# # This is the guide for converting old macros to local policy # and new interfaces. # # $1, $2, etc. are replaced with and the first and second, etc. # parameters to the old macro. # ######################################## # # Attributes # # $1 is the type this attribute is on # # admin_tty_type: complete # { sysadm_tty_device_t sysadm_devpts_t } # # auth: complete # auth_read_shadow($1) # # auth_chkpwd: complete # auth_domtrans_chk_passwd($1) # # file_type: complete # files_file_type($1) # # fs_domain: complete # # one or both of these: storage_raw_read_fixed_disk($1) storage_raw_write_fixed_disk($1) # # privfd: complete # domain_wide_inherit_fd($1) # # privlog: complete # logging_send_syslog_msg($1) # # privmail: # mta_send_mail($1) # this needs more work: allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file { read write }; # # privmodule: complete # modutils_domtrans_insmod($1) # # privowner: complete # domain_obj_id_change_exempt($1) # # privrole: complete # domain_role_change_exempt($1) # # privuser: complete # domain_subj_id_change_exempt($1) ######################################## # # Access macros # # # access_terminal(): # allow $1 $2_tty_device_t:chr_file { read write getattr ioctl }; allow $1 devtty_t:chr_file { read write getattr ioctl }; allow $1 devpts_t:dir { read search getattr }; allow $1 $2_devpts_t:chr_file { read write getattr ioctl }; # # append_log_domain(): # type $1_log_t; logging_log_file($1_log_t) allow $1_t var_log_t:dir ra_dir_perms; allow $1_t $1_log_t:file { create ra_file_perms }; type_transition $1_t var_log_t:file $1_log_t; # # append_logdir_domain(): # type $1_log_t; logging_log_file($1_log_t) allow $1_t var_log_t:dir ra_dir_perms; allow $1_t $1_log_t:dir { setattr ra_dir_perms }; allow $1_t $1_log_t:file { create ra_file_perms }; type_transition $1_t var_log_t:file $1_log_t; # # application_domain(): # type $1_t; type $1_exec_t; domain_type($1_t) domain_entry_file($1_t,$1_exec_t) role sysadm_r types $1_t; domain_auto_trans(sysadm_t, $1_exec_t, $1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) # # base_can_network($1,$2): # allow $1 self:$2_socket connected_socket_perms; corenet_$2_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_$2_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_$2_sendrecv_all_ports($1) corenet_$2_bind_all_nodes($1) sysnet_read_config($1) # # base_can_network($1,$2,$3): # allow $1 self:$2_socket connected_socket_perms; corenet_$2_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_$2_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_$2_bind_all_nodes($1) corenet_$2_sendrecv_$3_port($1) sysnet_read_config($1) # # base_file_read_access(): # files_list_home($1) files_read_usr_files($1) allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:notdevfile_class_set r_file_perms; allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:notdevfile_class_set r_file_perms; kernel_read_kernel_sysctl($1) seutil_read_config($1) if (read_default_t) { allow $1 default_t:dir r_dir_perms; allow $1 default_t:notdevfile_class_set r_file_perms; } # # base_pty_perms(): # allow $1_t ptmx_t:chr_file rw_file_perms; allow $1_t devpts_t:filesystem getattr; allow $1_t devpts_t:dir { getattr read search }; dontaudit $1_t bsdpty_device_t:chr_file { getattr read write }; # # can_create(): # # for each i in $3 can_create_internal($1,$2,$i) # # can_create_internal($1,$2,dir): # allow $1 $2:$3 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; # # can_create_internal($1,$2,lnk_file): # allow $1 $2:$3 { create read getattr setattr link unlink rename }; # # can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]): # allow $1 $2:$3 { create ioctl read getattr lock write setattr append link unlink rename }; # # can_create_other_pty(): complete # term_create_pty($1_t,$2_devpts_t) allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append }; # # can_create_pty(): complete # # $2 may require more conversion type $1_devpts_t $2; term_pty($1_devpts_t) allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; term_create_pty($1_t,$1_devpts_t) # # can_exec_any(): complete # domain_exec_all_entry_files($1) files_exec_generic_etc_files($1) corecmd_exec_bin($1) corecmd_exec_sbin($1) libs_use_ld_so($1) libs_use_shared_libs($1) libs_exec_ld_so($1) libs_exec_lib_files($1) # # can_getcon(): # allow $1 self:process getattr; kernel_read_system_state($1) # # can_getsecurity(): complete # selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) selinux_compute_create_context($1) selinux_compute_relabel_context($1) selinux_compute_user_contexts($1) # # can_kerberos(): complete # optional_policy(`kerberos.te',` kerberos_use($1) ') # # can_ldap(): complete # optional_policy(`ldap.te',` allow $1 self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_ldap_port($1) corenet_tcp_bind_all_nodes($1) sysnet_read_config($1) ') # # can_loadpol(): complete # selinux_get_fs_mount($1) selinux_load_policy($1) # # can_network(): # can_network_tcp($1, `$2') can_network_udp($1, `$2') ifdef(`mount.te', ` allow $1 mount_t:udp_socket rw_socket_perms; ') # # can_network_client(): # can_network_client_tcp($1, `$2') can_network_udp($1, `$2') # # can_network_client_tcp($1): complete # allow $1 self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_all_ports($1) corenet_tcp_bind_all_nodes($1) sysnet_read_config($1) # # can_network_client_tcp($1,$2): # # remove _port_t from $2 allow $1 self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_$2_port($1) corenet_tcp_bind_all_nodes($1) sysnet_read_config($1) # # can_network_server(): # allow $1 self:tcp_socket create_stream_socket_perms; base_can_network($1, tcp, `$2') # # can_network_server_tcp(): # allow $1 self:tcp_socket create_stream_socket_perms; base_can_network($1, tcp, `$2') # # can_network_tcp(): complete # can_network_server_tcp($1, `$2') can_network_client_tcp($1, `$2') # # can_network_udp(): complete # base_can_network($1, udp, `$2') allow $1 self:udp_socket { connect }; # # can_ps(): # allow $1 $2:dir { search getattr read }; allow $1 $2:{ file lnk_file } { read getattr }; allow $1 $2:process getattr; # We need to suppress this denial because procps tries to access # /proc/pid/environ and this now triggers a ptrace check in recent kernels # (2.4 and 2.6). Might want to change procps to not do this, or only if # running in a privileged domain. dontaudit $1 $2:process ptrace; # # can_ptrace(): # allow $1 $2:process ptrace; allow $2 $1:process sigchld; # # can_resolve(): complete # tunable_policy(`use_dns',` allow $1 self:udp_socket create_socket_perms; corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_udp_sendrecv_dns_port($1) corenet_udp_bind_all_nodes($1) sysnet_read_config($1) ') # # can_setbool(): complete # selinux_get_fs_mount($1) selinux_set_boolean($1) # # can_setcon(): complete # # get mount point is due to libselinux init # allow $1 self:process setcurrent; selinux_get_fs_mount($1) # # can_setenforce(): complete # # get mount point is due to libselinux init # selinux_get_fs_mount($1) selinux_set_enforce_mode($1) # # can_setexec(): complete # # get mount point is due to libselinux init # allow $1 self:process setexec; selinux_get_fs_mount($1) # # can_setfscreate(): complete # # get mount point is due to libselinux init # allow $1 self:process setfscreate; selinux_get_fs_mount($1) # # can_setsecparam(): complete # # get mount point is due to libselinux init # selinux_get_fs_mount($1) kernel_setsecparam($1) # # can_sysctl(): complete # kernel_rw_all_sysctl($1) # # can_tcp_connect # allow $1 $2:tcp_socket { connectto recvfrom }; allow $2 $1:tcp_socket { acceptfrom recvfrom }; allow $2 kernel_t:tcp_socket