add some file_t interfaces, and console write

2005-05-31 21:25:45 +00:00 · 2005-05-31 21:25:45 +00:00 · 3b857eae09
parent b8fca44d3f
commit 3b857eae09
19 changed files with 227 additions and 115 deletions
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@ -37,7 +37,7 @@ kernel_ignore_read_system_state(consoletype_t)

 filesystem_get_all_filesystems_attributes(consoletype_t)

-terminal_ignore_use_console(consoletype_t)
+terminal_use_console(consoletype_t)
 terminal_use_general_physical_terminal(consoletype_t)

 init_use_file_descriptors(consoletype_t)
@ -69,7 +69,6 @@ allow consoletype_t sysadm_t:fd use;
 allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;

-allow consoletype_t initrc_t:fifo_file write;
 allow consoletype_t nfs_t:file write;

 allow consoletype_t crond_t:fifo_file { read getattr ioctl };
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@ -33,6 +33,8 @@ terminal_ignore_use_console(dmesg_t)
 domain_use_widely_inheritable_file_descriptors(dmesg_t)

 files_read_general_system_config_directory(dmesg_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(dmesg_t)

 init_use_file_descriptors(dmesg_t)
 init_script_use_pseudoterminal(dmesg_t)
@ -73,7 +75,4 @@ allow dmesg_t rhgb_t:fifo_file { read write };
 ')

 allow dmesg_t autofs_t:dir { search getattr };
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
 ') dnl endif TODO
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -1,4 +1,8 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+## <module name="devices" layer="kernel">
+## <summary>
+##	Policy for all devices except mass storage and terminal devices.
+## </summary>

 ########################################
 #
@ -1015,3 +1019,5 @@ type device_t, power_device_t;
 class dir r_dir_perms;
 class chr_file { getattr read write ioctl };
 ')
+
+## </module>
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -14,7 +14,7 @@ dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
 allow $1 kernel_t:fd use;
 allow kernel_t $1:fd use;
 allow kernel_t $1:fifo_file rw_file_perms;
-allow kernel_t $1:process sigchld;
+allow $1 kernel_t:process sigchld;
 ')

 define(`kernel_make_userland_entrypoint_depend',`
@ -406,7 +406,7 @@ class system ipc_info;
 define(`kernel_get_selinuxfs_mount_point',`
 requires_block_template(`$0'_depend)
 allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
+allow $1 proc_t:{ file lnk_file } read;
 allow $1 self:dir search;
 allow $1 self:file { getattr read };
 ')
@ -561,6 +561,20 @@ class dir { search getattr read };
 class file { getattr read };
 ')

+########################################
+#
+# kernel_ignore_search_sysctl_dir(domain)
+#
+define(`kernel_ignore_search_sysctl_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 sysctl_t:dir search;
+')
+
+define(`kernel_ignore_search_sysctl_dir_depend',`
+type sysctl_t;
+class dir search;
+')
+
 ########################################
 #
 # kernel_read_device_sysctl(domain)
@ -630,6 +644,20 @@ class dir { search getattr read };
 class file { getattr read write };
 ')

+########################################
+#
+# kernel_ignore_search_network_sysctl_dir(domain)
+#
+define(`kernel_ignore_search_network_sysctl_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 sysctl_net_t:dir search;
+')
+
+define(`kernel_ignore_search_network_sysctl_dir_depend',`
+type sysctl_net_t;
+class dir search;
+')
+
 ########################################
 #
 # kernel_read_network_sysctl(domain)
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@ -97,15 +97,38 @@ class chr_file { getattr read write };
 define(`terminal_use_all_terminals',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 devpts_t:dir { getattr search read };
-allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
+allow $1 devpts_t:dir r_dir_perms;
+allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
 ')

 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
 type console_device_t, devpts_t, tty_device_t;
-class dir { getattr search read };
-class chr_file { getattr read write };
+class dir r_dir_perms;
+class chr_file rw_file_perms;
+')
+
+########################################
+## <interface name="terminal_write_console">
+##	<description>
+##		Write to the console.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`terminal_write_console',`
+	requires_block_template(`$0'_depend)
+
+	devices_list_device_nodes($1)
+	allow $1 console_device_t:chr_file write;
+')
+
+define(`terminal_use_console_depend',`
+	type console_device_t;
+	class chr_file write;
 ')

