commit: 0fc88387bdc52d40b6388336d655a4374271b049 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Mon Dec 16 17:45:34 2019 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Tue Dec 24 09:58:27 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0fc88387 |
|
Rename gentoo-specific *_var_run_t types to *_runtime_t. |
|
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/puppet.te | 2 +- |
policy/modules/apps/qemu.if | 4 +-- |
policy/modules/apps/qemu.te | 4 +-- |
policy/modules/contrib/at.fc | 4 +-- |
policy/modules/contrib/at.te | 10 +++--- |
policy/modules/contrib/bitcoin.if | 4 +-- |
policy/modules/contrib/bitcoin.te | 4 +-- |
policy/modules/contrib/ceph.fc | 10 +++--- |
policy/modules/contrib/ceph.if | 13 ++++---- |
policy/modules/contrib/ceph.te | 10 +++--- |
policy/modules/contrib/dirsrv.fc | 4 +-- |
policy/modules/contrib/dirsrv.if | 18 +++++------ |
policy/modules/contrib/dirsrv.te | 22 ++++++------- |
policy/modules/contrib/nginx.if | 4 +-- |
policy/modules/contrib/nginx.te | 10 +++--- |
policy/modules/contrib/phpfpm.fc | 4 +-- |
policy/modules/contrib/phpfpm.if | 8 ++--- |
policy/modules/contrib/phpfpm.te | 10 +++--- |
policy/modules/contrib/resolvconf.fc | 2 +- |
policy/modules/contrib/resolvconf.if | 4 +-- |
policy/modules/contrib/resolvconf.te | 10 +++--- |
policy/modules/contrib/salt.fc | 10 +++--- |
policy/modules/contrib/salt.if | 8 ++--- |
policy/modules/contrib/salt.rst | 6 ++-- |
policy/modules/contrib/salt.te | 52 +++++++++++++++---------------- |
policy/modules/contrib/vde.fc | 2 +- |
policy/modules/contrib/vde.if | 6 ++-- |
policy/modules/contrib/vde.te | 12 +++---- |
policy/modules/services/apache.te | 4 +-- |
policy/modules/services/clamav.te | 2 +- |
policy/modules/services/courier.te | 2 +- |
policy/modules/services/cron.fc | 4 +-- |
policy/modules/services/cron.rst | 2 +- |
policy/modules/services/dbus.if | 8 ++--- |
policy/modules/services/fail2ban.te | 4 +-- |
policy/modules/services/ldap.te | 2 +- |
policy/modules/services/munin.rst | 2 +- |
policy/modules/services/mysql.if | 8 ++--- |
policy/modules/services/networkmanager.fc | 2 +- |
policy/modules/services/networkmanager.te | 8 ++--- |
policy/modules/services/ntp.fc | 2 +- |
policy/modules/system/authlogin.te | 2 +- |
policy/modules/system/init.te | 4 +-- |
policy/modules/system/lvm.te | 2 +- |
policy/modules/system/modutils.te | 4 +-- |
policy/modules/system/sysnetwork.fc | 4 +-- |
policy/modules/system/sysnetwork.te | 10 +++--- |
policy/modules/system/tmpfiles.fc | 2 +- |
policy/modules/system/tmpfiles.if | 32 +++++++++---------- |
policy/modules/system/tmpfiles.rst | 2 +- |
policy/modules/system/tmpfiles.te | 8 ++--- |
51 files changed, 188 insertions(+), 189 deletions(-) |
|
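diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 85c4ac40..75d03e76 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -355,7 +355,7 @@ ifdef(`distro_gentoo',`
 
 rw_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 
- manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ manage_files_pattern(puppetmaster_t, puppet_runtime_t, puppet_runtime_t)
 
 optional_policy(`
 usermanage_check_exec_passwd(puppetmaster_t)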
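diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index e373c4d9..413e1347 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -427,8 +427,8 @@ interface(`qemu_entry_type',`
 #
 interface(`qemu_rw_pid_sock_files',`
 gen_require(`
- type qemu_var_run_t;
+ type qemu_runtime_t;
 ')
 
- allow $1 qemu_var_run_t:sock_file rw_sock_file_perms;
+ allow $1 qemu_runtime_t:sock_file rw_sock_file_perms;
 ')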
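diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index f99f2161..6188d362 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -90,9 +90,9 @@ ifdef(`distro_gentoo',`
 allow qemu_t self:udp_socket create_socket_perms;
 
 # Network related socket
- allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;
+ allow qemu_t qemu_runtime_t:sock_file manage_sock_file_perms;
 
- files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+ files_pid_filetrans(qemu_t, qemu_runtime_t, sock_file)
 
 optional_policy(`
 vde_connect(qemu_t)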
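diff --git a/policy/modules/contrib/at.fc b/policy/modules/contrib/at.fc
index b3cf1863..39c83a99 100644
--- a/policy/modules/contrib/at.fc
+++ b/policy/modules/contrib/at.fc
@@ -1,9 +1,9 @@
 /etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:atd_initrc_exec_t,s0)
 
 /usr/bin/at -- gen_context(system_u:object_r:at_exec_t,s0)
-/usr/sbin/atd -- gen_context(system_u:object_r:atd_exec_t,s0)
+/usr/bin/atd -- gen_context(system_u:object_r:atd_exec_t,s0)
 
-/run/atd\.pid -- gen_context(system_u:object_r:atd_var_run_t,s0)
+/run/atd\.pid -- gen_context(system_u:object_r:atd_runtime_t,s0)
 
 /var/spool/at(/.*)? gen_context(system_u:object_r:at_spool_t,s0)
 /var/spool/at/atjobs(/.*)? gen_context(system_u:object_r:at_job_t,s0)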
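Review bot: The `atd` entry moves from `/usr/sbin/atd` to `/usr/bin/atd` in this hunk, which is a labeling change and not part of the `*_var_run_t` to `*_runtime_t` rename the commit message describes. If a supported system still installs the daemon at `/usr/sbin/atd` and no path equivalence maps that directory to `/usr/bin`, the binary would lose `atd_exec_t`, and the `init_daemon_domain(atd_t, atd_exec_t)` transition visible in the at.te hunk header would presumably stop applying, so atd would run outside its confined domain. Either move this line to its own commit with a stated rationale, or cover both locations with `/usr/(s)?bin/atd -- gen_context(system_u:object_r:atd_exec_t,s0)`.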
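diff --git a/policy/modules/contrib/at.te b/policy/modules/contrib/at.te
index c28a9e7b..b0900cbf 100644
--- a/policy/modules/contrib/at.te
+++ b/policy/modules/contrib/at.te
@@ -21,8 +21,8 @@ init_daemon_domain(atd_t, atd_exec_t)
 type atd_initrc_exec_t;
 init_script_file(atd_initrc_exec_t)
 
-type atd_var_run_t;
-files_pid_file(atd_var_run_t)
+type atd_runtime_t alias atd_var_run_t;
+files_pid_file(atd_runtime_t)
 
 ########################################
 #
@@ -39,8 +39,8 @@ list_dirs_pattern(atd_t, at_spool_t, at_job_t)
 
 manage_files_pattern(atd_t, at_job_log_t, at_job_log_t)
 
-manage_files_pattern(atd_t, atd_var_run_t, atd_var_run_t)
-files_pid_filetrans(atd_t, atd_var_run_t, file)
+manage_files_pattern(atd_t, atd_runtime_t, atd_runtime_t)
+files_pid_filetrans(atd_t, atd_runtime_t, file)
 
 kernel_read_kernel_sysctls(atd_t)
 
@@ -81,7 +81,7 @@ allow at_t at_spool_t:dir search_dir_perms;
 
 allow at_t atd_t:process signal;
 
-allow at_t atd_var_run_t:file read_file_perms;
+allow at_t atd_runtime_t:file read_file_perms;
 
 domain_use_interactive_fds(at_t)
 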
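diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 9c7ca8da..7e00c963 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -19,7 +19,7 @@ interface(`bitcoin_admin',`
 gen_require(`
 type bitcoin_t;
 type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
- type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_var_lib_t, bitcoin_runtime_t;
 type bitcoin_initrc_exec_t;
 ')
 
@@ -41,5 +41,5 @@ interface(`bitcoin_admin',`
 admin_pattern($1, bitcoin_var_lib_t)
 
 files_list_pids($1)
- admin_pattern($1, bitcoin_var_run_t)
+ admin_pattern($1, bitcoin_runtime_t)
 ')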
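diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
index 672516e9..c5667519 100644
--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -31,8 +31,8 @@ type bitcoin_var_lib_t;
 files_type(bitcoin_var_lib_t)
 init_script_readable_type(bitcoin_var_lib_t)
 
-type bitcoin_var_run_t;
-files_pid_file(bitcoin_var_run_t)
+type bitcoin_runtime_t alias bitcoin_var_run_t;
+files_pid_file(bitcoin_runtime_t)
 
 type bitcoin_tmp_t;
 files_tmp_file(bitcoin_tmp_t)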
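diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
index 8e2e1799..4d1db681 100644
--- a/policy/modules/contrib/ceph.fc
+++ b/policy/modules/contrib/ceph.fc
@@ -23,8 +23,8 @@
 
 /var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
 
-/run/ceph -d gen_context(system_u:object_r:ceph_var_run_t,s0)
-/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
-/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
-/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
-/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/run/ceph -d gen_context(system_u:object_r:ceph_runtime_t,s0)
+/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_runtime_t,s0)
+/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_runtime_t,s0)
+/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_runtime_t,s0)
+/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_runtime_t,s0)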
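diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
index c922531b..9ff98e6f 100644
--- a/policy/modules/contrib/ceph.if
+++ b/policy/modules/contrib/ceph.if
@@ -17,7 +17,7 @@ template(`ceph_domain_template',`
 attribute cephpidfile;
 attribute_role ceph_roles;
 
- type ceph_var_run_t;
+ type ceph_runtime_t;
 ')
 
 type ceph_$1_t, cephdomain;
@@ -28,8 +28,9 @@ template(`ceph_domain_template',`
 type ceph_$1_data_t, cephdata;
 files_type(ceph_$1_data_t)
 
- type ceph_$1_var_run_t, cephpidfile;
- files_pid_file(ceph_$1_var_run_t)
+ type ceph_$1_runtime_t, cephpidfile;
+ typealias ceph_$1_runtime_t alias ceph_$1_var_run_t;
+ files_pid_file(ceph_$1_runtime_t)
 
 ########################################
 #
@@ -37,12 +38,12 @@ template(`ceph_domain_template',`
 #
 # Rules which cannot be made part of the domain
 
- allow ceph_$1_t ceph_$1_var_run_t:file manage_file_perms;
- allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms;
 allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
 allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
 
- filetrans_pattern(ceph_$1_t, ceph_var_run_t, ceph_$1_var_run_t, { file sock_file })
+ filetrans_pattern(ceph_$1_t, ceph_runtime_t, ceph_$1_runtime_t, { file sock_file })
 
 files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
 ')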
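Review bot: The renamed rule `allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms;` in the third hunk still applies the permission set written for the `file` class to the `sock_file` class. The qemu.te and salt.te hunks of this same commit use `manage_sock_file_perms` for their runtime sockets, so the grant here depends on a macro defined for a different object class. Since the line is rewritten anyway, change it to `allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms;`. The same mismatch is carried over in `dirsrv_manage_var_run` in dirsrv.if (`allow $1 dirsrv_runtime_t:sock_file manage_file_perms;`). The template body starts before the first hunk of this file.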
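diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
index 9704dd41..94ebe44f 100644
--- a/policy/modules/contrib/ceph.te
+++ b/policy/modules/contrib/ceph.te
@@ -28,8 +28,8 @@ logging_log_file(ceph_log_t)
 type ceph_var_lib_t;
 files_type(ceph_var_lib_t)
 
-type ceph_var_run_t;
-files_pid_file(ceph_var_run_t)
+type ceph_runtime_t alias ceph_var_run_t;
+files_pid_file(ceph_runtime_t)
 
 #########################################
 #
@@ -48,8 +48,8 @@ allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
 allow cephdomain ceph_var_lib_t:dir search_dir_perms;
 allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
 allow cephdomain self:tcp_socket { create_socket_perms listen accept };
-allow cephdomain ceph_var_run_t:file manage_file_perms;
-allow cephdomain ceph_var_run_t:dir manage_dir_perms;
+allow cephdomain ceph_runtime_t:file manage_file_perms;
+allow cephdomain ceph_runtime_t:dir manage_dir_perms;
 
 kernel_read_system_state(cephdomain)
 
@@ -60,7 +60,7 @@ corenet_tcp_connect_all_unreserved_ports(cephdomain)
 files_read_etc_files(cephdomain)
 files_search_pids(cephdomain)
 files_search_var_lib(cephdomain)
-files_pid_filetrans(cephdomain, ceph_var_run_t, dir)
+files_pid_filetrans(cephdomain, ceph_runtime_t, dir)
 
 fs_getattr_all_fs(cephdomain)
 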
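diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc
index 88b1a6eb..3a33d632 100644
--- a/policy/modules/contrib/dirsrv.fc
+++ b/policy/modules/contrib/dirsrv.fc
@@ -6,7 +6,7 @@
 /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
 /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
 /var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
-/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
-/run/ldap-agent.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
+/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_runtime_t,s0)
+/run/ldap-agent.pid gen_context(system_u:object_r:dirsrv_snmp_runtime_t,s0)
 
 /etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)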
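diff --git a/policy/modules/contrib/dirsrv.if b/policy/modules/contrib/dirsrv.if
index cbe9ecaf..8c697fc9 100644
--- a/policy/modules/contrib/dirsrv.if
+++ b/policy/modules/contrib/dirsrv.if
@@ -112,11 +112,11 @@ interface(`dirsrv_manage_var_lib',`
 #
 interface(`dirsrv_manage_var_run',`
 gen_require(`
- type dirsrv_var_run_t;
+ type dirsrv_runtime_t;
 ')
- allow $1 dirsrv_var_run_t:dir manage_dir_perms;
- allow $1 dirsrv_var_run_t:file manage_file_perms;
- allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+ allow $1 dirsrv_runtime_t:dir manage_dir_perms;
+ allow $1 dirsrv_runtime_t:file manage_file_perms;
+ allow $1 dirsrv_runtime_t:sock_file manage_file_perms;
 ')
 
 ######################################
@@ -131,10 +131,10 @@ interface(`dirsrv_manage_var_run',`
 #
 interface(`dirsrv_pid_filetrans',`
 gen_require(`
- type dirsrv_var_run_t;
+ type dirsrv_runtime_t;
 ')
 # Allow creating a dir in /var/run with this type
- files_pid_filetrans($1, dirsrv_var_run_t, dir)
+ files_pid_filetrans($1, dirsrv_runtime_t, dir)
 ')
 
 #######################################
@@ -149,10 +149,10 @@ interface(`dirsrv_pid_filetrans',`
 #
 interface(`dirsrv_read_var_run',`
 gen_require(`
- type dirsrv_var_run_t;
+ type dirsrv_runtime_t;
 ')
- allow $1 dirsrv_var_run_t:dir list_dir_perms;
- allow $1 dirsrv_var_run_t:file read_file_perms;
+ allow $1 dirsrv_runtime_t:dir list_dir_perms;
+ allow $1 dirsrv_runtime_t:file read_file_perms;
 ')
 
 ########################################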
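diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
index 1a8b77a1..e7c8d06e 100644
--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -32,12 +32,12 @@ type dirsrv_snmp_var_log_t;
 logging_log_file(dirsrv_snmp_var_log_t)
 
 # pid files
-type dirsrv_var_run_t;
-files_pid_file(dirsrv_var_run_t)
+type dirsrv_runtime_t alias dirsrv_var_run_t;
+files_pid_file(dirsrv_runtime_t)
 
 # snmp pid file
-type dirsrv_snmp_var_run_t;
-files_pid_file(dirsrv_snmp_var_run_t)
+type dirsrv_snmp_runtime_t alias dirsrv_snmp_var_run_t;
+files_pid_file(dirsrv_snmp_runtime_t)
 
 # lock files
 type dirsrv_var_lock_t;
@@ -95,11 +95,11 @@ allow dirsrv_t dirsrv_var_log_t:dir { setattr };
 logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
 
 # pid files
-manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
-files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })
+manage_files_pattern(dirsrv_t, dirsrv_runtime_t, dirsrv_runtime_t)
+files_pid_filetrans(dirsrv_t, dirsrv_runtime_t, { file sock_file })
 
 # ldapi socket
-manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_sock_files_pattern(dirsrv_t, dirsrv_runtime_t, dirsrv_runtime_t)
 
 # lock files
 manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
@@ -175,7 +175,7 @@ files_manage_var_files(dirsrv_snmp_t)
 rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 
 # stats file
-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+read_files_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t)
 
 # process stuff
 allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
@@ -184,9 +184,9 @@ allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
 read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
 
 # pid file
-manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
-files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
-search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_runtime_t, dirsrv_snmp_runtime_t)
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_runtime_t, { file sock_file })
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_runtime_t, dirsrv_runtime_t)
 
 # log file
 manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);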
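diff --git a/policy/modules/contrib/nginx.if b/policy/modules/contrib/nginx.if
index ebef6e75..dbd9bcbe 100644
--- a/policy/modules/contrib/nginx.if
+++ b/policy/modules/contrib/nginx.if
@@ -81,7 +81,7 @@ interface(`nginx_domtrans',`
 #
 interface(`nginx_admin',`
 gen_require(`
- type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_var_run_t;
+ type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_runtime_t;
 type nginx_exec_t;
 ')
 
@@ -100,5 +100,5 @@ interface(`nginx_admin',`
 admin_pattern($1, nginx_log_t)
 
 files_list_pids($1)
- admin_pattern($1, nginx_var_run_t)
+ admin_pattern($1, nginx_runtime_t)
 ')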
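diff --git a/policy/modules/contrib/nginx.te b/policy/modules/contrib/nginx.te
index be59babb..1818be85 100644
--- a/policy/modules/contrib/nginx.te
+++ b/policy/modules/contrib/nginx.te
@@ -69,8 +69,8 @@ type nginx_var_lib_t;
 files_type(nginx_var_lib_t)
 
 # pid files
-type nginx_var_run_t;
-files_pid_file(nginx_var_run_t)
+type nginx_runtime_t alias nginx_var_run_t;
+files_pid_file(nginx_runtime_t)
 
 ########################################
 #
@@ -92,9 +92,9 @@ logging_log_filetrans(nginx_t, nginx_log_t, { file dir })
 
 
 # pid file
-manage_dirs_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
-manage_files_pattern(nginx_t, nginx_var_run_t, nginx_var_run_t)
-files_pid_filetrans(nginx_t, nginx_var_run_t, file)
+manage_dirs_pattern(nginx_t, nginx_runtime_t, nginx_runtime_t)
+manage_files_pattern(nginx_t, nginx_runtime_t, nginx_runtime_t)
+files_pid_filetrans(nginx_t, nginx_runtime_t, file)
 
 # tmp files
 manage_files_pattern(nginx_t, nginx_tmp_t, nginx_tmp_t)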
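diff --git a/policy/modules/contrib/phpfpm.fc b/policy/modules/contrib/phpfpm.fc
index f43358d7..da28e772 100644
--- a/policy/modules/contrib/phpfpm.fc
+++ b/policy/modules/contrib/phpfpm.fc
@@ -1,5 +1,5 @@
 /usr/lib/php.*/bin/php-fpm gen_context(system_u:object_r:phpfpm_exec_t,s0)
-/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+/run/php*-fpm/*.sock gen_context(system_u:object_r:phpfpm_runtime_t,s0)
 
 /var/log/php-fpm.log gen_context(system_u:object_r:phpfpm_log_t,s0)
-/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_var_run_t,s0)
+/run/php-fpm.pid gen_context(system_u:object_r:phpfpm_runtime_t,s0)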
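Review bot: The socket entry `/run/php*-fpm/*.sock` is written like a shell glob, but file-context paths are regular expressions: `php*` means `ph` followed by any number of `p`, and `/*.sock` means any number of slashes, one arbitrary character, then `sock`. A socket such as `/run/php-fpm/www.sock` (constructed example) would therefore not match and would not get `phpfpm_runtime_t` on relabel, which is the type that `phpfpm_stream_connect` in phpfpm.if grants access to. While the line is being rewritten, consider `/run/php.*-fpm/.*\.sock` and escaping the dot in `/run/php-fpm\.pid`, as at.fc does for `atd\.pid`. The intended directory layout should be confirmed against the php-fpm packaging before changing the pattern.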
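diff --git a/policy/modules/contrib/phpfpm.if b/policy/modules/contrib/phpfpm.if
index fee2c174..38f7c3e7 100644
--- a/policy/modules/contrib/phpfpm.if
+++ b/policy/modules/contrib/phpfpm.if
@@ -13,7 +13,7 @@
 interface(`phpfpm_admin',`
 gen_require(`
 type phpfpm_t;
- type phpfpm_log_t, phpfpm_tmp_t, phpfpm_var_run_t;
+ type phpfpm_log_t, phpfpm_tmp_t, phpfpm_runtime_t;
 ')
 
 allow $1 phpfpm_t:process { ptrace signal_perms };
@@ -26,7 +26,7 @@ interface(`phpfpm_admin',`
 admin_pattern($1, phpfpm_tmp_t)
 
 files_list_pids($1)
- admin_pattern($1, phpfpm_var_run_t)
+ admin_pattern($1, phpfpm_runtime_t)
 ')
 
 ########################################
@@ -42,7 +42,7 @@ interface(`phpfpm_admin',`
 #
 interface(`phpfpm_stream_connect',`
 gen_require(`
- type phpfpm_t, phpfpm_var_run_t;
+ type phpfpm_t, phpfpm_runtime_t;
 ')
- stream_connect_pattern($1, phpfpm_var_run_t, phpfpm_var_run_t, phpfpm_t)
+ stream_connect_pattern($1, phpfpm_runtime_t, phpfpm_runtime_t, phpfpm_t)
 ')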
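diff --git a/policy/modules/contrib/phpfpm.te b/policy/modules/contrib/phpfpm.te
index 826ba859..aefad850 100644
--- a/policy/modules/contrib/phpfpm.te
+++ b/policy/modules/contrib/phpfpm.te
@@ -19,8 +19,8 @@ init_daemon_domain(phpfpm_t, phpfpm_exec_t)
 type phpfpm_tmp_t;
 files_tmp_file(phpfpm_tmp_t)
 
-type phpfpm_var_run_t;
-files_pid_file(phpfpm_var_run_t)
+type phpfpm_runtime_t alias phpfpm_var_run_t;
+files_pid_file(phpfpm_runtime_t)
 
 type phpfpm_log_t;
 logging_log_file(phpfpm_log_t)
@@ -45,10 +45,10 @@ manage_files_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
 manage_dirs_pattern(phpfpm_t, phpfpm_tmp_t, phpfpm_tmp_t)
 files_tmp_filetrans(phpfpm_t, phpfpm_tmp_t, {file dir})
 
-manage_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
-files_pid_filetrans(phpfpm_t, phpfpm_var_run_t, { file sock_file })
+manage_files_pattern(phpfpm_t, phpfpm_runtime_t, phpfpm_runtime_t)
+files_pid_filetrans(phpfpm_t, phpfpm_runtime_t, { file sock_file })
 
-manage_sock_files_pattern(phpfpm_t, phpfpm_var_run_t, phpfpm_var_run_t)
+manage_sock_files_pattern(phpfpm_t, phpfpm_runtime_t, phpfpm_runtime_t)
 
 kernel_read_kernel_sysctls(phpfpm_t)
 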
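diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
index 651bbe0a..4e5df895 100644
--- a/policy/modules/contrib/resolvconf.fc
+++ b/policy/modules/contrib/resolvconf.fc
@@ -4,4 +4,4 @@
 
 /usr/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
 
-/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_var_run_t,s0)
+/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_runtime_t,s0)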
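diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if
index 7a93eb6c..c6e53fb9 100644
--- a/policy/modules/contrib/resolvconf.if
+++ b/policy/modules/contrib/resolvconf.if
@@ -95,8 +95,8 @@ interface(`resolvconf_exec',`
 #
 interface(`resolvconf_generic_run_filetrans_run',`
 gen_require(`
- type resolvconf_var_run_t;
+ type resolvconf_runtime_t;
 ')
 
- files_pid_filetrans($1, resolvconf_var_run_t, $2, $3)
+ files_pid_filetrans($1, resolvconf_runtime_t, $2, $3)
 ')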
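diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
index 58bb165d..18738a1f 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -11,8 +11,8 @@ attribute resolvconf_client;
 type resolvconf_conf_t;
 files_config_file(resolvconf_conf_t)
 
-type resolvconf_var_run_t;
-files_pid_file(resolvconf_var_run_t)
+type resolvconf_runtime_t alias resolvconf_var_run_t;
+files_pid_file(resolvconf_runtime_t)
 
 #########################################
 #
@@ -22,13 +22,13 @@ files_pid_file(resolvconf_var_run_t)
 allow resolvconf_t self:fifo_file manage_fifo_file_perms;
 allow resolvconf_t resolvconf_conf_t:file read_file_perms;
 
-manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
-manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+manage_dirs_pattern(resolvconf_t, resolvconf_runtime_t, resolvconf_runtime_t)
+manage_files_pattern(resolvconf_t, resolvconf_runtime_t, resolvconf_runtime_t)
 
 corecmd_exec_bin(resolvconf_t)
 corecmd_exec_shell(resolvconf_t)
 
-files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
+files_pid_filetrans(resolvconf_t, resolvconf_runtime_t, { dir file })
 files_read_etc_files(resolvconf_t)
 
 miscfiles_read_localization(resolvconf_t)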
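diff --git a/policy/modules/contrib/salt.fc b/policy/modules/contrib/salt.fc
index ccc8028f..1dbef661 100644
--- a/policy/modules/contrib/salt.fc
+++ b/policy/modules/contrib/salt.fc
@@ -16,11 +16,11 @@
 /var/log/salt/master -- gen_context(system_u:object_r:salt_master_log_t,s0)
 /var/log/salt/minion -- gen_context(system_u:object_r:salt_minion_log_t,s0)
 
-/run/salt -d gen_context(system_u:object_r:salt_var_run_t,s0)
-/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_var_run_t,s0)
-/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_var_run_t,s0)
-/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_var_run_t,s0)
-/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_var_run_t,s0)
+/run/salt -d gen_context(system_u:object_r:salt_runtime_t,s0)
+/run/salt/master(/.*)? gen_context(system_u:object_r:salt_master_runtime_t,s0)
+/run/salt/minion(/.*)? gen_context(system_u:object_r:salt_minion_runtime_t,s0)
+/run/salt-master\.pid -- gen_context(system_u:object_r:salt_master_runtime_t,s0)
+/run/salt-minion\.pid -- gen_context(system_u:object_r:salt_minion_runtime_t,s0)
 
 /var/cache/salt -d gen_context(system_u:object_r:salt_cache_t,s0)
 /var/cache/salt/master(/.*)? gen_context(system_u:object_r:salt_master_cache_t,s0)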
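diff --git a/policy/modules/contrib/salt.if b/policy/modules/contrib/salt.if
index 27fefaef..a26d6380 100644
--- a/policy/modules/contrib/salt.if
+++ b/policy/modules/contrib/salt.if
@@ -21,8 +21,8 @@ interface(`salt_admin_master',`
 type salt_master_initrc_exec_t;
 type salt_master_exec_t;
 type salt_etc_t;
- type salt_var_run_t;
- type salt_master_var_run_t;
+ type salt_runtime_t;
+ type salt_master_runtime_t;
 attribute_role salt_master_roles;
 ')
 
@@ -40,8 +40,8 @@ interface(`salt_admin_master',`
 files_list_etc($1)
 admin_pattern($1, salt_etc_t, salt_etc_t)
 
- allow $1 salt_var_run_t:dir search_dir_perms;
- stream_connect_pattern($1, salt_master_var_run_t, salt_master_var_run_t, salt_master_t)
+ allow $1 salt_runtime_t:dir search_dir_perms;
+ stream_connect_pattern($1, salt_master_runtime_t, salt_master_runtime_t, salt_master_t)
 ')
 
 #########################################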
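diff --git a/policy/modules/contrib/salt.rst b/policy/modules/contrib/salt.rst
index 0268b95f..ad4ce7d6 100644
--- a/policy/modules/contrib/salt.rst
+++ b/policy/modules/contrib/salt.rst
@@ -124,13 +124,13 @@ salt_master_log_t
 salt_minion_log_t
 is used for the Salt minion log file (*/var/log/salt/minion*)
 
-salt_var_run_t
+salt_runtime_t
 is used for the parent directory for Salt run-time files (*/var/run/salt*)
 
-salt_master_var_run_t
+salt_master_runtime_t
 is used for the Salt master variable run-time files (*/var/run/salt/master*)
 
-salt_minion_var_run_t
+salt_minion_runtime_t
 is used for the Salt minion variable run-time files (*/var/run/salt/minion*)
 
 CONFIGURATION FILES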
678 |
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te |
679 |
index 2eb7b7db..5741c27a 100644 |
680 |
--- a/policy/modules/contrib/salt.te |
681 |
+++ b/policy/modules/contrib/salt.te |
682 |
@@ -48,9 +48,9 @@ files_tmp_file(salt_master_tmp_t) |
683 |
type salt_master_tmpfs_t; |
684 |
files_tmpfs_file(salt_master_tmpfs_t) |
685 |
|
686 |
-type salt_master_var_run_t; |
687 |
-init_daemon_pid_file(salt_master_var_run_t, file, "salt-master.pid") |
688 |
-files_pid_file(salt_master_var_run_t) |
689 |
+type salt_master_runtime_t alias salt_master_var_run_t; |
690 |
+init_daemon_pid_file(salt_master_runtime_t, file, "salt-master.pid") |
691 |
+files_pid_file(salt_master_runtime_t) |
692 |
|
693 |
type salt_minion_t; |
694 |
type salt_minion_exec_t; |
695 |
@@ -75,9 +75,9 @@ files_tmp_file(salt_minion_tmp_t) |
696 |
type salt_minion_tmpfs_t; |
697 |
files_tmpfs_file(salt_minion_tmpfs_t) |
698 |
|
699 |
-type salt_minion_var_run_t; |
700 |
-init_daemon_pid_file(salt_minion_var_run_t, file, "salt-minion.pid") |
701 |
-files_pid_file(salt_minion_var_run_t) |
702 |
+type salt_minion_runtime_t alias salt_minion_var_run_t; |
703 |
+init_daemon_pid_file(salt_minion_runtime_t, file, "salt-minion.pid") |
704 |
+files_pid_file(salt_minion_runtime_t) |
705 |
|
706 |
type salt_cache_t; |
707 |
files_type(salt_cache_t) |
708 |
@@ -94,8 +94,8 @@ files_type(salt_sls_t) |
709 |
type salt_pki_t; |
710 |
files_type(salt_pki_t) |
711 |
|
712 |
-type salt_var_run_t; |
713 |
-files_pid_file(salt_var_run_t) |
714 |
+type salt_runtime_t alias salt_var_run_t; |
715 |
+files_pid_file(salt_runtime_t) |
716 |
|
717 |
######################################### |
718 |
# |
719 |
@@ -150,11 +150,11 @@ can_exec(salt_master_t, salt_master_tmp_t) |
720 |
allow salt_master_t salt_master_tmpfs_t:file { manage_file_perms map }; |
721 |
fs_tmpfs_filetrans(salt_master_t, salt_master_tmpfs_t, file) |
722 |
|
723 |
-# salt_master_var_run_t |
724 |
-allow salt_master_t salt_master_var_run_t:file manage_file_perms; |
725 |
-allow salt_master_t salt_master_var_run_t:sock_file manage_sock_file_perms; |
726 |
-manage_dirs_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t) |
727 |
-filetrans_pattern(salt_master_t, salt_var_run_t, salt_master_var_run_t, dir) |
728 |
+# salt_master_runtime_t |
729 |
+allow salt_master_t salt_master_runtime_t:file manage_file_perms; |
730 |
+allow salt_master_t salt_master_runtime_t:sock_file manage_sock_file_perms; |
731 |
+manage_dirs_pattern(salt_master_t, salt_runtime_t, salt_master_runtime_t) |
732 |
+filetrans_pattern(salt_master_t, salt_runtime_t, salt_master_runtime_t, dir) |
733 |
|
734 |
# salt_pki_t |
735 |
create_dirs_pattern(salt_master_t, salt_etc_t, salt_pki_t) |
736 |
@@ -164,10 +164,10 @@ filetrans_pattern(salt_master_t, salt_etc_t, salt_pki_t, dir, "pki") |
737 |
read_files_pattern(salt_master_t, salt_sls_t, salt_sls_t) |
738 |
allow salt_master_t salt_sls_t:dir list_dir_perms; |
739 |
|
740 |
-# salt_var_run_t |
741 |
-allow salt_master_t salt_var_run_t:dir create_dir_perms; |
742 |
-files_pid_filetrans(salt_master_t, salt_var_run_t, dir) |
743 |
-files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid") |
744 |
+# salt_runtime_t |
745 |
+allow salt_master_t salt_runtime_t:dir create_dir_perms; |
746 |
+files_pid_filetrans(salt_master_t, salt_runtime_t, dir) |
747 |
+files_pid_filetrans(salt_master_t, salt_master_runtime_t, file, "salt-master.pid") |
748 |
|
749 |
kernel_read_network_state(salt_master_t) |
750 |
kernel_read_software_raid_state(salt_master_t) |
751 |
@@ -269,20 +269,20 @@ can_exec(salt_minion_t, salt_minion_tmp_t) |
752 |
allow salt_minion_t salt_minion_tmpfs_t:file { manage_file_perms map }; |
753 |
fs_tmpfs_filetrans(salt_minion_t, salt_minion_tmpfs_t, file) |
754 |
|
755 |
-# salt_minion_var_run_t |
756 |
-allow salt_minion_t salt_minion_var_run_t:file manage_file_perms; |
757 |
-allow salt_minion_t salt_minion_var_run_t:sock_file manage_sock_file_perms; |
758 |
-manage_dirs_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t) |
759 |
-filetrans_pattern(salt_minion_t, salt_var_run_t, salt_minion_var_run_t, dir) |
760 |
+# salt_minion_runtime_t |
761 |
+allow salt_minion_t salt_minion_runtime_t:file manage_file_perms; |
762 |
+allow salt_minion_t salt_minion_runtime_t:sock_file manage_sock_file_perms; |
763 |
+manage_dirs_pattern(salt_minion_t, salt_runtime_t, salt_minion_runtime_t) |
764 |
+filetrans_pattern(salt_minion_t, salt_runtime_t, salt_minion_runtime_t, dir) |
765 |
|
766 |
# salt_pki_t |
767 |
create_dirs_pattern(salt_minion_t, salt_etc_t, salt_pki_t) |
768 |
filetrans_pattern(salt_minion_t, salt_etc_t, salt_pki_t, dir, "pki") |
769 |
|
770 |
-# salt_var_run_t |
771 |
-allow salt_minion_t salt_var_run_t:dir create_dir_perms; |
772 |
-files_pid_filetrans(salt_minion_t, salt_var_run_t, dir) |
773 |
-files_pid_filetrans(salt_minion_t, salt_minion_var_run_t, file, "salt-minion.pid") |
774 |
+# salt_runtime_t |
775 |
+allow salt_minion_t salt_runtime_t:dir create_dir_perms; |
776 |
+files_pid_filetrans(salt_minion_t, salt_runtime_t, dir) |
777 |
+files_pid_filetrans(salt_minion_t, salt_minion_runtime_t, file, "salt-minion.pid") |
778 |
|
779 |
kernel_read_network_state(salt_minion_t) |
780 |
kernel_read_software_raid_state(salt_minion_t) |
781 |
|
782 |
diff --git a/policy/modules/contrib/vde.fc b/policy/modules/contrib/vde.fc |
783 |
index fa0b6b28..bea4fd72 100644 |
784 |
--- a/policy/modules/contrib/vde.fc |
785 |
+++ b/policy/modules/contrib/vde.fc |
786 |
@@ -1,5 +1,5 @@ |
787 |
/etc/rc\.d/init\.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0) |
788 |
/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0) |
789 |
/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0) |
790 |
-/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0) |
791 |
+/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_runtime_t,s0) |
792 |
/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0) |
793 |
|
794 |
diff --git a/policy/modules/contrib/vde.if b/policy/modules/contrib/vde.if |
795 |
index 00b31b4c..24bc31a9 100644 |
796 |
--- a/policy/modules/contrib/vde.if |
797 |
+++ b/policy/modules/contrib/vde.if |
798 |
@@ -19,7 +19,7 @@ |
799 |
interface(`vde_role',` |
800 |
gen_require(` |
801 |
type vde_t, vde_tmp_t; |
802 |
- type vde_var_run_t; |
803 |
+ type vde_runtime_t; |
804 |
type vde_initrc_exec_t, vde_exec_t; |
805 |
') |
806 |
|
807 |
@@ -49,10 +49,10 @@ interface(`vde_role',` |
808 |
# |
809 |
interface(`vde_connect',` |
810 |
gen_require(` |
811 |
- type vde_t, vde_var_run_t, vde_tmp_t; |
812 |
+ type vde_t, vde_runtime_t, vde_tmp_t; |
813 |
') |
814 |
|
815 |
- allow $1 vde_var_run_t:sock_file write_sock_file_perms; |
816 |
+ allow $1 vde_runtime_t:sock_file write_sock_file_perms; |
817 |
allow $1 vde_t:unix_stream_socket { connectto }; |
818 |
allow $1 vde_t:unix_dgram_socket { sendto }; |
819 |
allow vde_t $1:unix_dgram_socket { sendto }; |
820 |
|
821 |
diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te |
822 |
index 56f668d7..8e935560 100644 |
823 |
--- a/policy/modules/contrib/vde.te |
824 |
+++ b/policy/modules/contrib/vde.te |
825 |
@@ -15,8 +15,8 @@ init_script_file(vde_initrc_exec_t) |
826 |
type vde_var_lib_t; |
827 |
files_type(vde_var_lib_t) |
828 |
|
829 |
-type vde_var_run_t; |
830 |
-files_pid_file(vde_var_run_t) |
831 |
+type vde_runtime_t alias vde_var_run_t; |
832 |
+files_pid_file(vde_runtime_t) |
833 |
|
834 |
type vde_tmp_t; |
835 |
files_tmp_file(vde_tmp_t) |
836 |
@@ -34,10 +34,10 @@ allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
837 |
allow vde_t self:unix_dgram_socket create_socket_perms; |
838 |
files_tmp_filetrans(vde_t, vde_tmp_t, sock_file) |
839 |
|
840 |
-manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t) |
841 |
-manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) |
842 |
-manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) |
843 |
-files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket }) |
844 |
+manage_dirs_pattern(vde_t, vde_runtime_t, vde_runtime_t) |
845 |
+manage_files_pattern(vde_t, vde_runtime_t, vde_runtime_t) |
846 |
+manage_sock_files_pattern(vde_t, vde_runtime_t, vde_runtime_t) |
847 |
+files_pid_filetrans(vde_t, vde_runtime_t, { dir file sock_file unix_dgram_socket }) |
848 |
|
849 |
files_read_etc_files(vde_t) |
850 |
|
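Review bot: The class set on the renamed `files_pid_filetrans` line still contains `unix_dgram_socket`, which is a socket class rather than a filesystem object class. A socket bound under /run appears as a `sock_file`, which is already in the set, so the extra class most likely yields a type_transition rule that never matches. Since the line is being rewritten anyway, I would narrow it to `files_pid_filetrans(vde_t, vde_runtime_t, { dir file sock_file })`. The macro expansion is not visible in this diff, so confirm it against the support macros first.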
851 |
|
852 |
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te |
853 |
index 715cc2d6..bda92f4a 100644 |
854 |
--- a/policy/modules/services/apache.te |
855 |
+++ b/policy/modules/services/apache.te |
856 |
@@ -1487,8 +1487,8 @@ ifdef(`distro_gentoo',` |
857 |
## </desc> |
858 |
gen_tunable(hiawatha_httpd, false) |
859 |
|
860 |
-init_daemon_pid_file(httpd_var_run_t, dir, "apache_ssl_mutex") |
861 |
-init_daemon_pid_file(httpd_var_run_t, dir, "apache2") |
862 |
+init_daemon_pid_file(httpd_runtime_t, dir, "apache_ssl_mutex") |
863 |
+init_daemon_pid_file(httpd_runtime_t, dir, "apache2") |
864 |
|
865 |
tunable_policy(`hiawatha_httpd',` |
866 |
# bug 513362 |
867 |
|
868 |
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te |
869 |
index 6ceaf130..334ae633 100644 |
870 |
--- a/policy/modules/services/clamav.te |
871 |
+++ b/policy/modules/services/clamav.te |
872 |
@@ -330,5 +330,5 @@ optional_policy(` |
873 |
') |
874 |
|
875 |
ifdef(`distro_gentoo',` |
876 |
- init_daemon_pid_file(clamd_var_run_t, dir, "clamav") |
877 |
+ init_daemon_pid_file(clamd_runtime_t, dir, "clamav") |
878 |
') |
879 |
|
880 |
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te |
881 |
index dce1451b..5a4c7ea7 100644 |
882 |
--- a/policy/modules/services/courier.te |
883 |
+++ b/policy/modules/services/courier.te |
884 |
@@ -201,7 +201,7 @@ ifdef(`distro_gentoo',` |
885 |
# |
886 |
|
887 |
# Startup of courier-imapd creates /var/run/imapd.pid.lock and imapd.lock (bug 534030) |
888 |
- files_pid_filetrans(courier_tcpd_t, courier_var_run_t, file) |
889 |
+ files_pid_filetrans(courier_tcpd_t, courier_runtime_t, file) |
890 |
|
891 |
######################################## |
892 |
# |
893 |
|
894 |
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc |
895 |
index 6fdcdb78..ee64e81e 100644 |
896 |
--- a/policy/modules/services/cron.fc |
897 |
+++ b/policy/modules/services/cron.fc |
898 |
@@ -5,7 +5,7 @@ |
899 |
|
900 |
/usr/bin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) |
901 |
#/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) |
902 |
-/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) |
903 |
+#/usr/bin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) |
904 |
/usr/bin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) |
905 |
/usr/bin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) |
906 |
/usr/bin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) |
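Review bot: Commenting out the `/usr/bin/atd` context here, together with the removal of `/run/atd\.pid` and `/var/spool/at(/.*)?` in the two later hunks of this file, is a labelling change rather than a rename, and the commit message does not mention it. Presumably contrib/at.fc (touched in the same commit) now owns these paths. That is worth confirming, because on a system without the at module atd, its pid file and its spool would fall back to generic labels and lose the cron-specific rules. I would delete the line rather than leave it commented out, or keep it with a reason such as `# atd is labelled by the at module (contrib/at.fc)`. Ideally these three edits would go in their own commit.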
907 |
@@ -29,7 +29,6 @@ |
908 |
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) |
909 |
|
910 |
/run/anacron\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) |
911 |
-/run/atd\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) |
912 |
/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_runtime_t,s0) |
913 |
/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_runtime_t,s0) |
914 |
/run/fcron\.fifo -s gen_context(system_u:object_r:crond_runtime_t,s0) |
915 |
@@ -37,7 +36,6 @@ |
916 |
/run/.*cron.* -- gen_context(system_u:object_r:crond_runtime_t,s0) |
917 |
|
918 |
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) |
919 |
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) |
920 |
|
921 |
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) |
922 |
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) |
923 |
|
924 |
diff --git a/policy/modules/services/cron.rst b/policy/modules/services/cron.rst |
925 |
index a35c26a4..773af37b 100644 |
926 |
--- a/policy/modules/services/cron.rst |
927 |
+++ b/policy/modules/services/cron.rst |
928 |
@@ -208,7 +208,7 @@ cron_var_lib_t |
929 |
crond_tmp_t |
930 |
is used for the temporary files created/managed by the cron daemon |
931 |
|
932 |
-crond_var_run_t |
933 |
+crond_runtime_t |
934 |
is used for the variable runtime information of the cron daemon |
935 |
|
936 |
POLICY |
937 |
|
938 |
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if |
939 |
index 7337fcd3..6169143e 100644 |
940 |
--- a/policy/modules/services/dbus.if |
941 |
+++ b/policy/modules/services/dbus.if |
942 |
@@ -607,7 +607,7 @@ interface(`dbus_unconfined',` |
943 |
|
944 |
######################################## |
945 |
## <summary> |
946 |
-## Create resources in /run or /var/run with the system_dbusd_var_run_t |
947 |
+## Create resources in /run or /var/run with the system_dbusd_runtime_t |
948 |
## label. This method is deprecated in favor of the init_daemon_run_dir |
949 |
## call. |
950 |
## </summary> |
951 |
@@ -633,7 +633,7 @@ interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',` |
952 |
|
953 |
######################################## |
954 |
## <summary> |
955 |
-## Create directories with the system_dbusd_var_run_t label |
956 |
+## Create directories with the system_dbusd_runtime_t label |
957 |
## </summary> |
958 |
## <param name="domain"> |
959 |
## <summary> |
960 |
@@ -643,10 +643,10 @@ interface(`dbus_generic_pid_filetrans_system_dbusd_var_run',` |
961 |
# |
962 |
interface(`dbus_create_system_dbusd_var_run_dirs',` |
963 |
gen_require(` |
964 |
- type system_dbusd_var_run_t; |
965 |
+ type system_dbusd_runtime_t; |
966 |
') |
967 |
|
968 |
- create_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) |
969 |
+ create_dirs_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t) |
970 |
') |
971 |
|
972 |
|
973 |
|
974 |
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te |
975 |
index 50264730..067d5caf 100644 |
976 |
--- a/policy/modules/services/fail2ban.te |
977 |
+++ b/policy/modules/services/fail2ban.te |
978 |
@@ -163,9 +163,9 @@ ifdef(`distro_gentoo',` |
979 |
files_dontaudit_write_usr_dirs(fail2ban_t) |
980 |
|
981 |
# Fix bug 534256 - Startup fails without these |
982 |
- allow fail2ban_client_t fail2ban_var_run_t:dir write; |
983 |
+ allow fail2ban_client_t fail2ban_runtime_t:dir write; |
984 |
|
985 |
- init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban") |
986 |
+ init_daemon_pid_file(fail2ban_runtime_t, dir, "fail2ban") |
987 |
init_use_script_ptys(fail2ban_client_t) |
988 |
') |
989 |
|
990 |
|
991 |
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te |
992 |
index 50d7769d..31b895d7 100644 |
993 |
--- a/policy/modules/services/ldap.te |
994 |
+++ b/policy/modules/services/ldap.te |
995 |
@@ -154,7 +154,7 @@ optional_policy(` |
996 |
') |
997 |
|
998 |
ifdef(`distro_gentoo',` |
999 |
- init_daemon_pid_file(slapd_var_run_t, dir, "openldap") |
1000 |
+ init_daemon_pid_file(slapd_runtime_t, dir, "openldap") |
1001 |
|
1002 |
######################################## |
1003 |
# |
1004 |
|
1005 |
diff --git a/policy/modules/services/munin.rst b/policy/modules/services/munin.rst |
1006 |
index 220c75e1..207c2f19 100644 |
1007 |
--- a/policy/modules/services/munin.rst |
1008 |
+++ b/policy/modules/services/munin.rst |
1009 |
@@ -71,7 +71,7 @@ munin_plugin_state_t |
1010 |
munin_var_lib_t |
1011 |
is used for the variable information used by munin |
1012 |
|
1013 |
-munin_var_run_t |
1014 |
+munin_runtime_t |
1015 |
is used for the variable runtime state information of munin |
1016 |
|
1017 |
POLICY |
1018 |
|
1019 |
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if |
1020 |
index 82b5f1e2..bf5c0b70 100644 |
1021 |
--- a/policy/modules/services/mysql.if |
1022 |
+++ b/policy/modules/services/mysql.if |
1023 |
@@ -449,10 +449,10 @@ interface(`mysql_admin',` |
1024 |
# |
1025 |
interface(`mysql_setattr_run_dirs',` |
1026 |
gen_require(` |
1027 |
- type mysqld_var_run_t; |
1028 |
+ type mysqld_runtime_t; |
1029 |
') |
1030 |
|
1031 |
- setattr_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) |
1032 |
+ setattr_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t) |
1033 |
') |
1034 |
|
1035 |
####################################### |
1036 |
@@ -467,10 +467,10 @@ interface(`mysql_setattr_run_dirs',` |
1037 |
# |
1038 |
interface(`mysql_create_run_dirs',` |
1039 |
gen_require(` |
1040 |
- type mysqld_var_run_t; |
1041 |
+ type mysqld_runtime_t; |
1042 |
') |
1043 |
|
1044 |
- create_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) |
1045 |
+ create_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t) |
1046 |
') |
1047 |
|
1048 |
####################################### |
1049 |
|
1050 |
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc |
1051 |
index d37b86de..e7c1b89e 100644 |
1052 |
--- a/policy/modules/services/networkmanager.fc |
1053 |
+++ b/policy/modules/services/networkmanager.fc |
1054 |
@@ -47,4 +47,4 @@ |
1055 |
/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_runtime_t,s0) |
1056 |
/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_runtime_t,s0) |
1057 |
/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_runtime_t,s0) |
1058 |
-/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_var_run_t,s0) |
1059 |
+/run/wpa_cli-.* -- gen_context(system_u:object_r:wpa_cli_runtime_t,s0) |
1060 |
|
1061 |
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te |
1062 |
index 309e3363..e3af7618 100644 |
1063 |
--- a/policy/modules/services/networkmanager.te |
1064 |
+++ b/policy/modules/services/networkmanager.te |
1065 |
@@ -38,8 +38,8 @@ type wpa_cli_exec_t; |
1066 |
init_system_domain(wpa_cli_t, wpa_cli_exec_t) |
1067 |
|
1068 |
ifdef(`distro_gentoo',` |
1069 |
- type wpa_cli_var_run_t; |
1070 |
- files_pid_file(wpa_cli_var_run_t) |
1071 |
+ type wpa_cli_runtime_t alias wpa_cli_var_run_t; |
1072 |
+ files_pid_file(wpa_cli_runtime_t) |
1073 |
') |
1074 |
|
1075 |
######################################## |
1076 |
@@ -425,8 +425,8 @@ ifdef(`distro_gentoo',` |
1077 |
# |
1078 |
# wpa_cli_t policy |
1079 |
# |
1080 |
- manage_files_pattern(wpa_cli_t, wpa_cli_var_run_t, wpa_cli_var_run_t) |
1081 |
- files_pid_filetrans(wpa_cli_t, wpa_cli_var_run_t, file) |
1082 |
+ manage_files_pattern(wpa_cli_t, wpa_cli_runtime_t, wpa_cli_runtime_t) |
1083 |
+ files_pid_filetrans(wpa_cli_t, wpa_cli_runtime_t, file) |
1084 |
|
1085 |
corecmd_exec_bin(wpa_cli_t) |
1086 |
corecmd_exec_shell(wpa_cli_t) |
1087 |
|
1088 |
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc |
1089 |
index 623451cf..b16c5739 100644 |
1090 |
--- a/policy/modules/services/ntp.fc |
1091 |
+++ b/policy/modules/services/ntp.fc |
1092 |
@@ -39,7 +39,7 @@ |
1093 |
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) |
1094 |
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) |
1095 |
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) |
1096 |
-/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_var_run_t,s0) |
1097 |
+/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0) |
1098 |
|
1099 |
ifdef(`distro_gentoo',` |
1100 |
/var/lib/openntpd/ntpd.drift -- gen_context(system_u:object_r:ntp_drift_t,s0) |
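Review bot: The new label for `/run/ntpd\.sock` is `ntpd_pid_t`, whereas every other hunk in this commit maps `*_var_run_t` to `*_runtime_t`. No declaration of `ntpd_pid_t` appears in this diff, so check it against ntp.te. If the type is not declared there, the file context will not validate. If it is declared but is not the type the ntpd rules manage, the socket ends up outside them. If ntp.te has been converted, the line should end in `gen_context(system_u:object_r:ntpd_runtime_t,s0)`; if `ntpd_pid_t` is deliberate, the commit message should say this is a label correction rather than a rename.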
1101 |
|
1102 |
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te |
1103 |
index 2bf22f72..2b34a4f9 100644 |
1104 |
--- a/policy/modules/system/authlogin.te |
1105 |
+++ b/policy/modules/system/authlogin.te |
1106 |
@@ -477,5 +477,5 @@ optional_policy(` |
1107 |
') |
1108 |
|
1109 |
ifdef(`distro_gentoo',` |
1110 |
- init_daemon_pid_file(pam_var_run_t, dir, "sepermit") |
1111 |
+ init_daemon_pid_file(pam_runtime_t, dir, "sepermit") |
1112 |
') |
1113 |
|
1114 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
1115 |
index fe9b8535..4d152ee1 100644 |
1116 |
--- a/policy/modules/system/init.te |
1117 |
+++ b/policy/modules/system/init.te |
1118 |
@@ -1383,8 +1383,8 @@ ifdef(`distro_gentoo',` |
1119 |
read_files_pattern(initrc_t, init_script_readable, init_script_readable) |
1120 |
read_lnk_files_pattern(initrc_t, init_script_readable, init_script_readable) |
1121 |
|
1122 |
- manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
1123 |
- files_pid_filetrans(initrc_t, initrc_var_run_t, dir) |
1124 |
+ manage_dirs_pattern(initrc_t, initrc_runtime_t, initrc_runtime_t) |
1125 |
+ files_pid_filetrans(initrc_t, initrc_runtime_t, dir) |
1126 |
|
1127 |
kernel_write_proc_files(initrc_t) |
1128 |
|
1129 |
|
1130 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
1131 |
index 857c6f23..6b705bfe 100644 |
1132 |
--- a/policy/modules/system/lvm.te |
1133 |
+++ b/policy/modules/system/lvm.te |
1134 |
@@ -401,7 +401,7 @@ ifdef(`distro_gentoo',` |
1135 |
# Bug 529430 comment 6 |
1136 |
create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t) |
1137 |
# Bug 529430 comment 8 |
1138 |
- manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) |
1139 |
+ manage_fifo_files_pattern(lvm_t, lvm_runtime_t, lvm_runtime_t) |
1140 |
|
1141 |
# Bug 615300 |
1142 |
init_read_script_pipes(lvm_t) |
1143 |
|
1144 |
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te |
1145 |
index df4193d6..33729a23 100644 |
1146 |
--- a/policy/modules/system/modutils.te |
1147 |
+++ b/policy/modules/system/modutils.te |
1148 |
@@ -216,6 +216,6 @@ ifdef(`distro_gentoo',` |
1149 |
files_manage_kernel_modules(kmod_t) |
1150 |
|
1151 |
# for /run/tmpfiles.d/kmod.conf |
1152 |
- tmpfiles_create_var_run_files(kmod_t) |
1153 |
- filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_tmpfiles_conf_t, file) |
1154 |
+ tmpfiles_create_runtime_files(kmod_t) |
1155 |
+ filetrans_add_pattern(kmod_t, tmpfiles_runtime_t, kmod_tmpfiles_conf_t, file) |
1156 |
') |
1157 |
|
1158 |
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
1159 |
index 69b6ce88..1a8f7281 100644 |
1160 |
--- a/policy/modules/system/sysnetwork.fc |
1161 |
+++ b/policy/modules/system/sysnetwork.fc |
1162 |
@@ -93,6 +93,6 @@ ifdef(`distro_debian',` |
1163 |
|
1164 |
ifdef(`distro_gentoo',` |
1165 |
/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0) |
1166 |
-/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) |
1167 |
-/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) |
1168 |
+/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_runtime_t,s0) |
1169 |
+/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_runtime_t,s0) |
1170 |
') |
1171 |
|
1172 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
1173 |
index bacb3794..bb54a544 100644 |
1174 |
--- a/policy/modules/system/sysnetwork.te |
1175 |
+++ b/policy/modules/system/sysnetwork.te |
1176 |
@@ -434,14 +434,14 @@ ifdef(`distro_gentoo',` |
1177 |
allow dhcpc_t self:netlink_socket client_stream_socket_perms; |
1178 |
|
1179 |
# Allow dhcpcd to set its control sockets |
1180 |
- allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms; |
1181 |
+ allow dhcpc_t dhcpc_runtime_t:sock_file manage_sock_file_perms; |
1182 |
|
1183 |
# Allow dhcpc to set hostname (/proc/sys/kernel/hostname) |
1184 |
allow dhcpc_t self:capability sys_admin; |
1185 |
kernel_rw_kernel_sysctl(dhcpc_t) |
1186 |
|
1187 |
# Fixes bug 468878 |
1188 |
- files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, sock_file) |
1189 |
+ files_pid_filetrans(dhcpc_t, dhcpc_runtime_t, sock_file) |
1190 |
allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
1191 |
|
1192 |
optional_policy(` |
1193 |
@@ -479,9 +479,9 @@ ifdef(`distro_gentoo',` |
1194 |
manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) |
1195 |
files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) |
1196 |
|
1197 |
- manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t) |
1198 |
- create_dirs_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t) |
1199 |
- files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir }) |
1200 |
+ manage_files_pattern(dhcpc_script_t, dhcpc_runtime_t, dhcpc_runtime_t) |
1201 |
+ create_dirs_pattern(dhcpc_script_t, dhcpc_runtime_t, dhcpc_runtime_t) |
1202 |
+ files_pid_filetrans(dhcpc_script_t, dhcpc_runtime_t, { file dir }) |
1203 |
|
1204 |
kernel_read_network_state(dhcpc_script_t) |
1205 |
kernel_read_system_state(dhcpc_script_t) |
1206 |
|
1207 |
diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc |
1208 |
index 16d821a8..5a13949c 100644 |
1209 |
--- a/policy/modules/system/tmpfiles.fc |
1210 |
+++ b/policy/modules/system/tmpfiles.fc |
1211 |
@@ -1,7 +1,7 @@ |
1212 |
|
1213 |
ifndef(`init_systemd',` |
1214 |
/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0) |
1215 |
-/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0) |
1216 |
+/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_runtime_t,s0) |
1217 |
') |
1218 |
|
1219 |
/usr/bin/tmpfiles -- gen_context(system_u:object_r:tmpfiles_exec_t,s0) |
1220 |
|
1221 |
diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if |
1222 |
index 09897fc0..361dc8c4 100644 |
1223 |
--- a/policy/modules/system/tmpfiles.if |
1224 |
+++ b/policy/modules/system/tmpfiles.if |
1225 |
@@ -10,14 +10,14 @@ |
1226 |
## </summary> |
1227 |
## </param> |
1228 |
# |
1229 |
-interface(`tmpfiles_read_var_run',` |
1230 |
+interface(`tmpfiles_read_runtime',` |
1231 |
gen_require(` |
1232 |
- type tmpfiles_var_run_t; |
1233 |
+ type tmpfiles_runtime_t; |
1234 |
') |
1235 |
|
1236 |
files_search_pids($1) |
1237 |
- allow $1 tmpfiles_var_run_t:dir list_dir_perms; |
1238 |
- allow $1 tmpfiles_var_run_t:file read_file_perms; |
1239 |
+ allow $1 tmpfiles_runtime_t:dir list_dir_perms; |
1240 |
+ allow $1 tmpfiles_runtime_t:file read_file_perms; |
1241 |
') |
1242 |
|
1243 |
######################################## |
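Review bot: The interface `tmpfiles_read_var_run` is renamed outright here, as are `tmpfiles_create_var_run_files`, `tmpfiles_write_var_run_files` and `tmpfiles_manage_var_run_files` in the following hunks of this file, with no compatibility name left behind. The type keeps working for old callers through `alias tmpfiles_var_run_t` in tmpfiles.te, but interfaces have no alias mechanism, so any module outside this tree that still calls the old names will fail to build. Only the modutils.te caller is updated in this commit. I would keep each old name as a deprecated wrapper that warns and forwards to the new interface, each with the usual `## <summary>` header; the shape for the first one is below.

```selinux
# … unchanged: tmpfiles_read_runtime as renamed in this hunk …

interface(`tmpfiles_read_var_run',`
	refpolicywarn(`$0($*) has been deprecated, please use tmpfiles_read_runtime() instead.')
	tmpfiles_read_runtime($1)
')

# … same wrapper shape for the create/write/manage _var_run_files interfaces …
```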
1244 |
@@ -30,14 +30,14 @@ interface(`tmpfiles_read_var_run',` |
1245 |
## </summary> |
1246 |
## </param> |
1247 |
# |
1248 |
-interface(`tmpfiles_create_var_run_files',` |
1249 |
+interface(`tmpfiles_create_runtime_files',` |
1250 |
gen_require(` |
1251 |
- type tmpfiles_var_run_t; |
1252 |
+ type tmpfiles_runtime_t; |
1253 |
') |
1254 |
|
1255 |
- create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) |
1256 |
+ create_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) |
1257 |
|
1258 |
- tmpfiles_read_var_run($1) |
1259 |
+ tmpfiles_read_runtime($1) |
1260 |
') |
1261 |
|
1262 |
######################################## |
1263 |
@@ -50,14 +50,14 @@ interface(`tmpfiles_create_var_run_files',` |
1264 |
## </summary> |
1265 |
## </param> |
1266 |
# |
1267 |
-interface(`tmpfiles_write_var_run_files',` |
1268 |
+interface(`tmpfiles_write_runtime_files',` |
1269 |
gen_require(` |
1270 |
- type tmpfiles_var_run_t; |
1271 |
+ type tmpfiles_runtime_t; |
1272 |
') |
1273 |
|
1274 |
- write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) |
1275 |
+ write_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) |
1276 |
|
1277 |
- tmpfiles_read_var_run($1) |
1278 |
+ tmpfiles_read_runtime($1) |
1279 |
') |
1280 |
|
1281 |
######################################## |
1282 |
@@ -70,14 +70,14 @@ interface(`tmpfiles_write_var_run_files',` |
1283 |
## </summary> |
1284 |
## </param> |
1285 |
# |
1286 |
-interface(`tmpfiles_manage_var_run_files',` |
1287 |
+interface(`tmpfiles_manage_runtime_files',` |
1288 |
gen_require(` |
1289 |
- type tmpfiles_var_run_t; |
1290 |
+ type tmpfiles_runtime_t; |
1291 |
') |
1292 |
|
1293 |
- tmpfiles_read_var_run($1) |
1294 |
+ tmpfiles_read_runtime($1) |
1295 |
|
1296 |
- manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) |
1297 |
+ manage_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) |
1298 |
') |
1299 |
|
1300 |
######################################## |
1301 |
|
1302 |
diff --git a/policy/modules/system/tmpfiles.rst b/policy/modules/system/tmpfiles.rst |
1303 |
index 748032b4..a445072a 100644 |
1304 |
--- a/policy/modules/system/tmpfiles.rst |
1305 |
+++ b/policy/modules/system/tmpfiles.rst |
1306 |
@@ -49,7 +49,7 @@ tmpfiles_conf_t |
1307 |
tmpfiles_exec_t |
1308 |
is used as entrypoint for the tmpfiles application |
1309 |
|
1310 |
-tmpfiles_var_run_t |
1311 |
+tmpfiles_runtime_t |
1312 |
is used as the variable run-time data used by the tmpfiles application |
1313 |
|
1314 |
POLICY |
1315 |
|
1316 |
diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te |
1317 |
index 9063ca3e..57be1edc 100644 |
1318 |
--- a/policy/modules/system/tmpfiles.te |
1319 |
+++ b/policy/modules/system/tmpfiles.te |
1320 |
@@ -23,8 +23,8 @@ init_daemon_domain(tmpfiles_t, tmpfiles_exec_t) |
1321 |
type tmpfiles_conf_t; |
1322 |
files_config_file(tmpfiles_conf_t) |
1323 |
|
1324 |
-type tmpfiles_var_run_t; |
1325 |
-files_pid_file(tmpfiles_var_run_t) |
1326 |
+type tmpfiles_runtime_t alias tmpfiles_var_run_t; |
1327 |
+files_pid_file(tmpfiles_runtime_t) |
1328 |
|
1329 |
|
1330 |
######################################## |
1331 |
@@ -42,8 +42,8 @@ allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans; |
1332 |
list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) |
1333 |
read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) |
1334 |
|
1335 |
-manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) |
1336 |
-manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) |
1337 |
+manage_files_pattern(tmpfiles_t, tmpfiles_runtime_t, tmpfiles_runtime_t) |
1338 |
+manage_dirs_pattern(tmpfiles_t, tmpfiles_runtime_t, tmpfiles_runtime_t) |
1339 |
|
1340 |
corecmd_exec_bin(tmpfiles_t) |
1341 |
corecmd_exec_shell(tmpfiles_t) |