recvfrom; allow $1 kernel_t:tcp_socket recvfrom; # # can_udp_send(): # allow $1 $2:udp_socket sendto; allow $2 $1:udp_socket recvfrom; # # can_unix_connect(): # allow $1 $2:unix_stream_socket connectto; # # can_unix_send(): # allow $1 $2:unix_dgram_socket sendto; # # can_ypbind(): complete # optional_policy(`nis.te',` nis_use_ypbind($1) ') # # create_append_log_file(): # allow $1 $2:dir { read getattr search add_name write }; allow $1 $2:file { create ioctl getattr setattr append link }; # # create_dir_file(): # allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; # # create_dir_notdevfile(): # allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }; allow $1 $2:{ file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename }; allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; # # daemon_base_domain(): # type $1_t; type $1_exec_t; init_daemon_domain($1_t,$1_exec_t) role system_r types $1_t; dontaudit $1_t self:capability sys_tty_config; allow $1_t self:process { sigchld sigkill sigstop signull signal }; kernel_read_kernel_sysctl($1_t) dev_read_sysfs($1_t) fs_search_auto_mountpoints($1_t) term_dontaudit_use_console($1_t) domain_use_wide_inherit_fd($1_t) init_use_fd($1_t) init_use_script_pty($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) userdom_dontaudit_use_unpriv_user_fd($1_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_tty($1_t) term_dontaudit_use_generic_pty($1_t) files_dontaudit_read_root_file($1_t) ') optional_policy(`rhgb.te',` rhgb_domain($1_t) ') optional_policy(`selinux.te',` seutil_newrole_sigchld($1_t) ') optional_policy(`udev.te', ` udev_read_db($1_t) ') allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:lnk_file read; # # daemon_domain(): # type $1_t; type $1_exec_t; init_daemon_domain($1_t,$1_exec_t) type $1_var_run_t; files_pid_file($1_var_run_t) dontaudit $1_t self:capability sys_tty_config; allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink }; files_create_pid($1_t,$1_var_run_t) kernel_read_kernel_sysctl($1_t) dev_read_sysfs($1_t) fs_getattr_all_fs($1_t) fs_search_auto_mountpoints($1_t) term_dontaudit_use_console($1_t) domain_use_wide_inherit_fd($1_t) init_use_fd($1_t) init_use_script_pty($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) miscfiles_read_localization($1_t) userdom_dontaudit_use_unpriv_user_fd($1_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty($1_t) term_dontaudit_use_generic_pty($1_t) files_dontaudit_read_root_file($1_t) ') optional_policy(`rhgb.te',` rhgb_domain($1_t) ') optional_policy(`selinux.te',` seutil_newrole_sigchld($1_t) ') optional_policy(`udev.te', ` udev_read_db($1_t) ') allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:lnk_file read; dontaudit $1_t sysadm_home_dir_t:dir search; # # daemon_sub_domain(): # # $1 is the parent domain (or domains), $2_t is the child domain, # and $3 is any attributes to apply to the child type $2_t, domain, privlog, daemon $3; type $2_exec_t, file_type, sysadmfile, exec_type; role system_r types $2_t; domain_auto_trans($1, $2_exec_t, $2_t) allow $2_t $1:fd use; allow $2_t $1:process sigchld; allow $2_t self:process signal_perms; libs_use_ld_so($2_t) libs_use_shared_libs($2_t) allow $2_t proc_t:dir r_dir_perms; allow $2_t proc_t:lnk_file read; allow $2_t device_t:dir getattr; # # etc_domain(): # type $1_etc_t; #, usercanread; files_file_type($1_etc_t) allow $1_t $1_etc_t:file { getattr read }; # # etcdir_domain(): # type $1_etc_t; #, usercanread; files_file_type($1_etc_t) allow $1_t $1_etc_t:file r_file_perms; allow $1_t $1_etc_t:dir r_dir_perms; allow $1_t $1_etc_t:lnk_file { getattr read }; # # file_type_auto_trans($1,$2,$3): # allow $1 $3:dir { read getattr lock search ioctl add_name remove_name write }; allow $1 $3:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1 $3:lnk_file { create read getattr setattr