last fixes for cab

refpolicy/policy/modules/kernel/devices.if

@@ -78,6 +78,20 @@ type device_t;
 class dir r_dir_perms;
 ')
 
+########################################
+#
+# devices_add_dev_dir(domain)
+#
+define(`devices_add_dev_dir',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { ra_dir_perms create };
+')
+
+define(`devices_add_dev_dir_depend',`
+type device_t;
+class dir { ra_dir_perms create };
+')
+
 ########################################
 #
 # devices_ignore_get_generic_pipe_attributes(domain)

refpolicy/policy/modules/system/files.if

@@ -621,6 +621,20 @@ type etc_t;
 class dir { getattr search read write add_name remove_name };
 ')
 
+########################################
+#
+# files_modify_isid_type_dir(domain)
+#
+define(`files_modify_isid_type_dir',`
+requires_block_template(`$0'_depend)
+allow $1 file_t:dir rw_dir_perms;
+')
+
+define(`files_modify_isid_type_dir_depend',`
+type file_t;
+class dir rw_dir_perms;
+')
+
 ########################################
 #
 # files_ignore_get_isid_type_dir_attrib(domain)

refpolicy/policy/modules/system/getty.te

@@ -49,7 +49,10 @@ kernel_read_hardware_state(getty_t)
 filesystem_get_persistent_filesystem_attributes(getty_t)
 
 # Chown, chmod, read and write ttys.
-terminal_use_all_terminals(getty_t)
+terminal_use_all_private_physical_terminals(getty_t)
+terminal_use_general_physical_terminal(getty_t)
+terminal_set_all_private_physical_terminal_attributes(getty_t)
+terminal_set_general_physical_terminal_attributes(getty_t)
 terminal_set_console_attributes(getty_t)
 
 authlogin_modify_login_records(getty_t)

refpolicy/policy/modules/system/init.te

@@ -313,6 +313,9 @@ tunable_policy(`distro_debian', `
 ')
 
 tunable_policy(`distro_redhat',`
+	# this is from kmodule, which should get its own policy:
+	allow initrc_t self:capability sys_admin;
+
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
 	kernel_ignore_use_file_descriptors(initrc_t)
@@ -327,6 +330,7 @@ tunable_policy(`distro_redhat',`
 
 	# These seem to be from the initrd
 	# during device initialization:
+	devices_add_dev_dir(initrc_t)
 	devices_legacy_use_dev_zero(initrc_t)
 	devices_legacy_raw_read_memory(initrc_t)
 	devices_legacy_raw_write_memory(initrc_t)
@@ -339,8 +343,7 @@ tunable_policy(`distro_redhat',`
 
 	# readahead asks for these
 	mta_read_mail_aliases(initrc_t)
-
-') dnl end distro_redhat
+')
 
 optional_policy(`hotplug.te',`
 	kernel_read_usb_hardware_state(initrc_t)

refpolicy/policy/modules/system/lvm.te

@@ -136,6 +136,11 @@ selinux_read_config(lvm_t)
 selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
 
+tunable_policy(`distro_redhat',`
+	# this is from the initrd:
+	files_modify_isid_type_dir(lvm_t)
+')
+
 tunable_policy(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(lvm_t)
 	terminal_ignore_use_general_pseudoterminal(lvm_t)