 ########################################
@ -122,12 +145,12 @@ class chr_file { getattr read write };
 define(`terminal_use_console',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
-allow $1 console_device_t:chr_file { getattr read write ioctl };
+allow $1 console_device_t:chr_file rw_file_perms;
 ')

 define(`terminal_use_console_depend',`
 type console_device_t;
-class chr_file { read write };
+class chr_file rw_file_perms;
 ')

 ########################################
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -234,3 +234,17 @@ kernel_compute_selinux_create_context($1_crontab_t)
 kernel_compute_selinux_relabel_context($1_crontab_t)
 kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
 ')
+
+########################################
+#
+# cron_modify_log(domain)
+#
+define(`cron_modify_log',`
+requires_block_template(`$0'_depend)
+allow $1 crond_log_t:file { getattr read write ioctl lock append };
+')
+
+define(`cron_modify_log_depend',`
+type crond_log_t;
+class file rw_file_perms;
+')
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@ -1,6 +1,6 @@
 # Copyright (C) 2005 Tresys Technology, LLC

-policy_module(consoletype, 1.0)
+policy_module(cron, 1.0)

 ########################################
 #
@ -67,7 +67,7 @@ allow crond_t self:msg { send receive };

 allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };

-allow crond_t crond_var_run_t:file { getattr create read write append setattr unlink };
+allow crond_t crond_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(crond_t,crond_var_run_t)

 allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@ -48,6 +48,8 @@ init_script_use_pseudoterminal(hwclock_t)
 domain_use_widely_inheritable_file_descriptors(hwclock_t)

 files_read_general_system_config_directory(hwclock_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(hwclock_t)

 libraries_use_dynamic_loader(hwclock_t)
 libraries_use_shared_libraries(hwclock_t)
@ -93,7 +95,4 @@ optional_policy(`apmd.te', `
 domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
 ')

-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -621,6 +621,34 @@ type etc_t;
 class dir { getattr search read write add_name remove_name };
 ')

+########################################
+#
+# files_ignore_get_isid_type_dir_attrib(domain)
+#
+define(`files_ignore_get_isid_type_dir_attrib',`
+requires_block_template(`$0'_depend)
+dontaudit $1 file_t:dir search;
+')
+
+define(`files_ignore_get_isid_type_dir_attrib_depend',`
+type file_t;
+class dir search;
+')
+
+########################################
+#
+# files_ignore_search_isid_type_dir(domain)
+#
+define(`files_ignore_search_isid_type_dir',`
+requires_block_template(`$0'_depend)
+dontaudit $1 file_t:dir search;
+')
+
+define(`files_ignore_search_isid_type_dir_depend',`
+type file_t;
+class dir search;
+')
+
 ########################################
 ## <interface name="files_list_home_directories">
 ##	<description>
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@ -43,6 +43,9 @@ init_script_use_pseudoterminal(hostname_t)

 domain_use_widely_inheritable_file_descriptors(hostname_t)

+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(hostname_t)
+
 libraries_use_dynamic_loader(hostname_t)
 libraries_use_shared_libraries(hostname_t)

@ -100,8 +103,4 @@ allow hostname_t rhgb_t:fifo_file { read write };

 allow hostname_t autofs_t:dir { search getattr };
 ##end daemon_base_domain
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -78,6 +78,8 @@ domain_use_widely_inheritable_file_descriptors(hotplug_t)
 files_read_general_system_config(hotplug_t)
 files_manage_runtime_system_config(hotplug_t)
 files_execute_system_config_script(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+files_ignore_search_isid_type_dir(hotplug_t)

 init_use_file_descriptors(hotplug_t)
 init_script_use_pseudoterminal(hotplug_t)
@ -173,8 +175,6 @@ dbusd_client(system, hotplug)

 allow hotplug_t kernel_t:process sigchld;

-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };

 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -5,27 +5,38 @@
 # init_make_init_domain(domain,entrypointfile)
 #
 define(`init_make_init_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow init_t $1:process transition;
-allow init_t $2:file { getattr read execute };
-dontaudit init_t $1:process { noatsecure siginh rlimitinh };
-type_transition init_t $2:process $1;
-allow $1 init_t:fd use;
-allow init_t $1:fd use;
-allow $1 init_t:fifo_file rw_file_perms;
-allow $1 init_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	domain_make_domain($1)
+	domain_make_entrypoint_file($1,$2)
+
+	role system_r types $1;
+
+	allow init_t $1:process transition;
+	allow init_t $2:file { getattr read execute };
+	dontaudit init_t $1:process { noatsecure siginh rlimitinh };
+	type_transition init_t $2:process $1;
+
+	allow $1 init_t:fd use;
+	allow init_t $1:fd use;
+	allow $1 init_t:fifo_file rw_file_perms;
+	allow $1 init_t:process sigchld;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	optional_policy(`distro_redhat',`
+		kernel_ignore_use_file_descriptors($1)
+		files_ignore_read_rootfs_file($1)
+	')
 ')

 define(`init_make_init_domain_depend',`
-type init_t;
-class file { getattr read execute };
-class fd use;
-class fifo_file rw_file_perms;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+	type init_t;
+	class file { getattr read execute };
+	class fd use;
+	class fifo_file rw_file_perms;
+	class process { transition noatsecure siginh rlimitinh sigchld };
+	role system_r;
 ')

 ########################################
@ -33,18 +44,29 @@ role system_r;
 # init_make_daemon_domain(domain,entrypointfile)
 #
 define(`init_make_daemon_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow initrc_t $1:process transition;
-allow initrc_t $2:file { getattr read execute };
-dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-type_transition initrc_t $2:process $1;
-allow initrc_t $1:fd use;
-allow $1 initrc_t:fd use;
-allow $1 initrc_t:fifo_file rw_file_perms;
-allow $1 initrc_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	domain_make_domain($1)
+	domain_make_entrypoint_file($1,$2)
+
+	role system_r types $1;
+
+	allow initrc_t $1:process transition;
+	allow initrc_t $2:file { getattr read execute };
+	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+	type_transition initrc_t $2:process $1;
+
+	allow initrc_t $1:fd use;
+	allow $1 initrc_t:fd use;
+	allow $1 initrc_t:fifo_file rw_file_perms;
+	allow $1 initrc_t:process sigchld;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	optional_policy(`distro_redhat',`
+		kernel_ignore_use_file_descriptors($1)
+		files_ignore_read_rootfs_file($1)
+	')
 ')

 define(`init_make_daemon_domain_depend',`
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -61,6 +61,15 @@ files_make_temporary_file(initrc_tmp_t)
 # Init local policy
 #

+# Use capabilities. old rule:
+allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed: 
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+
 allow init_t self:fifo_file { read write ioctl };

 # Re-exec itself
@ -74,6 +83,9 @@ allow init_t initctl_t:fifo_file { create getattr read append write setattr unli
 filesystem_tmpfs_associate(initctl_t)
 devices_create_dev_entry(init_t,initctl_t,fifo_file)

+# Modify utmp.
+allow init_t initrc_var_run_t:file { getattr read write setattr lock };
+
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;
@ -109,6 +121,8 @@ domain_sigchld_all_domains(init_t)

 files_read_general_system_config(init_t)
 files_modify_system_runtime_data(init_t)
+files_ignore_search_isid_type_dir(init_t)
+files_manage_runtime_system_config(init_t)
 # Run /etc/X11/prefdm:
 files_execute_system_config_script(init_t)
 # file descriptors inherited from the rootfs:
@ -117,8 +131,10 @@ files_ignore_modify_rootfs_device(init_t)

 libraries_use_dynamic_loader(init_t)
 libraries_use_shared_libraries(init_t)
+libraries_modify_dynamic_loader_cache(init_t)

 logging_send_system_log_message(init_t)
+logging_modify_system_logs(init_t)

 selinux_read_config(init_t)

@ -129,39 +145,15 @@ filesystem_use_tmpfs_character_devices(init_t)
 filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')

