Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
References: <YBohv4PUTV7ZgBqU@xev>
Date:   Wed, 03 Feb 2021 19:06:41 +0100
In-Reply-To: <YBohv4PUTV7ZgBqU@xev> (Russell Coker's message of "Wed, 3 Feb
        2021 15:08:31 +1100")
Message-ID: <ypjlo8h1qb4e.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk

Russell Coker <russell@coker.com.au> writes:

> Lots of little patches for services.
>
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
> +++ refpolicy-2.20210203/policy/modules/services/accountsd.te
> @@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
>  # Local policy
>  #
>  
> -allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
> -allow accountsd_t self:process signal;
> +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
> +allow accountsd_t self:process { signal getsched setsched };
>  allow accountsd_t self:fifo_file rw_fifo_file_perms;
>  allow accountsd_t self:passwd { rootok passwd chfn chsh };
>  
> Index: refpolicy-2.20210203/policy/modules/services/acpi.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
> +++ refpolicy-2.20210203/policy/modules/services/acpi.te
> @@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
>  #
>  
>  allow acpi_t self:capability { dac_override sys_admin };
> +# for pidof and pgrep
> +allow acpid_t self:cap_userns sys_ptrace;
>  
>  kernel_read_system_state(acpi_t)
>  
> @@ -105,6 +107,7 @@ dev_rw_acpi_bios(acpid_t)
>  dev_rw_sysfs(acpid_t)
>  dev_dontaudit_getattr_all_chr_files(acpid_t)
>  dev_dontaudit_getattr_all_blk_files(acpid_t)
> +dev_watch_dev_dirs(acpid_t)
>  
>  files_exec_etc_files(acpid_t)
>  files_read_etc_runtime_files(acpid_t)
> @@ -136,6 +139,7 @@ domain_dontaudit_list_all_domains_state(
>  auth_use_nsswitch(acpid_t)
>  
>  init_domtrans_script(acpid_t)
> +init_read_utmp(acpid_t)
>  init_telinit(acpid_t)
>  
>  libs_exec_ld_so(acpid_t)
> @@ -218,6 +222,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	init_list_unit_dirs(acpid_t)
> +	systemd_dbus_chat_logind(acpid_t)
>  	systemd_start_power_units(acpid_t)
>  	systemd_status_power_units(acpid_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210203/policy/modules/services/apache.fc
> @@ -172,7 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210203/policy/modules/services/apache.te
> @@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
>  files_read_var_lib_files(httpd_t)
> +files_map_var_lib_files(httpd_t)
>  files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
> Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
> @@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
>  
>  manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
>  
> +kernel_read_system_state(aptcacher_t)
>  kernel_read_vm_overcommit_sysctl(aptcacher_t)
>  
>  # Calls system()
> @@ -76,6 +77,7 @@ corenet_tcp_connect_http_port(aptcacher_
>  auth_use_nsswitch(aptcacher_t)
>  
>  files_read_etc_files(aptcacher_t)
> +files_read_usr_files(aptcacher_t)
>  
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
> Index: refpolicy-2.20210203/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210203/policy/modules/services/bind.te
> @@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
>  
>  allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
>  dontaudit named_t self:capability sys_tty_config;
> -allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
> +allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
>  allow named_t self:fifo_file rw_fifo_file_perms;
>  allow named_t self:unix_stream_socket { accept listen };
>  allow named_t self:tcp_socket { accept listen };
> @@ -212,9 +212,9 @@ optional_policy(`
>  # NDC local policy
>  #
>  
> -allow ndc_t self:capability { dac_override net_admin };
> +allow ndc_t self:capability { dac_override dac_read_search net_admin };
>  allow ndc_t self:capability2 block_suspend;
> -allow ndc_t self:process signal_perms;
> +allow ndc_t self:process { signal_perms getsched setsched };
>  allow ndc_t self:fifo_file rw_fifo_file_perms;
>  allow ndc_t self:unix_stream_socket { accept listen };
>  
> Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
> +++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
> @@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
>  allow bluetooth_t self:unix_stream_socket { accept connectto listen };
>  allow bluetooth_t self:tcp_socket { accept listen };
>  allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
>  
>  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
>  
> @@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
>  
