clean up some filesystem assoc

refpolicy/policy/modules/kernel/devices.if

@@ -8,11 +8,13 @@ define(`devices_make_device_node',`
 requires_block_template(devices_make_device_node_depend,$2)
 typeattribute $1 device_node;
 filesystem_associate($1,optional)
+filesystem_tmpfs_associate($1,optional)
 ')
 
 define(`devices_make_device_node_depend',`
 attribute device_node;
 filesystem_associate_depend
+filesystem_tmpfs_associate_depend
 ')
 
 ########################################

refpolicy/policy/modules/kernel/devices.te

@@ -11,6 +11,8 @@ attribute device_node;
 #
 type device_t, device_node;
 filesystem_associate(device_t)
+filesystem_tmpfs_associate(device_t)
+filesystem_noxattr_associate(device_t)
 
 # Only directories and symlinks should be labeled device_t.
 # If there are other files with this type, it is wrong.
@@ -24,12 +26,14 @@ neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr
 #
 type zero_device_t, device_node;
 filesystem_associate(zero_device_t)
+filesystem_tmpfs_associate(zero_device_t)
 
 #
 # null_device_t is the type of /dev/null.
 #
 type null_device_t, device_node;
 filesystem_associate(null_device_t)
+filesystem_tmpfs_associate(null_device_t)
 
 #
 # memory_device_t is the type of /dev/kmem,
@@ -37,6 +41,7 @@ filesystem_associate(null_device_t)
 #
 type memory_device_t, device_node;
 filesystem_associate(memory_device_t)
+filesystem_tmpfs_associate(memory_device_t)
 
 attribute memory_raw_read;
 attribute memory_raw_write;
@@ -51,18 +56,22 @@ type random_device_t, device_node;
 type urandom_device_t, device_node;
 filesystem_associate(random_device_t)
 filesystem_associate(urandom_device_t)
+filesystem_tmpfs_associate(random_device_t)
+filesystem_tmpfs_associate(urandom_device_t)
 
 #
 # Type for /dev/agpgart
 #
 type agp_device_t, device_node;
 filesystem_associate(agp_device_t)
+filesystem_tmpfs_associate(agp_device_t)
 
 #
 # Type for /dev/apm_bios
 #
 type apm_bios_t, device_node;
 filesystem_associate(apm_bios_t)
+filesystem_tmpfs_associate(apm_bios_t)
 
 #
 # clock_device_t is the type of
@@ -70,24 +79,28 @@ filesystem_associate(apm_bios_t)
 #
 type clock_device_t, device_node;
 filesystem_associate(clock_device_t)
+filesystem_tmpfs_associate(clock_device_t)
 
 #
 # cpu control devices /dev/cpu/0/*
 #
 type cpu_device_t, device_node;
 filesystem_associate(cpu_device_t)
+filesystem_tmpfs_associate(cpu_device_t)
 
 #
 # Type for framebuffer /dev/fb/*
 #
 type framebuf_device_t, device_node;
 filesystem_associate(framebuf_device_t)
+filesystem_tmpfs_associate(framebuf_device_t)
 
 #
 # Type for /dev/cpu/mtrr and /proc/mtrr
 #
 type mtrr_device_t, device_node;
 filesystem_associate(mtrr_device_t)
+filesystem_tmpfs_associate(mtrr_device_t)
 genfscon proc /mtrr system_u:object_r:mtrr_device_t
 
 #
@@ -95,9 +108,11 @@ genfscon proc /mtrr system_u:object_r:mtrr_device_t
 #
 type power_device_t, device_node;
 filesystem_associate(power_device_t)
+filesystem_tmpfs_associate(power_device_t)
 
 #
 # Type for sound devices and mixers
 #
 type sound_device_t, device_node;
 filesystem_associate(sound_device_t)
+filesystem_tmpfs_associate(sound_device_t)

refpolicy/policy/modules/kernel/filesystem.if

@@ -29,19 +29,21 @@ class filesystem associate;
 
 ########################################
 #
-# filesystem_associate_noxattr(type,[`optional'])
+# filesystem_noxattr_associate(type,[`optional'])
 #
-define(`filesystem_associate_noxattr',`
-requires_block_template(filesystem_associate_noxattr_depend,$2)
+define(`filesystem_noxattr_associate',`
+requires_block_template(filesystem_noxattr_associate_depend,$2)
 allow $1 autofs_t:filesystem associate;
 allow $1 cifs_t:filesystem associate;
 allow $1 dosfs_t:filesystem associate;
 allow $1 iso9660_t:filesystem associate;
 allow $1 nfs_t:filesystem associate;
+allow $1 removable_t:filesystem associate;
+allow $1 usbfs_t:filesystem associate;
 ')
 
