change over to some perm set macros. add indentation

2005-06-03 12:25:14 +00:00 · 2005-06-03 12:25:14 +00:00 · 0c73cd2526
commit 0c73cd2526
parent 36e54b81f7
58 changed files with 6523 additions and 5316 deletions
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -302,7 +302,7 @@ tmp/policy.xml: $(ALL_INTERFACES) tmp/generated_definitions.conf
 		$(XMLLINT) --noout --dtdvalid $(XMLDTD) $@ ;\
 	fi
-$(JAVABYTE) doctool: $(JAVASRC)
+$(JAVABYTE): $(JAVASRC)
 	javac $(JAVASRC)
 html: tmp/policy.xml $(JAVABYTE) $(HTMLHEAD) $(HTMLFOOT)
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@ -5,10 +5,12 @@
 #
 define(`consoletype_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 consoletype_exec_t:file { getattr read execute };
 	allow $1 consoletype_t:process transition;
 	type_transition $1 consoletype_exec_t:process consoletype_t;
 	dontaudit $1 consoletype_t:process { noatsecure siginh rlimitinh };
 	allow $1 consoletype_t:fd use;
 	allow consoletype_t $1:fd use;
 	allow consoletype_t $1:fifo_file rw_file_perms;
@ -17,6 +19,7 @@ allow consoletype_t $1:process sigchld;
 define(`consoletype_transition_depend',`
 	type consoletype_t, consoletype_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -29,10 +32,12 @@ class fifo_file rw_file_perms;
 #
 define(`consoletype_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`consoletype_execute_depend',`
 	type consoletype_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@ -14,10 +14,12 @@
 #
 define(`dmesg_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 dmesg_exec_t:file { getattr read execute };
 	allow $1 dmesg_t:process transition;
 	type_transition $1 dmesg_exec_t:process dmesg_t;
 	dontaudit $1 dmesg_t:process { noatsecure siginh rlimitinh };
 	allow $1 dmesg_t:fd use;
 	allow dmesg_t $1:fd use;
 	allow dmesg_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow dmesg_t $1:process sigchld;
 define(`dmesg_transition_depend',`
 	type dmesg_t, dmesg_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -45,11 +48,13 @@ class fifo_file rw_file_perms;
 #
 define(`dmesg_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 dmesg_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`dmesg_execute_depend',`
 	type dmesg_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@ -5,10 +5,12 @@
 #
 define(`netutils_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 netutils_exec_t:file { getattr read execute };
 	allow $1 netutils_t:process transition;
 	type_transition $1 netutils_exec_t:process netutils_t;
 	dontaudit $1 netutils_t:process { noatsecure siginh rlimitinh };
 	allow $1 netutils_t:fd use;
 	allow netutils_t $1:fd use;
 	allow netutils_t $1:fifo_file rw_file_perms;
@ -17,6 +19,7 @@ allow netutils_t $1:process sigchld;
 define(`netutils_transition_depend',`
 	type netutils_t, netutils_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -29,10 +32,12 @@ class fifo_file rw_file_perms;
 #
 define(`netutils_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 netutils_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`netutils_execute_depend',`
 	type netutils_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@ -14,10 +14,12 @@
 #
 define(`rpm_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 rpm_exec_t:file { getattr read execute };
 	allow $1 rpm_t:process transition;
 	type_transition $1 rpm_exec_t:process rpm_t;
 	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
 	allow $1 rpm_t:fd use;
 	allow rpm_t $1:fd use;
 	allow rpm_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow rpm_t $1:process sigchld;
 define(`rpm_transition_depend',`
 	type rpm_t, rpm_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -51,6 +54,7 @@ class fifo_file rw_file_perms;
 #
 define(`rpm_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	rpm_transition($1)
 	role $2 types rpm_t;
 	role $2 types rpm_script_t;
@ -59,6 +63,7 @@ allow rpm_t $3:chr_file { getattr read write ioctl };
 define(`rpm_transition_add_role_use_terminal_depend',`
 	type rpm_t, rpm_script_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -75,11 +80,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`rpm_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 rpm_t:fd use;
 ')
 define(`rpm_use_file_descriptors_depend',`
 	type rpm_t;
 	class fd use;
 ')
@ -96,11 +103,13 @@ class fd use;
 #
 define(`rpm_read_pipe',`
 	requires_block_template(`$0'_depend)
 	allow $1 rpm_t:fifo_file { getattr read };
 ')
 define(`rpm_read_pipe_depend',`
 	type rpm_t;
 	class fifo_file { getattr read };
 ')
@ -117,6 +126,7 @@ class fifo_file { getattr read };
 #
 define(`rpm_read_package_database',`
 	requires_block_template(`$0'_depend)
 	allow $1 rpm_var_lib_t:dir { getattr read search };
 	allow $1 rpm_var_lib_t:file { read getattr };
 	allow $1 rpm_var_lib_t:lnk_file { getattr read };
@ -124,6 +134,7 @@ allow $1 rpm_var_lib_t:lnk_file { getattr read };
 define(`rpm_read_package_database_depend',`
 	type rpm_var_lib_t_t;
 	class dir { search getattr read };
 	class lnk_file { getattr read };
 	class file { getattr read };
@ -135,6 +146,7 @@ class file { getattr read };
 #
 define(`rpm_manage_package_database',`
 	requires_block_template(`$0'_depend)
 	allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
 	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
 	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
@ -142,6 +154,7 @@ allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
 define(`rpm_manage_package_database_depend',`
 	type rpm_var_lib_t_t;
 	class dir { search getattr read };
 	class lnk_file { getattr read };
 	class file { getattr read };
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@ -14,10 +14,12 @@
 #
 define(`usermanage_chfn_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 chfn_exec_t:file { getattr read execute };
 	allow $1 chfn_t:process transition;
 	type_transition $1 chfn_exec_t:process chfn_t;
 	dontaudit $1 chfn_t:process { noatsecure siginh rlimitinh };
 	allow $1 chfn_t:fd use;
 	allow chfn_t $1:fd use;
 	allow chfn_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow chfn_t $1:process sigchld;
 define(`usermanage_chfn_transition_depend',`
 	type chfn_t, chfn_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -52,6 +55,7 @@ class fifo_file rw_file_perms;
 #
 define(`usermanage_chfn_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	usermanage_chfn_transition($1)
 	role $2 types chfn_t;
 	allow chfn_t $3:chr_file { getattr read write ioctl };
@ -59,6 +63,7 @@ allow chfn_t $3:chr_file { getattr read write ioctl };
 define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
 	type chfn_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -75,10 +80,12 @@ class chr_file { getattr read write ioctl };
 #
 define(`usermanage_groupadd_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 groupadd_exec_t:file { getattr read execute };
 	allow $1 groupadd_t:process transition;
 	type_transition $1 groupadd_exec_t:process groupadd_t;
 	dontaudit $1 groupadd_t:process { noatsecure siginh rlimitinh };
 	allow $1 groupadd_t:fd use;
 	allow groupadd_t $1:fd use;
 	allow groupadd_t $1:fifo_file rw_file_perms;
@ -87,6 +94,7 @@ allow groupadd_t $1:process sigchld;
 define(`usermanage_groupadd_transition_depend',`
 	type groupadd_t, groupadd_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -113,6 +121,7 @@ class fifo_file rw_file_perms;
 #
 define(`usermanage_groupadd_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	usermanage_groupadd_transition($1)
 	role $2 types groupadd_t;
 	allow groupadd_t $3:chr_file { getattr read write ioctl };
@ -120,6 +129,7 @@ allow groupadd_t $3:chr_file { getattr read write ioctl };
 define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
 	type groupadd_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -136,10 +146,12 @@ class chr_file { getattr read write ioctl };
 #
 define(`usermanage_passwd_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 passwd_exec_t:file { getattr read execute };
 	allow $1 passwd_t:process transition;
 	type_transition $1 passwd_exec_t:process passwd_t;
 	dontaudit $1 passwd_t:process { noatsecure siginh rlimitinh };
 	allow $1 passwd_t:fd use;
 	allow passwd_t $1:fd use;
 	allow passwd_t $1:fifo_file rw_file_perms;
@ -148,6 +160,7 @@ allow passwd_t $1:process sigchld;
 define(`usermanage_passwd_transition_depend',`
 	type passwd_t, passwd_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -174,6 +187,7 @@ class fifo_file rw_file_perms;
 #
 define(`usermanage_passwd_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	usermanage_passwd_transition($1)
 	role $2 types passwd_t;
 	allow passwd_t $3:chr_file { getattr read write ioctl };
@ -181,6 +195,7 @@ allow passwd_t $3:chr_file { getattr read write ioctl };
 define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
 	type passwd_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -197,10 +212,12 @@ class chr_file { getattr read write ioctl };
 #
 define(`usermanage_useradd_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 useradd_exec_t:file { getattr read execute };
 	allow $1 useradd_t:process transition;
 	type_transition $1 useradd_exec_t:process useradd_t;
 	dontaudit $1 useradd_t:process { noatsecure siginh rlimitinh };
 	allow $1 useradd_t:fd use;
 	allow useradd_t $1:fd use;
 	allow useradd_t $1:fifo_file rw_file_perms;
@ -209,6 +226,7 @@ allow useradd_t $1:process sigchld;
 define(`usermanage_useradd_transition_depend',`
 	type useradd_t, useradd_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -235,6 +253,7 @@ class fifo_file rw_file_perms;
 #
 define(`usermanage_useradd_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	usermanage_useradd_transition($1)
 	role $2 types useradd_t;
 	allow useradd_t $3:chr_file { getattr read write ioctl };
@ -242,6 +261,7 @@ allow useradd_t $3:chr_file { getattr read write ioctl };
 define(`usermanage_useradd_transition_add_role_use_terminal_depend',`
 	type useradd_t;
 	class chr_file { getattr read write ioctl };
 ')
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -46,9 +46,12 @@ role $1_r types $1_gpg_pinentry_t;
 	allow $1_t $1_gpg_t:process transition;
 	allow $1_t gpg_exec_t:file { getattr read execute };
 	type_transition $1_t gpg_exec_t:process $1_gpg_t;
 	dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 	allow $1_t $1_gpg_t:fd use;
 	allow $1_gpg_t $1_t:fd use;
 	allow $1_gpg_t $1_t:fifo_file rw_file_perms;
 	allow $1_gpg_t $1_t:process sigchld;
 	allow $1_gpg_t self:capability { ipc_lock setuid };
 	allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
@ -158,9 +161,12 @@ dontaudit $1_gpg_t var_t:dir search;
 	allow $1_gpg_t $1_gpg_helper_t:process transition;
 	allow $1_gpg_t gpg_helper_exec_t:file { getattr read execute };
 	type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t;
 	dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh };
 	allow $1_gpg_t $1_gpg_helper_t:fd use;
-allow $1_gpg_helper_t $1_t:fd use;
+	allow $1_gpg_helper_t $1_gpg_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file rw_file_perms;
+	allow $1_gpg_helper_t $1_gpg_t:fifo_file rw_file_perms;
 	allow $1_gpg_helper_t $1_gpg_t:process sigchld;
 	allow $1_gpg_helper_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
@ -278,9 +284,12 @@ can_unix_connect($1_gpg_t, $1_gpg_agent_t)
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition;
 	allow $1_gpg_agent_t pinentry_exec_t:file { getattr read execute };
 	type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t;
 	dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh };
 	allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:fifo_file rw_file_perms;
 	allow $1_gpg_agent_t $1_gpg_pinentry_t:process sigchld;
 	allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
 	allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
@ -307,7 +316,7 @@ allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
 		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
 		can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
 		allow $1_gpg_pinentry_t xdm_t:fd use;
-')dnl end ig xdm.te
+	')
 	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
@ -334,5 +343,5 @@ dontaudit $1_gpg_pinentry_t cifs_t:file write;
 	dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
 	') dnl end TODO
-') dnl end gpg_per_userdomain_template
+')
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -148,10 +148,13 @@ allow bootloader_t boot_t:file relabelfrom;
 tunable_policy(`distro_redhat', `
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t boot_runtime_t:file { read getattr unlink };
 	# mkinitrd mount initrd on bootloader temp dir
 	files_make_mountpoint(bootloader_tmp_t)
 	# for mke2fs
 	mount_transition(bootloader_t)
 ')
@ -164,6 +167,7 @@ filesystemtools_execute(bootloader_t)
 # maybe we should change the labeling for this
 optional_policy(`lvm.te', `
 	devices_use_lvm_control_channel(bootloader_t)
 	lvm_transition(bootloader_t)
 	lvm_read_config(bootloader_t)
 ')
@ -194,6 +198,7 @@ allow bootloader_t initrc_var_run_t:dir r_dir_perms;
 	allow bootloader_t var_lib_t:dir search;
 	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
 	allow bootloader_t dpkg_var_lib_t:file { getattr read };
 	# for /usr/share/initrd-tools/scripts
 	can_exec(bootloader_t, usr_t)
 ')
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -276,24 +276,29 @@ define(`devices_manage_dev_symbolic_links_depend',`
 #
 define(`devices_manage_device_nodes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 	allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
 	allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
 	allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
 	# these next rules are to satisfy assertions broken by the above lines.
 	# the permissions hopefully can be cut back a lot
 	storage_raw_read_fixed_disk($1)
 	storage_raw_write_fixed_disk($1)
 	storage_read_scsi_generic($1)
 	storage_write_scsi_generic($1)
 	typeattribute $1 memory_raw_read;
 	typeattribute $1 memory_raw_write;
 ')
 define(`devices_manage_device_nodes_depend',`
 	attribute device_node, memory_raw_read, memory_raw_write;
 	type device_t;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 	class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 	class lnk_file { create read getattr setattr link unlink rename };
@ -307,11 +312,13 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`devices_ignore_modify_generic_devices',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
 ')
 define(`devices_ignore_modify_generic_devices_depend',`
 	type device_t;
 	class chr_file { getattr read write ioctl };
 	class blk_file { getattr read write ioctl };
 ')
@ -322,14 +329,16 @@ class blk_file { getattr read write ioctl };
 #
 define(`devices_manage_generic_block_devices',`
 	requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
+
-allow $1 device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_t:blk_file create_file_perms;
 ')
 define(`devices_manage_generic_block_devices_depend',`
 	type device_t;
-class dir r_dir_perms;
+
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
 	class blk_file create_file_perms;
 ')
 ########################################
@ -338,14 +347,16 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`devices_manage_generic_character_devices',`
 	requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
+
-allow $1 device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_t:chr_file create_file_perms;
 ')
 define(`devices_manage_generic_character_devices_depend',`
 	type device_t;
-class dir r_dir_perms;
+
-class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
 	class chr_file create_file_perms;
 ')
 ########################################
@ -354,8 +365,10 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`devices_create_dev_entry',`
 	requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
+
 	allow $1 device_t:dir rw_dir_perms;
 	type_transition $1 device_t:$3 $2;
 	optional_policy(`distro_redhat',`
 		filesystem_tmpfs_associate($2)
 	')
@ -363,7 +376,8 @@ filesystem_tmpfs_associate($2)
 define(`devices_set_dev_entry_depend',`
 	type device_t;
-class dir { getattr search read write add_name remove_name };
+
 	class dir rw_dir_perms;
 ')
 ########################################
@ -372,12 +386,14 @@ class dir { getattr search read write add_name remove_name };
 #
 define(`devices_get_all_block_device_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 device_node:blk_file getattr;
 ')
 define(`devices_get_all_block_device_attributes_depend',`
 	attribute device_node;
 	class blk_file getattr;
 	class dir r_dir_perms;
 ')
@ -388,11 +404,13 @@ class dir r_dir_perms;
 #
 define(`devices_ignore_get_all_block_device_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_node:blk_file getattr;
 ')
 define(`devices_ignore_get_all_block_device_attributes_depend',`
 	attribute device_node;
 	class blk_file getattr;
 ')
@ -402,12 +420,14 @@ class blk_file getattr;
 #
 define(`devices_get_all_character_device_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 device_node:chr_file getattr;
 ')
 define(`devices_get_all_character_device_attributes_depend',`
 	attribute device_node;
 	class chr_file getattr;
 	class dir r_dir_perms;
 ')
@ -418,11 +438,13 @@ class dir r_dir_perms;
 #
 define(`devices_ignore_get_all_character_device_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 device_node:chr_file getattr;
 ')
 define(`devices_ignore_get_all_character_device_attributes_depend',`
 	attribute device_node;
 	class chr_file getattr;
 ')
@ -432,11 +454,15 @@ class chr_file getattr;
 #
 define(`devices_set_all_block_device_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 device_node:blk_file setattr;
 ')
 define(`devices_set_all_block_device_attributes_depend',`
 	attribute device_node;
 	class dir r_dir_perms;
 	class blk_file setattr;
 ')
@ -446,11 +472,15 @@ class blk_file setattr;
 #
 define(`devices_set_all_character_device_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 device_node:chr_file setattr;
 ')
 define(`devices_set_all_character_device_attributes_depend',`
 	attribute device_node;
 	class dir r_dir_perms;
 	class chr_file setattr;
 ')
@ -460,8 +490,10 @@ class chr_file setattr;
 #
 define(`devices_manage_all_block_devices',`
 	requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
+
-allow $1 device_node:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_node:blk_file create_file_perms;