link unlink rename }; allow $1 $3:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1 $3:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3; # # file_type_auto_trans($1,$2,$3,$4): # allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; # for each i in $4: can_create_internal($1,$3,$i) type_transition $1 $2:$i $3; # # general_domain_access(): complete # allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition }; allow $1 self:fd use; allow $1 self:fifo_file rw_file_perms; allow $1 self:unix_dgram_socket create_socket_perms; allow $1 self:unix_stream_socket create_stream_socket_perms; allow $1 self:unix_dgram_socket sendto; allow $1 self:unix_stream_socket connectto; allow $1 self:shm create_shm_perms; allow $1 self:sem create_sem_perms; allow $1 self:msgq create_msgq_perms; allow $1 self:msg { send receive }; fs_search_auto_mountpoints($1) userdom_use_unpriv_user_fd($1) optional_policy(`nis.te',` nis_use_ypbind($1) ') # # general_proc_read_access(): complete # kernel_read_system_state($1) kernel_read_sendrecv_state($1) kernel_read_software_raid_state($1) kernel_getattr_core($1) kernel_getattr_message_if($1) kernel_read_kernel_sysctl($1) # # home_domain(): # # # home_domain_access(): # # # home_domain_ro(): # # # home_domain_ro_access(): # # # in_user_role(): # role user_r types $1; role staff_r types $1; # # init_service_domain(): # type $1_t; type $1_exec_t; init_daemon_domain($1_t,$1_exec_t) dontaudit $1_t self:capability sys_tty_config; dev_read_sysfs($1_t) term_dontaudit_use_console($1_t) init_use_fd($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) tunable_policy(`targeted_policy', ` term_dontaudit_use_unallocated_tty($1_t) term_dontaudit_use_generic_pty($1_t) files_dontaudit_read_root_file($1_t) ')dnl end targeted_policy tunable allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:lnk_file read; optional_policy(`udev.te', ` udev_read_db($1_t) ') allow $1_t autofs_t:dir { search getattr }; dontaudit $1_t unpriv_userdomain:fd use; # # inetd_child_domain(): # type $1_t; #, nscd_client_domain; type $1_exec_t; inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t) role system_r types $1_t; type $1_tmp_t; files_tmp_file($1_tmp_t) type $1_var_run_t; files_pid_file($1_var_run_t) allow $1_t self:process signal_perms; allow $1_t self:fifo_file rw_file_perms; allow $1_t self:tcp_socket { listen accept connected_socket_perms } # for identd # cjp: this should probably only be inetd_child rules? allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow $1_t self:capability { setuid setgid }; allow $1_t self:dir search; allow $1_t self:{ lnk_file file } { getattr read }; #allow $1_t home_root_t:dir search; #can_kerberos($1_t) #end for identd allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:file create_file_perms; files_create_tmp_files($1_t, $1_tmp_t, { file dir }) allow $1_t $1_var_run_t:file create_file_perms; files_create_pid($1_t,$1_var_run_t) kernel_read_kernel_sysctl($1_t) kernel_read_system_state($1_t) kernel_read_network_state($1_t) corenet_sendrecv_tcp_on_all_interfaces($1_t) corenet_sendrecv_raw_on_all_interfaces($1_t) corenet_sendrecv_tcp_on_all_nodes($1_t) corenet_sendrecv_raw_on_all_nodes($1_t) corenet_bind_tcp_on_all_nodes($1_t) corenet_sendrecv_tcp_on_all_ports($1_t) dev_read_urand($1_t) fs_getattr_xattr_fs($1_t) files_read_generic_etc_files($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) miscfiles_read_localization($1_t) sysnet_read_config($1_t) optional_policy(`nis.te',` nis_use_ypbind($1_t) ') # # legacy_domain(): complete # allow $1_t self:process execmem; libs_legacy_use_shared_libs($1_t) libs_legacy_use_ld_so($1_t) # # lock_domain(): complete # type $1_lock_t; files_lock_file($1_lock_t) allow $1_t $1_lock_t:file create_file_perms; files_create_lock_file($1_t,$1_lock_t) # # log_domain(): complete # type $1_log_t; logging_log_file($1_log_t) allow $1_t $1_log_t:file create_file_perms; logging_create_log($1_t,$1_log_t) # # logdir_domain(): complete # type $1_log_t; logging_log_file($1_log_t) allow $1_t $1_log_t:file create_file_perms; allow $1_t $1_log_t:dir rw_dir_perms; logging_search_logs($1_t,$1_log_t,{ file dir }) # # mini_user_domain(): # # # network_home_dir(): # create_dir_file($1, $2) can_exec($1, $2) allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename }; # # pty_slave_label(): # type $1_devpts_t, file_type, sysadmfile, ptyfile $2; allow $1_devpts_t devpts_t:filesystem associate; type_transition $1_t devpts_t:chr_file $1_devpts_t; allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms }; # # r_dir_file(): # allow $1 $2:dir { getattr read search }; allow $1 $2:file { read getattr }; allow $1 $2:lnk_file { getattr read }; # # ra_dir_create_file(): # allow $1 $2:dir ra_dir_perms; allow $1 $2:file { create ra_file_perms }; allow $1 $2:lnk_file { create read getattr }; # # ra_dir_file(): # allow $1 $2:dir ra_dir_perms; allow $1 $2:file ra_file_perms; allow $1 $2:lnk_file { getattr read }; # # read_locale(): complete # miscfiles_read_localization($1) # # read_sysctl($1): complete # kernel_read_kernel_sysctl($1) # # read_sysctl($1,full): complete # kernel_read_all_sysctl($1) # # rhgb_domain(): # ifdef(`rhgb.te', ` allow $1 rhgb_t:process sigchld; allow $1 rhgb_t:fd use; allow $1 rhgb_t:fifo_file { read write }; ') # # rw_dir_create_file(): # allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1 $2:lnk_file { create read getattr setattr link unlink rename }; # # rw_dir_file(): # allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write }; allow $1 $2:file rw_file_perms; allow $1 $2:lnk_file { getattr read }; # # system_domain(): # type $1_t; domain_type($1_t) role system_r types $1_t; type $1_exec_t; domain_entry_file($1_t,$1_exec_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) logging_send_syslog_msg($1_t) allow $1_t etc_t:dir r_dir_perms; # # tmp_domain(): complete # # $2 may need more handling # type $1_tmp_t $2; files_tmp_file($1_tmp_t) # no class specified: allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:file create_file_perms; files_create_tmp_files($1_t, $1_tmp_t, { file dir }) # class specified: files_create_tmp_files($1_t, $1_tmp_t, $3) # $3 manage object perms here # # tmp_domain($1,$2,$3): complete # # $2 may need more handling # type $1_tmp_t $2; files_tmp_file($1_tmp_t) files_create_tmp_files($1_t, $1_tmp_t, $3) allow $1_t $1_tmp_t:$3 manage_obj_perms; # # tmpfs_domain(): complete # type $1_tmpfs_t; files_tmpfs_file($1_tmpfs_t) allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # # unconfined_domain(): # # # user_application_domain(): # type $1_t, domain, privlog $2; type $1_exec_t, file_type, sysadmfile, exec_type; role sysadm_r types $1_t; domain_auto_trans(sysadm_t, $1_exec_t, $1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) in_user_role($1_t) domain_auto_trans(userdomain, $1_exec_t, $1_t) # # uses_authbind(): # domain_auto_trans($1, authbind_exec_t, authbind_t) allow authbind_t $1:process sigchld; allow authbind_t $1:fd use; allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; # # var_lib_domain(): # type $1_var_lib_t, file_type, sysadmfile; typealias $1_var_lib_t alias var_lib_$1_t; file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file) allow $1_t $1_var_lib_t:dir rw_dir_perms; # # var_run_domain($1): # type $1_var_run_t; files_pid_file($1_var_run_t) allow $1_t $1_var_run_t:file create_file_perms; files_create_pid($1_t,$1_var_run_t) # # var_run_domain($1,$2): # type $1_var_run_t, file_type, sysadmfile, pidfile; file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2) allow $1_t var_t:dir search; allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write };