################################
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
index 506952fba..de5d091a8 100644
--- a/policy/modules/services/zarafa.te
+++ b/policy/modules/services/zarafa.te
@@ -107,7 +107,7 @@ manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
 manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
 files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
-stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_runtime_t, zarafa_indexer_runtime_t, zarafa_indexer_t)
 corenet_all_recvfrom_unlabeled(zarafa_server_t)
 corenet_all_recvfrom_netlabel(zarafa_server_t)
@@ -164,7 +164,7 @@ allow zarafa_domain self:fifo_file rw_fifo_file_perms;
 allow zarafa_domain self:tcp_socket { accept listen };
 allow zarafa_domain self:unix_stream_socket { accept listen };
-stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+stream_connect_pattern(zarafa_domain, zarafa_server_runtime_t, zarafa_server_runtime_t, zarafa_server_t)
 read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc
index 3ded81f8e..4c6c45a1e 100644
--- a/policy/modules/services/zebra.fc
+++ b/policy/modules/services/zebra.fc
@@ -21,6 +21,6 @@
 /var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
 /var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
-/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
-/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
-/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+/run/\.zebra -s gen_context(system_u:object_r:zebra_runtime_t,s0)
+/run/\.zserv -s gen_context(system_u:object_r:zebra_runtime_t,s0)
+/run/quagga(/.*)? gen_context(system_u:object_r:zebra_runtime_t,s0)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 21da77a4b..7b4dff1f5 100644
--- a/policy/modules/services/zebra.if
+++ b/policy/modules/services/zebra.if
@@ -35,11 +35,11 @@ interface(`zebra_read_config',`
 #
 interface(`zebra_stream_connect',`
 gen_require(`
- type zebra_t, zebra_var_run_t;
+ type zebra_t, zebra_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
+ stream_connect_pattern($1, zebra_runtime_t, zebra_runtime_t, zebra_t)
 ')
 ########################################
@@ -62,7 +62,7 @@ interface(`zebra_stream_connect',`
 interface(`zebra_admin',`
 gen_require(`
 type zebra_t, zebra_tmp_t, zebra_log_t;
- type zebra_conf_t, zebra_var_run_t;
+ type zebra_conf_t, zebra_runtime_t;
 type zebra_initrc_exec_t;
 ')
@@ -81,5 +81,5 @@ interface(`zebra_admin',`
 admin_pattern($1, zebra_tmp_t)
 files_list_pids($1)
- admin_pattern($1, zebra_var_run_t)
+ admin_pattern($1, zebra_runtime_t)
 ')
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index 19bc99432..dea4dd7ea 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -29,8 +29,8 @@ logging_log_file(zebra_log_t)
 type zebra_tmp_t;
 files_tmp_file(zebra_tmp_t)
-type zebra_var_run_t;
-files_pid_file(zebra_var_run_t)
+type zebra_runtime_t alias zebra_var_run_t;
+files_pid_file(zebra_runtime_t)
 ########################################
 #
@@ -61,10 +61,10 @@ logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
 
-manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
-manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
-manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
-files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+manage_dirs_pattern(zebra_t, zebra_runtime_t, zebra_runtime_t)
+manage_files_pattern(zebra_t, zebra_runtime_t, zebra_runtime_t)
+manage_sock_files_pattern(zebra_t, zebra_runtime_t, zebra_runtime_t)
+files_pid_filetrans(zebra_t, zebra_runtime_t, { dir file sock_file })
 
 kernel_read_system_state(zebra_t)
 kernel_read_network_state(zebra_t)
@@ -96,7 +96,7 @@ corenet_sendrecv_router_server_packets(zebra_t)
 corenet_udp_bind_router_port(zebra_t)
 corenet_udp_sendrecv_router_port(zebra_t)
 
-dev_associate_usbfs(zebra_var_run_t)
+dev_associate_usbfs(zebra_runtime_t)
 dev_list_all_dev_nodes(zebra_t)
 dev_read_sysfs(zebra_t)
 dev_rw_zero(zebra_t)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 9edac1ae9..7fd315706 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
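Review bot: `dev_associate_usbfs(zebra_runtime_t)` in the -96 hunk is carried over unchanged, yet nothing visible in zebra.te explains why objects of a pid/socket type need filesystem association with usbfs, and the rename now makes that grant look even more out of place next to the /run-only rules in the -61 hunk. Since the alias keeps the old name working, this is a good moment to either record the reason with a comment such as `# zebra runtime objects may be created under usbfs; re-verify this is still needed` or drop the rule if no current zebra build creates anything there. I cannot tell from the hunk which of the two applies, so treat this as a question rather than a defect.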
@@ -46,10 +46,10 @@ ifdef(`distro_suse', `
 /run/motd -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic\.new -- gen_context(system_u:object_r:pam_motd_runtime_t,s0)
-/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
 /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
-/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/run/sepermit(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
+/run/sudo(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
+/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_runtime_t,s0)
+/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
+/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 2bd382de8..9718e91b3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1100,12 +1100,12 @@ interface(`auth_manage_var_auth',`
 #
 interface(`auth_read_pam_pid',`
 gen_require(`
- type pam_var_run_t;
+ type pam_runtime_t;
 ')
 
 files_search_pids($1)
- allow $1 pam_var_run_t:dir list_dir_perms;
- allow $1 pam_var_run_t:file read_file_perms;
+ allow $1 pam_runtime_t:dir list_dir_perms;
+ allow $1 pam_runtime_t:file read_file_perms;
 ')
 
 #######################################
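Review bot: `/var/(db|adm)/sudo(/.*)?` and `/var/lib/sudo(/.*)?` in the authlogin.fc hunk keep the pid-file type `pam_runtime_t` although neither path is under /run, and the new name now advertises a runtime lifetime for locations that sudo uses for timestamps outside tmpfs. `pam_runtime_t` is declared with `files_pid_file` in the authlogin.te hunk at -58, whereas persistent state under /var/lib is elsewhere given a `files_type` type (compare `files_type(iscsi_var_lib_t)` in iscsi.te), so any interface that treats pid files generically will also reach these directories. The same pattern appears in the ipsec.fc hunk at -50, where `/var/lib/racoon(/.*)?` and `/var/racoon(/.*)?` are labelled `ipsec_runtime_t`. If those paths are meant to survive reboots, a separate state type would be the cleaner follow-up; if they are obsolete locations, a one-line comment saying so above the entries would stop the next reader from asking the same question.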
@@ -1120,10 +1120,10 @@ interface(`auth_read_pam_pid',`
 #
 interface(`auth_dontaudit_read_pam_pid',`
 gen_require(`
- type pam_var_run_t;
+ type pam_runtime_t;
 ')
 
- dontaudit $1 pam_var_run_t:file { getattr read };
+ dontaudit $1 pam_runtime_t:file { getattr read };
 ')
 
 ########################################
@@ -1151,10 +1151,10 @@ interface(`auth_dontaudit_read_pam_pid',`
 #
 interface(`auth_pid_filetrans_pam_var_run',`
 gen_require(`
- type pam_var_run_t;
+ type pam_runtime_t;
 ')
 
- files_pid_filetrans($1, pam_var_run_t, $2, $3)
+ files_pid_filetrans($1, pam_runtime_t, $2, $3)
 ')
 
 ########################################
@@ -1169,12 +1169,12 @@ interface(`auth_pid_filetrans_pam_var_run',`
 #
 interface(`auth_delete_pam_pid',`
 gen_require(`
- type pam_var_run_t;
+ type pam_runtime_t;
 ')
 
 files_search_pids($1)
- allow $1 pam_var_run_t:dir del_entry_dir_perms;
- allow $1 pam_var_run_t:file delete_file_perms;
+ allow $1 pam_runtime_t:dir del_entry_dir_perms;
+ allow $1 pam_runtime_t:file delete_file_perms;
 ')
 
 ########################################
@@ -1189,12 +1189,12 @@ interface(`auth_delete_pam_pid',`
 #
 interface(`auth_manage_pam_pid',`
 gen_require(`
- type pam_var_run_t;
+ type pam_runtime_t;
 ')
 
 files_search_pids($1)
- allow $1 pam_var_run_t:dir manage_dir_perms;
- allow $1 pam_var_run_t:file manage_file_perms;
+ allow $1 pam_runtime_t:dir manage_dir_perms;
+ allow $1 pam_runtime_t:file manage_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index ac2c3bc5a..f6a179f1b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -58,8 +58,8 @@ files_tmp_file(pam_tmp_t)
 type pam_var_console_t;
 files_pid_file(pam_var_console_t)
 
-type pam_var_run_t;
-files_pid_file(pam_var_run_t)
+type pam_runtime_t alias pam_var_run_t;
+files_pid_file(pam_runtime_t)
 
 type shadow_t;
 files_auth_file(shadow_t)
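Review bot: The interface in the -1151 hunk is still named `auth_pid_filetrans_pam_var_run` while its body now requires and uses `pam_runtime_t`, so the public interface name keeps advertising the naming this commit retires. init.if in the same commit already pairs `init_pid_filetrans_utmp` with `init_runtime_filetrans_utmp` (hunk at -2799), so the consistent step here is a `_runtime`-named interface with the old name kept as a deprecated wrapper, mirroring how `pam_var_run_t` itself is retained as an alias in the authlogin.te hunk at -58. The XML summary of `auth_pid_filetrans_pam_var_run` starts before the hunk, so check that its wording is updated alongside the name.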
@@ -179,8 +179,8 @@ allow pam_t self:sem create_sem_perms; allow pam_t self:msgq create_msgq_perms; allow pam_t self:msg { send receive }; -delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) +delete_files_pattern(pam_t, pam_runtime_t, pam_runtime_t) +read_files_pattern(pam_t, pam_runtime_t, pam_runtime_t) files_list_pids(pam_t) allow pam_t pam_tmp_t:dir manage_dir_perms; diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc index 76a72119d..0dafb6b48 100644 --- a/policy/modules/system/hotplug.fc +++ b/policy/modules/system/hotplug.fc @@ -4,8 +4,8 @@ /etc/hotplug\.d/.* -- gen_context(system_u:object_r:hotplug_exec_t,s0) -/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) -/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) +/run/usb(/.*)? gen_context(system_u:object_r:hotplug_runtime_t,s0) +/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_runtime_t,s0) /usr/bin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) /usr/bin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if index 40eb10c60..cd1783e4d 100644 --- a/policy/modules/system/hotplug.if +++ b/policy/modules/system/hotplug.if @@ -167,9 +167,9 @@ interface(`hotplug_read_config',` # interface(`hotplug_search_pids',` gen_require(` - type hotplug_var_run_t; + type hotplug_runtime_t; ') - allow $1 hotplug_var_run_t:dir search_dir_perms; + allow $1 hotplug_runtime_t:dir search_dir_perms; files_search_pids($1) ') diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index 242093a7d..e5a1a3ffe 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te 
@@ -14,8 +14,8 @@ type hotplug_etc_t; files_config_file(hotplug_etc_t) init_daemon_domain(hotplug_t, hotplug_etc_t) -type hotplug_var_run_t; -files_pid_file(hotplug_var_run_t) +type hotplug_runtime_t alias hotplug_var_run_t; +files_pid_file(hotplug_runtime_t) ######################################## # @@ -39,9 +39,9 @@ allow hotplug_t hotplug_etc_t:dir list_dir_perms; can_exec(hotplug_t, hotplug_exec_t) -manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) -manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) -files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file }) +manage_dirs_pattern(hotplug_t, hotplug_runtime_t, hotplug_runtime_t) +manage_files_pattern(hotplug_t, hotplug_runtime_t, hotplug_runtime_t) +files_pid_filetrans(hotplug_t, hotplug_runtime_t, { dir file }) kernel_sigchld(hotplug_t) kernel_setpgid(hotplug_t) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 51415ad4d..eeeb32bea 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc 
@@ -58,17 +58,17 @@ ifdef(`distro_redhat',` /var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0) /run/initctl -p gen_context(system_u:object_r:initctl_t,s0) -/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) -/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/kerneloops\.pid -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/utmp -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/runlevel\.dir gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/random-seed -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/setmixer_flag -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/systemd(/.*)? gen_context(system_u:object_r:init_runtime_t,s0) +/run/wd_keepalive\.pid -- gen_context(system_u:object_r:initrc_runtime_t,s0) ifdef(`distro_debian',` -/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/hotkey-setup -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/kdm/.* -- gen_context(system_u:object_r:initrc_runtime_t,s0) /etc/network/if-pre-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/network/if-up\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/network/if-down\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) 
@@ -77,15 +77,15 @@ ifdef(`distro_debian',` ifdef(`distro_gentoo', ` /var/lib/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) -/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/svscan\.pid -- gen_context(system_u:object_r:initrc_runtime_t,s0) ') ifdef(`distro_suse', ` -/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) +/run/bootsplashctl -p gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/keymap -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/numlock-on -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/setleds-on -- gen_context(system_u:object_r:initrc_runtime_t,s0) +/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_runtime_t,s0) ') ifdef(`distro_gentoo',` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 411c5cc86..bd6c965ef 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -848,10 +848,10 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` - type init_t, init_var_run_t; + type init_t, init_runtime_t; ') - stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + stream_connect_pattern($1, init_runtime_t, init_runtime_t, init_t) files_search_pids($1) allow $1 init_t:unix_stream_socket getattr; ') @@ -946,10 +946,10 @@ interface(`init_dontaudit_use_fds',` # interface(`init_dgram_send',` gen_require(` - type init_t, init_var_run_t; + type init_t, init_runtime_t; ') - dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) + dgram_send_pattern($1, init_runtime_t, init_runtime_t, init_t) files_search_pids($1) allow $1 init_t:unix_stream_socket getattr; ') 
@@ -1315,10 +1315,10 @@ interface(`init_var_lib_filetrans',` # interface(`init_search_pids',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - allow $1 init_var_run_t:dir search_dir_perms; + allow $1 init_runtime_t:dir search_dir_perms; ') ###################################### @@ -1333,10 +1333,10 @@ interface(`init_search_pids',` # interface(`init_list_pids',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - allow $1 init_var_run_t:dir list_dir_perms; + allow $1 init_runtime_t:dir list_dir_perms; files_search_pids($1) ') @@ -1367,11 +1367,11 @@ interface(`init_list_pids',` # interface(`init_pid_filetrans',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') files_search_pids($1) - filetrans_pattern($1, init_var_run_t, $2, $3, $4) + filetrans_pattern($1, init_runtime_t, $2, $3, $4) ') ######################################## @@ -2505,11 +2505,11 @@ interface(`init_dontaudit_read_script_status_files',` # interface(`init_search_run',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') files_search_pids($1) - allow $1 init_var_run_t:dir search_dir_perms; + allow $1 init_runtime_t:dir search_dir_perms; ') ######################################## @@ -2615,10 +2615,10 @@ interface(`init_script_tmp_filetrans',` # interface(`init_getattr_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - allow $1 initrc_var_run_t:file getattr; + allow $1 initrc_runtime_t:file getattr; ') ######################################## @@ -2633,11 +2633,11 @@ interface(`init_getattr_utmp',` # interface(`init_read_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') files_list_pids($1) - allow $1 initrc_var_run_t:file read_file_perms; + allow $1 initrc_runtime_t:file read_file_perms; ') ######################################## 
@@ -2652,10 +2652,10 @@ interface(`init_read_utmp',` # interface(`init_dontaudit_write_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - dontaudit $1 initrc_var_run_t:file { write lock }; + dontaudit $1 initrc_runtime_t:file { write lock }; ') ######################################## @@ -2670,11 +2670,11 @@ interface(`init_dontaudit_write_utmp',` # interface(`init_write_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') files_list_pids($1) - allow $1 initrc_var_run_t:file { getattr open write }; + allow $1 initrc_runtime_t:file { getattr open write }; ') ######################################## @@ -2690,10 +2690,10 @@ interface(`init_write_utmp',` # interface(`init_dontaudit_lock_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - dontaudit $1 initrc_var_run_t:file lock; + dontaudit $1 initrc_runtime_t:file lock; ') ######################################## @@ -2708,11 +2708,11 @@ interface(`init_dontaudit_lock_utmp',` # interface(`init_rw_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') files_list_pids($1) - allow $1 initrc_var_run_t:file rw_file_perms; + allow $1 initrc_runtime_t:file rw_file_perms; ') ######################################## @@ -2727,10 +2727,10 @@ interface(`init_rw_utmp',` # interface(`init_dontaudit_rw_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - dontaudit $1 initrc_var_run_t:file rw_file_perms; + dontaudit $1 initrc_runtime_t:file rw_file_perms; ') ######################################## @@ -2745,11 +2745,11 @@ interface(`init_dontaudit_rw_utmp',` # interface(`init_manage_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') files_search_pids($1) - allow $1 initrc_var_run_t:file manage_file_perms; + allow $1 initrc_runtime_t:file manage_file_perms; ') ######################################## 
@@ -2764,10 +2764,10 @@ interface(`init_manage_utmp',` # interface(`init_relabel_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - allow $1 initrc_var_run_t:file { relabelfrom relabelto }; + allow $1 initrc_runtime_t:file { relabelfrom relabelto }; ') ######################################## @@ -2799,10 +2799,10 @@ interface(`init_pid_filetrans_utmp',` # interface(`init_runtime_filetrans_utmp',` gen_require(` - type initrc_var_run_t; + type initrc_runtime_t; ') - files_pid_filetrans($1, initrc_var_run_t, file, "utmp") + files_pid_filetrans($1, initrc_runtime_t, file, "utmp") ') ####################################### @@ -2832,16 +2832,16 @@ interface(`init_create_pid_dirs',` # interface(`init_create_runtime_dirs',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - allow $1 init_var_run_t:dir list_dir_perms; - create_dirs_pattern($1, init_var_run_t, init_var_run_t) + allow $1 init_runtime_t:dir list_dir_perms; + create_dirs_pattern($1, init_runtime_t, init_runtime_t) ') ######################################## ## <summary> -## Rename init_var_run_t files +## Rename init_runtime_t files ## </summary> ## <param name="domain"> ## <summary> @@ -2856,7 +2856,7 @@ interface(`init_rename_pid_files',` ######################################## ## <summary> -## Rename init_var_run_t files +## Rename init_runtime_t files ## </summary> ## <param name="domain"> ## <summary> @@ -2866,15 +2866,15 @@ interface(`init_rename_pid_files',` # interface(`init_rename_runtime_files',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - rename_files_pattern($1, init_var_run_t, init_var_run_t) + rename_files_pattern($1, init_runtime_t, init_runtime_t) ') ######################################## ## <summary> -## Delete init_var_run_t files +## Delete init_runtime_t files ## </summary> ## <param name="domain"> ## <summary> 
@@ -2889,7 +2889,7 @@ interface(`init_delete_pid_files',` ######################################## ## <summary> -## Delete init_var_run_t files +## Delete init_runtime_t files ## </summary> ## <param name="domain"> ## <summary> @@ -2899,10 +2899,10 @@ interface(`init_delete_pid_files',` # interface(`init_delete_runtime_files',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - delete_files_pattern($1, init_var_run_t, init_var_run_t) + delete_files_pattern($1, init_runtime_t, init_runtime_t) ') ####################################### @@ -2934,10 +2934,10 @@ interface(`init_write_pid_socket',` # interface(`init_write_runtime_socket',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - allow $1 init_var_run_t:sock_file write; + allow $1 init_runtime_t:sock_file write; ') ######################################## @@ -2967,10 +2967,10 @@ interface(`init_read_pid_pipes',` # interface(`init_read_runtime_pipes',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) + read_fifo_files_pattern($1, init_runtime_t, init_runtime_t) ') ###################################### @@ -2985,10 +2985,10 @@ interface(`init_read_runtime_pipes',` # interface(`init_read_runtime_symlinks',` gen_require(` - type init_var_run_t; + type init_runtime_t; ') - read_lnk_files_pattern($1, init_var_run_t, init_var_run_t) + read_lnk_files_pattern($1, init_runtime_t, init_runtime_t) ') ######################################## @@ -3095,10 +3095,10 @@ interface(`init_script_readable_type',` # interface(`init_search_units',` gen_require(` - type init_var_run_t, systemd_unit_t; + type init_runtime_t, systemd_unit_t; ') - search_dirs_pattern($1, init_var_run_t, systemd_unit_t) + search_dirs_pattern($1, init_runtime_t, systemd_unit_t) # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd files_search_etc($1) 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d53944766..bba3b845e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -47,10 +47,10 @@ kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 
 #
-# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
+# init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd.
 #
-type init_var_run_t;
-files_pid_file(init_var_run_t)
+type init_runtime_t alias init_var_run_t;
+files_pid_file(init_runtime_t)
 
 #
 # init_var_lib_t is the type for /var/lib/systemd.
@@ -71,7 +71,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
 type initrc_exec_t, init_script_file_type;
 domain_type(initrc_t)
 domain_entry_file(initrc_t, initrc_exec_t)
-init_named_socket_activation(initrc_t, init_var_run_t)
+init_named_socket_activation(initrc_t, init_runtime_t)
 role system_r types initrc_t;
 # should be part of the true block
 # of the below init_upstart tunable
@@ -94,8 +94,8 @@ files_tmp_file(initrc_tmp_t)
 type initrc_var_log_t;
 logging_log_file(initrc_var_log_t)
 
-type initrc_var_run_t;
-files_pid_file(initrc_var_run_t)
+type initrc_runtime_t alias initrc_var_run_t;
+files_pid_file(initrc_runtime_t)
 
 type systemd_unit_t;
 init_unit_file(systemd_unit_t)
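Review bot: The rewritten comment in the -47 hunk, `# init_runtime_t is the type for /var/run/shutdown.pid and /var/run/systemd.`, still names `/var/run/` paths while init.fc in this same commit labels `/run/systemd(/.*)?` (hunk at -58) and the rest of the policy speaks of /run. Since the whole point of the rename is to stop tying the type to the var_run spelling, the comment should read `# init_runtime_t is the type for /run/shutdown.pid and /run/systemd.`; the `# For /var/run/shutdown.pid.` comment in the -132 hunk has the same issue.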
@@ -132,23 +132,23 @@ can_exec(init_t, init_exec_t)
 allow init_t initrc_t:unix_stream_socket connectto;
 
 # For /var/run/shutdown.pid.
-allow init_t init_var_run_t:file manage_file_perms;
-files_pid_filetrans(init_t, init_var_run_t, file)
+allow init_t init_runtime_t:file manage_file_perms;
+files_pid_filetrans(init_t, init_runtime_t, file)
 
 # for /run/initctl
-allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;
+allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;
 
-allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;
+allow init_t init_runtime_t:lnk_file manage_lnk_file_perms;
 
 # for systemd to manage service file symlinks
-allow init_t init_var_run_t:file manage_lnk_file_perms;
+allow init_t init_runtime_t:file manage_lnk_file_perms;
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 files_pid_filetrans(init_t, initctl_t, fifo_file)
 
 # Modify utmp.
-allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+allow init_t initrc_runtime_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@@ -233,8 +233,8 @@ ifdef(`init_systemd',`
 allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
 # for /run/systemd/inaccessible/{chr,blk}
- allow init_t init_var_run_t:blk_file { create getattr };
- allow init_t init_var_run_t:chr_file { create getattr };
+ allow init_t init_runtime_t:blk_file { create getattr };
+ allow init_t init_runtime_t:chr_file { create getattr };
 
 allow init_t systemprocess:process { dyntransition siginh };
 allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
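Review bot: `allow init_t init_runtime_t:file manage_lnk_file_perms;` in the -132 hunk, sitting under `# for systemd to manage service file symlinks`, applies a symlink permission set to the `file` class; the symlink grant it describes is already made a few lines earlier by `allow init_t init_runtime_t:lnk_file manage_lnk_file_perms;`, and the top of the hunk already grants `manage_file_perms` on the `file` class, so this line adds nothing and its comment points at the wrong object class. Dropping the line, or if some distinct intent exists fixing its class and comment, would make the grants on init_runtime_t readable; the rename itself is correct and the alias keeps old callers working.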
@@ -246,7 +246,7 @@ ifdef(`init_systemd',` allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; - allow init_t init_var_run_t:sock_file manage_sock_file_perms; + allow init_t init_runtime_t:sock_file manage_sock_file_perms; allow init_t daemon:unix_stream_socket create_stream_socket_perms; allow init_t daemon:unix_dgram_socket create_socket_perms; @@ -260,10 +260,10 @@ ifdef(`init_systemd',` allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; - manage_files_pattern(init_t, init_var_run_t, init_var_run_t) - manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) - manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) - manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) + manage_files_pattern(init_t, init_runtime_t, init_runtime_t) + manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t) + manage_sock_files_pattern(init_t, init_runtime_t, init_runtime_t) + manage_dirs_pattern(init_t, init_runtime_t, init_runtime_t) manage_files_pattern(init_t, systemd_unit_t, systemdunit) @@ -477,8 +477,8 @@ ifdef(`init_systemd',` ifdef(`distro_debian',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") - allow init_t initrc_var_run_t:file manage_file_perms; - fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") + allow init_t initrc_runtime_t:file manage_file_perms; + fs_tmpfs_filetrans(init_t, initrc_runtime_t, file, "utmp") fs_manage_tmpfs_files(initrc_t) sysnet_manage_config(initrc_t) 
@@ -577,8 +577,8 @@ manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) -allow initrc_t initrc_var_run_t:file manage_file_perms; -files_pid_filetrans(initrc_t, initrc_var_run_t, file) +allow initrc_t initrc_runtime_t:file manage_file_perms; +files_pid_filetrans(initrc_t, initrc_runtime_t, file) allow initrc_t daemon:process siginh; @@ -779,7 +779,7 @@ ifdef(`distro_debian',` dev_getattr_generic_blk_files(initrc_t) - fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir) + fs_tmpfs_filetrans(initrc_t, initrc_runtime_t, dir) # for storing state under /dev/shm fs_setattr_tmpfs_dirs(initrc_t) 
@@ -970,15 +970,15 @@ ifdef(`init_systemd',` manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) - manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t) - allow initrc_t init_var_run_t:file create_file_perms; - allow initrc_t init_var_run_t:lnk_file create_lnk_file_perms; - allow initrc_t init_var_run_t:service { start status }; + manage_dirs_pattern(initrc_t, init_runtime_t, init_runtime_t) + allow initrc_t init_runtime_t:file create_file_perms; + allow initrc_t init_runtime_t:lnk_file create_lnk_file_perms; + allow initrc_t init_runtime_t:service { start status }; - manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) - manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) - manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) - files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set) + manage_dirs_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) + manage_chr_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) + manage_lnk_files_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) + files_pid_filetrans(initrc_t, initrc_runtime_t, dir_file_class_set) create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t) allow initrc_t systemd_unit_t:service reload; diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 992b6a35e..fa34c33bc 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc 
@@ -50,14 +50,14 @@ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) /usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_runtime_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) -/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_runtime_t,s0) -/run/charon\.[^/]+ -- gen_context(system_u:object_r:ipsec_var_run_t,s0) -/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) -/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) +/run/charon\.[^/]+ -- gen_context(system_u:object_r:ipsec_runtime_t,s0) +/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_runtime_t,s0) +/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_runtime_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if index eec93e653..94b44a45d 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -30,11 +30,11 @@ interface(`ipsec_domtrans',` # interface(`ipsec_stream_connect',` gen_require(` - type ipsec_t, ipsec_var_run_t; + type ipsec_t, ipsec_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) + stream_connect_pattern($1, ipsec_runtime_t, ipsec_runtime_t, ipsec_t) ') ######################################## @@ -67,11 +67,11 @@ interface(`ipsec_domtrans_mgmt',` # interface(`ipsec_stream_connect_racoon',` gen_require(` - type racoon_t, ipsec_var_run_t; + type racoon_t, ipsec_runtime_t; ') files_search_pids($1) - stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) + stream_connect_pattern($1, ipsec_runtime_t, ipsec_runtime_t, racoon_t) ') ######################################## 
@@ -248,7 +248,7 @@ interface(`ipsec_setcontext_default_spd',` ######################################## ## <summary> -## write the ipsec_var_run_t files. +## write the ipsec_runtime_t files. ## </summary> ## <param name="domain"> ## <summary> @@ -258,11 +258,11 @@ interface(`ipsec_setcontext_default_spd',` # interface(`ipsec_write_pid',` gen_require(` - type ipsec_var_run_t; + type ipsec_runtime_t; ') files_search_pids($1) - write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + write_files_pattern($1, ipsec_runtime_t, ipsec_runtime_t) ') ######################################## @@ -277,11 +277,11 @@ interface(`ipsec_write_pid',` # interface(`ipsec_manage_pid',` gen_require(` - type ipsec_var_run_t; + type ipsec_runtime_t; ') files_search_pids($1) - manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + manage_files_pattern($1, ipsec_runtime_t, ipsec_runtime_t) ') ######################################## @@ -391,8 +391,8 @@ interface(`ipsec_admin',` gen_require(` type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t; type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; - type ipsec_var_run_t, ipsec_mgmt_lock_t; - type ipsec_mgmt_var_run_t, racoon_tmp_t; + type ipsec_runtime_t, ipsec_mgmt_lock_t; + type ipsec_mgmt_runtime_t, racoon_tmp_t; type ipsec_unit_t; ') @@ -413,7 +413,7 @@ interface(`ipsec_admin',` admin_pattern($1, { ipsec_tmp_t racoon_tmp_t }) files_search_pids($1) - admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t }) + admin_pattern($1, { ipsec_runtime_t ipsec_mgmt_runtime_t }) files_search_locks($1) admin_pattern($1, ipsec_mgmt_lock_t) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index 97411bc95..968788c74 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te 
@@ -42,8 +42,8 @@ type ipsec_unit_t; init_unit_file(ipsec_unit_t) # type for runtime files, including pluto.ctl -type ipsec_var_run_t; -files_pid_file(ipsec_var_run_t) +type ipsec_runtime_t alias ipsec_var_run_t; +files_pid_file(ipsec_runtime_t) type ipsec_mgmt_t; type ipsec_mgmt_exec_t; @@ -54,8 +54,8 @@ role system_r types ipsec_mgmt_t; type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -type ipsec_mgmt_var_run_t; -files_pid_file(ipsec_mgmt_var_run_t) +type ipsec_mgmt_runtime_t alias ipsec_mgmt_var_run_t; +files_pid_file(ipsec_mgmt_runtime_t) type ipsec_supervisor_t; type ipsec_supervisor_exec_t; @@ -104,10 +104,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) -manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) +manage_dirs_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) +manage_files_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) +manage_sock_files_pattern(ipsec_t, ipsec_runtime_t, ipsec_runtime_t) +files_pid_filetrans(ipsec_t, ipsec_runtime_t, { dir file sock_file }) can_exec(ipsec_t, ipsec_mgmt_exec_t) 
@@ -231,20 +231,20 @@ manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) -allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; -manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) -manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) -files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +allow ipsec_mgmt_t ipsec_mgmt_runtime_t:file manage_file_perms; +manage_files_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t) +manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t) +files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_runtime_t, file) -allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) +allow ipsec_mgmt_t ipsec_runtime_t:sock_file manage_sock_file_perms; +files_pid_filetrans(ipsec_mgmt_t, ipsec_runtime_t, sock_file) # logger, running in ipsec_mgmt_t needs to use sockets allow ipsec_mgmt_t self:unix_dgram_socket { create connect write }; allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; # whack needs to connect to pluto -stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) +stream_connect_pattern(ipsec_mgmt_t, ipsec_runtime_t, ipsec_runtime_t, ipsec_t) can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; 
@@ -366,9 +366,9 @@ can_exec(racoon_t, racoon_exec_t)
 can_exec(racoon_t, setkey_exec_t)
 # manage pid file
-manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-files_pid_filetrans(racoon_t, ipsec_var_run_t, file)
+manage_files_pattern(racoon_t, ipsec_runtime_t, ipsec_runtime_t)
+manage_sock_files_pattern(racoon_t, ipsec_runtime_t, ipsec_runtime_t)
+files_pid_filetrans(racoon_t, ipsec_runtime_t, file)
 allow racoon_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -478,10 +478,10 @@ manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
 allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
 allow ipsec_supervisor_t ipsec_t:process { signal signull };
-allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
-manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
-manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
-files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+allow ipsec_supervisor_t ipsec_runtime_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_runtime_t, ipsec_runtime_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_runtime_t, ipsec_runtime_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_runtime_t, { dir file sock_file })
 domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t)
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
index 9503952e2..343e4be23 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -15,5 +15,5 @@
 /var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
 /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
-/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_runtime_t,s0)
+/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_runtime_t,s0)
diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if
index 44a891d2a..5c543d2b9 100644
--- a/policy/modules/system/iscsi.if
+++ b/policy/modules/system/iscsi.if
@@ -98,7 +98,7 @@ interface(`iscsi_read_lib_files',`
 interface(`iscsi_admin',`
 gen_require(`
 type iscsid_t, iscsi_lock_t, iscsi_log_t;
- type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
+ type iscsi_var_lib_t, iscsi_runtime_t, iscsi_tmp_t;
 type iscsi_initrc_exec_t;
 ')
@@ -117,7 +117,7 @@ interface(`iscsi_admin',`
 admin_pattern($1, iscsi_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, iscsi_var_run_t)
+ admin_pattern($1, iscsi_runtime_t)
 files_search_tmp($1)
 admin_pattern($1, iscsi_tmp_t)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 3026f832c..b79c3f6fa 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -25,8 +25,8 @@ files_tmp_file(iscsi_tmp_t)
 type iscsi_var_lib_t;
 files_type(iscsi_var_lib_t)
-type iscsi_var_run_t;
-files_pid_file(iscsi_var_run_t)
+type iscsi_runtime_t alias iscsi_var_run_t;
+files_pid_file(iscsi_runtime_t)
 ########################################
 #
@@ -61,8 +61,8 @@ allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
 read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
 read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
-files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+manage_files_pattern(iscsid_t, iscsi_runtime_t, iscsi_runtime_t)
+files_pid_filetrans(iscsid_t, iscsi_runtime_t, file)
 can_exec(iscsid_t, iscsid_exec_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 2e73cbfdc..6390510dc 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -61,7 +61,7 @@ ifdef(`distro_suse', `
 /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_runtime_t,mls_systemhigh)
 ifndef(`distro_gentoo',`
 /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -72,20 +72,20 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
 ')
-/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
-/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
-/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+/run/audit_events -s gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
+/run/audispd_events -s gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh)
+/run/auditd\.pid -- gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
+/run/auditd_sock -s gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
+/run/klogd\.pid -- gen_context(system_u:object_r:klogd_runtime_t,s0)
 /run/log -s gen_context(system_u:object_r:devlog_t,s0)
 /run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
-/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/run/syslog-ng\.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
-/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_runtime_t,s0)
+/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_runtime_t,mls_systemhigh)
+/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_runtime_t,mls_systemhigh)
+/run/syslog-ng\.ctl -- gen_context(system_u:object_r:syslogd_runtime_t,s0)
+/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_runtime_t,mls_systemhigh)
+/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_runtime_t,s0)
+/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_runtime_t,mls_systemhigh)
 /run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 77122445e..c2143ec00 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -315,11 +315,11 @@ interface(`logging_dispatcher_domain',`
 #
 interface(`logging_stream_connect_dispatcher',`
 gen_require(`
- type audisp_t, audisp_var_run_t;
+ type audisp_t, audisp_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
+ stream_connect_pattern($1, audisp_runtime_t, audisp_runtime_t, audisp_t)
 ')
 ########################################
@@ -619,14 +619,14 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 gen_require(`
- type syslogd_t, syslogd_var_run_t, devlog_t;
+ type syslogd_t, syslogd_runtime_t, devlog_t;
 ')
 allow $1 devlog_t:sock_file write_sock_file_perms;
 # systemd journal socket is in /run/systemd/journal/dev-log
 init_search_run($1)
- allow $1 syslogd_var_run_t:dir search_dir_perms;
+ allow $1 syslogd_runtime_t:dir search_dir_perms;
 # the type of socket depends on the syslog daemon
 allow $1 syslogd_t:unix_dgram_socket sendto;
@@ -780,10 +780,10 @@ interface(`logging_delete_devlog_socket',`
 #
 interface(`logging_manage_pid_sockets',`
 gen_require(`
- type syslogd_var_run_t;
+ type syslogd_runtime_t;
 ')
- manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ manage_sock_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
 files_search_pids($1)
 ')
@@ -1245,7 +1245,7 @@ interface(`logging_manage_generic_logs',`
 interface(`logging_admin_audit',`
 gen_require(`
 type auditd_t, auditd_etc_t, auditd_log_t;
- type auditd_var_run_t;
+ type auditd_runtime_t;
 type auditd_initrc_exec_t, auditd_unit_t;
 ')
@@ -1258,8 +1258,8 @@ interface(`logging_admin_audit',`
 manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 manage_files_pattern($1, auditd_log_t, auditd_log_t)
- manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
- manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+ manage_dirs_pattern($1, auditd_runtime_t, auditd_runtime_t)
+ manage_files_pattern($1, auditd_runtime_t, auditd_runtime_t)
 logging_run_auditctl($1, $2)
@@ -1290,7 +1290,7 @@ interface(`logging_admin_syslog',`
 gen_require(`
 type syslogd_t, klogd_t, syslog_conf_t;
 type syslogd_tmp_t, syslogd_var_lib_t;
- type syslogd_var_run_t, klogd_var_run_t;
+ type syslogd_runtime_t, klogd_runtime_t;
 type klogd_tmp_t, var_log_t;
 type syslogd_initrc_exec_t, syslogd_unit_t;
 ')
@@ -1300,8 +1300,8 @@ interface(`logging_admin_syslog',`
 ps_process_pattern($1, syslogd_t)
 ps_process_pattern($1, klogd_t)
- manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
- manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ manage_dirs_pattern($1, klogd_runtime_t, klogd_runtime_t)
+ manage_files_pattern($1, klogd_runtime_t, klogd_runtime_t)
 manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
 manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)
@@ -1317,8 +1317,8 @@ interface(`logging_admin_syslog',`
 manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
 manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
- manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
- manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ manage_dirs_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
+ manage_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t)
 logging_manage_all_logs($1)
@@ -1428,8 +1428,8 @@ interface(`logging_syslog_managed_log_dir',`
 #
 interface(`logging_mmap_journal',`
 gen_require(`
- type syslogd_var_run_t;
+ type syslogd_runtime_t;
 ')
- allow $1 syslogd_var_run_t:file map;
+ allow $1 syslogd_runtime_t:file map;
 ')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 555af9312..70c2af6c8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -33,15 +33,15 @@ init_script_file(auditd_initrc_exec_t)
 type auditd_unit_t;
 init_unit_file(auditd_unit_t)
-type auditd_var_run_t;
-files_pid_file(auditd_var_run_t)
+type auditd_runtime_t alias auditd_var_run_t;
+files_pid_file(auditd_runtime_t)
 type audisp_t;
 type audisp_exec_t;
 init_system_domain(audisp_t, audisp_exec_t)
-type audisp_var_run_t;
-files_pid_file(audisp_var_run_t)
+type audisp_runtime_t alias audisp_var_run_t;
+files_pid_file(audisp_runtime_t)
 type audisp_remote_t;
 type audisp_remote_exec_t;
@@ -58,8 +58,8 @@ init_daemon_domain(klogd_t, klogd_exec_t)
 type klogd_tmp_t;
 files_tmp_file(klogd_tmp_t)
-type klogd_var_run_t;
-files_pid_file(klogd_var_run_t)
+type klogd_runtime_t alias klogd_var_run_t;
+files_pid_file(klogd_runtime_t)
 type syslog_conf_t;
 files_config_file(syslog_conf_t)
@@ -67,7 +67,7 @@ files_config_file(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
-init_named_socket_activation(syslogd_t, syslogd_var_run_t)
+init_named_socket_activation(syslogd_t, syslogd_runtime_t)
 mls_trusted_socket(syslogd_t)
 type syslogd_initrc_exec_t;
@@ -82,8 +82,8 @@ init_unit_file(syslogd_unit_t)
 type syslogd_var_lib_t;
 files_type(syslogd_var_lib_t)
-type syslogd_var_run_t;
-files_pid_file(syslogd_var_run_t)
+type syslogd_runtime_t alias syslogd_var_run_t;
+files_pid_file(syslogd_runtime_t)
 type var_log_t;
 logging_log_file(var_log_t)
@@ -162,9 +162,9 @@ allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
-manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+files_pid_filetrans(auditd_t, auditd_runtime_t, { file sock_file })
 kernel_read_kernel_sysctls(auditd_t)
 # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
@@ -249,8 +249,8 @@ allow audisp_t self:unix_dgram_socket create_socket_perms;
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
-manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
-files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+manage_sock_files_pattern(audisp_t, audisp_runtime_t, audisp_runtime_t)
+files_pid_filetrans(audisp_t, audisp_runtime_t, sock_file)
 kernel_read_system_state(audisp_t)
@@ -323,8 +323,8 @@ manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
 manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t)
 files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir })
-manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t)
-files_pid_filetrans(klogd_t, klogd_var_run_t, file)
+manage_files_pattern(klogd_t, klogd_runtime_t, klogd_runtime_t)
+files_pid_filetrans(klogd_t, klogd_runtime_t, file)
 kernel_read_system_state(klogd_t)
 kernel_read_messages(klogd_t)
@@ -426,11 +426,11 @@ allow syslogd_t syslogd_var_lib_t:file map;
 files_search_var_lib(syslogd_t)
 # manage pid file
-manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-allow syslogd_t syslogd_var_run_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+allow syslogd_t syslogd_runtime_t:file map;
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
+files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
+allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
 kernel_read_crypto_sysctls(syslogd_t)
 kernel_read_system_state(syslogd_t)
@@ -541,7 +541,7 @@ ifdef(`init_systemd',`
 domain_read_all_domains_state(syslogd_t)
 init_create_runtime_dirs(syslogd_t)
- init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_daemon_pid_file(syslogd_runtime_t, dir, "syslogd")
 init_getattr(syslogd_t)
 init_rename_runtime_files(syslogd_t)
 init_delete_runtime_files(syslogd_t)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 4ef5eaa4f..a3c68a978 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -148,9 +148,9 @@
 /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
 /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
 /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
-/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
-/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
-/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
+/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_runtime_t,s0)
+/run/dmevent.* gen_context(system_u:object_r:lvm_runtime_t,s0)
+/run/lvm(/.*)? gen_context(system_u:object_r:lvm_runtime_t,s0)
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 8
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 9f0ee13f5..b20362ca5 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -155,10 +155,10 @@ interface(`lvm_create_lock_dirs',`
 #
 interface(`lvm_rw_inherited_pid_pipes',`
 gen_require(`
- type lvm_var_run_t;
+ type lvm_runtime_t;
 ')
- allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 lvm_runtime_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 ######################################
@@ -200,7 +200,7 @@ interface(`lvm_admin',`
 gen_require(`
 type clvmd_t, clvmd_initrc_exec_t, lvm_t, lvm_unit_t;
 type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
- type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
+ type lvm_var_lib_t, lvm_runtime_t, clvmd_runtime_t, lvm_tmp_t;
 ')
 admin_process_pattern($1, { clvmd_t lvm_t })
@@ -217,7 +217,7 @@ interface(`lvm_admin',`
 admin_pattern($1, lvm_var_lib_t)
 files_search_pids($1)
- admin_pattern($1, { lvm_var_run_t clvmd_var_run_t })
+ admin_pattern($1, { lvm_runtime_t clvmd_runtime_t })
 files_search_tmp($1)
 admin_pattern($1, lvm_tmp_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index aafc2bc9f..866f33480 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,13 +12,13 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
 type clvmd_initrc_exec_t;
 init_script_file(clvmd_initrc_exec_t)
-type clvmd_var_run_t;
-files_pid_file(clvmd_var_run_t)
+type clvmd_runtime_t alias clvmd_var_run_t;
+files_pid_file(clvmd_runtime_t)
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
-init_named_socket_activation(lvm_t, lvm_var_run_t)
+init_named_socket_activation(lvm_t, lvm_runtime_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)
@@ -39,8 +39,8 @@ init_unit_file(lvm_unit_t)
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
-type lvm_var_run_t;
-files_pid_file(lvm_var_run_t)
+type lvm_runtime_t alias lvm_var_run_t;
+files_pid_file(lvm_runtime_t)
 type lvm_tmp_t;
 files_tmp_file(lvm_tmp_t)
@@ -60,8 +60,8 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow clvmd_t self:tcp_socket create_stream_socket_perms;
 allow clvmd_t self:udp_socket create_socket_perms;
-manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+manage_files_pattern(clvmd_t, clvmd_runtime_t, clvmd_runtime_t)
+files_pid_filetrans(clvmd_t, clvmd_runtime_t, file)
 read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
@@ -205,10 +205,10 @@ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
-manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+manage_dirs_pattern(lvm_t, lvm_runtime_t, lvm_runtime_t)
+manage_files_pattern(lvm_t, lvm_runtime_t, lvm_runtime_t)
+manage_sock_files_pattern(lvm_t, lvm_runtime_t, lvm_runtime_t)
+files_pid_filetrans(lvm_t, lvm_runtime_t, { file sock_file })
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 allow lvm_t lvm_etc_t:file map;
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 2df2f6303..a76d44e8b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -204,7 +204,7 @@ interface(`mount_list_runtime',`
 ########################################
 ## <summary>
-## Getattr on mount_var_run_t files
+## Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
 ## <summary>
diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc
index f9fadf5f3..c8e2bd04c 100644
--- a/policy/modules/system/pcmcia.fc
+++ b/policy/modules/system/pcmcia.fc
@@ -6,7 +6,7 @@
 /usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
 /usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
-/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_runtime_t,s0)
-/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
-/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_runtime_t,s0)
+/run/stab -- gen_context(system_u:object_r:cardmgr_runtime_t,s0)
diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if
index 965b4086f..8c09e1ada 100644
--- a/policy/modules/system/pcmcia.if
+++ b/policy/modules/system/pcmcia.if
@@ -111,11 +111,11 @@ interface(`pcmcia_run_cardctl',`
 #
 interface(`pcmcia_read_pid',`
 gen_require(`
- type cardmgr_var_run_t;
+ type cardmgr_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+ read_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t)
 ')
 ########################################
@@ -131,11 +131,11 @@ interface(`pcmcia_read_pid',`
 #
 interface(`pcmcia_manage_pid',`
 gen_require(`
- type cardmgr_var_run_t;
+ type cardmgr_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+ manage_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t)
 ')
 ########################################
@@ -151,9 +151,9 @@ interface(`pcmcia_manage_pid',`
 #
 interface(`pcmcia_manage_pid_chr_files',`
 gen_require(`
- type cardmgr_var_run_t;
+ type cardmgr_runtime_t;
 ')
 files_search_pids($1)
- manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
+ manage_chr_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t)
 ')
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 9074bcbd0..94f9aa779 100644
--- a/policy/modules/system/pcmcia.te
+++ b/policy/modules/system/pcmcia.te
@@ -17,8 +17,8 @@ files_type(cardmgr_lnk_t)
 type cardmgr_var_lib_t;
 files_type(cardmgr_var_lib_t)
-type cardmgr_var_run_t;
-files_pid_file(cardmgr_var_run_t)
+type cardmgr_runtime_t alias cardmgr_var_run_t;
+files_pid_file(cardmgr_runtime_t)
 type cardctl_exec_t;
 application_domain(cardmgr_t, cardctl_exec_t)
@@ -41,8 +41,8 @@ dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file)
 manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t)
 files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file)
-allow cardmgr_t cardmgr_var_run_t:file manage_file_perms;
-files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file)
+allow cardmgr_t cardmgr_runtime_t:file manage_file_perms;
+files_pid_filetrans(cardmgr_t, cardmgr_runtime_t, file)
 kernel_read_kernel_sysctls(cardmgr_t)
 kernel_read_system_state(cardmgr_t)
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index 323a88652..84f1ab02a 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -1,5 +1,5 @@
-/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
-/dev/md/.* -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_runtime_t,s0)
+/dev/md/.* -- gen_context(system_u:object_r:mdadm_runtime_t,s0)
 /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
@@ -23,4 +23,4 @@
 /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
-/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_runtime_t,s0)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index 063bf4813..7b403d3c0 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -58,12 +58,12 @@ interface(`raid_run_mdadm',`
 #
 interface(`raid_read_mdadm_pid',`
 gen_require(`
- type mdadm_var_run_t;
+ type mdadm_runtime_t;
 ')
 files_search_pids($1)
- allow $1 mdadm_var_run_t:dir list_dir_perms;
- allow $1 mdadm_var_run_t:file read_file_perms;
+ allow $1 mdadm_runtime_t:dir list_dir_perms;
+ allow $1 mdadm_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -79,11 +79,11 @@ interface(`raid_read_mdadm_pid',`
 #
 interface(`raid_manage_mdadm_pid',`
 gen_require(`
- type mdadm_var_run_t;
+ type mdadm_runtime_t;
 ')
 files_search_pids($1)
- allow $1 mdadm_var_run_t:file manage_file_perms;
+ allow $1 mdadm_runtime_t:file manage_file_perms;
 ')
 ########################################
@@ -105,7 +105,7 @@ interface(`raid_manage_mdadm_pid',`
 #
 interface(`raid_admin_mdadm',`
 gen_require(`
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
+ type mdadm_t, mdadm_initrc_exec_t, mdadm_runtime_t;
 ')
 allow $1 mdadm_t:process { ptrace signal_perms };
@@ -114,5 +114,5 @@ interface(`raid_admin_mdadm',`
 init_startstop_service($1, $2, mdadm_t, mdadm_initrc_exec_t)
 files_search_pids($1)
- admin_pattern($1, mdadm_var_run_t)
+ admin_pattern($1, mdadm_runtime_t)
 ')
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index d281bae70..17cf98432 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -18,9 +18,9 @@ init_script_file(mdadm_initrc_exec_t)
 type mdadm_unit_t;
 init_unit_file(mdadm_unit_t)
-type mdadm_var_run_t alias mdadm_map_t;
-files_pid_file(mdadm_var_run_t)
-dev_associate(mdadm_var_run_t)
+type mdadm_runtime_t alias mdadm_var_run_t;
+files_pid_file(mdadm_runtime_t)
+dev_associate(mdadm_runtime_t)
 ########################################
 #
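Review bot: The raid.te hunk silently drops the pre-existing `mdadm_map_t` alias: the old line was `type mdadm_var_run_t alias mdadm_map_t;` and the new one keeps only `mdadm_var_run_t` as an alias, whereas every other type declaration in this commit preserves the old name. Any policy module, local file-context customisation, or already-labelled node under /dev that still names mdadm_map_t would stop resolving once this lands, which is exactly the breakage the alias scheme is meant to prevent. Keeping both old names costs nothing: `type mdadm_runtime_t alias { mdadm_var_run_t mdadm_map_t };`. If retiring mdadm_map_t is intentional, that deserves a sentence in the commit message, since it is the one non-mechanical change in an otherwise pure rename.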
@@ -33,12 +33,12 @@ allow mdadm_t self:process { getsched setsched signal_perms };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
 allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+manage_dirs_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t)
+manage_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t)
+manage_lnk_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t)
+manage_sock_files_pattern(mdadm_t, mdadm_runtime_t, mdadm_runtime_t)
+dev_filetrans(mdadm_t, mdadm_runtime_t, file)
+files_pid_filetrans(mdadm_t, mdadm_runtime_t, { dir file })
 kernel_getattr_core_if(mdadm_t)
 kernel_read_system_state(mdadm_t)
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index 007720650..0af2e47f8 100644
--- a/policy/modules/system/setrans.fc
+++ b/policy/modules/system/setrans.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0)
-/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
+/run/setrans(/.*)? gen_context(system_u:object_r:setrans_runtime_t,mls_systemhigh)
 /usr/bin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 03afaa924..9727edc1b 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -52,7 +52,7 @@ interface(`setrans_translate_context',`
 interface(`setrans_admin',`
 gen_require(`
 type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t, setrans_unit_t;
+ type setrans_runtime_t, setrans_unit_t;
 ')
 allow $1 setrans_t:process { ptrace signal_perms };
@@ -61,5 +61,5 @@ interface(`setrans_admin',`
 init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
 files_search_pids($1)
- admin_pattern($1, setrans_var_run_t)
+ admin_pattern($1, setrans_runtime_t)
 ')
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 805185953..4e5ea5565 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -19,12 +19,12 @@ init_script_file(setrans_initrc_exec_t)
 type setrans_unit_t;
 init_unit_file(setrans_unit_t)
-type setrans_var_run_t;
-files_pid_file(setrans_var_run_t)
-mls_trusted_object(setrans_var_run_t)
+type setrans_runtime_t alias setrans_var_run_t;
+files_pid_file(setrans_runtime_t)
+mls_trusted_object(setrans_runtime_t)
 ifdef(`distro_debian',`
- init_daemon_pid_file(setrans_var_run_t, dir, "setrans")
+ init_daemon_pid_file(setrans_runtime_t, dir, "setrans")
 ')
 ifdef(`enable_mcs',`
@@ -51,10 +51,10 @@ can_exec(setrans_t, setrans_exec_t)
 corecmd_search_bin(setrans_t)
 # create unix domain socket in /var
-manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
-manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
-manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
-files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
+manage_dirs_pattern(setrans_t, setrans_runtime_t, setrans_runtime_t)
+manage_files_pattern(setrans_t, setrans_runtime_t, setrans_runtime_t)
+manage_sock_files_pattern(setrans_t, setrans_runtime_t, setrans_runtime_t)
+files_pid_filetrans(setrans_t, setrans_runtime_t, { file dir })
 kernel_read_kernel_sysctls(setrans_t)
 kernel_read_system_state(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index cd8a9e80a..69b6ce88c 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -79,8 +79,8 @@ ifdef(`distro_redhat',`
 /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
-/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
-/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_runtime_t,s0)
+/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)
 ifdef(`distro_gentoo',`
 /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 4b556e821..ded7461c0 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -503,11 +503,11 @@ interface(`sysnet_manage_config',`
 #
 interface(`sysnet_read_dhcpc_pid',`
 gen_require(`
- type dhcpc_var_run_t;
+ type dhcpc_runtime_t;
 ')
 files_list_pids($1)
- allow $1 dhcpc_var_run_t:file read_file_perms;
+ allow $1 dhcpc_runtime_t:file read_file_perms;
 ')
 #######################################
@@ -522,10 +522,10 @@ interface(`sysnet_read_dhcpc_pid',`
 #
 interface(`sysnet_delete_dhcpc_pid',`
 gen_require(`
- type dhcpc_var_run_t;
+ type dhcpc_runtime_t;
 ')
- allow $1 dhcpc_var_run_t:file unlink;
+ allow $1 dhcpc_runtime_t:file unlink;
 ')
 #######################################
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index ccba17e36..b745ca893 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -28,8 +28,8 @@ files_type(dhcpc_state_t)
 type dhcpc_tmp_t;
 files_tmp_file(dhcpc_tmp_t)
-type dhcpc_var_run_t;
-files_pid_file(dhcpc_var_run_t)
+type dhcpc_runtime_t alias dhcpc_var_run_t;
+files_pid_file(dhcpc_runtime_t)
 type ifconfig_t;
 type ifconfig_exec_t;
@@ -71,11 +71,11 @@ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 allow dhcpc_t dhcpc_state_t:file map;
 # create pid file
-manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+manage_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
+create_dirs_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
 # Create /var/run/dhcpc directory (state directory), needed for /run/dhcpc
 # Gets done through the dhcpcd-hooks
-files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+files_pid_filetrans(dhcpc_t, dhcpc_runtime_t, { file dir })
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index d1759d9cf..c87311a6c 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -53,19 +53,19 @@
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
-/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
-/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
-/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
-/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
-/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
-/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
-/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
-/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
-/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
+/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
+/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
+/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
+/run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
+/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
+/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
 ifdef(`init_systemd',`
 /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 59fe6cc7b..0fd37fe87 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -145,12 +145,12 @@ interface(`systemd_map_hwdb',`
 #
 interface(`systemd_read_logind_pids',`
 gen_require(`
- type systemd_logind_var_run_t;
+ type systemd_logind_runtime_t;
 ')
 files_search_pids($1)
- allow $1 systemd_logind_var_run_t:dir list_dir_perms;
- allow $1 systemd_logind_var_run_t:file read_file_perms;
+ allow $1 systemd_logind_runtime_t:dir list_dir_perms;
+ allow $1 systemd_logind_runtime_t:file read_file_perms;
 ')
 ######################################
@@ -165,11 +165,11 @@ interface(`systemd_read_logind_pids',`
 #
 interface(`systemd_manage_logind_pid_pipes',`
 gen_require(`
- type systemd_logind_var_run_t;
+ type systemd_logind_runtime_t;
 ')
 files_search_pids($1)
- manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+ manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t)
 ')
 ######################################
@@ -184,12 +184,12 @@ interface(`systemd_manage_logind_pid_pipes',`
 #
 interface(`systemd_write_logind_pid_pipes',`
 gen_require(`
- type systemd_logind_var_run_t;
+ type systemd_logind_runtime_t;
 ')
 init_search_run($1)
 files_search_pids($1)
- allow $1 systemd_logind_var_run_t:fifo_file { getattr write };
+ allow $1 systemd_logind_runtime_t:fifo_file { getattr write };
 ')
 ######################################
@@ -223,13 +223,13 @@ interface(`systemd_use_logind_fds',`
 #
 interface(`systemd_read_logind_sessions_files',`
 gen_require(`
- type systemd_sessions_var_run_t, systemd_logind_t;
+ type systemd_sessions_runtime_t, systemd_logind_t;
 ')
 allow $1 systemd_logind_t:fd use;
 init_search_run($1)
- allow $1 systemd_sessions_var_run_t:dir list_dir_perms;
- read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t)
+ allow $1 systemd_sessions_runtime_t:dir list_dir_perms;
+ read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
 ')
 ######################################
@@ -244,11 +244,11 @@ interface(`systemd_read_logind_sessions_files',`
 #
 interface(`systemd_write_inherited_logind_sessions_pipes',`
 gen_require(`
- type systemd_logind_t, systemd_sessions_var_run_t;
+ type systemd_logind_t, systemd_sessions_runtime_t;
 ')
 allow $1 systemd_logind_t:fd use;
- allow $1 systemd_sessions_var_run_t:fifo_file write;
+ allow $1 systemd_sessions_runtime_t:fifo_file write;
 allow systemd_logind_t $1:process signal;
 ')
@@ -264,12 +264,12 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
 #
 interface(`systemd_write_inherited_logind_inhibit_pipes',`
 gen_require(`
- type systemd_logind_inhibit_var_run_t;
+ type systemd_logind_inhibit_runtime_t;
 type systemd_logind_t;
 ')
 allow $1 systemd_logind_t:fd use;
- allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+ allow $1 systemd_logind_inhibit_runtime_t:fifo_file write;
 ')
 ########################################
@@ -357,11 +357,11 @@ interface(`systemd_signull_logind',`
 #
 interface(`systemd_read_machines',`
 gen_require(`
- type systemd_machined_var_run_t;
+ type systemd_machined_runtime_t;
 ')
- allow $1 systemd_machined_var_run_t:dir list_dir_perms;
- allow $1 systemd_machined_var_run_t:file read_file_perms;
+ allow $1 systemd_machined_runtime_t:dir list_dir_perms;
+ allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 ########################################
@@ -417,11 +417,11 @@ interface(`systemd_use_passwd_agent_fds',`
 interface(`systemd_use_passwd_agent',`
 gen_require(`
 type systemd_passwd_agent_t;
- type systemd_passwd_var_run_t;
+ type systemd_passwd_runtime_t;
 ')
- manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
- manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
+ manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 allow systemd_passwd_agent_t $1:process signull;
 ps_process_pattern(systemd_passwd_agent_t, $1)
@@ -430,7 +430,7 @@ interface(`systemd_use_passwd_agent',`
 ########################################
 ## <summary>
-## Transition to systemd_passwd_var_run_t when creating dirs
+## Transition to systemd_passwd_runtime_t when creating dirs
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -440,11 +440,11 @@ interface(`systemd_use_passwd_agent',`
 #
 interface(`systemd_filetrans_passwd_runtime_dirs',`
 gen_require(`
- type systemd_passwd_var_run_t;
+ type systemd_passwd_runtime_t;
 ')
- init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
- init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+ init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block")
+ init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
 ')
 ######################################
@@ -459,10 +459,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 #
 interface(`systemd_manage_passwd_runtime_symlinks',`
 gen_require(`
- type systemd_passwd_var_run_t;
+ type systemd_passwd_runtime_t;
 ')
- allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+ allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
 ')
 ########################################
@@ -708,11 +708,11 @@ interface(`systemd_rw_networkd_netlink_route_sockets',`
 #
 interface(`systemd_list_networkd_runtime',`
 gen_require(`
- type systemd_networkd_var_run_t;
+ type systemd_networkd_runtime_t;
 ')
 init_list_pids($1)
- allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+ allow $1 systemd_networkd_runtime_t:dir list_dir_perms;
 ')
 #######################################
@@ -728,11 +728,11 @@ interface(`systemd_list_networkd_runtime',`
 interface(`systemd_read_networkd_runtime',`
 gen_require(`
- type systemd_networkd_var_run_t;
+ type systemd_networkd_runtime_t;
 ')
- list_dirs_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
- read_files_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+ list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+ read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 ')
 ########################################
@@ -960,10 +960,10 @@ interface(`systemd_dbus_chat_resolved',`
 #
 interface(`systemd_read_resolved_runtime',`
 gen_require(`
- type systemd_resolved_var_run_t;
+ type systemd_resolved_runtime_t;
 ')
- read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 #######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4678c61d6..f02039014 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -59,9 +59,9 @@ domain_type(systemd_cgroups_t)
 domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
 role system_r types systemd_cgroups_t;
-type systemd_cgroups_var_run_t;
-files_pid_file(systemd_cgroups_var_run_t)
-init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+type systemd_cgroups_runtime_t alias systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_runtime_t)
+init_daemon_pid_file(systemd_cgroups_runtime_t, dir, "systemd_cgroups")
 type systemd_cgtop_t;
 type systemd_cgtop_exec_t;
@@ -100,25 +100,25 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
 type systemd_logind_t;
 type systemd_logind_exec_t;
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
-init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 type systemd_logind_var_lib_t;
 files_type(systemd_logind_var_lib_t)
-type systemd_logind_var_run_t;
-files_pid_file(systemd_logind_var_run_t)
-init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+type systemd_logind_runtime_t alias systemd_logind_var_run_t;
+files_pid_file(systemd_logind_runtime_t)
+init_daemon_pid_file(systemd_logind_runtime_t, dir, "systemd_logind")
-type systemd_logind_inhibit_var_run_t;
-files_pid_file(systemd_logind_inhibit_var_run_t)
+type systemd_logind_inhibit_runtime_t alias systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_runtime_t)
 type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
-type systemd_machined_var_run_t;
-files_pid_file(systemd_machined_var_run_t)
-init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+type systemd_machined_runtime_t alias systemd_machined_var_run_t;
+files_pid_file(systemd_machined_runtime_t)
+init_daemon_pid_file(systemd_machined_runtime_t, dir, "machines")
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
@@ -131,8 +131,8 @@ init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)
-type systemd_networkd_var_run_t;
-files_pid_file(systemd_networkd_var_run_t)
+type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_runtime_t)
 type systemd_notify_t;
 type systemd_notify_exec_t;
@@ -143,8 +143,8 @@ type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 mcs_killall(systemd_nspawn_t)
-type systemd_nspawn_var_run_t;
-files_pid_file(systemd_nspawn_var_run_t)
+type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
@@ -153,8 +153,8 @@ type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
-type systemd_resolved_var_run_t;
-files_pid_file(systemd_resolved_var_run_t)
+type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_runtime_t)
 type systemd_run_t;
 type systemd_run_exec_t;
@@ -168,8 +168,8 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
-type systemd_passwd_var_run_t;
-files_pid_file(systemd_passwd_var_run_t)
+type systemd_passwd_runtime_t alias systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_runtime_t)
 type systemd_rfkill_t;
 type systemd_rfkill_exec_t;
@@ -185,9 +185,9 @@ type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
-type systemd_sessions_var_run_t;
-files_pid_file(systemd_sessions_var_run_t)
-init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+type systemd_sessions_runtime_t alias systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_runtime_t)
+init_daemon_pid_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
 type systemd_tmpfiles_t;
 type systemd_tmpfiles_exec_t;
@@ -435,18 +435,18 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
-manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
+allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
-manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
-allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
-allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
-allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
+allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
 kernel_read_kernel_sysctls(systemd_logind_t)
@@ -587,8 +587,8 @@ allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
-manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
-allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
+allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
@@ -659,9 +659,9 @@ allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relab
 allow systemd_networkd_t self:udp_socket create_socket_perms;
 allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
-manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 kernel_read_system_state(systemd_networkd_t)
 kernel_read_kernel_sysctls(systemd_networkd_t)
@@ -745,9 +745,9 @@ allow systemd_nspawn_t systemd_journal_t:dir search;
 allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
-allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
-allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
-init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+allow systemd_nspawn_t systemd_nspawn_runtime_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_runtime_t:file manage_file_perms;
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, dir)
 files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
 allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
@@ -756,7 +756,7 @@ allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
 allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
 # for /run/systemd/nspawn/incoming in chroot
-allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+allow systemd_nspawn_t systemd_nspawn_runtime_t:dir mounton;
 kernel_mount_proc(systemd_nspawn_t)
 kernel_mounton_sysctl_dirs(systemd_nspawn_t)
@@ -878,11 +878,11 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
-init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file })
 kernel_read_system_state(systemd_passwd_agent_t)
 kernel_stream_connect(systemd_passwd_agent_t)
@@ -963,9 +963,9 @@ allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
 allow systemd_resolved_t self:tcp_socket { accept listen };
-manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
 dev_read_sysfs(systemd_resolved_t)
@@ -1001,8 +1001,8 @@ optional_policy(`
 allow systemd_sessions_t self:process setfscreate;
-allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
-files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 kernel_read_kernel_sysctls(systemd_sessions_t)
@@ -1026,7 +1026,7 @@ allow systemd_tmpfiles_t self:process { setfscreate getcap };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
-allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { relabelfrom relabelto manage_file_perms };
 manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 76e0fb123..61dec2e53 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -37,11 +37,11 @@ ifdef(`distro_redhat',`
 /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/run/udev(/.*)? gen_context(system_u:object_r:udev_runtime_t,s0)
 ifdef(`distro_debian',`
-/run/console-setup(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+/run/console-setup(/.*)? gen_context(system_u:object_r:udev_runtime_t,s0)
+/run/xen-hotplug -d gen_context(system_u:object_r:udev_runtime_t,s0)
 ')
 ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fc8577bdf..dc5c047d3 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -307,10 +307,10 @@ interface(`udev_rw_db',`
 interface(`udev_create_db_dirs',`
 gen_require(`
 type udev_tbl_t;
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- create_dirs_pattern($1, udev_var_run_t, udev_tbl_t)
+ create_dirs_pattern($1, udev_runtime_t, udev_tbl_t)
 ')
@@ -338,10 +338,10 @@ interface(`udev_create_db_dirs',`
 interface(`udev_pid_filetrans_db',`
 gen_require(`
 type udev_tbl_t;
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- filetrans_pattern($1, udev_var_run_t, udev_tbl_t, $2, $3)
+ filetrans_pattern($1, udev_runtime_t, udev_tbl_t, $2, $3)
 ')
 ########################################
@@ -356,12 +356,12 @@ interface(`udev_pid_filetrans_db',`
 #
 interface(`udev_relabelto_db',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_pids($1)
- allow $1 udev_var_run_t:file relabelto_file_perms;
- allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+ allow $1 udev_runtime_t:file relabelto_file_perms;
+ allow $1 udev_runtime_t:lnk_file relabelto_file_perms;
 ')
 ########################################
@@ -376,10 +376,10 @@ interface(`udev_relabelto_db',`
 #
 interface(`udev_relabelto_db_sockets',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- allow $1 udev_var_run_t:sock_file relabelto_sock_file_perms;
+ allow $1 udev_runtime_t:sock_file relabelto_sock_file_perms;
 ')
 ########################################
@@ -394,11 +394,11 @@ interface(`udev_relabelto_db_sockets',`
 #
 interface(`udev_search_pids',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_var_lib($1)
- search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+ search_dirs_pattern($1, udev_runtime_t, udev_runtime_t)
 ')
 ########################################
@@ -413,11 +413,11 @@ interface(`udev_search_pids',`
 #
 interface(`udev_list_pids',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_pids($1)
- allow $1 udev_var_run_t:dir list_dir_perms;
+ allow $1 udev_runtime_t:dir list_dir_perms;
 ')
 ########################################
@@ -433,11 +433,11 @@ interface(`udev_list_pids',`
 #
 interface(`udev_manage_pid_dirs',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_var_lib($1)
- manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+ manage_dirs_pattern($1, udev_runtime_t, udev_runtime_t)
 ')
 ########################################
@@ -452,11 +452,11 @@ interface(`udev_manage_pid_dirs',`
 #
 interface(`udev_read_pid_files',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ read_files_pattern($1, udev_runtime_t, udev_runtime_t)
 ')
@@ -472,10 +472,10 @@ interface(`udev_read_pid_files',`
 #
 interface(`udev_dontaudit_rw_pid_files',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- dontaudit $1 udev_var_run_t:file { read write };
+ dontaudit $1 udev_runtime_t:file { read write };
 ')
 ########################################
@@ -491,16 +491,16 @@ interface(`udev_dontaudit_rw_pid_files',`
 #
 interface(`udev_manage_pid_files',`
 gen_require(`
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
 files_search_pids($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ manage_files_pattern($1, udev_runtime_t, udev_runtime_t)
 ')
 ########################################
 ## <summary>
-## Write dirs in /var/run with the udev_var_run file type.
+## Write dirs in /var/run with the udev_runtime file type.
 ## This method is deprecated in favor of the init_daemon_run_dir call.
 ## </summary>
 ## <param name="domain">
@@ -605,10 +605,10 @@ interface(`udevadm_exec',`
 interface(`udev_pid_filetrans_rules',`
 gen_require(`
 type udev_rules_t;
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- filetrans_pattern($1, udev_var_run_t, udev_rules_t, $2, $3)
+ filetrans_pattern($1, udev_runtime_t, udev_rules_t, $2, $3)
 ')
 ########################################
@@ -624,9 +624,9 @@ interface(`udev_pid_filetrans_rules',`
 interface(`udev_create_rules_dirs',`
 gen_require(`
 type udev_rules_t;
- type udev_var_run_t;
+ type udev_runtime_t;
 ')
- create_dirs_pattern($1, udev_var_run_t, udev_rules_t)
+ create_dirs_pattern($1, udev_runtime_t, udev_rules_t)
 ')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 99653d3c8..d0bbea639 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,7 +14,7 @@ domain_obj_id_change_exemption(udev_t)
 domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
-init_named_socket_activation(udev_t, udev_var_run_t)
+init_named_socket_activation(udev_t, udev_runtime_t)
 type udevadm_t;
 type udevadm_exec_t;
@@ -31,9 +31,9 @@ files_type(udev_tbl_t)
 type udev_rules_t;
 files_type(udev_rules_t)
-type udev_var_run_t;
-files_pid_file(udev_var_run_t)
-init_daemon_pid_file(udev_var_run_t, dir, "udev")
+type udev_runtime_t alias udev_var_run_t;
+files_pid_file(udev_runtime_t)
+init_daemon_pid_file(udev_runtime_t, dir, "udev")
 ifdef(`enable_mcs',`
 kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -81,12 +81,12 @@ list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
-files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
+manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+files_pid_filetrans(udev_t, udev_runtime_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_runtime_t, dir, "console-setup")
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
@@ -203,7 +203,7 @@ ifdef(`distro_debian',`
 # for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
 files_read_default_files(udev_t)
- files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
+ files_pid_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
 optional_policy(`
 # for /usr/lib/avahi/avahi-daemon-check-dns.sh
@@ -419,13 +419,13 @@ allow udevadm_t self:capability dac_read_search;
 allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udevadm_t self:unix_stream_socket create_socket_perms;
-stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+stream_connect_pattern(udevadm_t, udev_runtime_t, udev_runtime_t, udev_t)
-delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
-delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
-delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
-list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
-read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
+read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index ac5439f98..6f529706f 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -38,14 +38,14 @@
 /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
 /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
-/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
-/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
-/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
-/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
-/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
-/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
-/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
-/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/run/evtchnd -s gen_context(system_u:object_r:evtchnd_runtime_t,s0)
+/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_runtime_t,s0)
+/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_runtime_t,s0)
+/run/xend(/.*)? gen_context(system_u:object_r:xend_runtime_t,s0)
+/run/xen -d gen_context(system_u:object_r:xend_runtime_t,s0)
+/run/xend\.pid -- gen_context(system_u:object_r:xend_runtime_t,s0)
+/run/xenner(/.*)? gen_context(system_u:object_r:xend_runtime_t,s0)
+/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_runtime_t,s0)
+/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_runtime_t,s0)
 /xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 441162920..e80d3d90b 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -188,11 +188,11 @@ interface(`xen_manage_log',`
 #
 interface(`xen_read_xenstored_pid_files',`
 gen_require(`
- type xenstored_var_run_t;
+ type xenstored_runtime_t;
 ')
 files_search_pids($1)
- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
+ read_files_pattern($1, xenstored_runtime_t, xenstored_runtime_t)
 ')
 ########################################
@@ -227,11 +227,11 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
 #
 interface(`xen_stream_connect_xenstore',`
 gen_require(`
- type xenstored_t, xenstored_var_run_t;
+ type xenstored_t, xenstored_runtime_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
+ stream_connect_pattern($1, xenstored_runtime_t, xenstored_runtime_t, xenstored_t)
 ')
 ########################################
@@ -247,11 +247,11 @@ interface(`xen_stream_connect_xenstore',`
 #
 interface(`xen_stream_connect',`
 gen_require(`
- type xend_t, xend_var_run_t, xend_var_lib_t;
+ type xend_t, xend_runtime_t, xend_var_lib_t;
 ')
 files_search_pids($1)
- stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
+ stream_connect_pattern($1, xend_runtime_t, xend_runtime_t, xend_t)
 files_search_var_lib($1)
 stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
@@ -259,7 +259,7 @@ interface(`xen_stream_connect',`
 ########################################
 ## <summary>
-## Create in a xend_var_run_t directory
+## Create in a xend_runtime_t directory
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -279,10 +279,10 @@ interface(`xen_stream_connect',`
 #
 interface(`xen_pid_filetrans',`
 gen_require(`
- type xend_var_run_t;
+ type xend_runtime_t;
 ')
- filetrans_pattern($1, xend_var_run_t, $2, $3)
+ filetrans_pattern($1, xend_runtime_t, $2, $3)
 ')
 ########################################
@@ -321,5 +321,5 @@ interface(`xen_stream_connect_xm',`
 ')
 
 files_search_pids($1)
-stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+stream_connect_pattern($1, xenstored_runtime_t, xenstored_runtime_t, xm_t)
 ')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 04dd1ea74..1f751766e 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -43,8 +43,8 @@ domain_type(blktap_t)
 domain_entry_file(blktap_t, blktap_exec_t)
 role system_r types blktap_t;
 
-type blktap_var_run_t;
-files_pid_file(blktap_var_run_t)
+type blktap_runtime_t alias blktap_var_run_t;
+files_pid_file(blktap_runtime_t)
 
 type evtchnd_t;
 type evtchnd_exec_t;
@@ -53,8 +53,8 @@ init_daemon_domain(evtchnd_t, evtchnd_exec_t)
 type evtchnd_var_log_t;
 logging_log_file(evtchnd_var_log_t)
 
-type evtchnd_var_run_t;
-files_pid_file(evtchnd_var_run_t)
+type evtchnd_runtime_t alias evtchnd_var_run_t;
+files_pid_file(evtchnd_runtime_t)
 
 type xen_devpts_t;
 term_pty(xen_devpts_t)
@@ -88,9 +88,9 @@ files_mountpoint(xend_var_lib_t)
 type xend_var_log_t;
 logging_log_file(xend_var_log_t)
 
-type xend_var_run_t;
-files_pid_file(xend_var_run_t)
-files_mountpoint(xend_var_run_t)
+type xend_runtime_t alias xend_var_run_t;
+files_pid_file(xend_runtime_t)
+files_mountpoint(xend_runtime_t)
 
 type xenstored_t;
 type xenstored_exec_t;
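Review bot: The gen_require block of xen_stream_connect_xm sits above this hunk and is untouched by the commit, so it is worth confirming that it declares xenstored_runtime_t now that the stream_connect_pattern call on the new side references that name. A type referenced inside an interface without a matching gen_require entry is tolerated by a monolithic build but can fail to resolve when the module is built separately; if the require line still names xenstored_var_run_t, the alias declared in xen.te keeps it valid, yet it would then be the one xen.if interface in this commit left on the old name. If that is the case, updating it to `type xenstored_runtime_t;` next to whatever else it requires keeps xen.if uniform with the other hunks. The interface body begins outside the hunk, so this cannot be verified from the diff alone.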
@@ -106,16 +106,16 @@ files_mountpoint(xenstored_var_lib_t)
 type xenstored_var_log_t;
 logging_log_file(xenstored_var_log_t)
 
-type xenstored_var_run_t;
-files_pid_file(xenstored_var_run_t)
-init_daemon_pid_file(xenstored_var_run_t, dir, "xenstored")
+type xenstored_runtime_t alias xenstored_var_run_t;
+files_pid_file(xenstored_runtime_t)
+init_daemon_pid_file(xenstored_runtime_t, dir, "xenstored")
 
 type xenconsoled_t;
 type xenconsoled_exec_t;
 init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
 
-type xenconsoled_var_run_t;
-files_pid_file(xenconsoled_var_run_t)
+type xenconsoled_runtime_t alias xenconsoled_var_run_t;
+files_pid_file(xenconsoled_runtime_t)
 
 type xm_t;
 type xm_exec_t;
@@ -156,10 +156,10 @@ create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
 setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
 logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
 
-manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+manage_dirs_pattern(evtchnd_t, evtchnd_runtime_t, evtchnd_runtime_t)
+manage_files_pattern(evtchnd_t, evtchnd_runtime_t, evtchnd_runtime_t)
+manage_sock_files_pattern(evtchnd_t, evtchnd_runtime_t, evtchnd_runtime_t)
+files_pid_filetrans(evtchnd_t, evtchnd_runtime_t, { file sock_file dir })
 
 ########################################
 #
@@ -193,11 +193,11 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
 manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
 files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
 
-manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
-manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
-manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
-manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
-files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
+manage_dirs_pattern(xend_t, xend_runtime_t, xend_runtime_t)
+manage_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
+manage_sock_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
+manage_fifo_files_pattern(xend_t, xend_runtime_t, xend_runtime_t)
+files_pid_filetrans(xend_t, xend_runtime_t, { file sock_file fifo_file dir })
 
 manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
 append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
@@ -212,7 +212,7 @@ manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
 files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
 
-manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
+manage_files_pattern(xend_t, xenstored_runtime_t, xenstored_runtime_t)
 
 allow xend_t xenstored_var_lib_t:dir list_dir_perms;
 
@@ -378,9 +378,9 @@ append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
 create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
 setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
 
-manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
-files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
+manage_files_pattern(xenconsoled_t, xenconsoled_runtime_t, xenconsoled_runtime_t)
+manage_sock_files_pattern(xenconsoled_t, xenconsoled_runtime_t, xenconsoled_runtime_t)
+files_pid_filetrans(xenconsoled_t, xenconsoled_runtime_t, { file sock_file })
 
 kernel_read_kernel_sysctls(xenconsoled_t)
 kernel_write_xen_state(xenconsoled_t)
@@ -428,10 +428,10 @@ manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
 manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
 files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
 
-manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
-manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
-manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
+manage_dirs_pattern(xenstored_t, xenstored_runtime_t, xenstored_runtime_t)
+manage_files_pattern(xenstored_t, xenstored_runtime_t, xenstored_runtime_t)
+manage_sock_files_pattern(xenstored_t, xenstored_runtime_t, xenstored_runtime_t)
+files_pid_filetrans(xenstored_t, xenstored_runtime_t, { file sock_file dir })
 
 manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
 append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
@@ -445,7 +445,7 @@ manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
 files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file })
 
-stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+stream_connect_pattern(xenstored_t, evtchnd_runtime_t, evtchnd_runtime_t, evtchnd_t)
 
 kernel_write_xen_state(xenstored_t)
 kernel_read_xen_state(xenstored_t)
@@ -484,7 +484,7 @@ allow xm_t self:fifo_file rw_fifo_file_perms;
 allow xm_t self:unix_stream_socket { accept connectto listen };
 allow xm_t self:tcp_socket { accept listen };
 
-allow xm_t xend_var_run_t:dir rw_dir_perms;
+allow xm_t xend_runtime_t:dir rw_dir_perms;
 allow xm_t xen_lock_t:file manage_file_perms;
 files_lock_filetrans(xm_t, xen_lock_t, file)
 
@@ -499,7 +499,7 @@ manage_files_pattern(xm_t, xen_image_t, xen_image_t)
 manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
 manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t)
 
-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t)
+read_files_pattern(xm_t, xenstored_runtime_t, xenstored_runtime_t)
 
 xen_manage_image_dirs(xm_t)
 xen_append_log(xm_t)
|