 	# these next rules are to satisfy assertions broken by the above lines.
 	storage_raw_read_fixed_disk($1)
 	storage_raw_write_fixed_disk($1)
@ -471,8 +503,9 @@ storage_write_scsi_generic($1)
 define(`devices_manage_generic_block_devices_depend',`
 	attribute device_node;
-class dir r_dir_perms;
+
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
 	class blk_file create_file_perms;
 ')
 ########################################
@ -481,15 +514,18 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`devices_manage_all_character_devices',`
 	requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr search read write add_name remove_name };
+
-allow $1 device_node:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 device_t:dir rw_dir_perms;
 	allow $1 device_node:chr_file create_file_perms;
 	typeattribute $1 memory_raw_read, memory_raw_write;
 ')
 define(`devices_manage_all_character_devices_depend',`
 	attribute device_node, memory_raw_read, memory_raw_write;
-class dir r_dir_perms;
+
-class chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir rw_dir_perms;
 	class chr_file create_file_perms;
 ')
 ########################################
@ -498,17 +534,19 @@ class chr_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`devices_raw_read_memory',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_read;
+
 	allow $1 device_t:dir r_dir_perms;
-allow $1 memory_device_t:chr_file { getattr read ioctl };
+	allow $1 memory_device_t:chr_file r_file_perms;
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_read;
 ')
 define(`devices_raw_read_memory_depend',`
 type device_t, memory_device_t;
 attribute memory_raw_read;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 class capability sys_rawio;
 ')
@ -518,10 +556,12 @@ class capability sys_rawio;
 #
 define(`devices_raw_write_memory',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_write;
+
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 memory_device_t:chr_file write;
 	allow $1 self:capability sys_rawio;
 	typeattribute $1 memory_raw_write;
 ')
 define(`devices_raw_write_memory_depend',`
@ -538,12 +578,14 @@ class capability sys_rawio;
 #
 define(`devices_legacy_raw_read_memory',`
 	requires_block_template(`$0'_depend)
 	devices_raw_read_memory($1)
 	allow $1 memory_device_t:chr_file execute;
 ')
 define(`devices_legacy_raw_read_memory_depend',`
 	type device_t, memory_device_t;
 	class chr_file execute;
 ')
@ -553,12 +595,14 @@ class chr_file execute;
 #
 define(`devices_legacy_raw_write_memory',`
 	requires_block_template(`$0'_depend)
 	devices_raw_write_memory($1)
 	allow $1 memory_device_t:chr_file execute;
 ')
 define(`devices_legacy_raw_write_memory_depend',`
 	type device_t, memory_device_t;
 	class chr_file execute;
 ')
@ -568,14 +612,16 @@ class chr_file execute;
 #
 define(`devices_get_random_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 random_device_t:chr_file { getattr read ioctl };
+	allow $1 random_device_t:chr_file r_file_perms;
 ')
 define(`devices_get_random_data_depend',`
 	type device_t, random_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -584,14 +630,16 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_get_pseudorandom_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 urandom_device_t:chr_file { getattr read ioctl };
+	allow $1 urandom_device_t:chr_file r_file_perms;
 ')
 define(`devices_get_pseudorandom_data_depend',`
 	type device_t, urandom_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -600,12 +648,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_add_entropy',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 random_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_add_entropy_depend',`
 	type device_t, random_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -616,12 +666,14 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_set_pseudorandom_seed',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 urandom_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_set_pseudorandom_seed_depend',`
 	type device_t, urandom_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -632,12 +684,14 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_use_dev_null',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 null_device_t:chr_file rw_file_perms;
 ')
 define(`devices_use_dev_null_depend',`
 	type device_t, null_device_t;
 	class device_t:dir r_dir_perms;
 	class chr_file rw_file_perms;
 ')
@ -648,12 +702,14 @@ class chr_file rw_file_perms;
 #
 define(`devices_use_dev_zero',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 zero_device_t:chr_file rw_file_perms;
 ')
 define(`devices_use_dev_zero_depend',`
 	type device_t, zero_device_t;
 	class device_t:dir r_dir_perms;
 	class chr_file r_file_perms;
 ')
@ -664,12 +720,14 @@ class chr_file r_file_perms;
 #
 define(`devices_legacy_use_dev_zero',`
 	requires_block_template(`$0'_depend)
 	devices_use_dev_zero($1)
 	allow $1 zero_device_t:chr_file execute;
 ')
 define(`devices_legacy_use_dev_zero_depend',`
 	type zero_device_t;
 	class chr_file execute;
 ')
@ -679,14 +737,15 @@ class chr_file execute;
 #
 define(`devices_read_realtime_clock',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 clock_device_t:chr_file { getattr read ioctl };
+	allow $1 clock_device_t:chr_file r_file_perms;
 ')
 define(`devices_read_realtime_clock_depend',`
 type device_t, clock_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 ########################################
@ -695,12 +754,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_write_realtime_clock',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
 ')
 define(`devices_write_realtime_clock_depend',`
 	type device_t, clock_device_t;
 	class dir r_dir_perms;
 	class chr_file { setattr lock write append ioctl };
 ')
@ -720,14 +781,15 @@ devices_write_realtime_clock($1)
 #
 define(`devices_record_sound_input',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 sound_device_t:chr_file { getattr read ioctl };
+	allow $1 sound_device_t:chr_file r_file_perms;
 ')
 define(`devices_record_sound_input_depend',`
 type device_t, sound_device_t;
 class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+class chr_file r_file_perms;
 ')
 ########################################
@ -736,12 +798,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_play_sound',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_play_sound_depend',`
 	type device_t, sound_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -752,12 +816,14 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_read_sound_mixer_levels',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
 define(`devices_read_sound_mixer_levels_depend',`
 	type device_t, sound_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr read ioctl };
 ')
@ -768,12 +834,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_write_sound_mixer_levels',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_write_sound_mixer_levels_depend',`
 	type device_t, sound_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -784,14 +852,16 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_direct_agp_access',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 agp_device_t:chr_file { getattr read write ioctl };
+	allow $1 agp_device_t:chr_file rw_file_perms;
 ')
 define(`devices_direct_agp_access_depend',`
 	type device_t, agp_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
@ -800,12 +870,14 @@ class chr_file { getattr read write ioctl };
 #
 define(`devices_get_direct_rendering_interface_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 dri_device_t:chr_file getattr;
 ')
 define(`devices_get_direct_rendering_interface_attributes_depend',`
 	type device_t, dri_device_t;
 	class dir r_dir_perms;
 	class chr_file getattr;
 ')
@ -816,14 +888,16 @@ class chr_file getattr;
 #
 define(`devices_use_direct_rendering_interface',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 dri_device_t:chr_file { getattr read write ioctl };
+	allow $1 dri_device_t:chr_file rw_file_perms;
 ')
 define(`devices_use_direct_rendering_interface_depend',`
 	type device_t, dri_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
@ -832,11 +906,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`devices_ignore_use_direct_rendering_interface',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
 ')
 define(`devices_ignore_use_direct_rendering_interface_depend',`
 	type dri_device_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -846,14 +922,16 @@ class chr_file { getattr read write ioctl };
 #
 define(`devices_read_mtrr',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 mtrr_device_t:chr_file { getattr read ioctl };
+	allow $1 mtrr_device_t:chr_file r_file_perms;
 ')
 define(`devices_read_mtrr_depend',`
 	type device_t, mtrr_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -862,12 +940,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_write_mtrr',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_write_mtrr_depend',`
 	type device_t, mtrr_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -878,14 +958,16 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_read_framebuffer',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 framebuf_device_t:chr_file { getattr read ioctl };
+	allow $1 framebuf_device_t:chr_file r_file_perms;
 ')
 define(`devices_read_framebuffer_depend',`
 	type framebuf_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -894,12 +976,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_write_framebuffer',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_write_framebuffer_depend',`
 	type device_t, framebuf_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -910,14 +994,16 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_read_lvm_control_channel',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { getattr read };
+	allow $1 lvm_control_t:chr_file r_file_perms;
 ')
 define(`devices_read_lvm_control_channel_depend',`
-type lvm_control_t;
+	type device_t, lvm_control_t;
 	class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -926,14 +1012,16 @@ class chr_file { ioctl read getattr lock write append };
 #
 define(`devices_use_lvm_control_channel',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
+	allow $1 lvm_control_t:chr_file rw_file_perms;
 ')
 define(`devices_use_lvm_control_channel_depend',`
-type lvm_control_t;
+	type device_t, lvm_control_t;
 	class dir r_dir_perms;
-class chr_file { ioctl read getattr lock write append };
+	class chr_file rw_file_perms;
 ')
 ########################################
@ -942,12 +1030,14 @@ class chr_file { ioctl read getattr lock write append };
 #
 define(`devices_remove_lvm_control_channel',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir { getattr search read write remove_name };
 	allow $1 lvm_control_t:chr_file unlink;
 ')
 define(`devices_remove_lvm_control_channel_depend',`
-type lvm_control_t;
+	type device_t, lvm_control_t;
 	class dir { getattr search read write remove_name };
 	class chr_file unlink;
 ')
@ -958,14 +1048,16 @@ class chr_file unlink;
 #
 define(`devices_read_misc',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 misc_device_t:chr_file { getattr read ioctl };
+	allow $1 misc_device_t:chr_file r_file_perms;
 ')
 define(`devices_read_misc_depend',`
 	type device_t, misc_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -974,12 +1066,14 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_write_misc',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
 	allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
 define(`devices_write_misc_depend',`
 	type device_t, misc_device_t;
 	class dir r_dir_perms;
 	class chr_file { getattr write ioctl };
 ')
@ -990,14 +1084,16 @@ class chr_file { getattr write ioctl };
 #
 define(`devices_get_mouse_input',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 mouse_device_t:chr_file { getattr read ioctl };
+	allow $1 mouse_device_t:chr_file r_file_perms;
 ')
 define(`devices_get_mouse_input_depend',`
 	type device_t, mouse_device_t;
 	allow $1 device_t:dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -1006,14 +1102,16 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_get_input_event',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 event_device_t:chr_file { getattr read ioctl };
+	allow $1 event_device_t:chr_file r_file_perms;
 ')
 define(`devices_get_input_event_depend',`
 	type device_t, event_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -1022,14 +1120,16 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_get_cpuid',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read ioctl };
+	allow $1 cpu_device_t:chr_file r_file_perms;
 ')
 define(`devices_get_cpuid_depend',`
 	type device_t, cpu_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read ioctl };
+	class chr_file r_file_perms;
 ')
 ########################################
@ -1038,14 +1138,16 @@ class chr_file { getattr read ioctl };
 #
 define(`devices_load_cpu_microcode',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 cpu_device_t:chr_file { getattr read write ioctl };
+	allow $1 cpu_device_t:chr_file rw_file_perms;
 ')
 define(`devices_load_cpu_microcode_depend',`
 	type device_t, cpu_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
@ -1054,14 +1156,16 @@ class chr_file { getattr read write ioctl };
 #
 define(`devices_use_scanner',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 scanner_device_t:chr_file { getattr read write ioctl };
+	allow $1 scanner_device_t:chr_file rw_file_perms;
 ')
 define(`devices_use_scanner_depend',`
 	type device_t, scanner_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ########################################
@ -1070,14 +1174,16 @@ class chr_file { getattr read write ioctl };
 #
 define(`devices_control_system_powermanagement',`
 	requires_block_template(`$0'_depend)
 	allow $1 device_t:dir r_dir_perms;
-allow $1 power_device_t:chr_file { getattr read write ioctl };
+	allow $1 power_device_t:chr_file rw_file_perms;
 ')
 define(`devices_control_system_powermanagement_depend',`
 	type device_t, power_device_t;
 	class dir r_dir_perms;
-class chr_file { getattr read write ioctl };
+	class chr_file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -15,12 +15,14 @@
 #
 define(`storage_get_fixed_disk_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 define(`storage_get_fixed_disk_attributes_depend',`
 	type fixed_disk_device_t;
 	class blk_file getattr;
 ')
@ -38,11 +40,13 @@ class blk_file getattr;
 #
 define(`storage_ignore_get_fixed_disk_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
 define(`storage_ignore_get_fixed_disk_attributes_depend',`
 	type fixed_disk_device_t;
 	class blk_file getattr;
 ')
@ -60,12 +64,14 @@ class blk_file getattr;
 #
 define(`storage_set_fixed_disk_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 define(`storage_set_fixed_disk_attributes_depend',`
 	type fixed_disk_device_t;
 	class blk_file setattr;
 ')
@ -85,15 +91,18 @@ class blk_file setattr;
 #
 define(`storage_raw_read_fixed_disk',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
+
 	devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
+	allow $1 fixed_disk_device_t:blk_file r_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
 define(`storage_raw_read_fixed_disk_depend',`
 type fixed_disk_device_t;
 	attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+
 	type fixed_disk_device_t;
 	class blk_file r_file_perms;
 ')
 ########################################
@ -112,14 +121,17 @@ class blk_file { getattr read ioctl };
 #
 define(`storage_raw_write_fixed_disk',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
+
 	devices_list_device_nodes($1)
 	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
 	typeattribute $1 fixed_disk_raw_write;
 ')
 define(`storage_raw_write_fixed_disk_depend',`
 type fixed_disk_device_t;
 	attribute fixed_disk_raw_write;
 	type fixed_disk_device_t;
 	class blk_file { getattr write ioctl };
 ')
@ -136,11 +148,16 @@ class blk_file { getattr write ioctl };
 #
 define(`storage_create_fixed_disk_dev_entry',`
 	requires_block_template(`$0'_depend)
 	allow $1 fixed_disk_device_t:blk_file create_file_perms;
 	devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 define(`storage_create_fixed_disk_dev_entry_depend',`
 	type fixed_disk_device_t;
 	class blk_file create_file_perms;
 ')
 ########################################
@ -156,16 +173,18 @@ type fixed_disk_device_t;
 #
 define(`storage_manage_fixed_disk',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 fixed_disk_device_t:blk_file create_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
 define(`storage_manage_fixed_disk_depend',`
-attribute fixed_disk_raw_read;
+	attribute fixed_disk_raw_read, fixed_disk_raw_write;
-attribute fixed_disk_raw_write;
+
 	type fixed_disk_device_t;
-class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+
 	class blk_file create_file_perms;
 ')
 ########################################
@ -184,15 +203,18 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 #
 define(`storage_raw_read_lvm_volume',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_read;
+
 	devices_list_device_nodes($1)
-allow $1 lvm_vg_t:blk_file { getattr read ioctl };
+	allow $1 lvm_vg_t:blk_file r_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
 define(`storage_raw_read_lvm_volume_depend',`
 type lvm_vg_t;
 	attribute fixed_disk_raw_read;
-class blk_file { getattr read ioctl };
+
 	type lvm_vg_t;
 	class blk_file r_file_perms;
 ')
 ########################################
@ -211,14 +233,17 @@ class blk_file { getattr read ioctl };
 #
 define(`storage_raw_write_lvm_volume',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 fixed_disk_raw_write;
+
 	devices_list_device_nodes($1)
 	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
 	typeattribute $1 fixed_disk_raw_write;
 ')
 define(`storage_raw_write_lvm_volume_depend',`
 type lvm_vg_t;
 	attribute fixed_disk_raw_write;
 	type lvm_vg_t;
 	class blk_file { getattr write ioctl };
 ')
@ -239,15 +264,18 @@ class blk_file { getattr write ioctl };
 #
 define(`storage_read_scsi_generic',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_read;
+
 	devices_list_device_nodes($1)
-allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
+	allow $1 scsi_generic_device_t:blk_file r_file_perms;
 	typeattribute $1 scsi_generic_read;
 ')
 define(`storage_read_scsi_generic_depend',`
 type scsi_generic_device_t;
 	attribute scsi_generic_read;
-class blk_file { getattr read ioctl };
+
 	type scsi_generic_device_t;
 	class blk_file r_file_perms;
 ')
 ########################################
@ -267,14 +295,17 @@ class blk_file { getattr read ioctl };
 #
 define(`storage_write_scsi_generic',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 scsi_generic_write;
+
 	devices_list_device_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
 	typeattribute $1 scsi_generic_write;
 ')
 define(`storage_write_scsi_generic_depend',`
 type scsi_generic_device_t;
 	attribute scsi_generic_write;
 	type scsi_generic_device_t;
 	class blk_file { getattr write ioctl };
 ')
@ -284,12 +315,14 @@ class blk_file { getattr write ioctl };
 #
 define(`storage_get_scsi_generic_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 define(`storage_get_scsi_generic_attributes_depend',`
 	type scsi_generic_device_t;
 	class blk_file getattr;
 ')
@ -299,12 +332,14 @@ class blk_file getattr;
 #
 define(`storage_set_scsi_generic_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 define(`storage_set_scsi_generic_attributes_depend',`
 	type scsi_generic_device_t;
 	class blk_file setattr;
 ')
@ -322,12 +357,14 @@ class blk_file setattr;
 #
 define(`storage_get_removable_device_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 removable_device_t:blk_file getattr;
 ')
 define(`storage_get_removable_device_attributes_depend',`
 	type removable_device_t;
 	class blk_file getattr;
 ')
@ -345,11 +382,13 @@ class blk_file getattr;
 #
 define(`storage_ignore_get_removable_device_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 removable_device_t:blk_file getattr;
 ')
 define(`storage_ignore_get_removable_device_attributes_depend',`
 	type removable_device_t;
 	class blk_file getattr;
 ')
@ -359,12 +398,14 @@ class blk_file getattr;
 #
 define(`storage_set_removable_device_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 removable_device_t:blk_file setattr;
 ')
 define(`storage_set_removable_device_attributes_depend',`
 	type removable_device_t;
 	class blk_file setattr;
 ')
@ -374,13 +415,15 @@ class blk_file setattr;
 #
 define(`storage_raw_read_removable_device',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 removable_device_t:blk_file { getattr read ioctl };
+	allow $1 removable_device_t:blk_file r_file_perms;
 ')
 define(`storage_raw_read_removable_device_depend',`
 	type removable_device_t;
-class blk_file { getattr read ioctl };
+
 	class blk_file r_file_perms;
 ')
 ########################################
@ -389,12 +432,14 @@ class blk_file { getattr read ioctl };
 #
 define(`storage_raw_write_removable_device',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_raw_write_removable_device_depend',`
 	type removable_device_t;
 	class blk_file { getattr write ioctl };
 ')
@ -404,13 +449,15 @@ class blk_file { getattr write ioctl };
 #
 define(`storage_read_tape_device',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 tape_device_t:blk_file { getattr read ioctl };
+	allow $1 tape_device_t:blk_file r_file_perms;
 ')
 define(`storage_read_tape_device_depend',`
 	type tape_device_t;
-class blk_file { getattr read ioctl };
+
 	class blk_file r_file_perms;
 ')
 ########################################
@ -419,12 +466,14 @@ class blk_file { getattr read ioctl };
 #
 define(`storage_write_tape_device',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_write_tape_device_depend',`
 	type tape_device_t;
 	class blk_file { getattr write ioctl };
 ')
@ -434,12 +483,14 @@ class blk_file { getattr write ioctl };
 #
 define(`storage_get_tape_device_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tape_device_t:blk_file getattr;
 ')
 define(`storage_get_tape_device_attributes_depend',`
 	type tape_device_t;
 	class blk_file getattr;
 ')
@ -449,6 +500,7 @@ class blk_file getattr;
 #
 define(`storage_set_tape_device_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tape_device_t:blk_file setattr;
 ')
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -7,13 +7,16 @@
 #
 define(`terminal_make_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	allow $1 devpts_t:filesystem associate;
 	typeattribute $1 ptynode;
 ')
 define(`terminal_make_pseudoterminal_depend',`
 	attribute ptynode;
 	type devpts_t;
 	class filesystem associate;
 ')
@ -23,6 +26,7 @@ class filesystem associate;
 #
 define(`terminal_make_user_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	terminal_make_pseudoterminal($1)
 	type_change $1 server_ptynode:chr_file $2;
 ')
@ -37,6 +41,7 @@ attribute server_ptynode;
 #
 define(`terminal_make_service_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	terminal_make_pseudoterminal($1)
 	typeattribute $1 server_ptynode;
 ')
@ -51,13 +56,16 @@ attribute server_ptynode;
 #
 define(`terminal_make_physical_terminal',`
 	requires_block_template(`$0'_depend)
 	typeattribute $2 ttynode;
 	type_change $1 tty_device_t:chr_file $2;