+optional_policy(`authlogin.te',`
+authlogin_modify_login_records(init_t)
+')
+
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
 userdomain_sysadm_shell_transition(init_t)
 ')

-########################################
-#
-# the following seem questionable
-#
-
-libraries_modify_dynamic_loader_cache(init_t)
-files_manage_runtime_system_config(init_t)
-authlogin_modify_login_records(init_t)
-logging_modify_system_logs(init_t)
-
-# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
-# is ~sys_module really needed? observed: 
-# sys_boot
-# sys_tty_config
-# kill: now provided by domain_kill_all_domains()
-# setuid (from /sbin/shutdown)
-# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
-
-# Modify utmp.
-allow init_t initrc_var_run_t:file { getattr read write setattr lock };
-
-ifdef(`TODO',`
-
-# for mount points
-allow init_t file_t:dir search;
-') dnl end TODO
-
 ########################################
 #
 # Init script local policy
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@ -207,6 +207,8 @@ kernel_read_system_state(sulogin_t)
 init_script_get_process_group(sulogin_t)

 files_read_general_system_config(sulogin_t)
+# because file systems are not mounted:
+files_ignore_search_isid_type_dir(sulogin_t)

 libraries_use_dynamic_loader(sulogin_t)
 libraries_use_shared_libraries(sulogin_t)
@ -250,7 +252,4 @@ allow sulogin_t autofs_t:dir { search getattr };
 ')

 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-
-# because file systems are not mounted
-dontaudit sulogin_t file_t:dir search;
 ') dnl endif TODO
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@ -35,10 +35,10 @@ files_make_file(var_log_t)
 # klogd local policy
 #

-allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
+allow klogd_t klogd_tmp_t:file create_file_perms;
 files_create_private_tmp_data(klogd_t,klogd_tmp_t)

-allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
+allow klogd_t klogd_var_run_t:file create_file_perms;

 allow klogd_t self:capability sys_admin;
 dontaudit klogd_t self:capability sys_resource;
@ -60,6 +60,8 @@ files_read_runtime_system_config(klogd_t)
 # read /etc/nsswitch.conf
 files_read_general_system_config(klogd_t)

+init_use_file_descriptors(klogd_t)
+
 libraries_use_dynamic_loader(klogd_t)
 libraries_use_shared_libraries(klogd_t)

@ -77,12 +79,15 @@ allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys
 dontaudit syslogd_t self:capability sys_tty_config;

 # create/append log files.
-allow syslogd_t var_log_t:dir { read getattr search add_name write };
-allow syslogd_t var_log_t:file { create ioctl getattr setattr append link };
+allow syslogd_t var_log_t:dir rw_dir_perms;
+allow syslogd_t var_log_t:file create_file_perms;

 # manage temporary files
-allow syslogd_t syslogd_tmp_t:file { getattr create read write append setattr unlink };
-allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
+allow syslogd_t syslogd_tmp_t:file create_file_perms;
+files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
+
+allow syslogd_t syslogd_var_run_t:file create_file_perms;
+files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)

 # receive messages to be logged
 allow syslogd_t devlog_t:unix_stream_socket name_bind;
@ -94,6 +99,7 @@ allow syslogd_t self:fifo_file { getattr read write ioctl lock };

 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)

 # manage pid file
 allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
@ -129,9 +135,6 @@ init_script_use_pseudoterminal(syslogd_t)
 domain_use_widely_inheritable_file_descriptors(syslogd_t)

 files_read_general_system_config(syslogd_t)
-files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
-files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
-files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)

 libraries_use_dynamic_loader(syslogd_t)
 libraries_use_shared_libraries(syslogd_t)
@ -145,7 +148,7 @@ userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
 #
 # /initrd is not umounted before minilog starts
 #
-#dontaudit syslogd_t file_t:dir search;
+files_ignore_search_isid_type_dir(syslogd_t)
 #allow syslogd_t tmpfs_t:dir search;
 #dontaudit syslogd_t unlabeled_t:file read;
 #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
@ -159,6 +162,12 @@ kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
 ')

+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(syslogd_t)
+terminal_ignore_use_general_pseudoterminal(syslogd_t)
+files_ignore_read_rootfs_file(syslogd_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(syslogd_t)
 ')
@ -167,10 +176,8 @@ optional_policy(`udev.te', `
 udev_read_database(syslogd_t)
 ')

-tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(syslogd_t)
-terminal_ignore_use_general_pseudoterminal(syslogd_t)
-files_ignore_read_rootfs_file(syslogd_t)
+optional_policy(`cron.te',`
+cron_modify_log(syslogd_t)
 ')

 ifdef(`TODO',`
@ -198,8 +205,6 @@ can_ypbind(syslogd_t)
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };

 ifdef(`crond.te', `
-# Write to the cron log.
-allow syslogd_t crond_log_t:file rw_file_perms;
 # for daemon re-start
 allow system_crond_t syslogd_t:lnk_file read;
 ')
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@ -117,6 +117,8 @@ domain_use_widely_inheritable_file_descriptors(lvm_t)
 files_search_system_state_data_directory(lvm_t)
 files_read_general_system_config(lvm_t)
 files_read_runtime_system_config(lvm_t)
+# for when /usr is not mounted:
+files_ignore_search_isid_type_dir(lvm_t)

 init_use_file_descriptors(lvm_t)
 init_ignore_get_control_channel_attributes(lvm_t)
@ -159,9 +161,6 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };

 dontaudit lvm_t var_run_t:dir getattr;

-# for when /usr is not mounted
-dontaudit lvm_t file_t:dir search;
-
 optional_policy(`gnome-pty-helper.te', `
 allow lvm_t sysadm_gph_t:fd use;
 ')
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -80,8 +80,10 @@ files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
 files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)
-# for nscd
+# for nscd:
 files_ignore_search_runtime_data_directory(insmod_t)
+# for when /var is not mounted early in the boot:
+files_ignore_search_isid_type_dir(insmod_t)

 init_use_control_channel(insmod_t)
 init_use_file_descriptors(insmod_t)
@ -113,10 +115,6 @@ allow insmod_t xserver_log_t:file getattr;
 # why is this needed?  insmod cannot mounton any dir
 # and it also transitions to mount
 allow insmod_t usbfs_t:filesystem mount;
-
-# for when /var is not mounted early in the boot
-dontaudit insmod_t file_t:dir search;
-
 ') dnl if TODO

 ########################################
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@ -45,7 +45,12 @@ files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
 # transition to ifconfig
 allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
 allow dhcpc_t ifconfig_t:process transition;
+type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
 dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+allow dhcpc_t ifconfig_t:fd use;
+allow ifconfig_t dhcpc_t:fd use;
+allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+allow ifconfig_t dhcpc_t:process sigchld;

 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
@ -253,6 +258,8 @@ files_read_general_system_config(ifconfig_t);
 kernel_use_file_descriptors(ifconfig_t)
 kernel_read_system_state(ifconfig_t)
 kernel_read_network_state(ifconfig_t)
+kernel_ignore_search_sysctl_dir(ifconfig_t)
+kernel_ignore_search_network_sysctl_dir(ifconfig_t)

 filesystem_get_persistent_filesystem_attributes(ifconfig_t)

@ -290,11 +297,6 @@ ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')

 allow ifconfig_t tun_tap_device_t:chr_file { read write };

-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
 optional_policy(`rhgb.te', `
 allow ifconfig_t rhgb_t:process sigchld;
 allow ifconfig_t rhgb_t:fd use;
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -92,6 +92,7 @@ domain_ignore_read_all_domains_process_dirs(udev_t)
 files_read_runtime_system_config(udev_t)
 files_read_general_system_config(udev_t)
 files_execute_system_config_script(udev_t)
+files_ignore_search_isid_type_dir(udev_t)

 init_use_file_descriptors(udev_t)
 init_script_read_runtime_data(udev_t)
@ -150,7 +151,6 @@ allow udev_t sysadm_tty_device_t:chr_file { read write };

 # Dontaudits
 dontaudit udev_t staff_home_dir_t:dir search;
-dontaudit udev_t file_t:dir search;
 dontaudit udev_t ttyfile:chr_file unlink;

 allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };