From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6B27D138A1F for ; Fri, 8 Aug 2014 14:50:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7B061E09F6; Fri, 8 Aug 2014 14:50:01 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D645FE09F6 for ; Fri, 8 Aug 2014 14:50:00 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id DB1463402D1 for ; Fri, 8 Aug 2014 14:49:59 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 6AE5B1881A for ; Fri, 8 Aug 2014 14:49:58 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1407509383.41fed32dfd6a3a812c252bd6facd6982b23988da.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/tmpfiles.fc policy/modules/system/tmpfiles.if policy/modules/system/tmpfiles.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 41fed32dfd6a3a812c252bd6facd6982b23988da X-VCS-Branch: testing Date: Fri, 8 Aug 2014 14:49:58 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c5a6ecae-30e8-444a-82e4-3d77bccb622e X-Archives-Hash: 106a43c3e7e988048285c8937a7a7444 commit: 41fed32dfd6a3a812c252bd6facd6982b23988da Author: Sven Vermeulen siphos be> AuthorDate: Thu Aug 7 15:27:49 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Fri Aug 8 14:49:43 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41fed32d Introduce the tmpfiles_t domain The tmpfiles application, as documented in [1], is used to prepare directory structures in runtime, volatile locations (such as /var/run, /run and perhaps even /tmp and /var/tmp). [1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html The need for the tmpfiles application seems to came forward as systemd service files ("unit files") are not the flexible shell scripts that are used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts usually did the preparation of runtime directories, the systemd service scripts do not (well, beyond the RuntimeDirectory= directive, that is). Instead, services are required to create a tmpfiles configuration file inside one of the following locations, informing the tmpfiles application to create directories and files as needed: (a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings) (b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.) (c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides of (a.) and (b.) These files declare what action to perform on a specific location (such as create a directory) and which ownership to apply (similar to the install(1) application it seems). Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware, (re)setting the context of the target. Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/system/tmpfiles.fc | 7 ++ policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++ policy/modules/system/tmpfiles.te | 103 ++++++++++++++++++++++++ 3 files changed, 271 insertions(+) diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc new file mode 100644 index 0000000..12fd30a --- /dev/null +++ b/policy/modules/system/tmpfiles.fc @@ -0,0 +1,7 @@ + +/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0) +/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0) + +/lib/rc/bin/checkpath -- gen_context(system_u:object_r:tmpfiles_exec_t,s0) +/lib/rc/sh/tmpfiles.sh -- gen_context(system_u:object_r:tmpfiles_exec_t,s0) + diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if new file mode 100644 index 0000000..09897fc --- /dev/null +++ b/policy/modules/system/tmpfiles.if @@ -0,0 +1,161 @@ +## Policy for tmpfiles, a boot-time temporary file handler + +######################################## +## +## Read resources in /run/tmpfiles.d/. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tmpfiles_read_var_run',` + gen_require(` + type tmpfiles_var_run_t; + ') + + files_search_pids($1) + allow $1 tmpfiles_var_run_t:dir list_dir_perms; + allow $1 tmpfiles_var_run_t:file read_file_perms; +') + +######################################## +## +## Create files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_create_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) + + tmpfiles_read_var_run($1) +') + +######################################## +## +## Write to files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_write_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) + + tmpfiles_read_var_run($1) +') + +######################################## +## +## Manage