 	# Debian login is from shadow utils and does not allow resetting the perms.
 	# have to fix this!
 	tunable_policy(`distro_debian',`
 		type_change $1 ttyfile:chr_file $2;
 	')
 	tunable_policy(`distro_redhat',`
 		filesystem_tmpfs_associate($2)
 	')
@ -65,6 +73,7 @@ filesystem_tmpfs_associate($2)
 define(`terminal_make_physical_terminal_depend',`
 	attribute ttynode;
 	type tty_device_t;
 ')
@ -74,9 +83,10 @@ type tty_device_t;
 #
 define(`terminal_create_private_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ptmx_t:chr_file { getattr read write };
-allow $1 devpts_t:dir { getattr search read };
+	allow $1 devpts_t:dir r_dir_perms;
 	allow $1 devpts_t:filesystem getattr;
 	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
 	type_transition $1 devpts_t:chr_file $2;
@ -84,8 +94,9 @@ type_transition $1 devpts_t:chr_file $2;
 define(`terminal_create_pseudoterminal_depend',`
 	type ptmx_t, devpts_t;
 	class filesystem getattr;
-class dir { getattr search read };
+	class dir r_dir_perms;
 	class chr_file { getattr read write };
 ')
@ -95,6 +106,7 @@ class chr_file { getattr read write };
 #
 define(`terminal_use_all_terminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 devpts_t:dir r_dir_perms;
 	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
@ -102,7 +114,9 @@ allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perm
 define(`terminal_use_all_terminals_depend',`
 	attribute ttynode, ptynode;
 	type console_device_t, devpts_t, tty_device_t;
 	class dir r_dir_perms;
 	class chr_file rw_file_perms;
 ')
@ -143,12 +157,14 @@ define(`terminal_use_console_depend',`
 #
 define(`terminal_use_console',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 console_device_t:chr_file rw_file_perms;
 ')
 define(`terminal_use_console_depend',`
 	type console_device_t;
 	class chr_file rw_file_perms;
 ')
@ -165,11 +181,13 @@ class chr_file rw_file_perms;
 #
 define(`terminal_ignore_use_console',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 console_device_t:chr_file { read write };
 ')
 define(`terminal_ignore_use_console_depend',`
 	type console_device_t;
 	class chr_file { read write };
 ')
@ -179,14 +197,15 @@ class chr_file { read write };
 #
 define(`terminal_set_console_attributes',`
 	requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+
 	devices_list_device_nodes($1)
 	allow $1 console_device_t:chr_file setattr;
 ')
 define(`terminal_set_console_attributes_depend',`
 	type console_device_t;
 	class chr_file setattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -195,14 +214,15 @@ devices_list_device_nodes_depend
 #
 define(`terminal_list_pseudoterminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
+	allow $1 devpts_t:dir r_dir_perms;
 ')
 define(`terminal_list_pseudoterminals_depend',`
 	type devpts_t;
-class dir { getattr search read };
+
-devices_list_device_nodes_depend
+	class dir r_dir_perms;
 ')
 ########################################
@ -211,11 +231,13 @@ devices_list_device_nodes_depend
 #
 define(`terminal_ignore_list_pseudoterminals',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 devpts_t:dir { getattr search read };
 ')
 define(`terminal_ignore_list_pseudoterminals_depend',`
 	type devpts_t;
 	class dir { getattr search read };
 ')
@ -225,12 +247,14 @@ class dir { getattr search read };
 #
 define(`terminal_use_general_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 devpts_t:chr_file { read write };
 ')
 define(`terminal_use_general_pseudoterminal_depend',`
 	type devpts_t;
 	class chr_file { read write };
 ')
@ -240,11 +264,13 @@ class chr_file { read write };
 #
 define(`terminal_ignore_use_general_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 devpts_t:chr_file { read write };
 ')
 define(`terminal_ignore_use_general_pseudoterminal_depend',`
 	type devpts_t;
 	class chr_file { read write };
 ')
@ -254,12 +280,14 @@ class chr_file { read write };
 #
 define(`terminal_use_controlling_terminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 devtty_t:chr_file { getattr read write ioctl };
 ')
 define(`terminal_use_controlling_terminal_depend',`
 	type devtty_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -269,11 +297,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`terminal_ignore_use_pseudoterminal_multiplexer',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 ptmx_t:chr_file { getattr read write };
 ')
 define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
 	type ptmx_t;
 	class chr_file { getattr read write };
 ')
@ -283,14 +313,16 @@ class chr_file { getattr read write };
 #
 define(`terminal_get_all_private_pseudoterminal_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
+	allow $1 devpts_t:dir r_dir_perms;
 	allow $1 ptynode:chr_file getattr;
 ')
 define(`terminal_get_all_private_pseudoterminal_attributes_depend',`
 	attribute ptynode;
-class dir { getattr search read };
+
 	class dir r_dir_perms;
 	class chr_file getattr;
 ')
@ -300,14 +332,16 @@ class chr_file getattr;
 #
 define(`terminal_use_all_private_pseudoterminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr read search };
+	allow $1 devpts_t:dir r_dir_perms;
 	allow $1 ptynode:chr_file { getattr read write ioctl };
 ')
 define(`terminal_use_all_private_pseudoterminals_depend',`
 	attribute ptynode;
-class dir { getattr search read };
+
 	class dir r_dir_perms;
 	class chr_file { getattr read write ioctl };
 ')
@ -317,11 +351,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`terminal_ignore_use_all_private_pseudoterminals',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 ptynode:chr_file { read write };
 ')
 define(`terminal_ignore_use_all_private_pseudoterminals_depend',`
 	attribute ptynode;
 	class chr_file { read write };
 ')
@ -331,12 +367,14 @@ class chr_file { read write };
 #
 define(`terminal_get_general_physical_terminal_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tty_device_t:chr_file getattr;
 ')
 define(`terminal_get_general_physical_terminal_attributes_depend',`
 	type tty_device_t;
 	class chr_file getattr;
 ')
@ -346,12 +384,14 @@ class chr_file getattr;
 #
 define(`terminal_set_general_physical_terminal_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tty_device_t:chr_file setattr;
 ')
 define(`terminal_set_general_physical_terminal_attributes_depend',`
 	type tty_device_t;
 	class chr_file setattr;
 ')
@ -361,12 +401,14 @@ class chr_file setattr;
 #
 define(`terminal_relabel_general_physical_terminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
 ')
 define(`terminal_relabel_general_physical_terminal_depend',`
 	type tty_device_t;
 	class chr_file { relabelfrom relabelto };
 ')
@ -376,6 +418,7 @@ class chr_file { relabelfrom relabelto };
 #
 define(`terminal_reset_physical_terminal_labels',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file relabelfrom;
 	allow $1 tty_device_t:chr_file relabelto;
@ -383,6 +426,7 @@ allow $1 tty_device_t:chr_file relabelto;
 define(`terminal_reset_physical_terminal_labels_depend',`
 	attribute ttynode;
 	type tty_device_t;
 	class chr_file { relabelfrom relabelto };
 ')
@ -401,13 +445,15 @@ class chr_file { relabelfrom relabelto };
 #
 define(`terminal_write_general_physical_terminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tty_device_t:chr_file { getattr write };
 ')
 define(`terminal_write_general_physical_terminal_depend',`
 	type tty_device_t;
-class chr_file { read write };
+
 	class chr_file { getattr write };
 ')
 ########################################
@ -416,12 +462,14 @@ class chr_file { read write };
 #
 define(`terminal_use_general_physical_terminal',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 tty_device_t:chr_file { getattr read write ioctl };
 ')
 define(`terminal_use_general_physical_terminal_depend',`
 	type tty_device_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -431,11 +479,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`terminal_ignore_use_general_physical_terminal',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 tty_device_t:chr_file { read write };
 ')
 define(`terminal_ignore_use_general_physical_terminal_depend',`
 	type tty_device_t;
 	class chr_file { read write };
 ')
@ -445,12 +495,14 @@ class chr_file { read write };
 #
 define(`terminal_get_all_private_physical_terminal_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file getattr;
 ')
 define(`terminal_get_all_private_physical_terminal_attributes_depend',`
 	attribute ttynode;
 	class chr_file getattr;
 ')
@ -460,12 +512,14 @@ class chr_file getattr;
 #
 define(`terminal_set_all_private_physical_terminal_attributes',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file setattr;
 ')
 define(`terminal_set_all_private_physical_terminal_attributes_depend',`
 	attribute ttynode;
 	class chr_file setattr;
 ')
@ -475,11 +529,13 @@ class chr_file setattr;
 #
 define(`terminal_ignore_get_all_private_physical_terminal_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 ttynode:chr_file getattr;
 ')
 define(`terminal_ignore_get_all_private_physical_terminal_attributes_depend',`
 	attribute ttynode;
 	class chr_file getattr;
 ')
@ -489,12 +545,14 @@ class chr_file getattr;
 #
 define(`terminal_relabel_all_private_physical_terminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file { relabelfrom relabelto };
 ')
 define(`terminal_relabel_all_private_physical_terminals_depend',`
 	attribute ttynode;
 	class chr_file { relabelfrom relabelto };
 ')
@ -512,12 +570,14 @@ class chr_file { relabelfrom relabelto };
 #
 define(`terminal_write_all_private_physical_terminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file { getattr write };
 ')
 define(`terminal_write_all_private_physical_terminals_depend',`
 	attribute ttynode;
 	class chr_file { getattr write };
 ')
@ -527,12 +587,14 @@ class chr_file { getattr write };
 #
 define(`terminal_use_all_private_physical_terminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	allow $1 ttynode:chr_file { getattr read write ioctl };
 ')
 define(`terminal_use_all_private_physical_terminals_depend',`
 	attribute ttynode;
 	class chr_file { getattr read write ioctl };
 ')
@ -542,11 +604,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`terminal_ignore_use_all_private_physical_terminals',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 ttynode:chr_file { read write };
 ')
 define(`terminal_ignore_use_all_private_physical_terminals_depend',`
 	attribute ttynode;
 	class chr_file { read write };
 ')
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -166,6 +166,12 @@ logging_send_system_log_message($1_crontab_t)
 	miscfiles_read_localization($1_crontab_t)
 	tunable_policy(`fcron_crond', `
 		# fcron wants an instant update of a crontab change for the administrator
 		# also crontab does a security check for crontab -u
 		dontaudit $1_crontab_t crond_t:process signal;
 	')
 	ifdef(`TODO',`
 	# Transition from the user domain to the derived domain.
@ -184,17 +190,6 @@ file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
 	# Use the type when creating files in /var/spool/cron.
 	allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
 tunable_policy(`fcron_crond', `
 # fcron wants an instant update of a crontab change for the administrator
 # also crontab does a security check for crontab -u
 ifelse(`$1', `sysadm', `
 allow $1_crontab_t self:process setfscreate;
 kernel_get_selinuxfs_mount_point($1_crontab_t)
 ', `
 dontaudit $1_crontab_t crond_t:process signal;
 ')dnl end ifelse
 ')dnl end ifdef fcron
 	# Run helper programs as $1_t
 	allow $1_crontab_t { bin_t sbin_t }:dir search;
 	allow $1_crontab_t bin_t:lnk_file read;
@ -223,7 +218,6 @@ dontaudit $1_crontab_t var_run_t:dir search;
 #
 define(`cron_admin_template',`
 	logging_read_system_logs($1_crond_t)
 	# Allow our crontab domain to unlink a user cron spool file.
@ -236,6 +230,13 @@ kernel_compute_selinux_access_vector($1_crontab_t)
 	kernel_compute_selinux_create_context($1_crontab_t)
 	kernel_compute_selinux_relabel_context($1_crontab_t)
 	kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 	tunable_policy(`fcron_crond', `
 		# fcron wants an instant update of a crontab change for the administrator
 		# also crontab does a security check for crontab -u
 		allow $1_crontab_t self:process setfscreate;
 		kernel_get_selinuxfs_mount_point($1_crontab_t)
 	')
 ')
 ########################################
@ -244,10 +245,12 @@ kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 #
 define(`cron_modify_log',`
 	requires_block_template(`$0'_depend)
 	allow $1 crond_log_t:file { getattr read write ioctl lock append };
 ')
 define(`cron_modify_log_depend',`
 	type crond_log_t;
 	class file rw_file_perms;
 ')
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -37,6 +37,8 @@ allow $1_t sendmail_exec_t:file { getattr read execute execute_no_trans };
 	allow $1_t sendmail_exec_t:lnk_file { getattr read };
 	allow $1_t $1_mail_t:process transition;
 	type_transition $1_t sendmail_exec_t:process $1_mail_t;
 	dontaudit $1_t $1_mail_t:process { noatsecure siginh rlimitinh };
 	allow $1_t $1_mail_t:fd use;
 	allow $1_mail_t $1_t:fd use;
 	allow $1_mail_t $1_t:fifo_file rw_file_perms;
@ -98,7 +100,7 @@ dontaudit $1_mail_t $1_tmp_t:file append;
 	ifdef(`postfix.te', `
 		# postfix seems to need write access if the file handle is opened read/write
 		allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
+	')
 	allow mta_user_agent $1_tmp_t:file { read getattr };
@ -132,7 +134,7 @@ file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
 	ifdef(`qmail.te', `
 		allow $1_mail_t qmail_etc_t:dir search;
 		allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
+	')
 	') dnl end TODO
 ')
@ -147,6 +149,7 @@ define(`mta_per_userdomain_template_depend',`
 #
 define(`mta_make_mailserver_domain',`
 	requires_block_template(`$0'_depend)
 	init_make_daemon_domain($1,$2)
 	typeattribute $1 mailserver_domain;
 ')
@ -161,6 +164,7 @@ attribute mailserver_domain;
 #
 define(`mta_make_sendmail_mailserver_domain',`
 	requires_block_template(`$0'_depend)
 	mta_make_mailserver_domain($1,sendmail_exec_t)
 ')
@ -174,11 +178,13 @@ type sendmail_exec_t;
 #
 define(`mta_send_mail',`
 	requires_block_template(`$0'_depend)
 	allow $1 sendmail_exec_t:lnk_file { getattr read };
 	allow $1 sendmail_exec_t:file { getattr read execute };
 	allow $1 system_mail_t:process transition;
 	type_transition $1 sendmail_exec_t:process system_mail_t;
 	dontaudit $1 system_mail_t:process { noatsecure siginh rlimitinh };
 	allow $1 system_mail_t:fd use;
 	allow system_mail_t $1:fd use;
 	allow system_mail_t $1:fifo_file rw_file_perms;
@ -187,11 +193,12 @@ allow system_mail_t $1:process sigchld;
 define(`mta_send_mail_depend',`
 	type system_mail_t, sendmail_exec_t;
 	class file { getattr read execute };
 	class lnk_file { getattr read };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
-class fifo_file { ioctl read getattr lock write append };
+	class fifo_file rw_file_perms;
 ')
 #######################################
@ -200,11 +207,13 @@ class fifo_file { ioctl read getattr lock write append };
 #
 define(`mta_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 sendmail_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`mta_execute_depend',`
 	type sendmail_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -221,11 +230,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`mta_read_mail_aliases',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_aliases_t:file { getattr read };
 ')
 define(`mta_read_mail_aliases_depend',`
 	type etc_aliases_t;
 	class file { getattr read };
 ')
@ -235,11 +246,13 @@ class file { getattr read };
 #
 define(`mta_modify_mail_aliases',`
 	requires_block_template(`$0'_depend)
 	allow sendmail_t etc_aliases_t:file { getattr read write append setattr };
 ')
 define(`mta_modify_mail_aliases_depend',`
 	type etc_aliases_t;
 	class file { getattr read write append setattr };
 ')
@ -249,6 +262,7 @@ class file { getattr read write append setattr };
 #
 define(`mta_get_mail_spool_attributes',`
 	requires_block_template(`$0'_depend)
 	files_search_system_spool_directory($1)
 	allow $1 mail_spool_t:dir r_dir_perms;
 	allow $1 mail_spool_t:lnk_file read;
@ -257,6 +271,7 @@ allow $1 mail_spool_t:file getattr;
 define(`mta_get_mail_spool_attributes_depend',`
 	type mail_spool_t;
 	class dir r_dir_perms;
 	class file getattr;
 	class lnk_file read;
@ -268,6 +283,7 @@ class lnk_file read;
 #
 define(`mta_modify_mail_spool',`
 	requires_block_template(`$0'_depend)
 	files_search_system_spool_directory($1)
 	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
 	allow $1 mail_spool_t:file { getattr read write append setattr };
@ -275,6 +291,7 @@ allow $1 mail_spool_t:file { getattr read write append setattr };
 define(`mta_modify_mail_spool_depend',`
 	type mail_spool_t;
 	class dir { read getattr lock search ioctl add_name remove_name write };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
@ -285,6 +302,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`mta_manage_mail_spool',`
 	requires_block_template(`$0'_depend)
 	files_search_system_spool_directory($1)
 	allow $1 mail_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
 	allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@ -292,6 +310,7 @@ allow $1 mail_spool_t:file { create ioctl read getattr lock write setattr append
 define(`mta_manage_mail_spool_depend',`
 	type mail_spool_t;
 	class dir { read getattr lock search ioctl add_name remove_name write };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
@ -302,12 +321,14 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`mta_manage_mail_queue',`
 	requires_block_template(`$0'_depend)
 	allow $1 mqueue_spool_t:dir { read getattr lock search ioctl add_name remove_name write };
 	allow $1 mqueue_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 define(`mta_manage_mail_queue_depend',`
 	type mqueue_spool_t;
 	class dir { read getattr lock search ioctl add_name remove_name write };
 	class file { create ioctl read getattr lock write setattr append link unlink rename }
 ')
--- a/refpolicy/policy/modules/system/audit.te
+++ b/refpolicy/policy/modules/system/audit.te
@ -55,7 +55,7 @@ tunable_policy(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(auditd_t)
 	terminal_ignore_use_general_pseudoterminal(auditd_t)
 	files_ignore_read_rootfs_file(auditd_t)
-')dnl end targeted_policy tunable
+')
 optional_policy(`selinux.te',`
 	selinux_newrole_sigchld(auditd_t)
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -50,6 +50,8 @@ selinux_read_config($1_chkpwd_t)
 	allow $1_t chkpwd_exec_t:file { getattr read execute };
 	allow $1_t $1_chkpwd_t:process transition;
 	type_transition $1_t chkpwd_exec_t:process $1_chkpwd_t;
 	dontaudit $1_t $1_chkpwd_t:process { noatsecure siginh rlimitinh };
 	allow $1_chkpwd_t $1_t:fd use;
 	allow $1_t $1_chkpwd_t:fd use;
 	allow $1_chkpwd_t $1_t:fifo_file rw_file_perms;
@ -81,7 +83,9 @@ selinux_newrole_use_file_descriptors($1_chkpwd_t)
 define(`authlogin_per_userdomain_template_depend',`
 	attribute can_read_shadow_passwords;
 	type chkpwd_exec_t, system_chkpwd_t, shadow_t;
 	class file { getattr read execute };
 	class process { getattr transition sigchld };
 	class capability setuid;
@ -97,12 +101,12 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_make_login_program_entrypoint',`
 	requires_block_template(`$0'_depend)
 	domain_make_entrypoint_file($1,login_exec_t)
 ')
 define(`authlogin_make_login_program_entrypoint_depend',`
 	type login_exec_t;
 domain_make_entrypoint_file_depend
 ')
 ########################################
@ -121,11 +125,13 @@ domain_make_entrypoint_file_depend
 #
 define(`authlogin_login_program_transition',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search bin_t
 	allow $1 login_exec_t:file { getattr read execute };
 	allow $1 $2:process transition;
 	type_transition $1 login_exec_t:process $2;
 	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
 	allow $1 $2:fd use;
 	allow $2 $1:fd use;
 	allow $2 $1:fifo_file rw_file_perms;
@ -134,6 +140,7 @@ allow $2 $1:process sigchld;
 define(`authlogin_login_program_transition_depend',`
 	type login_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -146,9 +153,11 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_check_password_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 chkpwd_exec_t:file { getattr read execute };
 	allow $1 system_chkpwd_t:process transition;
 	type_transition $1 chkpwd_exec_t:process system_chkpwd_t;
 	allow $1 system_chkpwd_t:fd use;
 	allow system_chkpwd_t $1:fd use;
 	allow system_chkpwd_t $1:fifo_file rw_file_perms;
@ -169,12 +178,12 @@ corenetwork_sendrecv_raw_on_all_nodes($1)
 		corenetwork_bind_udp_on_all_nodes($1)
 		corenetwork_sendrecv_udp_on_dns_port($1)
 		sysnetwork_read_network_config($1)
-') dnl end use_dns
+	')
-
+')
 ') dnl end check_password_transition
 define(`authlogin_check_password_transition_depend',`
 	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	class file { getattr read execute };
 	class process { transition sigchld };
 	class udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
@ -188,11 +197,13 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_ignore_get_shadow_passwords_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 shadow_t:file getattr;
 ')
 define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
 	type shadow_t;
 	class file getattr;
 ')
@ -202,6 +213,7 @@ class file getattr;
 #
 define(`authlogin_read_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
 	allow $1 shadow_t:file { getattr read };
 	typeattribute $1 can_read_shadow_passwords;
@ -209,7 +221,9 @@ typeattribute $1 can_read_shadow_passwords;
 define(`authlogin_read_shadow_passwords_depend',`
 	attribute can_read_shadow_passwords;
 	type shadow_t;
 	class file { getattr read };
 ')
@ -219,11 +233,13 @@ class file { getattr read };
 #
 define(`authlogin_ignore_read_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 shadow_t:file { getattr read };
 ')
 define(`authlogin_ignore_read_shadow_passwords_depend',`
 	type shadow_t;
 	class file { getattr read };
 ')
@ -233,17 +249,17 @@ class file { getattr read };
 #
 define(`authlogin_modify_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
-allow $1 shadow_t:file { getattr read write };
+	allow $1 shadow_t:file rw_file_perms;
-typeattribute $1 can_read_shadow_passwords;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
 ')
 define(`authlogin_modify_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
-attribute can_write_shadow_passwords;
+
 	type shadow_t;
-class file { getattr read write };
+	class file rw_file_perms;
 ')
 #######################################
@ -252,17 +268,19 @@ class file { getattr read write };
 #
 define(`authlogin_manage_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	allow $1 shadow_t:file create_file_perms;
 	files_create_private_config($1,shadow_t,file)
-allow $1 shadow_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+
-typeattribute $1 can_read_shadow_passwords;
+	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 typeattribute $1 can_write_shadow_passwords;
 ')
 define(`authlogin_manage_shadow_passwords_depend',`
-attribute can_read_shadow_passwords;
+	attribute can_read_shadow_passwords, can_write_shadow_passwords;
-attribute can_write_shadow_passwords;
+
 	type shadow_t;
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+
 	class file create_file_perms;
 ')
 #######################################
@ -271,6 +289,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`authlogin_relabel_to_shadow_passwords',`
 	requires_block_template(`$0'_depend)
 	files_search_general_system_config_directory($1)
 	allow $1 shadow_t:file relabelto;
 	typeattribute $1 can_relabelto_shadow_passwords;
@ -278,7 +297,9 @@ typeattribute $1 can_relabelto_shadow_passwords;
 define(`authlogin_relabel_to_shadow_passwords_depend',`
 	attribute can_relabelto_shadow_passwords;
 	type shadow_t;
 	class file relabelto;
 ')
@ -288,13 +309,15 @@ class file relabelto;
 #
 define(`authlogin_modify_login_failure_records',`
 	requires_block_template(`$0'_depend)
 	allow $1 faillog_t:file rw_file_perms;
 	logging_search_system_log_directory($1)