>  can_exec(bluetooth_t, bluetooth_helper_exec_t)
>  
> +kernel_read_crypto_sysctls(bluetooth_t)
>  kernel_read_kernel_sysctls(bluetooth_t)
>  kernel_read_system_state(bluetooth_t)
>  kernel_read_network_state(bluetooth_t)
> @@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
>  miscfiles_read_fonts(bluetooth_t)
>  miscfiles_read_hwdata(bluetooth_t)
>  
> +udev_search_runtime(bluetooth_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
>  userdom_dontaudit_use_user_terminals(bluetooth_t)
>  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
> @@ -210,5 +214,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(bluetooth_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20210203/policy/modules/services/boinc.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
>  dev_read_rand(boinc_t)
>  dev_read_urand(boinc_t)
>  dev_read_sysfs(boinc_t)
> +dev_rw_dri(boinc_t)
>  dev_rw_xserver_misc(boinc_t)
>  
>  domain_read_all_domains_state(boinc_t)
> Index: refpolicy-2.20210203/policy/modules/services/certbot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
> +++ refpolicy-2.20210203/policy/modules/services/certbot.te
> @@ -85,6 +85,8 @@ domain_use_interactive_fds(certbot_t)
>  files_read_etc_files(certbot_t)
>  files_read_usr_files(certbot_t)
>  
> +# dontaudit for attempts to write python cache files
> +libs_dontaudit_write_lib_dirs(certbot_t)
>  libs_exec_ldconfig(certbot_t)
>  # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
>  libs_exec_lib_files(certbot_t)
> Index: refpolicy-2.20210203/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20210203/policy/modules/services/clamav.te
> @@ -176,7 +176,7 @@ optional_policy(`
>  # Freshclam local policy
>  #
>  
> -allow freshclam_t self:capability { dac_override setgid setuid };
> +allow freshclam_t self:capability { chown dac_override setgid setuid };
>  allow freshclam_t self:fifo_file rw_fifo_file_perms;
>  allow freshclam_t self:unix_stream_socket { accept listen };
>  allow freshclam_t self:tcp_socket { accept listen };
> @@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
>  domain_use_interactive_fds(freshclam_t)
>  
>  files_read_etc_runtime_files(freshclam_t)
> +files_read_usr_files(freshclam_t)
>  files_search_var_lib(freshclam_t)
>  
>  auth_use_nsswitch(freshclam_t)
> Index: refpolicy-2.20210203/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210203/policy/modules/services/colord.te
> @@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
>  
>  allow colord_t self:capability { dac_override dac_read_search };
>  dontaudit colord_t self:capability sys_admin;
> -allow colord_t self:process signal;
> +allow colord_t self:process { signal getsched setsched };
>  allow colord_t self:fifo_file rw_fifo_file_perms;
>  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow colord_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210203/policy/modules/services/cron.te
> @@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
>  kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> +kernel_read_rpc_sysctls(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
>  kernel_read_software_raid_state(system_cronjob_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210203/policy/modules/services/cups.te
> @@ -5,6 +5,13 @@ policy_module(cups, 1.25.3)
>  # Declarations
>  #
>  
> +## <desc>
> +## <p>
> +## Allows legacy ld_so for old printer filters
> +## </p>
> +## </desc>
> +gen_tunable(cups_legacy_ldso, false)
> +
>  type cupsd_config_t;
>  type cupsd_config_exec_t;
>  init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
> @@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
>  
>  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
> +manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
>  files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
>  
> @@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
>  
>  files_getattr_boot_dirs(cupsd_t)
>  files_list_spool(cupsd_t)
> +files_map_etc_files(cupsd_t)
>  files_read_etc_runtime_files(cupsd_t)
>  files_read_usr_files(cupsd_t)
>  files_exec_usr_files(cupsd_t)
>  # for /var/lib/defoma
>  files_read_var_lib_files(cupsd_t)
> +files_read_var_lib_symlinks(cupsd_t)
>  files_list_world_readable(cupsd_t)
>  files_read_world_readable_files(cupsd_t)
>  files_read_world_readable_symlinks(cupsd_t)
> @@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
>  userdom_manage_user_home_content_files(cups_pdf_t)
>  userdom_home_filetrans_user_home_dir(cups_pdf_t)
>  
> +tunable_policy(`cups_legacy_ldso',`
not sure if this is worth a tunable