files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_manage_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + tmpfiles_read_var_run($1) + + manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) +') + +######################################## +## +## Read files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tmpfiles_read_conf',` + gen_require(` + type tmpfiles_conf_t; + ') + + files_search_etc($1) + allow $1 tmpfiles_conf_t:dir list_dir_perms; + allow $1 tmpfiles_conf_t:file read_file_perms; +') + +######################################## +## +## Create files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_create_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') + +######################################## +## +## Write to files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_write_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') + +######################################## +## +## Manage files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_manage_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te new file mode 100644 index 0000000..de92477 --- /dev/null +++ b/policy/modules/system/tmpfiles.te @@ -0,0 +1,103 @@ +policy_module(tmpfiles, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether tmpfiles can manage +## all non-security sensitive resources. +## Without this, it is only allowed rights towards +## /run, /tmp, /dev and /var/lock. +##

+##
+gen_tunable(tmpfiles_manage_all_non_security, false) + +type tmpfiles_t; +type tmpfiles_exec_t; +init_daemon_domain(tmpfiles_t, tmpfiles_exec_t) + +type tmpfiles_conf_t; +files_config_file(tmpfiles_conf_t) + +type tmpfiles_var_run_t; +files_pid_file(tmpfiles_var_run_t) + + +######################################## +# +# Local policy +# + +allow tmpfiles_t self:capability { mknod chown fowner fsetid }; +allow tmpfiles_t self:process getsched; +allow tmpfiles_t self:fifo_file rw_fifo_file_perms; +allow tmpfiles_t self:unix_dgram_socket create_socket_perms; + +allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans; + +list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) +read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) + +manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) +manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) + +corecmd_exec_bin(tmpfiles_t) +corecmd_exec_shell(tmpfiles_t) + +dev_create_all_blk_files(tmpfiles_t) +dev_create_all_chr_files(tmpfiles_t) +dev_getattr_all_blk_files(tmpfiles_t) +dev_getattr_generic_blk_files(tmpfiles_t) +dev_getattr_generic_chr_files(tmpfiles_t) +dev_relabel_all_dev_nodes(tmpfiles_t) +dev_relabel_generic_dev_dirs(tmpfiles_t) +dev_relabelfrom_generic_chr_files(tmpfiles_t) +dev_setattr_all_chr_files(tmpfiles_t) +dev_setattr_generic_dirs(tmpfiles_t) + +files_manage_all_pids(tmpfiles_t) +files_manage_generic_locks(tmpfiles_t) +files_manage_generic_tmp_dirs(tmpfiles_t) +files_manage_generic_tmp_files(tmpfiles_t) +files_manage_var_dirs(tmpfiles_t) +files_manage_var_files(tmpfiles_t) +files_relabel_all_lock_dirs(tmpfiles_t) +files_relabel_all_pidfiles(tmpfiles_t) +files_relabel_all_tmp_dirs(tmpfiles_t) +files_relabel_all_tmp_files(tmpfiles_t) +files_setattr_all_tmp_dirs(tmpfiles_t) +files_setattr_lock_dirs(tmpfiles_t) +files_setattr_pid_dirs(tmpfiles_t) + +fs_getattr_all_fs(tmpfiles_t) +fs_getattr_tmpfs_dirs(tmpfiles_t) +fs_manage_cgroup_files(tmpfiles_t) + +selinux_get_enforce_mode(tmpfiles_t) + +auth_use_nsswitch(tmpfiles_t) + +init_exec_rc(tmpfiles_t) + +miscfiles_read_localization(tmpfiles_t) + +seutil_exec_setfiles(tmpfiles_t) +seutil_libselinux_linked(tmpfiles_t) +seutil_read_file_contexts(tmpfiles_t) + +ifdef(`distro_gentoo',` + dev_create_generic_dirs(tmpfiles_t) + # Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs + dev_rw_generic_chr_files(tmpfiles_t) + + init_relabelto_script_state(tmpfiles_t) +') + +tunable_policy(`tmpfiles_manage_all_non_security',` + files_manage_all_non_security_file_types(tmpfiles_t) + files_manage_non_security_dirs(tmpfiles_t) + files_relabel_all_non_security_file_types(tmpfiles_t) +') From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 93FBA13877A for ; Fri, 8 Aug 2014 15:27:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3864CE0A49; Fri, 8 Aug 2014 15:27:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AF944E0A41 for ; Fri, 8 Aug 2014 15:27:44 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id BAE00340265 for ; Fri, 8 Aug 2014 15:27:43 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 8B8591881A for ; Fri, 8 Aug 2014 15:27:42 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1407509383.41fed32dfd6a3a812c252bd6facd6982b23988da.