 allow $1 faillog_t:file { read write append };
 ')
 define(`authlogin_modify_login_failure_records_depend',`
 	type faillog_t;
-class file { read write append };
+
 	class file rw_file_perms;
 ')
 #######################################
@ -303,12 +326,14 @@ class file { read write append };
 #
 define(`authlogin_modify_last_login_log',`
 	requires_block_template(`$0'_depend)
 	logging_search_system_log_directory($1)
 	allow $1 lastlog_t:file { getattr read write setattr };
 ')
 define(`authlogin_modify_last_login_log_depend',`
 	type lastlog_t;
 	class file { getattr read write setattr };
 ')
@ -325,10 +350,12 @@ class file { getattr read write setattr };
 #
 define(`authlogin_pam_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 pam_exec_t:file { getattr read execute };
 	allow $1 pam_t:process transition;
 	type_transition $1 pam_exec_t:process pam_t;
 	dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
 	allow $1 pam_t:fd use;
 	allow pam_t $1:fd use;
 	allow pam_t $1:fifo_file rw_file_perms;
@ -337,6 +364,7 @@ allow pam_t $1:process sigchld;
 define(`authlogin_pam_transition_depend',`
 	type pam_t, pam_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd
@ -362,6 +390,7 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_pam_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	authlogin_pam_transition($1)
 	role $2 types pam_t;
 	allow pam_t $3:chr_file { getattr read write ioctl };
@ -369,6 +398,7 @@ allow pam_t $3:chr_file { getattr read write ioctl };
 define(`authlogin_pam_transition_add_role_use_terminal_depend',`
 	type pam_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -378,11 +408,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`authlogin_pam_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`authlogin_pam_execute_depend',`
 	type pam_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -392,6 +424,7 @@ class file { getattr read execute execute_no_trans };
 #
 define(`authlogin_pam_read_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
 	allow $1 pam_var_run_t:dir { getattr search read };
@ -400,6 +433,7 @@ allow $1 pam_var_run_t:file { getattr read };
 define(`authlogin_pam_read_runtime_data_depend',`
 	type pam_var_run_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -410,6 +444,7 @@ class file { getattr read };
 #
 define(`authlogin_pam_remove_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
 	allow $1 pam_var_run_t:dir { getattr search read write remove_name };
@ -418,6 +453,7 @@ allow $1 pam_var_run_t:file { getattr unlink };
 define(`authlogin_pam_remove_runtime_data_depend',`
 	type pam_var_run_t;
 	class dir { getattr search read write remove_name };
 	class file { getattr unlink };
 ')
@ -428,10 +464,12 @@ class file { getattr unlink };
 #
 define(`authlogin_pam_console_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 pam_console_exec_t:file { getattr read execute };
 	allow $1 pam_console_t:process transition;
 	type_transition $1 pam_console_exec_t:process pam_console_t;
 	dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
 	allow $1 pam_console_t:fd use;
 	allow pam_console_t $1:fd use;
 	allow pam_console_t $1:fifo_file rw_file_perms;
@ -440,6 +478,7 @@ allow pam_console_t $1:process sigchld;
 define(`authlogin_pam_console_transition_depend',`
 	type pam_console_t, pam_console_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -452,14 +491,16 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_pam_console_read_runtime_data_dir',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
+	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
 define(`authlogin_pam_console_read_runtime_data_dir_depend',`
 	type pam_var_console_t;
-class dir { getattr search read };
+
 	class dir r_dir_perms;
 ')
 #######################################
@ -468,16 +509,18 @@ class dir { getattr search read };
 #
 define(`authlogin_pam_console_read_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
-allow $1 pam_var_console_t:dir { getattr search read };
+	allow $1 pam_var_console_t:dir r_dir_perms;
-allow $1 pam_var_console_t:file { getattr read };
+	allow $1 pam_var_console_t:file r_file_perms;
 ')
 define(`authlogin_pam_console_read_runtime_data_depend',`
 	type pam_var_console_t;
-class dir { getattr search read };
+
-class file { getattr read };
+	class dir r_dir_perms;
 	class file r_file_perms;
 ')
 #######################################
@ -486,6 +529,7 @@ class file { getattr read };
 #
 define(`authlogin_pam_console_manage_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	files_search_runtime_data_directory($1)
 	allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
@ -495,6 +539,7 @@ allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink re
 define(`authlogin_pam_console_manage_runtime_data_depend',`
 	type pam_var_console_t;
 	class dir { read getattr lock search ioctl add_name remove_name write };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 	class lnk_file { create read getattr setattr link unlink rename };
@ -519,6 +564,7 @@ class lnk_file { create read getattr setattr link unlink rename };
 define(`authlogin_relabel_all_files_except_shadow',`
 	requires_block_template(`$0'_depend)
 	files_relabel_all_files($1,$2 -shadow_t)
 ')
@ -545,6 +591,7 @@ type shadow_t;
 define(`authlogin_manage_all_files_except_shadow',`
 	requires_block_template(`$0'_depend)
 	files_manage_all_files($1,$2 -shadow_t)
 ')
@ -565,10 +612,12 @@ type shadow_t;
 #
 define(`authlogin_utempter_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 utempter_exec_t:file { getattr read execute };
 	allow $1 utempter_t:process transition;
 	type_transition $1 utempter_exec_t:process utempter_t;
 	dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
 	allow $1 utempter_t:fd use;
 	allow utempter_t $1:fd use;
 	allow utempter_t $1:fifo_file rw_file_perms;
@ -577,6 +626,7 @@ allow utempter_t $1:process sigchld;
 define(`authlogin_utempter_transition_depend',`
 	type utempter_t, utempter_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -602,6 +652,7 @@ class fifo_file rw_file_perms;
 #
 define(`authlogin_utempter_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	authlogin_utempter_transition($1)
 	role $2 types utempter_t;
 	allow utempter_t $3:chr_file { getattr read write ioctl };
@ -609,6 +660,7 @@ allow utempter_t $3:chr_file { getattr read write ioctl };
 define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
 	type utempter_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -618,12 +670,14 @@ class chr_file { getattr read write ioctl };
 #
 define(`authlogin_read_login_records',`
 	requires_block_template(`$0'_depend)
 	logging_search_system_log_directory($1)
 	allow $1 wtmp_t:file { getattr read };
 ')
 define(`authlogin_read_login_records_depend',`
 	type wtmp_t;
 	class file { getattr read };
 ')
@ -633,11 +687,13 @@ class file { getattr read };
 #
 define(`authlogin_ignore_write_login_records',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 wtmp_t:file write;
 ')
 define(`authlogin_read_login_records_depend',`
 	type wtmp_t;
 	class file write;
 ')
@ -647,13 +703,14 @@ class file write;
 #
 define(`authlogin_modify_login_records',`
 	requires_block_template(`$0'_depend)
 	allow $1 wtmp_t:file rw_file_perms;
 	logging_search_system_log_directory($1)
 allow $1 wtmp_t:file { getattr read write append setattr lock };
 ')
 define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
-class file { getattr read write append setattr lock };
+class file rw_file_perms;
 ')
 ## </module>
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -270,7 +270,7 @@ can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
 dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
-')
+') dnl end TODO
 ########################################
 #
--- a/refpolicy/policy/modules/system/clock.if
+++ b/refpolicy/policy/modules/system/clock.if
@ -14,10 +14,12 @@
 #
 define(`clock_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 hwclock_exec_t:file { getattr read execute };
 	allow $1 hwclock_t:process transition;
 	type_transition $1 hwclock_exec_t:process hwclock_t;
 	dontaudit $1 hwclock_t:process { noatsecure siginh rlimitinh };
 	allow $1 hwclock_t:fd use;
 	allow hwclock_t $1:fd use;
 	allow hwclock_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow hwclock_t $1:process sigchld;
 define(`clock_transition_depend',`
 	type hwclock_t, hwclock_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -52,6 +55,7 @@ class fifo_file rw_file_perms;
 #
 define(`clock_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	clock_transition($1)
 	role $2 types hwclock_t;
 	allow hwclock_t $3:chr_file { getattr read write ioctl };
@ -59,6 +63,7 @@ allow hwclock_t $3:chr_file { getattr read write ioctl };
 define(`clock_transition_add_role_use_terminal_depend',`
 	type hwclock_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -68,11 +73,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`clock_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 hwclock_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`clock_execute_depend',`
 	type hwclock_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -82,12 +89,14 @@ class file { getattr read execute execute_no_trans };
 #
 define(`clock_modify_drift_records',`
 	requires_block_template(`$0'_depend)
 	allow $1 adjtime_t:file { getattr read write ioctl lock append };
 	files_read_general_system_config_directory($1)
 ')
 define(`clock_modify_drift_records_depend',`
 	type adjtime_t;
 	class file { getattr read write ioctl lock append };
 ')
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@ -10,6 +10,7 @@
 #
 define(`corecommands_make_shell_entrypoint',`
 	requires_block_template(`$0'_depend)
 	domain_make_entrypoint_file($1,shell_exec_t)
 ')
@ -23,11 +24,13 @@ type shell_exec_t;
 #
 define(`corecommands_search_general_programs_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir search;
 ')
 define(`corecommands_search_general_programs_directory_depend',`
 	type bin_t;
 	class dir search;
 ')
@ -37,11 +40,13 @@ class dir search;
 #
 define(`corecommands_read_general_programs_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir { getattr search read };
 ')
 define(`corecommands_read_general_programs_directory_depend',`
 	type bin_t;
 	class dir { getattr search read };
 ')
@ -51,6 +56,7 @@ class dir { getattr search read };
 #
 define(`corecommands_execute_general_programs',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir { getattr search read };
 	allow $1 bin_t:lnk_file { getattr read };
 	allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
@ -58,6 +64,7 @@ allow $1 bin_t:file { getattr read ioctl lock execute execute_no_trans };
 define(`corecommands_execute_general_programs_depend',`
 	type bin_t;
 	class dir { getattr search read };
 	class lnk_file { getattr read };
 	class file { getattr read ioctl lock execute execute_no_trans };
@ -69,11 +76,13 @@ class file { getattr read ioctl lock execute execute_no_trans };
 #
 define(`corecommands_search_system_programs_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 sbin_t:dir search;
 ')
 define(`corecommands_search_system_programs_directory_depend',`
 	type sbin_t;
 	class dir search;
 ')
@ -83,11 +92,13 @@ class dir search;
 #
 define(`corecommands_read_system_programs_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 sbin_t:dir r_dir_perms;
 ')
 define(`corecommands_read_system_programs_directory_depend',`
 	type sbin_t;
 	class dir r_dir_perms;
 ')
@ -97,11 +108,13 @@ class dir r_dir_perms;
 #
 define(`corecommands_ignore_get_system_programs_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 sbin_t:file getattr;
 ')
 define(`corecommands_ignore_get_system_programs_attributes_depend',`
 	type sbin_t;
 	class file getattr;
 ')
@ -111,6 +124,7 @@ class file getattr;
 #
 define(`corecommands_execute_system_programs',`
 	requires_block_template(`$0'_depend)
 	allow $1 sbin_t:dir { getattr search read };
 	allow $1 sbin_t:lnk_file { getattr read };
 	allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
@ -118,6 +132,7 @@ allow $1 sbin_t:file { getattr read ioctl lock execute execute_no_trans };
 define(`corecommands_execute_system_programs_depend',`
 	type sbin_t;
 	class dir { getattr search read };
 	class lnk_file { getattr read };
 	class file { getattr read ioctl lock execute execute_no_trans };
@ -129,6 +144,7 @@ class file { getattr read ioctl lock execute execute_no_trans };
 #
 define(`corecommands_execute_shell',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file { getattr read };
 	allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
@ -136,6 +152,7 @@ allow $1 shell_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 define(`corecommands_execute_shell_depend',`
 	type bin_t, shell_exec_t;
 	class dir r_dir_perms;
 	class lnk_file { getattr read };
 	class file { getattr read lock ioctl execute execute_no_trans };
@ -147,6 +164,7 @@ class file { getattr read lock ioctl execute execute_no_trans };
 #
 define(`corecommands_execute_ls',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir r_dir_perms;
 	allow $1 bin_t:lnk_file { getattr read };
 	allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
@ -154,6 +172,7 @@ allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
 define(`corecommands_execute_shell_depend',`
 	type bin_t, ls_exec_t;
 	class dir r_dir_perms;
 	class lnk_file { getattr read };
 	class file { getattr read lock ioctl execute execute_no_trans };
@ -177,11 +196,13 @@ class file { getattr read lock ioctl execute execute_no_trans };
 #
 define(`corecommands_shell_explicit_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 bin_t:dir { getattr search read };
 	allow $1 bin_t:lnk_file { getattr read };
 	allow $1 shell_exec_t:file { getattr read execute };
 	allow $1 $2:process transition;
 	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
 	allow $1 $2:fd use;
 	allow $2 $1:fd use;
 	allow $2 $1:fifo_file rw_file_perms;
@ -190,6 +211,7 @@ allow $2 $1:process sigchld;
 define(`corecommands_shell_explicit_transition_depend',`
 	type bin_t, shell_exec_t;
 	class dir { getattr search read };
 	class lnk_file { getattr read };
 	class file { getattr read execute };
@ -214,6 +236,7 @@ class fifo_file rw_file_perms;
 #
 define(`corecommands_shell_transition',`
 	requires_block_template(`$0'_depend)
 	corecommands_shell_explicit_transition($1,$2)
 	type_transition $1 shell_exec_t:process $2;
 ')
@ -228,13 +251,14 @@ type shell_exec_t;
 #
 define(`corecommands_chroot',`
 	requires_block_template(`$0'_depend)
 	allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
 # could go to a generic chroot priv:
 	allow $1 self:capability sys_chroot;
 ')
 define(`corecommands_chroot_depend',`
 	type chroot_exec_t;
 	class file { getattr read execute execute_no_trans };
 	class capability sys_chroot;
 ')
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@ -21,6 +21,7 @@ allow $1 self:process { fork sigchld };
 define(`domain_make_base_domain_depend',`
 	attribute domain;
 	class dir { getattr search read };
 	class file { getattr read write ioctl };
 	class lnk_file { getattr read };
@ -31,7 +32,6 @@ class lnk_file { getattr read };
 # domain_make_domain(domain)
 #
 define(`domain_make_domain',`
 	# start with basic domain
 	domain_make_base_domain($1)
@ -59,13 +59,15 @@ rpm_read_pipe($1)
 #
 define(`domain_make_entrypoint_file',`
 	requires_block_template(`$0'_depend)
-allow $1 $2:file entrypoint;
+
 	files_make_file($2)
 	allow $1 $2:file entrypoint;
 	typeattribute $2 entry_type;
 ')
 define(`domain_make_entrypoint_file_depend',`
 	attribute entry_type;
 	class file entrypoint;
 ')
@ -75,6 +77,7 @@ class file entrypoint;
 #
 define(`domain_make_file_descriptors_widely_inheritable',`
 	requires_block_template(`$0'_depend)
 	typeattribute $1 privfd;
 ')
@ -88,11 +91,13 @@ attribute privfd;
 #
 define(`domain_use_widely_inheritable_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 privfd:fd use;
 ')
 define(`domain_use_widely_inheritable_file_descriptors_depend',`
 	attribute privfd;
 	class fd use;
 ')
@ -102,11 +107,13 @@ class fd use;
 #
 define(`domain_ignore_use_widely_inheritable_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 privfd:fd use;
 ')
 define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
 	attribute privfd;
 	class fd use;
 ')
@ -116,11 +123,13 @@ class fd use;
 #
 define(`domain_set_all_domains_priorities',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process setsched;
 ')
 define(`domain_set_all_domains_priorities_depend',`
 	attribute domain;
 	class process setsched;
 ')
@ -137,11 +146,13 @@ class process setsched;
 #
 define(`domain_signal_all_domains',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process signal;
 ')
 define(`domain_signal_all_domains_depend',`
 	attribute domain;
 	class process signal;
 ')
@ -158,11 +169,13 @@ class process signal;
 #
 define(`domain_signull_all_domains',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process signull;
 ')
 define(`domain_signull_all_domains_depend',`
 	attribute domain;
 	class process signull;
 ')
@ -179,11 +192,13 @@ class process signull;
 #
 define(`domain_sigstop_all_domains',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process sigstop;
 ')
 define(`domain_sigstop_all_domains_depend',`
 	attribute domain;
 	class process sigstop;
 ')
@ -200,11 +215,13 @@ class process sigstop;
 #
 define(`domain_sigchld_all_domains',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process sigchld;
 ')
 define(`domain_sigchld_all_domains_depend',`
 	attribute domain;
 	class process sigchld;
 ')
@ -221,12 +238,14 @@ class process sigchld;
 #
 define(`domain_kill_all_domains',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process sigkill;
 	allow $1 self:capability kill;
 ')
 define(`domain_kill_all_domains_depend',`
 	attribute domain;
 	class process sigkill;
 	class capability kill;
 ')
@ -244,10 +263,12 @@ class capability kill;
 #
 define(`domain_read_all_domains_process_state',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:dir { getattr search read };
 	allow $1 domain:lnk_file { getattr read };
 	allow $1 domain:file { getattr read };
 	allow $1 domain:process getattr;
 	# We need to suppress this denial because procps tries to access
 	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
 	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
@ -257,6 +278,7 @@ dontaudit $1 domain:process ptrace;
 define(`domain_read_all_domains_process_state_depend',`
 	attribute domain;
 	class dir { getattr search read };
 	class lnk_file { getattr read };
 	class file { getattr read };
@ -277,11 +299,13 @@ class process { getattr ptrace };
 #
 define(`domain_ignore_read_all_domains_process_dirs',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 domain:dir r_dir_perms;
 ')
 define(`domain_ignore_read_all_domains_process_dirs_depend',`
 	attribute domain;
 	class dir r_dir_perms;
 ')
@ -299,11 +323,13 @@ class dir r_dir_perms;
 #
 define(`domain_get_all_domains_session_id',`
 	requires_block_template(`$0'_depend)
 	allow $1 domain:process getsession;
 ')
 define(`domain_get_all_domains_session_id_depend',`
 	attribute domain;
 	class process getsession;
 ')
@ -321,11 +347,13 @@ class process getsession;
 #
 define(`domain_ignore_get_all_domains_udp_socket_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 domain:udp_socket getattr;
 ')
 define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
 	attribute domain;
 	class udp_socket getattr;
 ')
@ -343,11 +371,13 @@ class udp_socket getattr;
 #
 define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 domain:tcp_socket getattr;
 ')
 define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
 	attribute domain;
 	class tcp_socket getattr;
 ')
@ -365,11 +395,13 @@ class tcp_socket getattr;
 #
 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 domain:unix_dgram_socket getattr;
 ')
 define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
 	attribute domain;
 	class unix_dgram_socket getattr;
 ')
@ -387,11 +419,13 @@ class unix_dgram_socket getattr;
 #
 define(`domain_ignore_get_all_domains_pipe_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 domain:fifo_file getattr;
 ')
 define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
 	attribute domain;
 	class fifo_file getattr;
 ')
@ -401,11 +435,13 @@ class fifo_file getattr;
 #
 define(`domain_execute_all_entrypoint_programs',`
 	requires_block_template(`$0'_depend)
 	allow $1 entry_type:file { getattr read ioctl lock execute execute_no_trans };
 ')
 define(`domain_execute_all_entrypoint_programs_depend',`
 	attribute entry_type;
 	class file { getattr read ioctl lock execute execute_no_trans };
 ')
@ -415,12 +451,14 @@ class file { getattr read ioctl lock execute execute_no_trans };
 #
 define(`domain_read_all_entrypoint_programs',`
 	requires_block_template(`$0'_depend)
 	allow $1 entry_type:lnk_file { getattr read };
 	allow $1 entry_type:file r_file_perms;
 ')
 define(`domain_read_all_entrypoint_programs_depend',`
 	attribute entry_type;
 	class file r_file_perms;
 	class lnk_file { getattr read };
 ')
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -7,9 +7,10 @@
 #
 define(`files_make_file',`
 	requires_block_template(`$0'_depend)
-typeattribute $1 file_type;
+
 	filesystem_associate($1)
 	filesystem_noxattr_associate($1)
 	typeattribute $1 file_type;
 ')
 define(`files_make_file_depend',`
@ -22,6 +23,7 @@ attribute file_type;
 #
 define(`files_make_lock_file',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	typeattribute $1 lockfile;
 ')
@ -36,6 +38,7 @@ attribute lockfile;
 #
 define(`files_make_mountpoint',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	typeattribute $1 mountpoint;
 ')
@ -50,6 +53,7 @@ attribute mountpoint;
 #
 define(`files_make_daemon_runtime_file',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	typeattribute $1 pidfile;
 ')
@ -64,6 +68,7 @@ attribute pidfile;
 #
 define(`files_make_temporary_file',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	typeattribute $1 tmpfile;
 ')
@ -86,6 +91,7 @@ attribute tmpfile;
 #
 define(`files_make_tmpfs_file',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	filesystem_tmpfs_associate($1)
 	typeattribute $1 tmpfsfile;
@ -101,6 +107,7 @@ attribute tmpfsfile;
 define(`files_get_all_file_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:dir { search getattr };
 	allow $1 file_type:file getattr;
 	allow $1 file_type:lnk_file getattr;
@ -110,6 +117,7 @@ allow $1 file_type:sock_file getattr;
 define(`files_get_all_file_attributes_depend',`
 	attribute file_type;
 	class dir { search getattr };
 	class file getattr;
 	class lnk_file getattr;
@ -135,6 +143,7 @@ class sock_file getattr;
 #
 define(`files_relabel_all_files',`
 	requires_block_template(`$0'_depend)
 	allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
 	allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
 	allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
@ -142,12 +151,14 @@ allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
 	allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
 	allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
 	allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
 	# satisfy the assertions:
 	selinux_relabelto_binary_policy($1)
 ')
 define(`files_relabel_all_files_depend',`
 	attribute file_type;
 	class dir { r_dir_perms relabelfrom relabelto };
 	class file { relabelfrom relabelto };
 	class lnk_file { relabelfrom relabelto };
@ -175,11 +186,13 @@ class chr_file relabelfrom;
 #
 define(`files_manage_all_files',`
 	requires_block_template(`$0'_depend)
 	allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
 	allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
 	allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
 	allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 	# satisfy the assertions:
 	selinux_write_binary_policy($1)
 	bootloader_manage_kernel_modules($1)
@ -187,6 +200,7 @@ bootloader_manage_kernel_modules($1)
 define(`files_manage_all_files_depend',`
 	attribute file_type;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 	class lnk_file { create read getattr setattr link unlink rename };