> +	libs_legacy_use_ld_so(cupsd_t)
> +')
> +
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(cups_pdf_t)
>  	fs_manage_nfs_files(cups_pdf_t)
> Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210203/policy/modules/services/devicekit.te
> @@ -67,7 +67,7 @@ optional_policy(`
>  
>  allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
>  allow devicekit_disk_t self:capability2 wake_alarm;
> -allow devicekit_disk_t self:process { getsched signal_perms };
> +allow devicekit_disk_t self:process { getsched setsched signal_perms };
>  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
>  
> @@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
>  mount_rw_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files_reads(devicekit_disk_t)
>  
>  storage_raw_read_fixed_disk(devicekit_disk_t)
>  storage_raw_write_fixed_disk(devicekit_disk_t)
> @@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
>  
>  logging_send_syslog_msg(devicekit_disk_t)
>  
> +mount_watch_runtime_dirs(devicekit_disk_t)
>  miscfiles_read_localization(devicekit_disk_t)
>  
>  userdom_read_all_users_state(devicekit_disk_t)
> @@ -210,7 +213,7 @@ optional_policy(`
>  
>  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
>  allow devicekit_power_t self:capability2 wake_alarm;
> -allow devicekit_power_t self:process { getsched signal_perms };
> +allow devicekit_power_t self:process { getsched setsched signal_perms };
>  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
>  allow devicekit_power_t self:unix_stream_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
> +++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
> @@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
>  userdom_search_user_home_dirs(dirmngr_t)
>  userdom_search_user_runtime(dirmngr_t)
>  userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
>  
>  optional_policy(`
>  	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> @@ -92,3 +93,7 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +optional_policy(`
> +	corenet_tcp_connect_tor_port(dirmngr_t)
> +')
> Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20210203/policy/modules/services/dovecot.te
> @@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
>  
>  kernel_dontaudit_getattr_proc(dovecot_auth_t)
>  
> +kernel_getattr_proc(dovecot_auth_t)
> +
>  files_search_runtime(dovecot_auth_t)
>  files_read_usr_files(dovecot_auth_t)
>  files_read_var_lib_files(dovecot_auth_t)
> Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
> @@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_read_vm_overcommit_sysctl(fail2ban_t)
>  kernel_search_fs_sysctls(fail2ban_t)
> +kernel_search_vm_sysctl(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
> @@ -133,7 +135,7 @@ optional_policy(`
>  #
>  
>  allow fail2ban_client_t self:capability dac_read_search;
> -allow fail2ban_client_t self:unix_stream_socket { create connect write read };
> +allow fail2ban_client_t self:unix_stream_socket { create connect
>  write read shutdown };
create_socket_perms

>  
>  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
> +++ refpolicy-2.20210203/policy/modules/services/ftp.fc
> @@ -1,4 +1,5 @@
>  /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
> +/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
>  
>  /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> @@ -22,8 +23,10 @@
>  /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
> +/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> -/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
>  
>  /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
>  
> @@ -31,6 +34,7 @@
>  
>  /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
> +/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/ftp.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
> +++ refpolicy-2.20210203/policy/modules/services/ftp.te
> @@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
>  allow ftpd_t self:shm create_shm_perms;
>  allow ftpd_t self:key manage_key_perms;
>  
> +allow ftpd_t ftpd_etc_t:dir list_dir_perms;
>  allow ftpd_t ftpd_etc_t:file read_file_perms;
>  
>  allow ftpd_t ftpd_keytab_t:file read_file_perms;
> @@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
>  
>  manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
> +allow ftpd_t ftpd_runtime_t:file map;
>  manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
>  
> @@ -405,6 +407,13 @@ optional_policy(`
>  	seutil_sigchld_newrole(ftpd_t)
>  ')
>  
> +optional_policy(`
> +	systemd_connect_machined(ftpd_t)

this is probably related to dynamic user resolving? we should probably
address this in auth_use_nsswitch()