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/tmpfiles.fc policy/modules/system/tmpfiles.if policy/modules/system/tmpfiles.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 41fed32dfd6a3a812c252bd6facd6982b23988da X-VCS-Branch: master Date: Fri, 8 Aug 2014 15:27:42 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b38eb9b7-54ce-441f-af5d-0968ebdfba48 X-Archives-Hash: 4d1e8a02560c685c34eb2ddff2194d78 Message-ID: <20140808152742.ClHcZLSm1Eixvz5LhKnQ_fp0wlWIElLgaAHPG07-v4g@z> commit: 41fed32dfd6a3a812c252bd6facd6982b23988da Author: Sven Vermeulen siphos be> AuthorDate: Thu Aug 7 15:27:49 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Fri Aug 8 14:49:43 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41fed32d Introduce the tmpfiles_t domain The tmpfiles application, as documented in [1], is used to prepare directory structures in runtime, volatile locations (such as /var/run, /run and perhaps even /tmp and /var/tmp). [1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html The need for the tmpfiles application seems to came forward as systemd service files ("unit files") are not the flexible shell scripts that are used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts usually did the preparation of runtime directories, the systemd service scripts do not (well, beyond the RuntimeDirectory= directive, that is). Instead, services are required to create a tmpfiles configuration file inside one of the following locations, informing the tmpfiles application to create directories and files as needed: (a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings) (b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.) (c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides of (a.) and (b.) These files declare what action to perform on a specific location (such as create a directory) and which ownership to apply (similar to the install(1) application it seems). Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware, (re)setting the context of the target. Signed-off-by: Jason Zaman perfinion.com> --- policy/modules/system/tmpfiles.fc | 7 ++ policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++ policy/modules/system/tmpfiles.te | 103 ++++++++++++++++++++++++ 3 files changed, 271 insertions(+) diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc new file mode 100644 index 0000000..12fd30a --- /dev/null +++ b/policy/modules/system/tmpfiles.fc @@ -0,0 +1,7 @@ + +/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0) +/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0) + +/lib/rc/bin/checkpath -- gen_context(system_u:object_r:tmpfiles_exec_t,s0) +/lib/rc/sh/tmpfiles.sh -- gen_context(system_u:object_r:tmpfiles_exec_t,s0) + diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if new file mode 100644 index 0000000..09897fc --- /dev/null +++ b/policy/modules/system/tmpfiles.if @@ -0,0 +1,161 @@ +## Policy for tmpfiles, a boot-time temporary file handler + +######################################## +## +## Read resources in /run/tmpfiles.d/. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tmpfiles_read_var_run',` + gen_require(` + type tmpfiles_var_run_t; + ') + + files_search_pids($1) + allow $1 tmpfiles_var_run_t:dir list_dir_perms; + allow $1 tmpfiles_var_run_t:file read_file_perms; +') + +######################################## +## +## Create files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_create_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) + + tmpfiles_read_var_run($1) +') + +######################################## +## +## Write to files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_write_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) + + tmpfiles_read_var_run($1) +') + +######################################## +## +## Manage files in /run/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_manage_var_run_files',` + gen_require(` + type