@ -200,11 +214,13 @@ class sock_file { create ioctl read getattr lock write setattr append link unlin
 #
 define(`files_search_all_directories',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:dir search;
 ')
 define(`files_search_all_directories_depend',`
 	attribute file_type;
 	class dir search;
 ')
@ -214,11 +230,13 @@ class dir search;
 #
 define(`files_read_all_directories',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:dir r_dir_perms;
 ')
 define(`files_read_all_directories_depend',`
 	attribute file_type;
 	class dir r_dir_perms;
 ')
@ -228,11 +246,13 @@ class dir r_dir_perms;
 #
 define(`files_ignore_search_all_directories',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 file_type:dir search;
 ')
 define(`files_ignore_search_all_directories_depend',`
 	attribute file_type;
 	class dir search;
 ')
@ -242,11 +262,13 @@ class dir search;
 #
 define(`files_relabelto_all_file_type_filesystems',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:filesystem relabelto;
 ')
 define(`files_relabelto_all_file_type_filesystems_depend',`
 	attribute file_type;
 	filesystem relabelto;
 ')
@ -256,11 +278,13 @@ filesystem relabelto;
 #
 define(`files_mount_all_file_type_filesystems',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:filesystem mount;
 ')
 define(`files_mount_all_file_type_filesystems_depend',`
 	attribute file_type;
 	filesystem mount;
 ')
@ -270,11 +294,13 @@ filesystem mount;
 #
 define(`files_unmount_all_file_type_filesystems',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_type:filesystem mount;
 ')
 define(`files_unmount_all_file_type_filesystems_depend',`
 	attribute file_type;
 	filesystem mount;
 ')
@ -284,11 +310,13 @@ filesystem mount;
 #
 define(`files_mount_on_all_mountpoints',`
 	requires_block_template(`$0'_depend)
 	allow $1 mountpoint:dir { getattr search mounton };
 ')
 define(`files_mount_on_all_mountpoints_depend',`
 	attribute mountpoint;
 	class dir { getattr search mounton };
 ')
@ -298,12 +326,14 @@ class dir { getattr search mounton };
 #
 define(`files_read_root_dir',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:dir r_dir_perms;
 	allow $1 root_t:lnk_file { getattr read };
 ')
 define(`files_read_root_dir_depend',`
 	type root_t;
 	class dir r_dir_perms;
 	class lnk_file { getattr read };
 ')
@ -314,11 +344,13 @@ class lnk_file { getattr read };
 #
 define(`files_create_root_dir_entry',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:dir ra_dir_perms;
 ')
 define(`files_create_root_dir_entry_depend',`
 	type root_t;
 	class dir ra_dir_perms;
 ')
@ -328,11 +360,13 @@ class dir ra_dir_perms;
 #
 define(`files_ignore_read_rootfs_file',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 root_t:file read;
 ')
 define(`files_ignore_read_rootfs_file_depend',`
 	type root_t;
 	class file read;
 ')
@ -342,11 +376,13 @@ class file read;
 #
 define(`files_ignore_modify_rootfs_file',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 root_t:file { read write };
 ')
 define(`files_ignore_modify_rootfs_file_depend',`
 	type root_t;
 	class file { read write };
 ')
@ -356,11 +392,13 @@ class file { read write };
 #
 define(`files_ignore_modify_rootfs_device',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 root_t:chr_file { read write };
 ')
 define(`files_ignore_modify_rootfs_device_depend',`
 	type root_t;
 	class chr_file { read write };
 ')
@ -385,7 +423,9 @@ class chr_file { read write };
 #
 define(`files_create_private_root_dir_entry',`
 	requires_block_template(`$0'_depend)
-allow $1 root_t:dir { getattr search read write add_name remove_name };
+
 	allow $1 root_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 root_t:file $2;
 	',`
@ -395,7 +435,8 @@ type_transition $1 root_t:$3 $2;
 define(`files_create_private_root_dir_entry_depend',`
 type root_t;
-class dir { getattr search read write add_name remove_name };
+
 class dir rw_dir_perms;
 ')
 ########################################
@ -404,11 +445,13 @@ class dir { getattr search read write add_name remove_name };
 #
 define(`files_remove_root_dir_entry',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:dir { getattr search read write remove_name };
 ')
 define(`files_remove_root_dir_entry_depend',`
 	type root_t;
 	class dir { getattr search read write remove_name };
 ')
@ -418,11 +461,13 @@ class dir { getattr search read write remove_name };
 #
 define(`files_unmount_root_filesystem',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:filesystem unmount;
 ')
 define(`files_unmount_root_filesystem_depend',`
 	type root_t;
 	class filesystem unmount;
 ')
@ -432,11 +477,13 @@ class filesystem unmount;
 #
 define(`files_search_general_system_config_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir search;
 ')
 define(`files_search_general_system_config_directory_depend',`
 	type etc_t;
 	class dir search;
 ')
@ -446,11 +493,13 @@ class dir search;
 #
 define(`files_read_general_system_config_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read };
 ')
 define(`files_read_general_system_config_directory_depend',`
 	type etc_t;
 	class dir { getattr search read };
 ')
@ -460,6 +509,7 @@ class dir { getattr search read };
 #
 define(`files_read_general_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read };
 	allow $1 etc_t:file { getattr read ioctl };
 	allow $1 etc_t:lnk_file { getattr read };
@ -467,6 +517,7 @@ allow $1 etc_t:lnk_file { getattr read };
 define(`files_read_general_system_config_depend',`
 	type etc_t;
 	class dir { getattr search read };
 	class file { getattr read };
 	class lnk_file { getattr read };
@ -478,6 +529,7 @@ class lnk_file { getattr read };
 #
 define(`files_modify_general_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read };
 	allow $1 etc_t:file { getattr read write ioctl };
 	allow $1 etc_t:lnk_file { getattr read };
@ -485,6 +537,7 @@ allow $1 etc_t:lnk_file { getattr read };
 define(`files_modify_general_system_config_depend',`
 	type etc_t;
 	class dir { getattr search read };
 	class file { getattr read write ioctl };
 	class lnk_file { getattr read };
@ -496,6 +549,7 @@ class lnk_file { getattr read };
 #
 define(`files_manage_general_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { read getattr lock search ioctl add_name remove_name write };
 	allow $1 etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 	allow $1 etc_t:lnk_file { getattr read };
@ -503,6 +557,7 @@ allow $1 etc_t:lnk_file { getattr read };
 define(`files_manage_general_system_config_depend',`
 	type etc_t;
 	class dir { read getattr lock search ioctl add_name remove_name write };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 	class lnk_file { getattr read };
@ -521,12 +576,14 @@ class lnk_file { getattr read };
 #
 define(`files_remove_general_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read write remove_name };
 	allow $1 etc_t:file unlink;
 ')
 define(`files_remove_general_system_config_depend',`
 	type etc_t;
 	class dir { getattr search read write remove_name };
 	class file unlink;
 ')
@ -537,6 +594,7 @@ class file unlink;
 #
 define(`files_execute_system_config_script',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read };
 	allow $1 etc_t:lnk_file { getattr read };
 	allow $1 etc_t:file { getattr read execute execute_no_trans };
@ -544,6 +602,7 @@ allow $1 etc_t:file { getattr read execute execute_no_trans };
 define(`files_execute_system_config_script_depend',`
 	type etc_t;
 	class dir { getattr search read };
 	class lnk_file { getattr read };
 	class file { getattr read execute execute_no_trans };
@ -551,12 +610,13 @@ class file { getattr read execute execute_no_trans };
 ########################################
 #
-# files_create_boot_flag(type)
+# files_create_boot_flag(domain)
 #
 # /halt, /.autofsck, etc
 #
 define(`files_create_boot_flag',`
 	requires_block_template(`$0'_depend)
 	allow $1 root_t:dir { getattr search read write add_name remove_name };
 	allow $1 etc_runtime_t:file { create read write setattr unlink };
 	type_transition $1 root_t:file etc_runtime_t;
@ -564,6 +624,7 @@ type_transition $1 root_t:file etc_runtime_t;
 define(`files_create_boot_flag_depend',`
 	type root_t, etc_runtime_t;
 	class dir { getattr search read write add_name };
 	class file { create read write setattr };
 ')
@ -574,6 +635,7 @@ class file { create read write setattr };
 #
 define(`files_manage_runtime_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read write add_name remove_name };
 	allow $1 etc_runtime_t:file { getattr create read write append setattr rename link unlink lock };
 	type_transition $1 etc_t:file etc_runtime_t;
@ -581,6 +643,7 @@ type_transition $1 etc_t:file etc_runtime_t;
 define(`files_manage_runtime_system_config_depend',`
 	type etc_t, etc_runtime_t;
 	class dir { getattr search read write add_name };
 	class file { getattr create read write append setattr rename unlink unlink lock };
 ')
@ -591,12 +654,14 @@ class file { getattr create read write append setattr rename unlink unlink lock
 #
 define(`files_read_runtime_system_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 etc_t:dir { getattr search read };
 	allow $1 etc_runtime_t:file { getattr read };
 ')
 define(`files_read_runtime_system_config_depend',`
 	type etc_t, etc_runtime_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -607,17 +672,19 @@ class file { getattr read };
 #
 define(`files_create_private_config',`
 	requires_block_template(`$0'_depend)
-allow $1 etc_t:dir { getattr search read write add_name remove_name };
+
 	allow $1 etc_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 etc_t:file $2;
 	',`
 		type_transition $1 etc_t:$3 $2;
-') dnl end ifelse
+	')
 ')
 define(`files_create_private_config_depend',`
 type etc_t;
-class dir { getattr search read write add_name remove_name };
+
 class dir rw_dir_perms;
 ')
 ########################################
@ -626,11 +693,13 @@ class dir { getattr search read write add_name remove_name };
 #
 define(`files_modify_isid_type_dir',`
 	requires_block_template(`$0'_depend)
 	allow $1 file_t:dir rw_dir_perms;
 ')
 define(`files_modify_isid_type_dir_depend',`
 	type file_t;
 	class dir rw_dir_perms;
 ')
@ -640,11 +709,13 @@ class dir rw_dir_perms;
 #
 define(`files_ignore_get_isid_type_dir_attrib',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 file_t:dir search;
 ')
 define(`files_ignore_get_isid_type_dir_attrib_depend',`
 	type file_t;
 	class dir search;
 ')
@ -654,11 +725,13 @@ class dir search;
 #
 define(`files_ignore_search_isid_type_dir',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 file_t:dir search;
 ')
 define(`files_ignore_search_isid_type_dir_depend',`
 	type file_t;
 	class dir search;
 ')
@ -675,11 +748,13 @@ class dir search;
 #
 define(`files_list_home_directories',`
 	requires_block_template(`$0'_depend)
 	allow $1 home_root_t:dir { getattr search read };
 ')
 define(`files_list_home_directories_depend',`
 	type home_root_t;
 	class dir { getattr search read };
 ')
@ -689,11 +764,13 @@ class dir { getattr search read };
 #
 define(`files_read_mnt_dir',`
 	requires_block_template(`$0'_depend)
 	allow $1 mnt_t:dir { getattr search read };
 ')
 define(`files_read_runtime_system_config_depend',`
 	type mnt_t;
 	class dir { getattr search read };
 ')
@ -703,7 +780,9 @@ class dir { getattr search read };
 #
 define(`files_create_private_tmp_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 tmp_t:dir { getattr search read write add_name remove_name };
 	ifelse(`$3',`',`
 		type_transition $1 tmp_t:file $2;
 	',`
@ -713,6 +792,7 @@ type_transition $1 tmp_t:$3 $2;
 define(`files_create_private_tmp_data_depend',`
 	type tmp_t;
 	class dir { getattr search read write add_name };
 ')
@ -722,6 +802,7 @@ class dir { getattr search read write add_name };
 #
 define(`files_remove_all_tmp_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
 	allow $1 tmpfile:file { getattr unlink };
 	allow $1 tmpfile:lnk_file { getattr unlink };
@ -731,6 +812,7 @@ allow $1 tmpfile:sock_file { getattr unlink };
 define(`files_remove_all_tmp_data_depend',`
 	attribute tmpfile;
 	class dir { getattr search read write add_name remove_name rmdir };
 	class file { getattr unlink };
 	class lnk_file { getattr unlink };
@ -744,11 +826,13 @@ class sock_file { getattr unlink };
 #
 define(`files_search_general_application_resources_dir',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir search;
 ')
 define(`files_search_general_application_resources_dir_depend',`
 	type usr_t;
 	class dir search;
 ')
@ -758,12 +842,14 @@ class dir search;
 #
 define(`files_read_general_application_resources',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir { getattr search read };
 	allow $1 usr_t:{ file lnk_file } { getattr read };
 ')
 define(`files_read_general_application_resources_depend',`
 	type usr_t;
 	class dir { getattr search read };
 	class file { getattr read };
 	class lnk_file { getattr read };
@ -782,6 +868,7 @@ class lnk_file { getattr read };
 #
 define(`files_execute_system_source_code_scripts',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir search;
 	allow $1 src_t:dir { getattr search read };
 	allow $1 src_t:lnk_file { getattr read };
@ -790,6 +877,7 @@ allow $1 src_t:file { getattr read execute execute_no_trans };
 define(`files_read_system_source_code_depend',`
 	type usr_t, src_t;
 	class dir { getattr search read };
 	class file { getattr read execute execute_no_trans };
 	class lnk_file { getattr read };
@ -801,6 +889,7 @@ class lnk_file { getattr read };
 #
 define(`files_read_system_source_code',`
 	requires_block_template(`$0'_depend)
 	allow $1 usr_t:dir search;
 	allow $1 src_t:dir { getattr search read };
 	allow $1 src_t:{ file lnk_file } { getattr read };
@ -808,6 +897,7 @@ allow $1 src_t:{ file lnk_file } { getattr read };
 define(`files_read_system_source_code_depend',`
 	type usr_t, src_t;
 	class dir { getattr search read };
 	class file { getattr read };
 	class lnk_file { getattr read };
@ -819,11 +909,13 @@ class lnk_file { getattr read };
 #
 define(`files_search_system_state_data_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 ')
 define(`files_search_system_state_data_directory_depend',`
 	type var_t;
 	class dir search;
 ')
@ -833,11 +925,13 @@ class dir search;
 #
 define(`files_ignore_search_system_state_data_directory',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 var_t:dir search;
 ')
 define(`files_ignore_search_system_state_data_directory_depend',`
 	type var_t;
 	class dir search;
 ')
@ -847,6 +941,7 @@ class dir search;
 #
 define(`files_manage_pseudorandom_saved_seed',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
 	allow $1 var_lib_t:file { getattr create read write setattr unlink };
@ -854,6 +949,7 @@ allow $1 var_lib_t:file { getattr create read write setattr unlink };
 define(`files_manage_pseudorandom_saved_seed_depend',`
 	type var_t, var_lib_t;
 	class dir { getattr search read write add_name remove_name };
 	class file { getattr create read write setattr unlink };
 ')
@ -864,12 +960,14 @@ class file { getattr create read write setattr unlink };
 #
 define(`files_get_system_lock_file_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_lock_t:dir { getattr search read };
 	allow $1 var_lock_t:file getattr;
 ')
 define(`files_get_system_lock_file_attributes_depend',`
 	type var_lock_t;
 	class dir { getattr search read };
 	class file getattr;
 ')
@ -880,12 +978,14 @@ class file getattr;
 #
 define(`files_manage_system_lock_files',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
 	allow $1 var_lock_t:file { getattr create read write setattr unlink };
 ')
 define(`files_manage_system_lock_files_depend',`
 	type var_lock_t;
 	class dir { getattr search create read write setattr add_name remove_name rmdir };
 	class file { getattr create read write setattr unlink };
 ')
@ -896,12 +996,14 @@ class file { getattr create read write setattr unlink };
 #
 define(`files_remove_all_lock_files',`
 	requires_block_template(`$0'_depend)
 	allow $1 lockfile:dir { getattr search read write add_name remove_name };
 	allow $1 lockfile:file { getattr unlink };
 ')
 define(`files_remove_all_lock_files_depend',`
 	attribute lockfile;
 	class dir { getattr search read write add_name remove_name };
 	class file { getattr unlink };
 ')
@ -912,8 +1014,10 @@ class file { getattr unlink };
 #
 define(`files_create_private_lock_file',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-allow $1 var_lock_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_lock_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 var_lock_t:file $2;
 	',`
@ -923,7 +1027,8 @@ type_transition $1 var_lock_t:$3 $2;
 define(`files_create_private_lock_file_depend',`
 	type var_t, var_lock_t;
-class dir { getattr search read write add_name };
+
 	class dir rw_dir_perms;
 ')
 ########################################
@ -932,12 +1037,14 @@ class dir { getattr search read write add_name };
 #
 define(`files_search_runtime_data_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_run_t:dir search;
 ')
 define(`files_search_runtime_data_directory_depend',`
 	type var_t, var_run_t;
 	class dir search;
 ')
@ -947,11 +1054,13 @@ class dir search;
 #
 define(`files_ignore_search_runtime_data_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_run_t:dir search;
 ')
 define(`files_ignore_search_runtime_data_directory_depend',`
 	type var_run_t;
 	class dir search;
 ')
@ -961,12 +1070,14 @@ class dir search;
 #
 define(`files_read_runtime_data_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_run_t:dir { getattr search read };
 ')
 define(`files_read_runtime_data_directory_depend',`
 	type var_t, var_run_t;
 	class dir { getattr search read };
 ')
@ -976,18 +1087,21 @@ class dir { getattr search read };
 #
 define(`files_create_daemon_runtime_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
-allow $1 var_run_t:dir { getattr search read write add_name remove_name };
+	allow $1 var_run_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 var_run_t:file $2;
 	',`
 		type_transition $1 var_run_t:$3 $2;
-') dnl end ifelse
+	')
 ')
 define(`files_create_daemon_runtime_data_depend',`
 	type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name };
+
 	class dir rw_dir_perms;
 ')
 ########################################
@ -996,6 +1110,7 @@ class dir { getattr search read write add_name remove_name };
 #
 define(`files_modify_system_runtime_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_run_t:dir { getattr search read };
 	allow $1 var_run_t:file { getattr read write };
@ -1003,6 +1118,7 @@ allow $1 var_run_t:file { getattr read write };
 define(`files_modify_system_runtime_data_depend',`
 	type var_t, var_run_t;
 	class dir { getattr search read };
 	class file { getattr read write };
 ')
@ -1021,11 +1137,13 @@ class file { getattr read write };
 define(`files_ignore_write_all_daemon_runtime_data',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 pidfile:file write;
 ')
 define(`files_ignore_write_all_daemon_runtime_data_depend',`
 	attribute pidfile;
 	class file write;
 ')
@ -1043,11 +1161,13 @@ class file write;
 define(`files_ignore_ioctl_all_daemon_runtime_data',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 pidfile:file ioctl;
 ')
 define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
 	attribute pidfile;
 	class file ioctl;
 ')
@ -1057,6 +1177,7 @@ class file ioctl;
 #
 define(`files_read_all_daemon_runtime_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 pidfile:dir r_dir_perms;
 	allow $1 pidfile:file r_file_perms;
@ -1064,6 +1185,7 @@ allow $1 pidfile:file r_file_perms;
 define(`files_read_all_daemon_runtime_data_depend',`
 	attribute pidfile;
 	type var_t;
 	class dir r_dir_perms;
 	class file r_file_perms;
@ -1075,18 +1197,21 @@ class file r_file_perms;
 #
 define(`files_remove_all_daemon_runtime_data',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
 	allow $1 var_run_t:dir rmdir;
-allow $1 pidfile:dir { getattr search read write add_name remove_name };
+	allow $1 pidfile:dir rw_dir_perms;
 	allow $1 pidfile:file { getattr unlink };
 	allow $1 pidfile:sock_file { getattr unlink };
 ')
 define(`files_remove_all_daemon_runtime_data_depend',`
 	attribute pidfile;
 	type var_t, var_run_t;
-class dir { getattr search read write add_name remove_name rmdir };
+
 	class dir rw_dir_perms;
 	class file { getattr unlink };
 	class lnk_file { getattr unlink };
 	class sock_file { getattr unlink };
@ -1098,12 +1223,14 @@ class sock_file { getattr unlink };
 #
 define(`files_search_system_spool_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_spool_t:dir search;
 ')
 define(`files_search_system_spool_directory_depend',`
 	type var_t, var_spool_t;
 	class dir search;
 ')
@ -1113,12 +1240,14 @@ class dir search;
 #
 define(`files_read_system_spool_directory',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_spool_t:dir { getattr search read };
 ')
 define(`files_read_system_spool_directory_depend',`
 	type var_t, var_spool_t;
 	class dir { getattr search read };
 ')
@ -1128,6 +1257,7 @@ class dir { getattr search read };
 #
 define(`files_read_system_spools',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_spool_t:dir { getattr search read };
 	allow $1 var_spool_t:file { getattr read };
@ -1135,6 +1265,7 @@ allow $1 var_spool_t:file { getattr read };
 define(`files_read_system_spools_depend',`
 	type var_t, var_spool_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -1145,6 +1276,7 @@ class file { getattr read };
 #
 define(`files_manage_system_spools',`
 	requires_block_template(`$0'_depend)
 	allow $1 var_t:dir search;
 	allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
 	allow $1 var_spool_t:file { getattr create read write append unlink setattr };
@ -1152,6 +1284,7 @@ allow $1 var_spool_t:file { getattr create read write append unlink setattr };
 define(`files_manage_system_spools_depend',`
 	type var_t, var_spool_t;
 	class dir { getattr search read write add_name remove_name };
 	class file { getattr create read write append unlink setattr };
 ')
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@ -5,10 +5,12 @@
 #
 define(`getty_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 getty_exec_t:file { getattr read execute };
 	allow $1 getty_t:process transition;
 	type_transition $1 getty_exec_t:process getty_t;
 	dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
 	allow $1 getty_t:fd use;
 	allow getty_t $1:fd use;
 	allow getty_t $1:fifo_file rw_file_perms;
@ -17,6 +19,7 @@ allow getty_t $1:process sigchld;
 define(`getty_transition_depend',`
 	type getty_t, getty_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -29,11 +32,13 @@ class fifo_file rw_file_perms;
 #
 define(`getty_read_log_file',`
 	requires_block_template(`$0'_depend)
 	allow $1 getty_log_t:file { getattr read };
 ')
 define(`getty_read_log_file_depend',`
 	type getty_log_t;
 	class file { getattr read };
 ')
@ -43,11 +48,13 @@ class file { getattr read };
 #
 define(`getty_read_config_file',`
 	requires_block_template(`$0'_depend)
 	allow $1 getty_etc_t:file { getattr read };
 ')
 define(`getty_read_config_file_depend',`
 	type getty_etc_t;
 	class file { getattr read };
 ')
@ -57,10 +64,12 @@ class file { getattr read };
 #
 define(`getty_modify_config_file',`
 	requires_block_template(`$0'_depend)
 	allow $1 getty_etc_t:file { getattr read write };
 ')
 define(`getty_modify_config_file_depend',`
 	type getty_etc_t;
 	class file { getattr read write };
 ')
--- a/refpolicy/policy/modules/system/hostname.if
+++ b/refpolicy/policy/modules/system/hostname.if
@ -15,10 +15,12 @@
 #
 define(`hostname_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 hostname_exec_t:file { getattr read execute };
 	allow $1 hostname_t:process transition;
 	type_transition $1 hostname_exec_t:process hostname_t;
 	dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
 	allow $1 hostname_t:fd use;
 	allow hostname_t $1:fd use;
 	allow hostname_t $1:fifo_file rw_file_perms;
@ -27,6 +29,7 @@ allow hostname_t $1:process sigchld;
 define(`hostname_transition_depend',`
 	type hostname_t, hostname_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -54,6 +57,7 @@ class fifo_file rw_file_perms;