> +	systemd_dbus_chat_logind(ftpd_t)
> +	systemd_read_logind_state(ftpd_t)
> +	systemd_write_inherited_logind_sessions_pipes(ftpd_t)

This looks PAM related?

> +')
> +
>  ########################################
>  #
>  # Ctl local policy
> Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
> +++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
> @@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
>  
>  auth_use_nsswitch(kerneloops_t)
>  
> +logging_mmap_generic_logs(kerneloops_t)
>  logging_send_syslog_msg(kerneloops_t)
>  logging_read_generic_logs(kerneloops_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
> @@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
>  #
>  
>  allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
> -allow modemmanager_t self:process { getsched signal };
> +allow modemmanager_t self:process { getsched setsched signal };
>  allow modemmanager_t self:fifo_file rw_fifo_file_perms;
>  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
>  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210203/policy/modules/services/mon.te
> @@ -164,9 +164,10 @@ optional_policy(`
>  #
>  
>  # sys_ptrace is for reading /proc/1/maps etc
> -allow mon_local_test_t self:capability { sys_ptrace sys_admin };
> +allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
> +allow mon_local_test_t self:cap_userns sys_ptrace;
>  
>  can_exec(mon_local_test_t, mon_local_test_exec_t)
>  
> @@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
>  fs_search_auto_mountpoints(mon_local_test_t)
>  fs_getattr_nfs(mon_local_test_t)
>  fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_cgroup_dirs(mon_local_test_t)
>  fs_list_hugetlbfs(mon_local_test_t)
>  fs_list_tmpfs(mon_local_test_t)
> +fs_read_cgroup_files(mon_local_test_t)
> +fs_search_cgroup_dirs(mon_local_test_t)
>  fs_search_nfs(mon_local_test_t)
>  
>  storage_getattr_fixed_disk_dev(mon_local_test_t)
> @@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
>  
>  auth_use_nsswitch(mon_local_test_t)
>  
> +fsdaemon_read_lib(mon_local_test_t)
>  init_getattr_initctl(mon_local_test_t)
>  
>  logging_send_syslog_msg(mon_local_test_t)
>  
>  miscfiles_read_generic_certs(mon_t)
>  miscfiles_read_localization(mon_local_test_t)
> +storage_raw_read_fixed_disk(mon_local_test_t)
>  
>  sysnet_read_config(mon_local_test_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20210203/policy/modules/services/mta.if
> @@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
>  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  	allow $1 mail_home_rw_t:file map;
>  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:dir watch;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20210203/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210203/policy/modules/services/mysql.te
> @@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  
>  allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
> -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
>  allow mysqld_t self:shm create_shm_perms;
>  allow mysqld_t self:unix_stream_socket { connectto accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
> @@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
>  files_read_usr_src_files(NetworkManager_t)
>  
>  fs_getattr_all_fs(NetworkManager_t)
> +fs_read_nsfs_files(NetworkManager_t)
>  fs_search_auto_mountpoints(NetworkManager_t)
>  fs_list_inotifyfs(NetworkManager_t)
>  
> @@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
>  
>  auth_use_nsswitch(NetworkManager_t)
>  
> +libs_watch_shared_libs_dir(NetworkManager_t)
> +
>  logging_send_audit_msgs(NetworkManager_t)