tmpfiles_var_run_t; + ') + + tmpfiles_read_var_run($1) + + manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t) +') + +######################################## +## +## Read files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`tmpfiles_read_conf',` + gen_require(` + type tmpfiles_conf_t; + ') + + files_search_etc($1) + allow $1 tmpfiles_conf_t:dir list_dir_perms; + allow $1 tmpfiles_conf_t:file read_file_perms; +') + +######################################## +## +## Create files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_create_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') + +######################################## +## +## Write to files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_write_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') + +######################################## +## +## Manage files in /etc/tmpfiles.d/. +## +## +## +## Domain allowed access. +## +## +# +interface(`tmpfiles_manage_conf_files',` + gen_require(` + type tmpfiles_conf_t; + ') + + manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) + + tmpfiles_read_conf($1) +') diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te new file mode 100644 index 0000000..de92477 --- /dev/null +++ b/policy/modules/system/tmpfiles.te @@ -0,0 +1,103 @@ +policy_module(tmpfiles, 1.0.0) + +######################################## +# +# Declarations +# + +## +##

+## Determine whether tmpfiles can manage +## all non-security sensitive resources. +## Without this, it is only allowed rights towards +## /run, /tmp, /dev and /var/lock. +##

+##
+gen_tunable(tmpfiles_manage_all_non_security, false) + +type tmpfiles_t; +type tmpfiles_exec_t; +init_daemon_domain(tmpfiles_t, tmpfiles_exec_t) + +type tmpfiles_conf_t; +files_config_file(tmpfiles_conf_t) + +type tmpfiles_var_run_t; +files_pid_file(tmpfiles_var_run_t) + + +######################################## +# +# Local policy +# + +allow tmpfiles_t self:capability { mknod chown fowner fsetid }; +allow tmpfiles_t self:process getsched; +allow tmpfiles_t self:fifo_file rw_fifo_file_perms; +allow tmpfiles_t self:unix_dgram_socket create_socket_perms; + +allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans; + +list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) +read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t) + +manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) +manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t) + +corecmd_exec_bin(tmpfiles_t) +corecmd_exec_shell(tmpfiles_t) + +dev_create_all_blk_files(tmpfiles_t) +dev_create_all_chr_files(tmpfiles_t) +dev_getattr_all_blk_files(tmpfiles_t) +dev_getattr_generic_blk_files(tmpfiles_t) +dev_getattr_generic_chr_files(tmpfiles_t) +dev_relabel_all_dev_nodes(tmpfiles_t) +dev_relabel_generic_dev_dirs(tmpfiles_t) +dev_relabelfrom_generic_chr_files(tmpfiles_t) +dev_setattr_all_chr_files(tmpfiles_t) +dev_setattr_generic_dirs(tmpfiles_t) + +files_manage_all_pids(tmpfiles_t) +files_manage_generic_locks(tmpfiles_t) +files_manage_generic_tmp_dirs(tmpfiles_t) +files_manage_generic_tmp_files(tmpfiles_t) +files_manage_var_dirs(tmpfiles_t) +files_manage_var_files(tmpfiles_t) +files_relabel_all_lock_dirs(tmpfiles_t) +files_relabel_all_pidfiles(tmpfiles_t) +files_relabel_all_tmp_dirs(tmpfiles_t) +files_relabel_all_tmp_files(tmpfiles_t) +files_setattr_all_tmp_dirs(tmpfiles_t) +files_setattr_lock_dirs(tmpfiles_t) +files_setattr_pid_dirs(tmpfiles_t) + +fs_getattr_all_fs(tmpfiles_t) +fs_getattr_tmpfs_dirs(tmpfiles_t) +fs_manage_cgroup_files(tmpfiles_t) + +selinux_get_enforce_mode(tmpfiles_t) + +auth_use_nsswitch(tmpfiles_t) + +init_exec_rc(tmpfiles_t) + +miscfiles_read_localization(tmpfiles_t) + +seutil_exec_setfiles(tmpfiles_t) +seutil_libselinux_linked(tmpfiles_t) +seutil_read_file_contexts(tmpfiles_t) + +ifdef(`distro_gentoo',` + dev_create_generic_dirs(tmpfiles_t) + # Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs + dev_rw_generic_chr_files(tmpfiles_t) + + init_relabelto_script_state(tmpfiles_t) +') + +tunable_policy(`tmpfiles_manage_all_non_security',` + files_manage_all_non_security_file_types(tmpfiles_t) + files_manage_non_security_dirs(tmpfiles_t) + files_relabel_all_non_security_file_types(tmpfiles_t) +')