diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 633d2fc..8d62407 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
-auth_relabel_all_files_except_auth_files(dpkg_t)
-auth_manage_all_files_except_auth_files(dpkg_t)
+files_relabel_non_security_files(dpkg_t)
+files_manage_non_security_files(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
@@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
-auth_manage_all_files_except_auth_files(dpkg_script_t)
+files_manage_non_security_files(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 7d964bf..ba6e400 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
-auth_relabel_all_files_except_auth_files(rpm_t)
-auth_manage_all_files_except_auth_files(rpm_t)
+files_relabel_all_files(rpm_t)
+files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
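Review bot: The replacement lines widen rpm_t rather than narrow it: `files_manage_all_files(rpm_t)` and `files_relabel_all_files(rpm_t)` take the place of interfaces whose names excluded auth files, so rpm_t presumably now gains manage and relabel on shadow_t and the other security file types, while dpkg_t in the same commit is given only `files_manage_non_security_files`. If this is intentional because package scriptlets rewrite /etc/shadow and similar, a comment above the `files_relabel_all_files` line should record it, e.g. `# rpm must manage and relabel security files (e.g. shadow) on behalf of packages`, and `auth_dontaudit_read_shadow(rpm_t)` on the following line becomes redundant because the read is now allowed. If the narrower set is sufficient, `files_manage_non_security_files(rpm_t)` and `files_relabel_non_security_files(rpm_t)` would keep parity with dpkg_t.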
@@ -304,8 +304,8 @@ term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
-auth_manage_all_files_except_auth_files(rpm_script_t)
-auth_relabel_shadow(rpm_script_t)
+files_manage_all_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
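Review bot: The comment `# ideally we would not need this` now sits above a grant that is broader than the one it used to describe: `files_manage_all_files(rpm_script_t)` plus `files_relabel_all_files(rpm_script_t)` replace a manage interface that excluded auth files and a shadow-only relabel, so rpm_script_t presumably gains relabel on every security file type rather than just shadow_t. The comment should state the new scope and the reason, e.g. `# ideally we would not need this: scriptlets manage and relabel arbitrary files, including security file types`. `auth_dontaudit_getattr_shadow(rpm_script_t)` a few lines above is then moot as well, since getattr on shadow_t is covered by the manage grant. The rpm_script_t rule block continues outside the hunk.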
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index ebaff2f..de6b197 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
# some config files do not have configfile attribute
# sosreport needs to read various files on system
-auth_read_all_files_except_auth_files(sosreport_t)
+files_read_non_security_files(sosreport_t)
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 045fb86..a51a92d 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
-auth_read_all_files_except_auth_files(sxid_t)
+files_read_non_security_files(sxid_t)
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..225c263 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -663,12 +663,63 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
+ list_dirs_pattern($1, non_security_file_type, non_security_file_type)
read_files_pattern($1, non_security_file_type, non_security_file_type)
read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
##
+## Manage all non-security files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+##
+## Relabel all non-security files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ allow $1 { non_security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+ relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
+')
+
+########################################
+##
## Read all directories on the filesystem, except
## the listed exceptions.
##
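Review bot: `relabel_files_pattern($1, non_security_file_type, non_security_file_type)` in `files_relabel_non_security_files` is emitted twice, once as the first rule of the body and again in the braced list three lines later; drop the first occurrence so the interface keeps the one-rule-per-class layout of the surrounding entries. Two smaller points worth confirming: `files_manage_non_security_files` carries only `manage_files_pattern` and `manage_lnk_files_pattern` with no dir rule, so callers that previously created directories through the interface it replaces will start seeing denials if that interface covered dirs. The closing `seutil_relabelto_bin_policy($1)` is handed to every caller of the relabel interface (dpkg_t, secadm_t, restorecond_t); if policy_config_t is not a `non_security_file_type`, the assertion it is meant to satisfy should not fire and the grant is unneeded privilege, so either remove it or comment which assertion it satisfies.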
@@ -2451,7 +2502,7 @@ interface(`files_read_etc_files',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -3945,7 +3996,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
@@ -4017,7 +4068,7 @@ interface(`files_list_tmp',`
##
##
##
-## Domain not to audit.
+## Domain to not audit.
##
##
#
@@ -4202,7 +4253,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
-## Domain not to audit.
+## Domain to not audit.
##
##
#
@@ -4262,7 +4313,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
-## Domain not to audit.
+## Domain to not audit.
##
##
#
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac9961..797f131 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -336,7 +336,7 @@ optional_policy(`
fs_read_noxattr_fs_symlinks(kernel_t)
auth_read_all_dirs_except_auth_files(kernel_t)
- auth_read_all_files_except_auth_files(kernel_t)
+ files_read_non_security_files(kernel_t)
auth_read_all_symlinks_except_auth_files(kernel_t)
')
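Review bot: `auth_read_all_dirs_except_auth_files(kernel_t)` and `auth_read_all_symlinks_except_auth_files(kernel_t)` are left in place around the replaced line, so this block still depends on the auth_* family the commit is retiring, and `files_read_non_security_files` now carries `list_dirs_pattern` and `read_lnk_files_pattern` over non_security_file_type, which makes the two remaining calls largely redundant if the attribute sets match. Replace all three with the single `files_read_non_security_files(kernel_t)` call, or add a comment explaining why dirs and symlinks still need the auth_* variant. The same mixed pattern appears in the rpc, rsync, samba and mount hunks of this commit. The optional_policy block begins outside this hunk.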
@@ -346,7 +346,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
- auth_manage_all_files_except_auth_files(kernel_t)
+ files_manage_non_security_files(kernel_t)
')
')
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 89ddeaa..4b5119b 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
-auth_relabel_all_files_except_auth_files(secadm_t)
+files_relabel_non_security_files(secadm_t)
auth_relabel_shadow(secadm_t)
init_exec(secadm_t)
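Review bot: `files_relabel_non_security_files(secadm_t)` together with `auth_relabel_shadow(secadm_t)` is narrower than the interface it replaces if any security file type other than shadow_t was in the old set (the old name excluded only auth files); the security administrator role is precisely the one expected to relabel policy and SELinux configuration files, so a silent narrowing here is a functional regression rather than hardening. Either grant `files_relabel_all_files(secadm_t)` as the rpm domains receive in this commit, or record the intended limit, e.g. `# secadm relabels non-security files and shadow only; other security file types are reserved`.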
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 02ffdfb..69c2d2c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
- auth_manage_all_files_except_auth_files(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
')
tunable_policy(`ftp_home_dir',`
@@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
- auth_manage_all_files_except_auth_files(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
tunable_policy(`use_samba_home_dirs',`
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 941f6e1..68985da 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -134,7 +134,7 @@ sysnet_dns_name_resolve(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
tunable_policy(`puppet_manage_all_files',`
- auth_manage_all_files_except_auth_files(puppet_t)
+ files_manage_non_security_files(puppet_t)
')
optional_policy(`
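Review bot: The `puppet_manage_all_files` tunable now grants `files_manage_non_security_files(puppet_t)`, so its name and presumably its description (declared outside this hunk) promise more than the rule delivers. Update the tunable's description to say that security file types such as shadow are excluded, e.g. `## Allow puppet to manage all non-security files on the system`, so an administrator enabling it does not expect puppet to be able to write /etc/shadow and files a bug against the policy when it cannot.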
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index c537000..52ec13b 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
#term_use_ptmx(rgmanager_t)
# needed by resources scripts
-auth_read_all_files_except_auth_files(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 62fca97..6c6d18b 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
- auth_manage_all_files_except_auth_files(nfsd_t)
+ files_manage_non_security_files(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
@@ -171,7 +171,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
auth_read_all_dirs_except_auth_files(nfsd_t)
- auth_read_all_files_except_auth_files(nfsd_t)
+ files_read_non_security_files(nfsd_t)
')
########################################
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 1c381e1..51cedbd 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -126,7 +126,7 @@ tunable_policy(`rsync_export_all_ro',`
fs_read_nfs_files(rsync_t)
fs_read_cifs_files(rsync_t)
auth_read_all_dirs_except_auth_files(rsync_t)
- auth_read_all_files_except_auth_files(rsync_t)
+ files_read_non_security_files(rsync_t)
auth_read_all_symlinks_except_auth_files(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index df830cf..d1f1a15 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -451,17 +451,17 @@ tunable_policy(`samba_create_home_dirs',`
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_dirs_except_auth_files(smbd_t)
- auth_read_all_files_except_auth_files(smbd_t)
+ files_read_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_read_all_dirs_except_auth_files(nmbd_t)
- auth_read_all_files_except_auth_files(nmbd_t)
+ files_read_non_security_files(nmbd_t)
')
tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
- auth_manage_all_files_except_auth_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
- auth_manage_all_files_except_auth_files(nmbd_t)
+ files_manage_non_security_files(nmbd_t)
userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 94e49e8..fd331b9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -143,7 +143,7 @@ ifdef(`distro_ubuntu',`
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_auth_files(mount_t)
- auth_read_all_files_except_auth_files(mount_t)
+ files_read_non_security_files(mount_t)
files_mounton_non_security(mount_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 508b206..52a5442 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -327,8 +327,8 @@ selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
-auth_relabel_all_files_except_auth_files(restorecond_t )
-auth_read_all_files_except_auth_files(restorecond_t)
+files_relabel_non_security_files(restorecond_t )
+files_read_non_security_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)