 #
 define(`hostname_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	hostname_transition($1)
 	role $2 types hostname_t;
 	allow hostname_t $3:chr_file { getattr read write ioctl };
@ -61,6 +65,7 @@ allow hostname_t $3:chr_file { getattr read write ioctl };
 define(`hostname_transition_add_role_use_terminal_depend',`
 	type hostname_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -70,11 +75,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`hostname_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 hostname_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`hostname_execute_depend',`
 	type hostname_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@ -62,7 +62,7 @@ tunable_policy(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hostname_t)
 	terminal_ignore_use_general_pseudoterminal(hostname_t)
 	files_ignore_read_rootfs_file(hostname_t)
-')dnl end targeted_policy tunable
+')
 tunable_policy(`use_dns',`
 	allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@ -10,10 +10,12 @@
 #
 define(`hotplug_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 hotplug_exec_t:file { getattr read execute };
 	allow $1 hotplug_t:process transition;
 	type_transition $1 hotplug_exec_t:process hotplug_t;
 	dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
 	allow $1 hotplug_t:fd use;
 	allow hotplug_t $1:fd use;
 	allow hotplug_t $1:fifo_file rw_file_perms;
@ -22,6 +24,7 @@ allow hotplug_t $1:process sigchld;
 define(`hotplug_transition_depend',`
 	type hotplug_t, hotplug_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -34,11 +37,13 @@ class fifo_file rw_file_perms;
 #
 define(`hotplug_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`hotplug_execute_depend',`
 	type hotplug_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -48,11 +53,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`hotplug_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 hotplug_t:fd use;
 ')
 define(`hotplug_use_file_descriptors_depend',`
 	type hotplug_t;
 	class fd use;
 ')
@ -62,11 +69,13 @@ class fd use;
 #
 define(`hotplug_ignore_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 hotplug_t:fd use;
 ')
 define(`hotplug_ignore_use_file_descriptors_depend',`
 	type hotplug_t;
 	class fd use;
 ')
@ -76,11 +85,13 @@ class fd use;
 #
 define(`hotplug_ignore_search_config_directory',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 hotplug_etc_t:dir search;
 ')
 define(`hotplug_ignore_search_config_directory_depend',`
 	type hotplug_etc_t;
 	class dir search;
 ')
@ -97,6 +108,7 @@ class dir search;
 #
 define(`hotplug_read_config',`
 	requires_block_template(`$0'_depend)
 	files_search_general_system_config_directory($1)
 	allow $1 hotplug_etc_t:file { read getattr lock ioctl };
 	allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
@ -105,6 +117,7 @@ allow $1 hotplug_etc_t:lnk_file { getattr read };
 define(`hotplug_read_config_depend',`
 	type hotplug_etc_t;
 	class file { read getattr lock ioctl };
 	class dir { read getattr lock search ioctl };
 	class lnk_file { getattr read };
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -113,9 +113,9 @@ optional_policy(`netutils.te', `
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_transition(hotplug_t)
 		filesystem_use_tmpfs_character_devices(hotplug_t)
-') dnl endif netutils optional
+	')
 	files_get_system_lock_file_attributes(hotplug_t)
-')dnl end distro_redhat tunable
+')
 tunable_policy(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hotplug_t)
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -127,10 +127,12 @@ define(`init_make_system_domain_depend',`
 #
 define(`init_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 init_exec_t:file { getattr read execute };
 	allow $1 init_t:process transition;
 	type_transition $1 init_exec_t:process init_t;
 	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
 	allow $1 init_t:fd use;
 	allow init_t $1:fd use;
 	allow init_t $1:fifo_file rw_file_perms;
@ -139,6 +141,7 @@ allow init_t $1:process sigchld;
 define(`init_transition_depend',`
 	type init_t, init_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -151,11 +154,13 @@ class fifo_file rw_file_perms;
 #
 define(`init_get_process_group',`
 	requires_block_template(`$0'_depend)
 	allow $1 init_t:process getpgid;
 ')
 define(`init_get_process_group_depend',`
 	type init_t;
 	class process getpgid;
 ')
@ -165,11 +170,13 @@ class process getpgid;
 #
 define(`init_get_control_channel_attributes',`
 	requires_block_template(`$0'_depend)
 	allow $1 initctl_t:fifo_file getattr;
 ')
 define(`init_get_control_channel_attributes_depend',`
 	type initctl_t;
 	class fifo_file getattr;
 ')
@ -179,11 +186,13 @@ class fifo_file getattr;
 #
 define(`init_ignore_get_control_channel_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 initctl_t:fifo_file getattr;
 ')
 define(`init_get_control_channel_attributes_depend',`
 	type initctl_t;
 	class fifo_file getattr;
 ')
@ -193,12 +202,14 @@ class fifo_file getattr;
 #
 define(`init_use_control_channel',`
 	requires_block_template(`$0'_depend)
-allow $1 initctl_t:fifo_file { getattr read write };
+
 	devices_list_device_nodes($1)
 	allow $1 initctl_t:fifo_file { getattr read write };
 ')
 define(`init_use_control_channel_depend',`
 	type initctl_t;
 	class fifo_file { getattr read write };
 ')
@ -208,11 +219,13 @@ class fifo_file { getattr read write };
 #
 define(`init_ignore_use_control_channel',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 initctl_t:fifo_file { read write };
 ')
 define(`init_ignore_use_control_channel_depend',`
 	type initctl_t;
 	class fifo_file { read write };
 ')
@ -222,11 +235,13 @@ class fifo_file { read write };
 #
 define(`init_sigchld',`
 	requires_block_template(`$0'_depend)
 	allow $1 init_t:process sigchld;
 ')
 define(`init_sigchld_depend',`
 	type init_t;
 	class process sigchld;
 ')
@ -236,11 +251,13 @@ class process sigchld;
 #
 define(`init_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 init_t:fd use;
 ')
 define(`init_use_file_descriptors_depend',`
 	type init_t;
 	class fd use;
 ')
@ -250,11 +267,13 @@ class fd use;
 #
 define(`init_ignore_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 init_t:fd use;
 ')
 define(`init_ignore_use_file_descriptors_depend',`
 	type init_t;
 	class fd use;
 ')
@ -264,10 +283,12 @@ class fd use;
 #
 define(`init_script_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_exec_t:file { getattr read execute };
 	allow $1 initrc_t:process transition;
 	type_transition $1 initrc_exec_t:process init_t;
 	dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
 	allow $1 initrc_t:fd use;
 	allow initrc_t $1:fd use;
 	allow initrc_t $1:fifo_file rw_file_perms;
@ -276,6 +297,7 @@ allow initrc_t $1:process sigchld;
 define(`init_script_transition_depend',`
 	type initrc_t, initrc_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -288,11 +310,13 @@ class fifo_file rw_file_perms;
 #
 define(`init_script_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`init_script_execute_depend',`
 	type initrc_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -309,9 +333,11 @@ class file { getattr read execute execute_no_trans };
 #
 define(`init_script_read_process_state',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_t:dir { search getattr read };
 	allow $1 initrc_t:{ file lnk_file } { read getattr };
 	allow $1 initrc_t:process getattr;
 	# We need to suppress this denial because procps tries to access
 	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
 	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
@ -321,6 +347,7 @@ dontaudit $1 initrc_t:process ptrace;
 define(`init_script_read_process_state_depend',`
 	type initrc_t;
 	class dir { search getattr read };
 	class file { read getattr };
 	class lnk_file { read getattr };
@ -333,11 +360,13 @@ class process { getattr ptrace };
 #
 define(`init_script_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_t:fd use;
 ')
 define(`init_script_use_file_descriptors_depend',`
 	type initrc_t;
 	class fd use;
 ')
@ -347,11 +376,13 @@ class fd use;
 #
 define(`init_script_ignore_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 initrc_t:fd use;
 ')
 define(`init_script_ignore_use_file_descriptors_depend',`
 	type initrc_t;
 	class fd use;
 ')
@ -361,11 +392,13 @@ class fd use;
 #
 define(`init_script_get_process_group',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_t:process getpgid;
 ')
 define(`init_script_get_process_group_depend',`
 	type initrc_t;
 	class process getpgid;
 ')
@ -375,12 +408,14 @@ class process getpgid;
 #
 define(`init_script_use_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	terminal_list_pseudoterminals($1)
 	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
 ')
 define(`init_script_use_pseudoterminal_depend',`
 	type initrc_devpts_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -390,11 +425,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`init_script_ignore_use_pseudoterminal',`
 	requires_block_template(`$0'_depend)
 	allow $1 initrc_devpts_t:chr_file { read write ioctl };
 ')
 define(`init_script_ignore_use_pseudoterminal_depend',`
 	type initrc_devpts_t;
 	class chr_file { read write ioctl };
 ')
@ -411,12 +448,14 @@ class chr_file { read write ioctl };
 #
 define(`init_script_modify_temporary_data',`
 	requires_block_template(`$0'_depend)
 	# FIXME: read tmp_t
 	allow $1 initrc_tmp_t:file { getattr read write };
 ')
 define(`init_script_modify_temporary_data_depend',`
 	type initrc_var_run_t;
 	class file { getattr read write };
 ')
@ -426,12 +465,14 @@ class file { getattr read write };
 #
 define(`init_script_read_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_read_runtime_data_directory($1)
 	allow $1 initrc_var_run_t:file { getattr read lock };
 ')
 define(`init_script_read_runtime_data_depend',`
 	type initrc_var_run_t;
 	class file { getattr read lock };
 ')
@ -441,11 +482,13 @@ class file { getattr read lock };
 #
 define(`init_script_ignore_write_runtime_data',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 initrc_var_run_t:file { write lock };
 ')
 define(`init_script_ignore_write_runtime_data_depend',`
 	type initrc_var_run_t;
 	class file { write lock };
 ')
@ -455,12 +498,14 @@ class file { write lock };
 #
 define(`init_script_modify_runtime_data',`
 	requires_block_template(`$0'_depend)
 	files_read_runtime_data_directory($1)
 	allow $1 initrc_var_run_t:file { getattr read write append lock };
 ')
 define(`init_script_modify_runtime_data_depend',`
 	type initrc_var_run_t;
 	class file { getattr read write append lock };
 ')
@ -470,11 +515,13 @@ class file { getattr read write append lock };
 #
 define(`init_script_ignore_modify_runtime_data',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 initrc_var_run_t:file { getattr read write append };
 ')
 define(`init_script_ignore_modify_runtime_data_depend',`
 	type initrc_var_run_t;
 	class file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/iptables.if
+++ b/refpolicy/policy/modules/system/iptables.if
@ -14,10 +14,12 @@
 #
 define(`iptables_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 iptables_exec_t:file { getattr read execute };
 	allow $1 iptables_t:process transition;
 	type_transition $1 iptables_exec_t:process iptables_t;
 	dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
 	allow $1 iptables_t:fd use;
 	allow iptables_t $1:fd use;
 	allow iptables_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow iptables_t $1:process sigchld;
 define(`iptables_transition_depend',`
 	type iptables_t, iptables_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -52,6 +55,7 @@ class fifo_file rw_file_perms;
 #
 define(`iptables_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	iptables_transition($1)
 	role $2 types iptables_t;
 	allow iptables_t $3:chr_file { getattr read write ioctl };
@ -59,6 +63,7 @@ allow iptables_t $3:chr_file { getattr read write ioctl };
 define(`iptables_transition_add_role_use_terminal_depend',`
 	type iptables_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -75,11 +80,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`iptables_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`iptables_execute_depend',`
 	type iptables_t, iptables_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@ -14,10 +14,12 @@
 #
 define(`libraries_ldconfig_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 ldconfig_exec_t:file { getattr read execute };
 	allow $1 ldconfig_t:process transition;
 	type_transition $1 ldconfig_exec_t:process ldconfig_t;
 	dontaudit $1 ldconfig_t:process { noatsecure siginh rlimitinh };
 	allow $1 ldconfig_t:fd use;
 	allow ldconfig_t $1:fd use;
 	allow ldconfig_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow ldconfig_t $1:process sigchld;
 define(`libraries_ldconfig_transition_depend',`
 	type ldconfig_t, ldconfig_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -51,6 +54,7 @@ class fifo_file rw_file_perms;
 #
 define(`libraries_ldconfig_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	libraries_ldconfig_transition($1)
 	role $2 types ldconfig_t;
 	allow ldconfig_t $3:chr_file { getattr read write ioctl };
@ -58,6 +62,7 @@ allow ldconfig_t $3:chr_file { getattr read write ioctl };
 define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
 	type ldconfig_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -75,6 +80,7 @@ class chr_file { getattr read write ioctl };
 #
 define(`libraries_use_dynamic_loader',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
@ -85,6 +91,7 @@ allow $1 ld_so_cache_t:file r_file_perms;
 define(`libraries_use_dynamic_loader_depend',`
 	type lib_t, ld_so_t, ld_so_cache_t;
 	class dir r_dir_perms;
 	class lnk_file r_file_perms;
 	class file rx_file_perms;
@ -104,6 +111,7 @@ class file rx_file_perms;
 #
 define(`libraries_legacy_use_dynamic_loader',`
 	requires_block_template(`$0'_depend)
 	libraries_use_dynamic_loader($1)
 	allow $1 ld_so_t:file execmod;
 	allow $1 ld_so_cache_t:file execute;
@ -111,6 +119,7 @@ allow $1 ld_so_cache_t:file execute;
 define(`libraries_legacy_use_dynamic_loader_depend',`
 	type ld_so_t, ld_so_cache_t;
 	class file { execute execmod };
 ')
@ -132,6 +141,7 @@ class file { execute execmod };
 #
 define(`libraries_execute_dynamic_loader',`
 	requires_block_template(`$0'_depend)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
 	allow $1 ld_so_t:lnk_file r_file_perms;
@ -140,6 +150,7 @@ allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
 define(`libraries_execute_dynamic_loader_depend',`
 	type lib_t, ld_so_t;
 	class dir r_dir_perms;
 	class lnk_file r_file_perms;
 	class file { r_file_perms execute execute_no_trans };
@ -159,12 +170,14 @@ class file { r_file_perms execute execute_no_trans };
 #
 define(`libraries_modify_dynamic_loader_cache',`
 	requires_block_template(`$0'_depend)
 	files_read_general_system_config_directory($1)
 	allow $1 ld_so_cache_t:file { getattr read write };
 ')
 define(`libraries_modify_dynamic_loader_cache_depend',`
 	type ld_so_cache_t;
 	class file { getattr read write };
 ')
@ -182,12 +195,14 @@ class file { getattr read write };
 #
 define(`libraries_read_library_resources',`
 	requires_block_template(`$0'_depend)
 	allow $1 lib_t:dir { getattr read search };
 	allow $1 lib_t:{ file lnk_file } { getattr read };
 ')
 define(`libraries_read_library_resources_depend',`
 	type lib_t;
 	class dir { getattr read search };
 	class lnk_file { getattr read };
 	class file { getattr read };
@ -206,6 +221,7 @@ class file { getattr read };
 #
 define(`libraries_execute_library_scripts',`
 	requires_block_template(`$0'_depend)
 	allow $1 lib_t:dir { getattr read search };
 	allow $1 lib_t:lnk_file { getattr read };
 	allow $1 lib_t:file { getattr read execute execute_no_trans };
@ -213,6 +229,7 @@ allow $1 lib_t:file { getattr read execute execute_no_trans };
 define(`libraries_execute_library_scripts_depend',`
 	type lib_t;
 	class dir { getattr read search };
 	class lnk_file { getattr read };
 	class file { getattr read execute execute_no_trans };
@ -231,6 +248,7 @@ class file { getattr read execute execute_no_trans };
 #
 define(`libraries_use_shared_libraries',`
 	requires_block_template(`$0'_depend)
 	files_search_general_application_resources_dir($1)
 	allow $1 lib_t:dir r_dir_perms;
 	allow $1 lib_t:lnk_file r_file_perms;
@ -240,6 +258,7 @@ allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
 define(`libraries_use_shared_libraries_depend',`
 	type lib_t, shlib_t, texrel_shlib_t;
 	class dir r_dir_perms;
 	class lnk_file r_file_perms;
 	class file rx_dir_perms;
@ -259,12 +278,14 @@ class file rx_dir_perms;
 #
 define(`libraries_legacy_use_shared_libraries',`
 	requires_block_template(`$0'_depend)
 	libraries_use_shared_libraries($1)
 	allow $1 { shlib_t texrel_shlib_t }:file execmod;
 ')
 define(`libraries_legacy_use_shared_libraries_depend',`
 	type shlib_t, texrel_shlib_t;
 	class file execmod;
 ')
--- a/refpolicy/policy/modules/system/locallogin.if
+++ b/refpolicy/policy/modules/system/locallogin.if
@ -5,6 +5,7 @@
 #
 define(`locallogin_transition',`
 	requires_block_template(`$0'_depend)
 	authlogin_login_program_transition($1,local_login_t)
 ')
@ -18,10 +19,12 @@ type local_login_t;
 #
 define(`locallogin_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 local_login_t:fd use;
 ')
 define(`locallogin_use_file_descriptors_depend',`
 	type local_login_t;
 	class fd use;
 ')
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -7,6 +7,7 @@
 #
 define(`logging_make_log_file',`
 	requires_block_template(`$0'_depend)
 	files_make_file($1)
 	typeattribute $1 logfile;
 ')
@ -21,17 +22,20 @@ attribute logfile;
 #
 define(`logging_create_private_log',`
 	requires_block_template(`$0'_depend)
-allow $1 var_log_t:dir { getattr search read write add_name remove_name };
+
 	allow $1 var_log_t:dir rw_dir_perms;
 	ifelse(`$3',`',`
 		type_transition $1 var_log_t:file $2;
 	',`
 		type_transition $1 var_log_t:$3 $2;
-') dnl end ifelse
+	')
 ')
 define(`logging_create_private_log_depend',`
 	type var_log_t;
-class dir { getattr search read write add_name remove_name };
+
 	class dir rw_dir_perms;
 ')
 #######################################
@ -40,19 +44,23 @@ class dir { getattr search read write add_name remove_name };
 #
 define(`logging_send_system_log_message',`
 	requires_block_template(`$0'_depend)
 	allow $1 devlog_t:lnk_file read;
 	allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
 	allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
 	allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
 	# cjp: this should most likely be removed:
 	terminal_use_console($1)
 ')
 define(`logging_send_system_log_message_depend',`
 	type syslogd_t, devlog_t;
 	class sock_file { ioctl read getattr lock write append };
 	class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown sendto };
 	class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
@ -73,12 +81,14 @@ class unix_stream_socket { create read getattr write setattr append bind connect
 #
 define(`logging_search_system_log_directory',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir search;
 ')
 define(`logging_search_system_log_directory_depend',`
 	type var_log_t;
 	class dir search;
 ')
@ -88,11 +98,13 @@ class dir search;
 #
 define(`logging_ignore_get_all_logs_attributes',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 logfile:file getattr;
 ')
 define(`logging_ignore_get_all_logs_attributes_depend',`
 	attribute logfile;
 	class file getattr;
 ')
@ -102,6 +114,7 @@ class file getattr;
 #
 define(`logging_append_all_logs',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir { getattr search read };
 	allow $1 logfile:file { getattr append };
@ -109,7 +122,9 @@ allow $1 logfile:file { getattr append };
 define(`logging_append_all_logs_depend',`
 	attribute logfile;
 	type var_log_t;
 	class dir { getattr search read };
 	class file { getattr append };
 ')
@ -120,6 +135,7 @@ class file { getattr append };
 #
 define(`logging_read_all_logs',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir { getattr search read };
 	allow $1 logfile:file { getattr read };
@ -127,7 +143,9 @@ allow $1 logfile:file { getattr read };
 define(`logging_read_all_logs_depend',`
 	attribute logfile;
 	type var_log_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -138,6 +156,7 @@ class file { getattr read };
 #
 define(`logging_read_system_logs',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir { getattr search read };
 	allow $1 var_log_t:file { getattr read };
@ -145,6 +164,7 @@ allow $1 var_log_t:file { getattr read };
 define(`logging_read_system_logs_depend',`
 	type var_log_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -155,6 +175,7 @@ class file { getattr read };
 #
 define(`logging_write_system_logs',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir { getattr search read };
 	allow $1 var_log_t:file { getattr write };
@ -162,6 +183,7 @@ allow $1 var_log_t:file { getattr write };
 define(`logging_write_system_logs_depend',`
 	type var_log_t;
 	class dir { getattr search read };
 	class file { getattr write };
 ')
@ -172,6 +194,7 @@ class file { getattr write };
 #
 define(`logging_modify_system_logs',`
 	requires_block_template(`$0'_depend)
 	files_search_system_state_data_directory($1)
 	allow $1 var_log_t:dir { getattr search read };
 	allow $1 var_log_t:file { getattr read write append };
@ -179,6 +202,7 @@ allow $1 var_log_t:file { getattr read write append };
 define(`logging_modify_system_logs_depend',`
 	type var_log_t;
 	class dir { getattr search read };
 	class file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@ -14,10 +14,12 @@
 #
 define(`lvm_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 lvm_exec_t:file { getattr read execute };
 	allow $1 lvm_t:process transition;
 	type_transition $1 lvm_exec_t:process lvm_t;
 	dontaudit $1 lvm_t:process { noatsecure siginh rlimitinh };
 	allow $1 lvm_t:fd use;
 	allow lvm_t $1:fd use;
 	allow lvm_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow lvm_t $1:process sigchld;
 define(`lvm_transition_depend',`
 	type lvm_t, lvm_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -51,6 +54,7 @@ class fifo_file rw_file_perms;
 #
 define(`lvm_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	lvm_transition($1)
 	role $2 types lvm_t;
 	allow lvm_t $3:chr_file { getattr read write ioctl };
@ -58,6 +62,7 @@ allow lvm_t $3:chr_file { getattr read write ioctl };
 define(`lvm_transition_add_role_use_terminal_depend',`
 	type lvm_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -74,12 +79,14 @@ class chr_file { getattr read write ioctl };
 #
 define(`lvm_read_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 lvm_etc_t:dir { getattr search read };
 	allow $1 lvm_etc_t:file { getattr read };
 ')
 define(`lvm_read_config_depend',`
 	type lvm_t, lvm_exec_t;
 	class file { getattr read };
 ')
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@ -5,15 +5,17 @@
 #
 define(`miscfiles_manage_man_page_cache',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search var_t dir
-allow $1 catman_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+	allow $1 catman_t:dir create_dir_perms;
-allow $1 catman_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 catman_t:file create_file_perms;
 ')
 define(`miscfiles_manage_man_page_cache_depend',`
 	type catman_t;
-class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+
-class file { create ioctl read getattr lock write setattr append link unlink rename };
+	class dir create_dir_perms;
 	class file create_file_perms;
 ')
 ########################################
@ -22,6 +24,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`miscfiles_read_fonts',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search usr_t dir
 	# FIXME: search lib_t dir
 	# cjp: fonts can be in either of the above dirs
@ -31,6 +34,7 @@ allow $1 fonts_t:file { getattr read };
 define(`miscfiles_read_fonts_depend',`
 	type fonts_t;
 	class dir { getattr read search };
 	class file { getattr read };
 ')
@ -41,19 +45,20 @@ class file { getattr read };
 #
 define(`miscfiles_read_localization',`
 	requires_block_template(`$0'_depend)
