From 0059652b3b7b7ec06c5eba9422043f6d5df649ee Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 18 Jul 2011 10:13:57 -0400 Subject: [PATCH] Add spoolfile attribute so that systemd can create and delete sockets in spool file directories and with spoolfile types. Then change all files_type(.*spool_t) to files_spool_file() --- policy/modules/kernel/files.if | 85 +++++++++++++++++++++++++ policy/modules/kernel/files.te | 2 + policy/modules/services/abrt.te | 2 +- policy/modules/services/amavis.te | 2 +- policy/modules/services/apache.te | 1 + policy/modules/services/asterisk.te | 2 +- policy/modules/services/callweaver.te | 2 +- policy/modules/services/courier.te | 2 +- policy/modules/services/cron.te | 6 +- policy/modules/services/ctdbd.te | 2 +- policy/modules/services/dovecot.te | 2 +- policy/modules/services/exim.te | 2 +- policy/modules/services/inn.te | 1 + policy/modules/services/jabber.te | 2 +- policy/modules/services/kerberos.fc | 3 + policy/modules/services/lpd.te | 2 +- policy/modules/services/mta.te | 2 + policy/modules/services/nagios.te | 2 +- policy/modules/services/plymouthd.te | 2 +- policy/modules/services/postfix.te | 8 +-- policy/modules/services/postgrey.te | 2 +- policy/modules/services/prelude.te | 2 +- policy/modules/services/pyicqt.te | 2 +- policy/modules/services/qmail.te | 2 +- policy/modules/services/rpc.te | 2 +- policy/modules/services/rwho.te | 2 +- policy/modules/services/slrnpull.te | 2 +- policy/modules/services/spamassassin.te | 2 +- policy/modules/services/uptime.te | 2 +- policy/modules/services/uucp.te | 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/system/init.te | 3 + policy/modules/system/logging.te | 2 +- 33 files changed, 128 insertions(+), 31 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index c0e0b1e1..d6ca227e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ ##
  • files_pid_file()
  • ##
  • files_security_file()
  • ##
  • files_security_mountpoint()
  • +##
  • files_spool_file()
  • ##
  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • @@ -6378,6 +6379,90 @@ interface(`files_delete_all_pid_dirs',` delete_dirs_pattern($1, pidfile, pidfile) ') +######################################## +## +## Make the specified type a file +## used for spool files. +## +## +##

    +## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. +##

    +##

    +## Related interfaces: +##

    +## +##

    +## Example usage with a domain that can create and +## write its spool file in the system spool file +## directories (/var/spool): +##

    +##

    +## type myspoolfile_t; +## files_spool_file(myfile_spool_t) +## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; +## files_spool_filetrans(mydomain_t, myfile_spool_t, file) +##

    +##
+##
+##
+## Type of the file to be used as a
+## spool file.
+##
+##
+##
+#
+interface(`files_spool_file',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ files_type($1)
+ typeattribute $1 spoolfile;
+')
+
+########################################
+##
+## Create all spool sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+##
+## Delete all spool sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_all_spool_sockets',`
+ gen_require(`
+ attribute spoolfile;
+ ')
+
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
 ########################################
 ##
 ## Search the contents of generic spool
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 567322ba..20251b0d 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -10,6 +10,7 @@ attribute files_unconfined_type;
 attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
+attribute spoolfile;
 attribute configfile;
 attribute etcfile;
@@ -192,6 +193,7 @@ files_mountpoint(var_run_t)
 #
 type var_spool_t;
 files_tmp_file(var_spool_t)
+files_spool_file(var_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index ffe6d415..baad5e70 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -72,7 +72,7 @@ type abrt_retrace_cache_t;
 files_type(abrt_retrace_cache_t)
 type abrt_retrace_spool_t;
-files_type(abrt_retrace_spool_t)
+files_spool_file(abrt_retrace_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 4556eb27..ae8c5791 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
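Review bot: The usage example in the new files_spool_file() documentation declares `type myspoolfile_t;` but every following line refers to `myfile_spool_t`, so the snippet cannot compile as written; change the first example line to `## type myfile_spool_t;`. The "Related interfaces:" list appears empty in this rendering (the XML markup was lost), so I cannot tell whether files_spool_filetrans() and files_search_spool() were listed; if not, naming them would match the pidfile interfaces this block mirrors. The two socket interfaces grant only sock_file permissions on the spoolfile attribute, and a caller also needs write access on the containing spool directory to create a socket node; a one-line comment above each interface saying that the directory grant is the caller's responsibility would save the first user a denial.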
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 type amavis_spool_t;
-files_type(amavis_spool_t)
+files_spool_file(amavis_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index a079c519..edeae62c 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -340,6 +340,7 @@ typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
 # File Type of squirrelmail attachments
 type squirrelmail_spool_t;
 files_tmp_file(squirrelmail_spool_t)
+files_spool_file(squirrelmail_spool_t)
 optional_policy(`
 prelink_object_file(httpd_modules_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 0e8a352d..c873197c 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
 logging_log_file(asterisk_log_t)
 type asterisk_spool_t;
-files_type(asterisk_spool_t)
+files_spool_file(asterisk_spool_t)
 type asterisk_tmp_t;
 files_tmp_file(asterisk_tmp_t)
diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
index a67f7325..a7c96a52 100644
--- a/policy/modules/services/callweaver.te
+++ b/policy/modules/services/callweaver.te
@@ -24,7 +24,7 @@ type callweaver_var_run_t;
 files_pid_file(callweaver_var_run_t)
 type callweaver_spool_t;
-files_type(callweaver_spool_t)
+files_spool_file(callweaver_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 452741cd..59d0f964 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -15,7 +15,7 @@ courier_domain_template(pcp)
 courier_domain_template(pop)
 type courier_spool_t;
-files_type(courier_spool_t)
+files_spool_file(courier_spool_t)
 courier_domain_template(tcpd)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 18125634..894130f4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -31,7 +31,7 @@ type anacron_exec_t;
 application_executable_file(anacron_exec_t)
 type cron_spool_t;
-files_type(cron_spool_t)
+files_spool_file(cron_spool_t)
 # var/lib files
 type cron_var_lib_t;
@@ -85,7 +85,7 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 allow admin_crontab_t crond_t:process signal;
 type system_cron_spool_t, cron_spool_type;
-files_type(system_cron_spool_t)
+files_spool_file(system_cron_spool_t)
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
@@ -107,7 +107,7 @@ domain_cron_exemption_target(unconfined_cronjob_t)
 type user_cron_spool_t, cron_spool_type;
 typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
 typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
-files_type(user_cron_spool_t)
+files_spool_file(user_cron_spool_t)
 ubac_constrained(user_cron_spool_t)
 mta_system_content(user_cron_spool_t)
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
index 8ce09c40..82ba45e1 100644
--- a/policy/modules/services/ctdbd.te
+++ b/policy/modules/services/ctdbd.te
@@ -18,7 +18,7 @@ type ctdbd_log_t;
 logging_log_file(ctdbd_log_t)
 type ctdbd_spool_t;
-files_type(ctdbd_spool_t)
+files_spool_file(ctdbd_spool_t)
 type ctdbd_tmp_t;
 files_tmp_file(ctdbd_tmp_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 4bbff24b..87949e87 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -39,7 +39,7 @@ type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
 type dovecot_spool_t;
-files_type(dovecot_spool_t)
+files_spool_file(dovecot_spool_t)
 type dovecot_tmp_t;
 files_tmp_file(dovecot_tmp_t)
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 0b19f11d..6419b554 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -42,7 +42,7 @@ type exim_log_t;
 logging_log_file(exim_log_t)
 type exim_spool_t;
-files_type(exim_spool_t)
+files_spool_file(exim_spool_t)
 type exim_tmp_t;
 files_tmp_file(exim_tmp_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index dc7dd01e..2462aa7b 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
 type news_spool_t;
 files_mountpoint(news_spool_t)
+files_spool_file(news_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 0ba2bdc6..6538d66a 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -25,7 +25,7 @@ type pyicqt_log_t;
 logging_log_file(pyicqt_log_t);
 type pyicqt_var_spool_t;
-files_type(pyicqt_var_spool_t)
+files_spool_file(pyicqt_var_spool_t)
 type pyicqt_var_run_t;
 files_pid_file(pyicqt_var_run_t)
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 923e979e..74ec098c 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -30,5 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
 /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+
+krb5_host_rcache_t
 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 /var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index c08de17e..f28acd2c 100644
--- a/policy/modules/services/lpd.te
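Review bot: The kerberos.fc hunk adds a bare line `krb5_host_rcache_t` between the new /var/cache/krb5rcache entry and the existing /var/tmp/host_0 entry; a file-context line needs a path regex followed by a gen_context(), so a lone type name looks like a paste error and will most likely be rejected when the file contexts are built. Either drop that line, or, if another path was meant to be labelled krb5_host_rcache_t, complete it as a proper spec. This hunk is also unrelated to the spoolfile attribute the commit is about and would be easier to review and bisect as its own patch.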
+++ b/policy/modules/services/lpd.te
@@ -47,7 +47,7 @@ ubac_constrained(lpr_tmp_t)
 type print_spool_t;
 typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
 typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
-files_type(print_spool_t)
+files_spool_file(print_spool_t)
 ubac_constrained(print_spool_t)
 type printer_t;
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index dbddbefa..3bd4ceb2 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -25,9 +25,11 @@ userdom_user_home_content(mail_home_t)
 type mqueue_spool_t;
 files_mountpoint(mqueue_spool_t)
+files_spool_file(mqueue_spool_t)
 type mail_spool_t;
 files_mountpoint(mail_spool_t)
+files_spool_file(mail_spool_t)
 type sendmail_exec_t;
 mta_agent_executable(sendmail_exec_t)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index 8a9789ce..971f7413 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -25,7 +25,7 @@ type nagios_var_run_t;
 files_pid_file(nagios_var_run_t)
 type nagios_spool_t;
-files_type(nagios_spool_t)
+files_spool_file(nagios_spool_t)
 nagios_plugin_template(admin)
 nagios_plugin_template(checkdisk)
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index 208ef3ab..4f9a5758 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
 init_daemon_domain(plymouthd_t, plymouthd_exec_t)
 type plymouthd_spool_t;
-files_type(plymouthd_spool_t)
+files_spool_file(plymouthd_spool_t)
 type plymouthd_var_lib_t;
 files_type(plymouthd_var_lib_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 701607cd..c6a54801 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -21,7 +21,7 @@ attribute postfix_user_domtrans;
 postfix_server_domain_template(bounce)
 type postfix_spool_bounce_t, postfix_spool_type;
-files_type(postfix_spool_bounce_t)
+files_spool_file(postfix_spool_bounce_t)
 postfix_server_domain_template(cleanup)
@@ -78,13 +78,13 @@ mta_mailserver_sender(postfix_smtp_t)
 postfix_server_domain_template(smtpd)
 type postfix_spool_t, postfix_spool_type;
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
 type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
+files_spool_file(postfix_spool_maildrop_t)
 type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
+files_spool_file(postfix_spool_flush_t)
 type postfix_public_t;
 files_type(postfix_public_t)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index db843e2c..4389e81d 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
 init_script_file(postgrey_initrc_exec_t)
 type postgrey_spool_t;
-files_type(postgrey_spool_t)
+files_spool_file(postgrey_spool_t)
 type postgrey_var_lib_t;
 files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index 8f0b07e6..e0c0f70c 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
 init_script_file(prelude_initrc_exec_t)
 type prelude_spool_t;
-files_type(prelude_spool_t)
+files_spool_file(prelude_spool_t)
 type prelude_log_t;
 logging_log_file(prelude_log_t)
diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te
index a841221a..b62a01f9 100644
--- a/policy/modules/services/pyicqt.te
+++ b/policy/modules/services/pyicqt.te
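Review bot: postfix_public_t, the last context line of the second postfix.te hunk, is left on files_type() while the three postfix_spool_*_t types move to files_spool_file(); if, as the name suggests, it labels the public socket directory under /var/spool/postfix, the socket create/delete grants this commit introduces for systemd will not reach it. The same question applies to any postfix_private_t declared outside the hunk. Worth checking against postfix.fc and, if these directories do hold the sockets, adding `files_spool_file(postfix_public_t)` here.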
@@ -13,7 +13,7 @@ type pyicqt_conf_t;
 files_config_file(pyicqt_conf_t)
 type pyicqt_spool_t;
-files_type(pyicqt_spool_t)
+files_spool_file(pyicqt_spool_t)
 type pyicqt_var_run_t;
 files_pid_file(pyicqt_var_run_t)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 54329f90..88e6f401 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
 qmail_child_domain_template(qmail_splogger, qmail_start_t)
 type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
 type qmail_start_t;
 type qmail_start_exec_t;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index e8ee29bc..06e637c0 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -214,10 +214,10 @@ kernel_signal(gssd_t)
 corecmd_exec_bin(gssd_t)
-fs_search_nfsd_fs(gssd_t)
 fs_list_rpc(gssd_t)
 fs_rw_rpc_sockets(gssd_t)
 fs_read_rpc_files(gssd_t)
+fs_search_nfsd_fs(gssd_t)
 fs_list_inotifyfs(gssd_t)
 files_list_tmp(gssd_t)
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index 0ba4495b..ee398109 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
 files_type(rwho_log_t)
 type rwho_spool_t;
-files_type(rwho_spool_t)
+files_spool_file(rwho_spool_t)
 ########################################
 #
diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te
index e5e72fd9..92eecec6 100644
--- a/policy/modules/services/slrnpull.te
+++ b/policy/modules/services/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
 files_pid_file(slrnpull_var_run_t)
 type slrnpull_spool_t;
-files_type(slrnpull_spool_t)
+files_spool_file(slrnpull_spool_t)
 type slrnpull_log_t;
 logging_log_file(slrnpull_log_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 7573826a..e1f34778 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -94,7 +94,7 @@ type spamd_log_t;
 logging_log_file(spamd_log_t)
 type spamd_spool_t;
-files_type(spamd_spool_t)
+files_spool_file(spamd_spool_t)
 type spamd_tmp_t;
 files_tmp_file(spamd_tmp_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index 037a1e8b..1f8f7685 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t;
 files_config_file(uptimed_etc_t)
 type uptimed_spool_t;
-files_type(uptimed_spool_t)
+files_spool_file(uptimed_spool_t)
 type uptimed_var_run_t;
 files_pid_file(uptimed_var_run_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 4d112ba5..5e7be4f7 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
 files_type(uucpd_ro_t)
 type uucpd_spool_t;
-files_type(uucpd_spool_t)
+files_spool_file(uucpd_spool_t)
 type uucpd_log_t;
 logging_log_file(uucpd_log_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index bc547bf5..0ad8e41b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -206,7 +206,7 @@ type xdm_rw_etc_t;
 files_config_file(xdm_rw_etc_t)
 type xdm_spool_t;
-files_type(xdm_spool_t)
+files_spool_file(xdm_spool_t)
 type xdm_var_lib_t;
 files_type(xdm_var_lib_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 82cf8aed..308297da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -286,6 +286,7 @@ tunable_policy(`init_systemd',`
 dev_manage_sysfs_dirs(init_t)
 dev_relabel_sysfs_dirs(init_t)
+ files_search_all(init_t)
 files_mounton_all_mountpoints(init_t)
 files_unmount_all_file_type_fs(init_t)
 files_manage_all_pid_dirs(init_t)
@@ -293,6 +294,8 @@ tunable_policy(`init_systemd',`
 files_relabel_all_pid_files(init_t)
 files_create_all_pid_sockets(init_t)
 files_delete_all_pid_sockets(init_t)
+ files_create_all_spool_sockets(init_t)
+ files_delete_all_spool_sockets(init_t)
 files_manage_urandom_seed(init_t)
 files_list_locks(init_t)
 files_list_spool(init_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index eedd444f..fa034d6a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -20,7 +20,7 @@ files_security_file(auditd_log_t)
 files_security_mountpoint(auditd_log_t)
 type audit_spool_t;
-files_type(audit_spool_t)
+files_spool_file(audit_spool_t)
 files_security_file(audit_spool_t)
 files_security_mountpoint(audit_spool_t)
-- 
2.47.2
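Review bot: `files_search_all(init_t)` in the first init.te hunk grants directory search across every file type, which is broader than the spool-socket purpose the commit message gives; the next hunk's context already carries files_list_spool(init_t), so if reaching spool directories is the only need, `files_search_spool(init_t)` is the narrower grant. If systemd under init_systemd genuinely has to traverse arbitrary directories, a short comment above the line recording that reason would stop a later reviewer from tightening it again. The tunable_policy block this line sits in begins outside the hunk.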
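Review bot: `files_create_all_spool_sockets(init_t)` in the second init.te hunk grants create on sock_file objects of spoolfile types, but creating a socket node also needs add_name/write on the parent directory, and the only spool-directory grant visible here is files_list_spool(init_t); unless a directory write permission on spool directories is granted elsewhere (not visible in this hunk), the creation will still be denied. The pidfile lines just above pair their socket interfaces with files_manage_all_pid_dirs(init_t) in the first hunk's context, so the spool side seems to need the equivalent directory grant, either here or inside the new interface. The enclosing tunable_policy block starts outside the hunk.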
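Review bot: In the logging.te hunk audit_spool_t now carries the spoolfile attribute while the context lines keep it a files_security_file and files_security_mountpoint, so the attribute-wide files_create_all_spool_sockets()/files_delete_all_spool_sockets() interfaces added by this commit allow init_t, and any future caller of those interfaces, to create and unlink socket nodes in the audit spool directory. If that exposure is not wanted for an auditd-owned security location, leaving this type on `files_type(audit_spool_t)` keeps it out of the attribute; if it is accepted, a comment on the line saying so would document the decision.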