Switch pipe reading on domtrans to inherited only

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>

policy/modules/admin/su.if

@@ -55,7 +55,7 @@ template(`su_restricted_domain_template', `
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t,$2)
 	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_fifo_file_perms;
+	allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $2 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
@@ -164,7 +164,7 @@ template(`su_role_template',`
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t, $3)
 	allow $3 $1_su_t:fd use;
-	allow $3 $1_su_t:fifo_file rw_fifo_file_perms;
+	allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $3 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)

policy/modules/roles/sysadm.if

@@ -76,7 +76,7 @@ interface(`sysadm_shell_domtrans',`
 
 	corecmd_shell_domtrans($1, sysadm_t)
 	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_fifo_file_perms;
+	allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
 	allow sysadm_t $1:process sigchld;
 ')
 
@@ -97,7 +97,7 @@ interface(`sysadm_bin_spec_domtrans',`
 
 	corecmd_bin_spec_domtrans($1, sysadm_t)
 	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_fifo_file_perms;
+	allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
 	allow sysadm_t $1:process sigchld;
 ')
 
@@ -120,7 +120,7 @@ interface(`sysadm_entry_spec_domtrans',`
 
 	domain_entry_file_spec_domtrans($1, sysadm_t)
 	allow sysadm_t $1:fd use;
-	allow sysadm_t $1:fifo_file rw_fifo_file_perms;
+	allow sysadm_t $1:fifo_file rw_inherited_fifo_file_perms;
 	allow sysadm_t $1:process sigchld;
 ')
 
@@ -155,7 +155,7 @@ interface(`sysadm_entry_spec_domtrans_to',`
 
 	domain_entry_file_spec_domtrans(sysadm_t, $1)
 	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+	allow $1 sysadm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $1 sysadm_t:process sigchld;
 ')
 
@@ -189,7 +189,7 @@ interface(`sysadm_bin_spec_domtrans_to',`
 
 	corecmd_bin_spec_domtrans(sysadm_t, $1)
 	allow $1 sysadm_t:fd use;
-	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
+	allow $1 sysadm_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $1 sysadm_t:process sigchld;
 ')
 

policy/modules/services/ssh.if

@@ -58,7 +58,7 @@ template(`ssh_basic_client_template',`
 	allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid };
 	allow $1_ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 	allow $1_ssh_t self:fd use;
-	allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
+	allow $1_ssh_t self:fifo_file rw_inherited_fifo_file_perms;
 	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 	allow $1_ssh_t self:shm create_shm_perms;
@@ -405,7 +405,7 @@ template(`ssh_role_template',`
 	userdom_search_user_home_content($1_ssh_agent_t)
 	userdom_user_home_domtrans($1_ssh_agent_t, $3)
 	allow $3 $1_ssh_agent_t:fd use;
-	allow $3 $1_ssh_agent_t:fifo_file rw_fifo_file_perms;
+	allow $3 $1_ssh_agent_t:fifo_file rw_inherited_fifo_file_perms;
 	allow $3 $1_ssh_agent_t:process sigchld;
 
 	tunable_policy(`use_nfs_home_dirs',`

policy/modules/services/ssh.te

@@ -183,7 +183,7 @@ tunable_policy(`allow_ssh_keysign',`
 	domain_auto_transition_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 	allow ssh_keysign_t ssh_t:fd use;
 	allow ssh_keysign_t ssh_t:process sigchld;
-	allow ssh_keysign_t ssh_t:fifo_file rw_fifo_file_perms;
+	allow ssh_keysign_t ssh_t:fifo_file rw_inherited_fifo_file_perms;
 ')
 
 tunable_policy(`use_nfs_home_dirs',`

policy/modules/system/userdomain.if

@@ -3968,7 +3968,7 @@ interface(`userdom_spec_domtrans_all_users',`
 
 	corecmd_shell_spec_domtrans($1, userdomain)
 	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_fifo_file_perms;
+	allow userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow userdomain $1:process sigchld;
 ')
 
@@ -3991,7 +3991,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
 
 	xserver_xsession_spec_domtrans($1, userdomain)
 	allow userdomain $1:fd use;
-	allow userdomain $1:fifo_file rw_fifo_file_perms;
+	allow userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow userdomain $1:process sigchld;
 ')
 
@@ -4014,7 +4014,7 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 
 	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+	allow unpriv_userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@@ -4037,7 +4037,7 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
 
 	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+	allow unpriv_userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@@ -4134,7 +4134,7 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
 
 	corecmd_bin_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+	allow unpriv_userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
 ')
 
@@ -4157,7 +4157,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
 
 	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
 	allow unpriv_userdomain $1:fd use;
-	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
+	allow unpriv_userdomain $1:fifo_file rw_inherited_fifo_file_perms;
 	allow unpriv_userdomain $1:process sigchld;
 ')