more sediff fixes

refpolicy/policy/modules/kernel/kernel.te

@@ -29,7 +29,7 @@ type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
-sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
+sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127)
 
 #
 # DebugFS

refpolicy/policy/modules/kernel/terminal.if

@@ -17,6 +17,7 @@ interface(`term_pty',`
 		type devpts_t;
 	')
 
+	files_type($1)
 	allow $1 devpts_t:filesystem associate;
 	typeattribute $1 ptynode;
 ')
@@ -514,10 +515,9 @@ interface(`term_use_all_user_ptys',`
 interface(`term_dontaudit_use_all_user_ptys',`
 	gen_require(`
 		attribute ptynode;
-		class chr_file { read write };
 	')
 
-	dontaudit $1 ptynode:chr_file { read write };
+	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
 ')
 
 ########################################

refpolicy/policy/modules/services/dhcp.te

@@ -24,7 +24,7 @@ files_pid_file(dhcpd_var_run_t)
 # Local policy
 #
 
-dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+dontaudit dhcpd_t self:capability { net_raw net_admin sys_tty_config };
 allow dhcpd_t self:process signal_perms;
 allow dhcpd_t self:fifo_file { read write getattr };
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;

refpolicy/policy/modules/services/inn.te

@@ -30,7 +30,7 @@ files_type(news_spool_t)
 #
 allow innd_t self:capability { dac_override kill setgid setuid };
 dontaudit innd_t self:capability sys_tty_config;
-allow innd_t self:process setsched;
+allow innd_t self:process { setsched signal_perms };
 allow innd_t self:fifo_file rw_file_perms;
 allow innd_t self:tcp_socket create_stream_socket_perms;
 allow innd_t self:udp_socket create_socket_perms;

refpolicy/policy/modules/system/files.if

@@ -325,6 +325,25 @@ interface(`files_getattr_all_files',`
 	allow $1 file_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of all sockets
+##	with the type of a file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: added for initrc_t/distro_redhat.  I
+# do not think it has any effect.
+interface(`files_getattr_all_file_type_sockets',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:socket_class_set getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes

refpolicy/policy/modules/system/init.if

@@ -92,10 +92,10 @@ interface(`init_daemon_domain',`
 		if(! regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
 			domain_auto_trans(initrc_t,$2,$1)
 			allow initrc_t $1:fd use;
-			allow initrc_t $1:process { noatsecure siginh rlimitinh };
 			allow $1 initrc_t:fd use;
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
+			dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 		} else {
 			can_exec(initrc_t,$2)
 			can_exec(direct_run_init,$2)
@@ -103,10 +103,10 @@ interface(`init_daemon_domain',`
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
 		allow initrc_t $1:fd use;
-		allow initrc_t $1:process { noatsecure siginh rlimitinh };
 		allow $1 initrc_t:fd use;
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
+		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 	')
 
 	optional_policy(`nscd.te',`

refpolicy/policy/modules/system/init.te

@@ -418,6 +418,7 @@ ifdef(`distro_redhat',`
 	fs_use_tmpfs_chr_dev(initrc_t)
 
 	files_create_boot_flag(initrc_t)
+	files_getattr_all_file_type_sockets(initrc_t)
 
 	# readahead asks for these
 	mta_read_aliases(initrc_t)