-define(`filesystem_associate_noxattr_depend',`
-type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t;
+define(`filesystem_noxattr_associate_depend',`
+type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
 class filesystem associate;
 ')
 

refpolicy/policy/modules/kernel/filesystem.te

@@ -45,6 +45,13 @@ genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
 #
 type tmpfs_t, fs_type;
 allow tmpfs_t self:filesystem associate;
+allow tmpfs_t autofs_t:filesystem associate;
+allow tmpfs_t cifs_t:filesystem associate;
+allow tmpfs_t dosfs_t:filesystem associate;
+allow tmpfs_t iso9660_t:filesystem associate;
+allow tmpfs_t nfs_t:filesystem associate;
+allow tmpfs_t removable_t:filesystem associate;
+allow tmpfs_t usbfs_t:filesystem associate;
 
 ########################################
 #
@@ -84,6 +91,18 @@ allow iso9660_t self:filesystem associate;
 genfscon iso9660 / system_u:object_r:iso9660_t
 genfscon udf / system_u:object_r:iso9660_t
 
+#
+# removable_t is the default type of all removable media
+#
+type removable_t, fs_type;
+allow removable_t self:filesystem associate;
+allow removable_t autofs_t:filesystem associate;
+allow removable_t cifs_t:filesystem associate;
+allow removable_t dosfs_t:filesystem associate;
+allow removable_t iso9660_t:filesystem associate;
+allow removable_t nfs_t:filesystem associate;
+allow removable_t usbfs_t:filesystem associate;
+
 #
 # nfs_t is the default type for NFS file systems
 # and their files.

refpolicy/policy/modules/kernel/terminal.te

@@ -7,33 +7,35 @@ attribute ptynode;
 # console_device_t is the type of /dev/console.
 #
 type console_device_t;
-
 devices_make_device_node(console_device_t)
 
 #
 # devtty_t is the type of /dev/tty.
 #
 type devtty_t;
-
 devices_make_device_node(devtty_t)
 
 #
 # tty_device_t is the type of /dev/*tty*
 #
 type tty_device_t, ttynode;
-
 devices_make_device_node(tty_device_t)
 
 #
 # bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
 type bsdpty_device_t, ptynode;
-
 devices_make_device_node(bsdpty_device_t)
 
+#
+# usbtty_device_t is the type of /dev/usr/tty*
+#
+type usbtty_device_t;
+devices_make_device_node(usbtty_device_t)
 
+#
 # ptmx_t is the type for /dev/ptmx.
+#
 type ptmx_t;
-
 devices_make_device_node(ptmx_t)
 
 #
@@ -41,3 +43,4 @@ devices_make_device_node(ptmx_t)
 # the type of the root directory of the file system.
 #
 type devpts_t;
+filesystem_make_filesystem(devpts_t)

refpolicy/policy/modules/system/corecommands.te

@@ -23,7 +23,7 @@ typealias bin_t alias ls_exec_t;
 # shell_exec_t is the type of user shells such as /bin/bash.
 #
 type shell_exec_t;
-files_make_file(sbin_t)
+files_make_file(shell_exec_t)
 
 type chroot_exec_t;
 files_make_file(chroot_exec_t)

refpolicy/policy/modules/system/files.if

@@ -8,7 +8,7 @@ define(`files_make_file',`
 requires_block_template(files_make_file_depend,$2)
 typeattribute $1 file_type;
 filesystem_associate($1,optional)
-filesystem_associate_noxattr($1,optional)
+filesystem_noxattr_associate($1,optional)
 ')
 
 define(`files_make_file_depend',`

refpolicy/policy/modules/system/files.te

@@ -10,14 +10,14 @@ attribute tmpfile;
 # other than the generic /.* specification.
 type default_t, file_type;
 filesystem_associate(default_t)
-filesystem_associate_noxattr(default_t)
+filesystem_noxattr_associate(default_t)
 
 #
 # etc_t is the type of the system etc directories.
 #
 type etc_t, file_type;
 filesystem_associate(etc_t)
-filesystem_associate_noxattr(etc_t)
+filesystem_noxattr_associate(etc_t)
 
 #
 # etc_runtime_t is the type of various
@@ -26,7 +26,7 @@ filesystem_associate_noxattr(etc_t)
 #
 type etc_runtime_t, file_type;
 filesystem_associate(etc_runtime_t)
-filesystem_associate_noxattr(etc_runtime_t)
+filesystem_noxattr_associate(etc_runtime_t)
 
 #
 # file_t is the default type of a file that has not yet been
@@ -35,22 +35,15 @@ filesystem_associate_noxattr(etc_runtime_t)
 #
 type file_t, file_type;
 filesystem_associate(file_t)
-filesystem_associate_noxattr(file_t)
+filesystem_noxattr_associate(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
 
-#
-# removable_t is the default type of all removable media
-#
-type removable_t, file_type;
-filesystem_associate(removable_t)
-filesystem_associate_noxattr(removable_t)
-
 #
 # root_t is the type for rootfs and the root directory.
 #
 type root_t, file_type;
 filesystem_associate(root_t)
-filesystem_associate_noxattr(root_t)
+filesystem_noxattr_associate(root_t)
 kernel_read_directory_from(root_t)
 kernel_make_root_filesystem_mountpoint(root_t)
 genfscon rootfs / system_u:object_r:root_t
@@ -61,63 +54,63 @@ genfscon rootfs / system_u:object_r:root_t
 #
 type home_root_t, file_type;
 filesystem_associate(home_root_t)
-filesystem_associate_noxattr(home_root_t)
+filesystem_noxattr_associate(home_root_t)
 
 #
 # lost_found_t is the type for the lost+found directories.
 #
 type lost_found_t, file_type;
 filesystem_associate(lost_found_t)
-filesystem_associate_noxattr(lost_found_t)
+filesystem_noxattr_associate(lost_found_t)
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
 type mnt_t, file_type;
 filesystem_associate(mnt_t)
-filesystem_associate_noxattr(mnt_t)
+filesystem_noxattr_associate(mnt_t)
 
 #
 # src_t is the type of files in the system src directories.
 #
 type src_t, file_type;
 filesystem_associate(src_t)
-filesystem_associate_noxattr(src_t)
+filesystem_noxattr_associate(src_t)
 
 #
 # tmp_t is the type of the temporary directories
 #
 type tmp_t, file_type, tmpfile;
 filesystem_associate(tmp_t)
-filesystem_associate_noxattr(tmp_t)
+filesystem_noxattr_associate(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
 type usr_t, file_type;
 filesystem_associate(usr_t)
-filesystem_associate_noxattr(usr_t)
+filesystem_noxattr_associate(usr_t)
 
 #
 # var_t is the type of /var
 #
 type var_t, file_type;
 filesystem_associate(var_t)
-filesystem_associate_noxattr(var_t)
+filesystem_noxattr_associate(var_t)
 
 #
 # var_lib_t is the type of /var/lib
 #
 type var_lib_t, file_type;
 filesystem_associate(var_lib_t)
-filesystem_associate_noxattr(var_lib_t)
+filesystem_noxattr_associate(var_lib_t)
 
 #
 # var_lock_t is tye type of /var/lock
 #
 type var_lock_t, file_type, lockfile;
 filesystem_associate(var_lock_t)
-filesystem_associate_noxattr(var_lock_t)
+filesystem_noxattr_associate(var_lock_t)
 
 #
 # var_run_t is the type of /var/run, usually
@@ -125,11 +118,11 @@ filesystem_associate_noxattr(var_lock_t)
 #
 type var_run_t, file_type, pidfile;
 filesystem_associate(var_run_t)
-filesystem_associate_noxattr(var_run_t)
+filesystem_noxattr_associate(var_run_t)
 
 #
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t, file_type;
 filesystem_associate(var_spool_t)
-filesystem_associate_noxattr(var_spool_t)
+filesystem_noxattr_associate(var_spool_t)

refpolicy/policy/modules/system/init.te

@@ -16,6 +16,7 @@ domain_make_entrypoint_file(init_t,init_exec_t)
 
 type initctl_t;
 files_make_file(initctl_t)
+filesystem_tmpfs_associate(initctl_t)
 devices_create_dev_entry(init_t,initctl_t,fifo_file)
 
 type init_var_run_t;

refpolicy/policy/modules/system/libraries.if

@@ -41,11 +41,11 @@ define(`libraries_read_shared_libraries',`
 requires_block_template(libraries_read_shared_libraries_depend,$2)
 allow $1 lib_t:dir { getattr read search };
 allow $1 lib_t:lnk_file { getattr read };
-allow $1 { shlib_t textrel_shlib_t }:file { getattr read execute };
+allow $1 { shlib_t texrel_shlib_t }:file { getattr read execute };
 ')
 
 define(`libraries_read_shared_libraries_depend',`
-type lib_t, shlib_t, textrel_shlib_t;
+type lib_t, shlib_t, texrel_shlib_t;
 class dir { getattr read search };
 class lnk_file { getattr read };
 class file { getattr read execute };

refpolicy/policy/modules/system/libraries.te

@@ -25,8 +25,8 @@ type shlib_t;
 files_make_file(shlib_t)
 
 #
-# textrel_shlib_t is the type of shared objects in the system lib
+# texrel_shlib_t is the type of shared objects in the system lib
 # directories, which require text relocation.
 #
-type textrel_shlib_t;
-files_make_file(textrel_shlib_t)
+type texrel_shlib_t;
+files_make_file(texrel_shlib_t)

refpolicy/policy/modules/system/miscfiles.te

@@ -17,7 +17,7 @@ files_make_file(cert_t)
 # files in /usr
 #
 type fonts_t;
-files_make_file(cert_t)
+files_make_file(fonts_t)
 
 #
 # locale_t is the type for system localization

refpolicy/policy/modules/system/modutils.te

@@ -36,6 +36,9 @@ role system_r types update_modules_t;
 type update_modules_exec_t;
 domain_make_entrypoint_file(update_modules_t,update_modules_exec_t)
 
+type update_modules_tmp_t;
+files_make_file(update_modules_tmp_t)
+
 ########################################
 #
 # insmod local policy