>  logging_send_syslog_msg(NetworkManager_t)
>  
> @@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
>  sysnet_search_dhcp_state(NetworkManager_t)
>  sysnet_manage_config(NetworkManager_t)
>  sysnet_etc_filetrans_config(NetworkManager_t)
> +sysnet_watch_config_dir(NetworkManager_t)
>  
>  # certificates in user home directories (cert_home_t in ~/\.pki)
>  userdom_read_user_certs(NetworkManager_t)
> Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210203/policy/modules/services/openvpn.te
> @@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
>  
>  fs_getattr_all_fs(openvpn_t)
>  fs_search_auto_mountpoints(openvpn_t)
> +fs_search_tmpfs(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20210203/policy/modules/services/policykit.te
> @@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
>  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
>  
>  manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
> +allow policykit_t policykit_var_lib_t:dir watch;
>  
>  manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
>  manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
> Index: refpolicy-2.20210203/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20210203/policy/modules/services/postfix.te
> @@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
>  files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
>  
>  kernel_read_kernel_sysctls(postfix_map_t)
> +kernel_read_network_state(postfix_map_t)
>  kernel_dontaudit_list_proc(postfix_map_t)
>  kernel_dontaudit_read_system_state(postfix_map_t)
>  
> @@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
>  
>  auth_use_nsswitch(postfix_map_t)
>  
> +domain_use_interactive_fds(postfix_map_t)
> +
>  logging_send_syslog_msg(postfix_map_t)
>  
>  miscfiles_read_localization(postfix_map_t)
>  
> +userdom_use_user_ptys(postfix_map_t)
> +
>  optional_policy(`
>  	locallogin_dontaudit_use_fds(postfix_map_t)
>  ')
> @@ -745,12 +750,17 @@ allow postfix_showq_t postfix_spool_mail
>  allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
>  
>  allow postfix_showq_t postfix_spool_t:file read_file_perms;
> +allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
>  
>  mcs_file_read_all(postfix_showq_t)
>  
>  term_use_all_ptys(postfix_showq_t)
>  term_use_all_ttys(postfix_showq_t)
>  
> +optional_policy(`
> +	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
> +')
> +
>  ########################################
>  #
>  # Smtp delivery local policy
> Index: refpolicy-2.20210203/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210203/policy/modules/services/rpc.te
> @@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
>  
>  fs_rw_rpc_named_pipes(rpc_domain)
>  fs_search_auto_mountpoints(rpc_domain)
> +fs_watch_rpc_pipefs_dir(rpc_domain)
>  
>  files_read_etc_runtime_files(rpc_domain)
>  files_read_usr_files(rpc_domain)
> Index: refpolicy-2.20210203/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210203/policy/modules/services/samba.te
> @@ -619,7 +619,7 @@ allow smbcontrol_t self:unix_stream_sock
>  allow smbcontrol_t self:process { signal signull };
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
>  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
> @@ -638,6 +638,7 @@ files_search_var_lib(smbcontrol_t)
>  term_use_console(smbcontrol_t)
>  
>  init_use_fds(smbcontrol_t)
> +init_rw_inherited_stream_socket(smbcontrol_t)
I mentioned how this is common to children of systemd and systemd daemon
I think this is how journald catches the stdout so that it can log it
there is probably a more efficient way to address this on a lower level.