 	# FIXME: $1 read etc_t:lnk_file here
 	# FIXME: $1 search usr_t:dir here
 # why?
 libraries_read_library_resources($1)
 	allow $1 locale_t:dir { getattr read search };
 	allow $1 locale_t:lnk_file { getattr read };
 	allow $1 locale_t:file { getattr read };
 	# why?
 	libraries_read_library_resources($1)
 ')
 define(`miscfiles_read_localization_depend',`
 	type locale_t;
 	class dir { getattr read search };
 	class lnk_file { getattr read };
 	class file { getattr read };
@ -65,12 +70,14 @@ class file { getattr read };
 #
 define(`miscfiles_legacy_read_localization',`
 	requires_block_template(`$0'_depend)
 	miscfiles_read_localization($1)
 	allow $1 locale_t:file execute;
 ')
 define(`miscfiles_read_localization_depend',`
 	type locale_t;
 	class file execute;
 ')
@ -80,6 +87,7 @@ class file execute;
 #
 define(`miscfiles_read_man_pages',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search usr_t dir
 	allow $1 man_t:dir { getattr read search };
 	allow $1 man_t:file { getattr read };
@ -88,6 +96,7 @@ allow $1 man_t:lnk_file { getattr read };
 define(`miscfiles_read_man_pages_depend',`
 	type man_t;
 	class dir { getattr read search };
 	class file { getattr read };
 	class lnk_file { getattr read };
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@ -14,12 +14,14 @@
 #
 define(`modutils_read_kernel_module_dependencies',`
 	requires_block_template(`$0'_depend)
 	bootloader_list_kernel_modules($1)
 	allow $1 modules_dep_t:file { getattr read };
 ')
 define(`modutils_read_kernel_module_dependencies_depend',`
 	type modules_dep_t;
 	class file { getattr create read write setattr unlink };
 	class dir { search read write add_name remove_name };
 ')
@ -38,11 +40,13 @@ class dir { search read write add_name remove_name };
 #
 define(`modutils_read_kernel_module_loading_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 modules_conf_t:file { getattr read };
 ')
 define(`modutils_read_kernel_module_loading_config_depend',`
 	type modules_conf_t;
 	class file { getattr create read write setattr unlink };
 ')
@ -60,10 +64,12 @@ class file { getattr create read write setattr unlink };
 #
 define(`modutils_insmod_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 insmod_exec_t:file { getattr read execute };
 	allow $1 insmod_t:process transition;
 	type_transition $1 insmod_exec_t:process insmod_t;
 	dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
 	allow $1 insmod_t:fd use;
 	allow insmod_t $1:fd use;
 	allow insmod_t $1:fifo_file rw_file_perms;
@ -72,6 +78,7 @@ allow insmod_t $1:process sigchld;
 define(`modutils_insmod_transition_depend',`
 	type insmod_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -100,6 +107,7 @@ class fifo_file rw_file_perms;
 #
 define(`modutils_insmod_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	modutils_insmod_transition($1)
 	role $2 types insmod_t;
 	allow insmod_t $3:chr_file { getattr read write ioctl };
@ -107,6 +115,7 @@ allow insmod_t $3:chr_file { getattr read write ioctl };
 define(`modutils_insmod_transition_add_role_use_terminal_depend',`
 	type insmod_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -116,11 +125,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`modutils_insmod_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`modutils_insmod_execute_depend',`
 	type insmod_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -137,10 +148,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`modutils_depmod_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 depmod_exec_t:file { getattr read execute };
 	allow $1 depmod_t:process transition;
 	type_transition $1 depmod_exec_t:process depmod_t;
 	dontaudit $1 depmod_t:process { noatsecure siginh rlimitinh };
 	allow $1 depmod_t:fd use;
 	allow depmod_t $1:fd use;
 	allow depmod_t $1:fifo_file rw_file_perms;
@ -149,6 +162,7 @@ allow depmod_t $1:process sigchld;
 define(`modutils_depmod_transition_depend',`
 	type depmod_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -174,6 +188,7 @@ class fifo_file rw_file_perms;
 #
 define(`modutils_depmod_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	modutils_depmod_transition($1)
 	role $2 types insmod_t;
 	allow insmod_t $3:chr_file { getattr read write ioctl };
@ -181,6 +196,7 @@ allow insmod_t $3:chr_file { getattr read write ioctl };
 define(`modutils_depmod_transition_add_role_use_terminal_depend',`
 	type depmod_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -190,11 +206,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`modutils_depmod_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`modutils_depmod_execute_depend',`
 	type depmod_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -211,10 +229,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`modutils_update_modules_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 update_modules_exec_t:file { getattr read execute };
 	allow $1 update_modules_t:process transition;
 	type_transition $1 update_modules_exec_t:process update_modules_t;
 	dontaudit $1 update_modules_t:process { noatsecure siginh rlimitinh };
 	allow $1 update_modules_t:fd use;
 	allow update_modules_t $1:fd use;
 	allow update_modules_t $1:fifo_file rw_file_perms;
@ -223,6 +243,7 @@ allow update_modules_t $1:process sigchld;
 define(`modutils_update_modules_transition_depend',`
 	type update_modules_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh signal };
 	class fd use;
@ -248,6 +269,7 @@ class fifo_file rw_file_perms;
 #
 define(`modutils_update_modules_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	modutils_update_modules_transition($1)
 	role $2 types update_modules_t;
 	allow update_modules_t $3:chr_file { getattr read write ioctl };
@ -255,6 +277,7 @@ allow update_modules_t $3:chr_file { getattr read write ioctl };
 define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
 	type update_modules_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -264,11 +287,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`modutils_update_modules_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`modutils_update_modules_execute_depend',`
 	type update_modules_t;
 	class file { getattr read execute execute_no_trans };
 ')
--- a/refpolicy/policy/modules/system/mount.if
+++ b/refpolicy/policy/modules/system/mount.if
@ -14,10 +14,12 @@
 #
 define(`mount_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 mount_exec_t:file { getattr read execute };
 	allow $1 mount_t:process transition;
 	type_transition $1 mount_exec_t:process mount_t;
 	dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
 	allow $1 mount_t:fd use;
 	allow mount_t $1:fd use;
 	allow mount_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow mount_t $1:process sigchld;
 define(`mount_transition_depend',`
 	type mount_t, mount_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -53,6 +56,7 @@ class fifo_file rw_file_perms;
 #
 define(`mount_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	mount_transition($1)
 	role $2 types mount_t;
 	allow mount_t $3:chr_file { getattr read write ioctl };
@ -60,6 +64,7 @@ allow mount_t $3:chr_file { getattr read write ioctl };
 define(`mount_transition_add_role_use_terminal_depend',`
 	type mount_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -69,11 +74,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`mount_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 mount_t:fd use; 
 ')
 define(`mount_use_file_descriptors_depend',`
 	type mount_t;
 	class fd use;
 ')
@ -83,11 +90,13 @@ class fd use;
 #
 define(`mount_send_nfs_client_request',`
 	requires_block_template(`$0'_depend)
 	allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
 ')
 define(`mount_send_nfs_client_request_depend',`
 	type mount_t;
 	class udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 ')
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -76,9 +76,8 @@ optional_policy(`authlogin.te',`
 		authlogin_pam_console_read_runtime_data(mount_t)
 		# mount config by default sets fscontext=removable_t
 		filesystem_relabelfrom_dos_filesystem(mount_t)
-') dnl end authlogin
+	')
-
+')
 ') dnl end distro_redhat
 optional_policy(`portmap.te', `
 	# for nfs
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@ -14,10 +14,12 @@
 #
 define(`selinux_checkpolicy_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 checkpolicy_exec_t:file { getattr read execute };
 	allow $1 checkpolicy_t:process transition;
 	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
 	allow $1 checkpolicy_t:fd use;
 	allow checkpolicy_t $1:fd use;
 	allow checkpolicy_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow checkpolicy_t $1:process sigchld;
 define(`selinux_checkpolicy_transition_depend',`
 	type checkpolicy_t, checkpolicy_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 	class fd use;
@ -54,6 +57,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_checkpolicy_transition($1)
 	role $2 types checkpolicy_t;
 	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
@ -61,6 +65,7 @@ allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 	type checkpolicy_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -70,11 +75,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_checkpolicy_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_checkpolicy_execute_depend',`
 	type checkpolicy_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -91,10 +98,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_load_policy_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read execute };
 	allow $1 load_policy_t:process transition;
 	type_transition $1 load_policy_exec_t:process load_policy_t;
 	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
 	allow $1 load_policy_t:fd use;
 	allow load_policy_t $1:fd use;
 	allow load_policy_t $1:fifo_file rw_file_perms;
@ -103,6 +112,7 @@ allow load_policy_t $1:process sigchld;
 define(`selinux_load_policy_transition_depend',`
 	type load_policy_t, load_policy_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -131,6 +141,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_load_policy_transition($1)
 	role $2 types load_policy_t;
 	allow load_policy_t $3:chr_file { getattr read write ioctl };
@ -138,6 +149,7 @@ allow load_policy_t $3:chr_file { getattr read write ioctl };
 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 	type load_policy_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -147,11 +159,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_load_policy_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_load_policy_execute_depend',`
 	type load_policy_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -161,11 +175,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_read_load_policy_binary',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read };
 ')
 define(`selinux_read_load_policy_binary_depend',`
 	type load_policy_exec_t;
 	class file { getattr read };
 ')
@ -182,10 +198,12 @@ class file { getattr read };
 #
 define(`selinux_newrole_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_exec_t:file { getattr read execute };
 	allow $1 newrole_t:process transition;
 	type_transition $1 newrole_exec_t:process newrole_t;
 	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 	allow $1 newrole_t:fd use;
 	allow newrole_t $1:fd use;
 	allow newrole_t $1:fifo_file rw_file_perms;
@ -194,6 +212,7 @@ allow newrole_t $1:process sigchld;
 define(`selinux_newrole_transition_depend',`
 	type newrole_t, newrole_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -221,6 +240,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_newrole_transition($1)
 	role $2 types newrole_t;
 	allow newrole_t $3:chr_file { getattr read write ioctl };
@ -228,6 +248,7 @@ allow newrole_t $3:chr_file { getattr read write ioctl };
 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 	type newrole_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -237,11 +258,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_newrole_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_newrole_execute_depend',`
 	type newrole_t, newrole_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -259,11 +282,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_newrole_ignore_signal',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 newrole_t:process signal;
 ')
 define(`selinux_newrole_ignore_signal_depend',`
 	type newrole_t;
 	class process signal;
 ')
@ -273,11 +298,13 @@ class process signal;
 #
 define(`selinux_newrole_sigchld',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_t:process sigchld;
 ')
 define(`selinux_newrole_sigchld_depend',`
 	type newrole_t;
 	class process sigchld;
 ')
@ -287,11 +314,13 @@ class process sigchld;
 #
 define(`selinux_newrole_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_t:fd use;
 ')
 define(`selinux_newrole_use_file_descriptors_depend',`
 	type newrole_t;
 	class fd use;
 ')
@ -308,10 +337,12 @@ class fd use;
 #
 define(`selinux_restorecon_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 restorecon_exec_t:file { getattr read execute };
 	allow $1 restorecon_t:process transition;
 	type_transition $1 restorecon_exec_t:process restorecon_t;
 	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
 	allow $1 restorecon_t:fd use;
 	allow restorecon_t $1:fd use;
 	allow restorecon_t $1:fifo_file rw_file_perms;
@ -319,7 +350,8 @@ allow restorecon_t $1:process sigchld;
 ')
 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
+	type restorecon_t, restorecon_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -347,6 +379,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_restorecon_transition($1)
 	role $2 types restorecon_t;
 	allow restorecon_t $3:chr_file { getattr read write ioctl };
@ -354,6 +387,7 @@ allow restorecon_t $3:chr_file { getattr read write ioctl };
 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 	type restorecon_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -368,6 +402,7 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 define(`selinux_restorecon_execute_depend',`
 	type restorecon_t, restorecon_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -384,10 +419,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_run_init_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 run_init_exec_t:file { getattr read execute };
 	allow $1 run_init_t:process transition;
 	type_transition $1 run_init_exec_t:process run_init_t;
 	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
 	allow $1 run_init_t:fd use;
 	allow run_init_t $1:fd use;
 	allow run_init_t $1:fifo_file rw_file_perms;
@ -396,6 +433,7 @@ allow run_init_t $1:process sigchld;
 define(`selinux_run_init_transition_depend',`
 	type run_init_t, run_init_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -423,6 +461,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_run_init_transition($1)
 	role $2 types run_init_t;
 	allow run_init_t $3:chr_file { getattr read write ioctl };
@ -430,6 +469,7 @@ allow run_init_t $3:chr_file { getattr read write ioctl };
 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
 	type run_init_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -439,11 +479,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_run_init_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 run_init_t:fd use;
 ')
 define(`selinux_run_init_use_file_descriptors_depend',`
 	type run_init_t;
 	class fd use;
 ')
@ -460,10 +502,12 @@ class fd use;
 #
 define(`selinux_setfiles_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 setfiles_exec_t:file { getattr read execute };
 	allow $1 setfiles_t:process transition;
 	type_transition $1 setfiles_exec_t:process setfiles_t;
 	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
 	allow $1 setfiles_t:fd use;
 	allow setfiles_t $1:fd use;
 	allow setfiles_t $1:fifo_file rw_file_perms;
@ -472,6 +516,7 @@ allow setfiles_t $1:process sigchld;
 define(`selinux_setfiles_transition_depend',`
 	type setfiles_t, setfiles_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -499,6 +544,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_setfiles_transition($1)
 	role $2 types setfiles_t;
 	allow setfiles_t $3:chr_file { getattr read write ioctl };
@ -506,6 +552,7 @@ allow setfiles_t $3:chr_file { getattr read write ioctl };
 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 	type setfiles_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -515,11 +562,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_setfiles_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_setfiles_execute_depend',`
 	type setfiles_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -529,12 +578,14 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_read_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir { getattr search read };
 	allow $1 selinux_config_t:file { getattr read };
 ')
 define(`selinux_read_config_depend',`
 	type selinux_config_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -545,6 +596,7 @@ class file { getattr read };
 #
 define(`selinux_read_default_contexts',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir search;
 	allow $1 default_context_t:dir { getattr search read };
 	allow $1 default_context_t:file { getattr read };
@ -552,6 +604,7 @@ allow $1 default_context_t:file { getattr read };
 define(`selinux_read_default_contexts_depend',`
 	type selinux_config_t, default_context_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -562,6 +615,7 @@ class file { getattr read };
 #
 define(`selinux_read_file_contexts',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir search;
 	allow $1 file_context_t:dir { getattr search read };
 	allow $1 file_context_t:file { getattr read };
@ -569,6 +623,7 @@ allow $1 file_context_t:file { getattr read };
 define(`selinux_read_file_contexts_depend',`
 	type selinux_config_t, file_context_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -579,12 +634,14 @@ class file { getattr read };
 #
 define(`selinux_read_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:dir { getattr search read };
 	allow $1 policy_config_t:file { getattr read };
 ')
 define(`selinux_read_binary_policy_depend',`
 	type policy_config_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -595,6 +652,7 @@ class file { getattr read };
 #
 define(`selinux_write_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
 	allow $1 policy_config_t:file { getattr create write unlink };
 	typeattribute $1 can_write_binary_policy;
@ -602,7 +660,9 @@ typeattribute $1 can_write_binary_policy;
 define(`selinux_write_binary_policy_depend',`
 	attribute can_write_binary_policy;
 	type policy_config_t;
 	class dir { getattr search read write add_name remove_name };
 	class file { getattr create write unlink };
 ')
@ -620,13 +680,16 @@ class file { getattr create write unlink };
 #
 define(`selinux_relabelto_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:file relabelto;
 	typeattribute $1 can_relabelto_binary_policy;
 ')
 define(`selinux_relabelto_binary_policy_depend',`
 	attribute can_relabelto_binary_policy;
 	type policy_config_t;
 	class file relabelto;
 ')
@ -636,6 +699,7 @@ class file relabelto;
 #
 define(`selinux_manage_binary_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_config_t:dir { getattr search read };
@ -645,6 +709,7 @@ typeattribute $1 can_write_binary_policy;
 define(`selinux_manage_binary_policy_depend',`
 	attribute can_write_binary_policy;
 	type selinux_config_t, policy_config_t;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
@ -656,6 +721,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`selinux_read_source_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir { getattr search read };
@ -664,6 +730,7 @@ allow $1 policy_src_t:file { getattr read };
 define(`selinux_read_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -674,6 +741,7 @@ class file { getattr read };
 #
 define(`selinux_manage_source_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
@ -682,6 +750,7 @@ allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append
 define(`selinux_manage_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@ -14,10 +14,12 @@
 #
 define(`selinux_checkpolicy_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 checkpolicy_exec_t:file { getattr read execute };
 	allow $1 checkpolicy_t:process transition;
 	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
 	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
 	allow $1 checkpolicy_t:fd use;
 	allow checkpolicy_t $1:fd use;
 	allow checkpolicy_t $1:fifo_file rw_file_perms;
@ -26,6 +28,7 @@ allow checkpolicy_t $1:process sigchld;
 define(`selinux_checkpolicy_transition_depend',`
 	type checkpolicy_t, checkpolicy_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
 	class fd use;
@ -54,6 +57,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_checkpolicy_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_checkpolicy_transition($1)
 	role $2 types checkpolicy_t;
 	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
@ -61,6 +65,7 @@ allow checkpolicy_t $3:chr_file { getattr read write ioctl };
 define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
 	type checkpolicy_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -70,11 +75,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_checkpolicy_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_checkpolicy_execute_depend',`
 	type checkpolicy_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -91,10 +98,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_load_policy_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read execute };
 	allow $1 load_policy_t:process transition;
 	type_transition $1 load_policy_exec_t:process load_policy_t;
 	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
 	allow $1 load_policy_t:fd use;
 	allow load_policy_t $1:fd use;
 	allow load_policy_t $1:fifo_file rw_file_perms;
@ -103,6 +112,7 @@ allow load_policy_t $1:process sigchld;
 define(`selinux_load_policy_transition_depend',`
 	type load_policy_t, load_policy_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -131,6 +141,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_load_policy_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_load_policy_transition($1)
 	role $2 types load_policy_t;
 	allow load_policy_t $3:chr_file { getattr read write ioctl };
@ -138,6 +149,7 @@ allow load_policy_t $3:chr_file { getattr read write ioctl };
 define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
 	type load_policy_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -147,11 +159,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_load_policy_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_load_policy_execute_depend',`
 	type load_policy_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -161,11 +175,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_read_load_policy_binary',`
 	requires_block_template(`$0'_depend)
 	allow $1 load_policy_exec_t:file { getattr read };
 ')
 define(`selinux_read_load_policy_binary_depend',`
 	type load_policy_exec_t;
 	class file { getattr read };
 ')
@ -182,10 +198,12 @@ class file { getattr read };
 #
 define(`selinux_newrole_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_exec_t:file { getattr read execute };
 	allow $1 newrole_t:process transition;
 	type_transition $1 newrole_exec_t:process newrole_t;
 	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 	allow $1 newrole_t:fd use;
 	allow newrole_t $1:fd use;
 	allow newrole_t $1:fifo_file rw_file_perms;
@ -194,6 +212,7 @@ allow newrole_t $1:process sigchld;
 define(`selinux_newrole_transition_depend',`
 	type newrole_t, newrole_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -221,6 +240,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_newrole_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_newrole_transition($1)
 	role $2 types newrole_t;
 	allow newrole_t $3:chr_file { getattr read write ioctl };
@ -228,6 +248,7 @@ allow newrole_t $3:chr_file { getattr read write ioctl };
 define(`selinux_newrole_transition_add_role_use_terminal_depend',`
 	type newrole_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -237,11 +258,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_newrole_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_newrole_execute_depend',`
 	type newrole_t, newrole_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -259,11 +282,13 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_newrole_ignore_signal',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 newrole_t:process signal;
 ')
 define(`selinux_newrole_ignore_signal_depend',`
 	type newrole_t;
 	class process signal;
 ')
@ -273,11 +298,13 @@ class process signal;
 #
 define(`selinux_newrole_sigchld',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_t:process sigchld;
 ')
 define(`selinux_newrole_sigchld_depend',`
 	type newrole_t;
 	class process sigchld;
 ')
@ -287,11 +314,13 @@ class process sigchld;
 #
 define(`selinux_newrole_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 newrole_t:fd use;
 ')
 define(`selinux_newrole_use_file_descriptors_depend',`
 	type newrole_t;
 	class fd use;
 ')
@ -308,10 +337,12 @@ class fd use;
 #
 define(`selinux_restorecon_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 restorecon_exec_t:file { getattr read execute };
 	allow $1 restorecon_t:process transition;
 	type_transition $1 restorecon_exec_t:process restorecon_t;
 	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
 	allow $1 restorecon_t:fd use;
 	allow restorecon_t $1:fd use;
 	allow restorecon_t $1:fifo_file rw_file_perms;
@ -319,7 +350,8 @@ allow restorecon_t $1:process sigchld;
 ')
 define(`selinux_restorecon_transition_depend',`
-type restorecon_exec_t;
+	type restorecon_t, restorecon_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -347,6 +379,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_restorecon_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_restorecon_transition($1)
 	role $2 types restorecon_t;
 	allow restorecon_t $3:chr_file { getattr read write ioctl };
@ -354,6 +387,7 @@ allow restorecon_t $3:chr_file { getattr read write ioctl };
 define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
 	type restorecon_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -368,6 +402,7 @@ allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
 define(`selinux_restorecon_execute_depend',`
 	type restorecon_t, restorecon_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -384,10 +419,12 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_run_init_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 run_init_exec_t:file { getattr read execute };
 	allow $1 run_init_t:process transition;
 	type_transition $1 run_init_exec_t:process run_init_t;
 	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
 	allow $1 run_init_t:fd use;
 	allow run_init_t $1:fd use;
 	allow run_init_t $1:fifo_file rw_file_perms;
@ -396,6 +433,7 @@ allow run_init_t $1:process sigchld;
 define(`selinux_run_init_transition_depend',`
 	type run_init_t, run_init_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -423,6 +461,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_run_init_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_run_init_transition($1)
 	role $2 types run_init_t;
 	allow run_init_t $3:chr_file { getattr read write ioctl };
@ -430,6 +469,7 @@ allow run_init_t $3:chr_file { getattr read write ioctl };
 define(`selinux_run_init_transition_add_role_use_terminal_depend',`
 	type run_init_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -439,11 +479,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_run_init_use_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 run_init_t:fd use;
 ')
 define(`selinux_run_init_use_file_descriptors_depend',`
 	type run_init_t;
 	class fd use;
 ')
@ -460,10 +502,12 @@ class fd use;
 #
 define(`selinux_setfiles_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 setfiles_exec_t:file { getattr read execute };
 	allow $1 setfiles_t:process transition;
 	type_transition $1 setfiles_exec_t:process setfiles_t;
 	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
 	allow $1 setfiles_t:fd use;
 	allow setfiles_t $1:fd use;
 	allow setfiles_t $1:fifo_file rw_file_perms;
@ -472,6 +516,7 @@ allow setfiles_t $1:process sigchld;
 define(`selinux_setfiles_transition_depend',`
 	type setfiles_t, setfiles_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -499,6 +544,7 @@ class fifo_file rw_file_perms;
 #
 define(`selinux_setfiles_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	selinux_setfiles_transition($1)
 	role $2 types setfiles_t;
 	allow setfiles_t $3:chr_file { getattr read write ioctl };
@ -506,6 +552,7 @@ allow setfiles_t $3:chr_file { getattr read write ioctl };
 define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
 	type setfiles_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -515,11 +562,13 @@ class chr_file { getattr read write ioctl };
 #
 define(`selinux_setfiles_execute',`
 	requires_block_template(`$0'_depend)
 	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
 ')
 define(`selinux_setfiles_execute_depend',`
 	type setfiles_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
@ -529,12 +578,14 @@ class file { getattr read execute execute_no_trans };
 #
 define(`selinux_read_config',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir { getattr search read };
 	allow $1 selinux_config_t:file { getattr read };
 ')
 define(`selinux_read_config_depend',`
 	type selinux_config_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -545,6 +596,7 @@ class file { getattr read };
 #
 define(`selinux_read_default_contexts',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir search;
 	allow $1 default_context_t:dir { getattr search read };
 	allow $1 default_context_t:file { getattr read };
@ -552,6 +604,7 @@ allow $1 default_context_t:file { getattr read };
 define(`selinux_read_default_contexts_depend',`
 	type selinux_config_t, default_context_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -562,6 +615,7 @@ class file { getattr read };
 #
 define(`selinux_read_file_contexts',`
 	requires_block_template(`$0'_depend)
 	allow $1 selinux_config_t:dir search;
 	allow $1 file_context_t:dir { getattr search read };
 	allow $1 file_context_t:file { getattr read };
@ -569,6 +623,7 @@ allow $1 file_context_t:file { getattr read };
 define(`selinux_read_file_contexts_depend',`
 	type selinux_config_t, file_context_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -579,12 +634,14 @@ class file { getattr read };
 #
 define(`selinux_read_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:dir { getattr search read };
 	allow $1 policy_config_t:file { getattr read };
 ')
 define(`selinux_read_binary_policy_depend',`
 	type policy_config_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -595,6 +652,7 @@ class file { getattr read };
 #
 define(`selinux_write_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
 	allow $1 policy_config_t:file { getattr create write unlink };
 	typeattribute $1 can_write_binary_policy;
@ -602,7 +660,9 @@ typeattribute $1 can_write_binary_policy;
 define(`selinux_write_binary_policy_depend',`
 	attribute can_write_binary_policy;
 	type policy_config_t;
 	class dir { getattr search read write add_name remove_name };
 	class file { getattr create write unlink };
 ')
@ -620,13 +680,16 @@ class file { getattr create write unlink };
 #
 define(`selinux_relabelto_binary_policy',`
 	requires_block_template(`$0'_depend)
 	allow $1 policy_config_t:file relabelto;
 	typeattribute $1 can_relabelto_binary_policy;
 ')
 define(`selinux_relabelto_binary_policy_depend',`
 	attribute can_relabelto_binary_policy;
 	type policy_config_t;
 	class file relabelto;
 ')
@ -636,6 +699,7 @@ class file relabelto;
 #
 define(`selinux_manage_binary_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_config_t:dir { getattr search read };
@ -645,6 +709,7 @@ typeattribute $1 can_write_binary_policy;
 define(`selinux_manage_binary_policy_depend',`
 	attribute can_write_binary_policy;
 	type selinux_config_t, policy_config_t;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
@ -656,6 +721,7 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 #
 define(`selinux_read_source_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir { getattr search read };
@ -664,6 +730,7 @@ allow $1 policy_src_t:file { getattr read };
 define(`selinux_read_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -674,6 +741,7 @@ class file { getattr read };
 #
 define(`selinux_manage_source_policy',`
 	requires_block_template(`$0'_depend)
 	# FIXME: search etc_t:dir
 	allow $1 selinux_config_t:dir search;
 	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
@ -682,6 +750,7 @@ allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append
 define(`selinux_manage_source_policy_depend',`
 	type selinux_config_t, policy_src_t;
 	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 	class file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -7,10 +7,12 @@
 #
 define(`sysnetwork_dhcpc_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 dhcpc_exec_t:file { getattr read execute };
 	allow $1 dhcpc_t:process transition;
 	type_transition $1 dhcpc_exec_t:process dhcpc_t;
 	dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
 	allow $1 dhcpc_t:fd use;
 	allow dhcpc_t $1:fd use;
 	allow dhcpc_t $1:fifo_file rw_file_perms;
@ -19,6 +21,7 @@ allow dhcpc_t $1:process sigchld;
 define(`sysnetwork_dhcpc_transition_depend',`
 	type dhcpc_t, dhcpc_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -38,10 +41,12 @@ class fifo_file rw_file_perms;
 #
 define(`sysnetwork_ifconfig_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 ifconfig_exec_t:file { getattr read execute };
 	allow $1 ifconfig_t:process transition;
 	type_transition $1 ifconfig_exec_t:process ifconfig_t;
 	dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
 	allow $1 ifconfig_t:fd use;
 	allow ifconfig_t $1:fd use;
 	allow ifconfig_t $1:fifo_file rw_file_perms;
@ -50,6 +55,7 @@ allow ifconfig_t $1:process sigchld;
 define(`sysnetwork_ifconfig_transition_depend',`
 	type ifconfig_t, ifconfig_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -77,6 +83,7 @@ class fifo_file rw_file_perms;
 #
 define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
 	requires_block_template(`$0'_depend)
 	sysnetwork_ifconfig_transition($1)
 	role $2 types ifconfig_t;
 	allow ifconfig_t $3:chr_file { getattr read write ioctl };
@ -84,6 +91,7 @@ allow ifconfig_t $3:chr_file { getattr read write ioctl };
 define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
 	type ifconfig_t;
 	class chr_file { getattr read write ioctl };
 ')
@ -93,12 +101,14 @@ class chr_file { getattr read write ioctl };
 #
 define(`sysnetwork_read_network_config',`
 	requires_block_template(`$0'_depend)
 	files_search_general_system_config_directory($1)
 	allow $1 net_conf_t:file { getattr read };
 ')
 define(`sysnetwork_read_network_config_depend',`
 	type net_conf_t;
 	class file { getattr read };
 ')
--- a/refpolicy/policy/modules/system/udev.if
+++ b/refpolicy/policy/modules/system/udev.if
@ -5,10 +5,12 @@
 #
 define(`udev_transition',`
 	requires_block_template(`$0'_depend)
 	allow $1 udev_exec_t:file { getattr read execute };
 	allow $1 udev_t:process transition;
 	type_transition $1 udev_exec_t:process udev_t;
 	dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
 	allow $1 udev_t:fd use;
 	allow udev_t $1:fd use;
 	allow udev_t $1:fifo_file rw_file_perms;
@ -17,6 +19,7 @@ allow udev_t $1:process sigchld;
 define(`udev_transition_depend',`
 	type udev_t, udev_exec_t;
 	class file { getattr read execute };
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
@ -29,11 +32,13 @@ class fifo_file rw_file_perms;
 #
 define(`udev_read_database',`
 	requires_block_template(`$0'_depend)
 	allow $1 udev_tdb_t:file { getattr read };
 ')
 define(`udev_read_database_depend',`
 	type udev_tdb_t;
 	class file { getattr read };
 ')
@ -43,10 +48,12 @@ class file { getattr read };
 #
 define(`udev_modify_database',`
 	requires_block_template(`$0'_depend)
 	allow $1 udev_tdb_t:file { getattr read write append };
 ')
 define(`udev_modify_database_depend',`
 	type udev_tdb_t;
 	class file { getattr read write append };
 ')
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -315,8 +315,8 @@ dbusd_domain($1)
 		ifdef(`hald.te', `
 			allow $1_t hald_t:dbus send_msg;
 			allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
+		')
-') dnl end ifdef dbus.te
+	')
 	# Gnome pannel binds to the following
 	ifdef(`cups.te', `
@ -365,7 +365,7 @@ file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
 		# for shared memory
 		allow xdm_xserver_t $1_tmpfs_t:file { read write };
-')dnl end ifdef xdm.te
+	')
 	ifdef(`rpcd.te', `
 		create_dir_file($1_t, nfsd_rw_t)
@ -402,7 +402,6 @@ allow $1_t pam_var_console_t:dir search;
 #
 define(`user_domain_template', `
 	##############################
 	#
 	# Declarations
@ -524,13 +523,13 @@ allow xdm_t $1_home_t:dir search;
 		# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
 		# 
 		dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
+	')
 	ifdef(`ftpd.te', `
 		if (ftp_home_dir) {
 			file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
 		}
-')dnl end ifdef ftpd
+	')
 	if (read_default_t) {
 		allow $1 default_t:dir r_dir_perms;
@ -604,7 +603,6 @@ allow $1_mount_t xdm_t:fifo_file { read write };
 # Admin domain template
 #
 define(`admin_domain_template',`
 	##############################
 	#
 	# Declarations
@ -762,8 +760,8 @@ ifdef(`xserver.te', `
 			# Create files in /tmp/.X11-unix with our X servers derived
 			# tmp type rather than user_xserver_tmp_t.
 			file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
+		')
-')dnl end startx.te
+	')
 	ifdef(`xdm.te', `
 		ifdef(`xauth.te', `
@ -772,8 +770,8 @@ allow xdm_t $1_home_t:lnk_file read;
 				allow xdm_t $1_home_t:dir search;
 			}
 			allow $1_t xdm_t:fifo_file rw_file_perms;
-')dnl end ifdef xauth.te
+		')
-')dnl end ifdef xdm.te
+	')
 	#
 	# A user who is authorized for sysadm_t may nonetheless have
@ -843,6 +841,7 @@ type sysadm_t;
 #
 define(`userdomain_sysadm_shell_transition',`
 	requires_block_template(`$0'_depend)
 	corecommands_shell_transition($1,sysadm_t)
 ')
@ -864,6 +863,7 @@ type sysadm_t;
 #
 define(`userdomain_use_admin_terminals',`
 	requires_block_template(`$0'_depend)
 	devices_list_device_nodes($1)
 	terminal_list_pseudoterminals($1)
 	allow $1 admin_terminal:chr_file { getattr read write ioctl };
@ -871,6 +871,7 @@ allow $1 admin_terminal:chr_file { getattr read write ioctl };
 define(`userdomain_use_admin_terminals_depend',`
 	attribute admin_terminal;
 	class chr_file { getattr read write ioctl };
 ')
@ -887,12 +888,14 @@ class chr_file { getattr read write ioctl };
 #
 define(`userdomain_search_all_users_home_dirs',`
 	requires_block_template(`$0'_depend)
 	files_list_home_directories($1)
 	allow $1 { home_dir_type home_type }:dir search;
 ')
 define(`userdomain_search_all_users_home_dirs_depend',`
 	attribute home_dir_type, home_type;
 	class dir search;
 ')
@ -909,6 +912,7 @@ class dir search;
 #
 define(`userdomain_read_all_users_data',`
 	requires_block_template(`$0'_depend)
 	files_list_home_directories($1)
 	allow $1 home_type:dir { getattr search read };
 	allow $1 home_type:file { getattr read };
@ -916,6 +920,7 @@ allow $1 home_type:file { getattr read };
 define(`userdomain_read_all_users_data_depend',`
 	attribute home_type;
 	class dir { getattr search read };
 	class file { getattr read };
 ')
@ -933,11 +938,13 @@ class file { getattr read };
 #
 define(`userdomain_use_all_users_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 userdomain:fd use;
 ')
 define(`userdomain_use_all_users_file_descriptors_depend',`
 	attribute userdomain;
 	class fd use;
 ')
@ -954,11 +961,13 @@ class fd use;
 #
 define(`userdomain_signal_all_userdomains',`
 	requires_block_template(`$0'_depend)
 	allow $1 userdomain:process signal;
 ')
 define(`userdomain_signal_all_userdomains_depend',`
 	attribute userdomain;
 	class process signal;
 ')
@ -975,11 +984,13 @@ class process signal;
 #
 define(`userdomain_use_all_unprivileged_users_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	allow $1 unpriv_userdomain:fd use;
 ')
 define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
 	attribute unpriv_userdomain;
 	class fd use;
 ')
@ -997,11 +1008,13 @@ class fd use;
 #
 define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
 	requires_block_template(`$0'_depend)
 	dontaudit $1 unpriv_userdomain:fd use;
 ')
 define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
 	attribute unpriv_userdomain;
 	class fd use;
 ')