kernel.if renaming

refpolicy/policy/modules/kernel/kernel.te

@@ -188,21 +188,25 @@ allow kernel_t sysctl_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
 
-# old base_file_read_access():
-files_list_home_directories(kernel_t)
-files_read_general_application_resources(kernel_t)
-selinux_read_config(kernel_t)
-
-selinux_read_binary_policy(kernel_t)
 allow kernel_t security_t:dir r_dir_perms;
 allow kernel_t security_t:file rw_file_perms;
 allow kernel_t security_t:security load_policy;
 auditallow kernel_t security_t:security load_policy;
 
+corecommands_execute_shell(kernel_t)
+corecommands_read_system_programs_directory(kernel_t)
+
+files_read_root_dir(kernel_t)
+files_list_home_directories(kernel_t)
+files_read_general_application_resources(kernel_t)
+
+init_sigchld(kernel_t)
+
 libraries_use_dynamic_loader(kernel_t)
 libraries_use_shared_libraries(kernel_t)
 
-corecommands_execute_shell(kernel_t)
+selinux_read_config(kernel_t)
+selinux_read_binary_policy(kernel_t)
 
 terminal_use_console(kernel_t)
 domain_signal_all_domains(kernel_t)
@@ -234,3 +238,14 @@ neverallow ~can_setsecparam security_t:security setsecparam;
 neverallow * *:process { setcurrent dyntransition };
 
 neverallow ~can_load_kernmodule *:capability sys_module;
+
+########################################
+#
+# Unlabeled process local policy
+#
+
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init.
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+init_sigchld(unlabeled_t)

refpolicy/policy/modules/system/corecommands.te

@@ -12,7 +12,6 @@ files_make_file(bin_t)
 #
 type sbin_t;
 files_make_file(sbin_t)
-kernel_read_directory_from(sbin_t)
 
 #
 # ls_exec_t is the type of the ls program.

refpolicy/policy/modules/system/files.te

@@ -82,7 +82,6 @@ fs_noxattr_associate(readable_t)
 type root_t, file_type, mountpoint;
 fs_associate(root_t)
 fs_noxattr_associate(root_t)
-kernel_read_directory_from(root_t)
 kernel_make_root_fs_mountpoint(root_t)
 genfscon rootfs / context_template(system_u:object_r:root_t,s0)
 

refpolicy/policy/modules/system/init.te

@@ -85,20 +85,8 @@ devices_create_dev_entry(init_t,initctl_t,fifo_file)
 # Modify utmp.
 allow init_t initrc_var_run_t:file rw_file_perms;
 
-# Run init scripts.  this is ok since initrc
-# is also in this module
-allow init_t initrc_t:process transition;
-allow init_t initrc_exec_t:file rx_file_perms;
-type_transition init_t initrc_exec_t:process initrc_t;
-dontaudit init_t initrc_t:process { noatsecure siginh rlimitinh };
-
-kernel_sigchld_from(init_t)
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-kernel_unlabeled_sigchld_from(init_t)
+# Run init scripts.
+domain_auto_trans(init_t,initrc_exec_t,initrc_t)
 
 kernel_set_selinux_boolean(init_t)
 kernel_read_system_state(init_t)