>  
>  miscfiles_read_localization(smbcontrol_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
> +++ refpolicy-2.20210203/policy/modules/services/sendmail.te
> @@ -173,6 +173,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	userdom_use_user_ttys(sendmail_t)
probably atleast inherited? ie is userdom_use_inherited_user_ttys() an
option here?

>  	postfix_domtrans_postdrop(sendmail_t)
>  	postfix_domtrans_master(sendmail_t)
>  	postfix_domtrans_postqueue(sendmail_t)
> Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
> +++ refpolicy-2.20210203/policy/modules/services/smartmon.if
> @@ -56,3 +56,24 @@ interface(`smartmon_admin',`
>  	files_list_var_lib($1)
>  	admin_pattern($1, fsdaemon_var_lib_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	Read fsdaemon /var/lib files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`fsdaemon_read_lib',`
> +	gen_require(`
> +		type fsdaemon_var_lib_t;
> +	')
> +
> +	allow $1 fsdaemon_var_lib_t:dir search;
> +	allow $1 fsdaemon_var_lib_t:file read_file_perms;

you can also use a pattern for this. this is exactly the scenario that
suits the use of a pattern

files_search_var_lib($1)
read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

> +')
> +
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
>  ')
>  
>  optional_policy(`
> +	cron_read_pipes(ssh_t)
> +	cron_rw_tmp_files(ssh_t)
> +')
> +
> +optional_policy(`
>  	tunable_policy(`ssh_use_gpg_agent',`
>  		gpg_stream_connect_agent(ssh_t)
>  	')
> @@ -269,6 +274,8 @@ ifdef(`distro_debian',`
>  ifdef(`init_systemd',`
>  	auth_use_pam_systemd(sshd_t)
>  	init_dbus_chat(sshd_t)
> +	# dynamic users
> +	init_stream_connect(sshd_t)

probably best to address DynamicUsers.io in auth_use_nsswitch()?

>  	init_rw_stream_sockets(sshd_t)
>  	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/virt.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
> +++ refpolicy-2.20210203/policy/modules/services/virt.fc
> @@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
>  /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  
> +/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
> +
>  /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
>  
>  /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/virt.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.te
> +++ refpolicy-2.20210203/policy/modules/services/virt.te
> @@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
>  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
>  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
>  
> +allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
> +allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
> +
>  manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
>  
>  kernel_read_network_state(virt_bridgehelper_t)
> Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20210203/policy/modules/services/xserver.fc
> @@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20210203/policy/modules/services/xserver.te
> @@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
>  auth_use_nsswitch(xauth_t)
>  
>  userdom_use_user_terminals(xauth_t)
> +userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
> Index: refpolicy-2.20210203/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20210203/policy/modules/system/mount.if
> @@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Watch mount runtime files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch mount runtime files reads.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files_reads',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch_reads;
> +')
> +
> +########################################
> +## <summary>
>  ##     Getattr on mount_runtime_t files
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210203/policy/modules/kernel/files.if
> @@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
>  
>  ########################################
>  ## <summary>
> +##	map generic files in /var/lib.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_map_var_lib_files',`
> +	gen_require(`
> +		type var_lib_t;
> +	')
> +
> +	allow $1 var_lib_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read generic symbolic links in /var/lib
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/system/libraries.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
> +++ refpolicy-2.20210203/policy/modules/system/libraries.if
> @@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
>  
>  	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	watch lib dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`libs_watch_shared_libs_dir',`
> +	gen_require(`
> +		type lib_t;
> +	')
> +
> +	allow $1 lib_t:dir watch;
> +')
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> @@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
>  
>  #######################################
>  ## <summary>
> +##	Watch a network config dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_watch_config_dir',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	allow $1 net_conf_t:dir watch;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Read the dhcp client pid file.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> @@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of binfmt_misc filesystems.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_getattr_binfmt_misc_fs',`
> +	gen_require(`
> +		type binfmt_misc_fs_t;
> +	')
> +
> +	allow $1 binfmt_misc_fs_t:filesystem getattr;
> +
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of directories on
>  ##	binfmt_misc filesystems.
>  ## </summary>
> @@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
>  	allow $1 rpc_pipefs_t:filesystem getattr;
>  ')
>  
> +########################################
> +## <summary>
> +##	Watch a rpc pipefs dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_watch_rpc_pipefs_dir',`
> +	gen_require(`
> +		type rpc_pipefs_t;
> +	')
> +
> +	allow $1 rpc_pipefs_t:dir watch;
> +')
> +
>  #########################################
>  ## <summary>
>  ##	Read and write RPC pipe filesystem named pipes.
> @@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
>  
>  	typeattribute $1 filesystem_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Search bpf dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_search_bpf',`
> +	gen_require(`
> +		type bpf_t;
> +	')
> +
> +	allow $1 bpf_t:dir search;
> +')
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift