more work to clean up and complete current modules

2005-06-20 17:41:29 +00:00 · 2005-06-20 17:41:29 +00:00 · 7a2f20a315
commit 7a2f20a315
parent 2ba9a794db
14 changed files with 873 additions and 579 deletions
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@ -103,6 +103,7 @@ dev_setattr_all_blk_files(bootloader_t)
 dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_getattr_sysfs_dir(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
@ -113,6 +114,7 @@ term_getattr_all_user_ttys(bootloader_t)
 init_getattr_initctl(bootloader_t)
 init_use_script_pty(bootloader_t)
 init_use_script_fd(bootloader_t)
 init_rw_script_pipe(bootloader_t)
 domain_use_wide_inherit_fd(bootloader_t)
@ -183,10 +185,6 @@ optional_policy(`modutils.te',`
 ifdef(`TODO',`
 allow bootloader_t initrc_t:fifo_file { read write };
 allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@ -19,7 +19,12 @@
 ## </interface>
 #
 define(`kernel_userland_entry',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type kernel_t;
 		class process sigchld;
 		class fifo_file rw_file_perms;
 		class fd use;
 	')
 	domain_auto_trans(kernel_t, $2, $1)
@ -29,15 +34,6 @@ define(`kernel_userland_entry',`
 	allow $1 kernel_t:process sigchld;
 ')
 define(`kernel_userland_entry_depend',`
 	type kernel_t;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class file { getattr read execute };
 	class fifo_file rw_file_perms;
 	class fd use;
 ')
 ########################################
 ## <interface name="kernel_rootfs_mountpoint">
 ##	<description>
@ -61,6 +57,25 @@ define(`kernel_rootfs_mountpoint_depend',`
 	class dir mounton;
 ')
 ########################################
 ## <interface name="kernel_sigchld">
 ## 	<description>
 ##		Send a SIGCHLD signal to kernel threads.
 ## 	</description>
 ## 	<parameter name="domain">
 ## 		The type of the process sending the signal.
 ## 	</parameter>
 ## </interface>
 #
 define(`kernel_sigchld',`
 	gen_require(`
 		type kernel_t;
 		class process sigchld;
 	')
 	allow kernel_t $1:process sigchld;
 ')
 ########################################
 ## <interface name="kernel_share_state">
 ## 	<description>
@ -73,17 +88,14 @@ define(`kernel_rootfs_mountpoint_depend',`
 ## </interface>
 #
 define(`kernel_share_state',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type kernel_t;
 		class process share;
 	')
 	allow kernel_t $1:process share;
 ')
 define(`kernel_share_state_depend',`
 	type kernel_t;
 	class process share;
 ')
 ########################################
 ## <interface name="kernel_use_fd">
 ## 	<description>
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -227,6 +227,48 @@ define(`storage_raw_write_lvm_volume',`
 	typeattribute $1 fixed_disk_raw_write;
 ')
 ########################################
 ## <interface name="storage_getattr_scsi_generic">
 ##	<description>
 ##		Allow the caller to get the attributes of
 ##		the generic SCSI interface device nodes.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`storage_getattr_scsi_generic',`
 	gen_require(`
 		type scsi_generic_device_t;
 		class blk_file getattr;
 	')
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 ########################################
 ## <interface name="storage_setattr_scsi_generic">
 ##	<description>
 ##		Allow the caller to set the attributes of
 ##		the generic SCSI interface device nodes.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`storage_setattr_scsi_generic',`
 	gen_require(`
 		type scsi_generic_device_t;
 		class blk_file setattr;
 	')
 	dev_list_all_dev_nodes($1)
 	allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 ########################################
 ## <interface name="storage_read_scsi_generic">
 ##	<description>
@ -383,6 +425,26 @@ define(`storage_setattr_removable_device',`
 	allow $1 removable_device_t:blk_file setattr;
 ')
 ########################################
 ## <interface name="storage_dontaudit_setattr_removable_device">
 ##	<description>
 ##		Do not audit attempts made by the caller to set
 ##		the attributes of removable devices device nodes.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process to not audit.
 ##	</parameter>
 ## </interface>
 #
 define(`storage_dontaudit_setattr_removable_device',`
 	gen_require(`
 		type removable_device_t;
 		class blk_file setattr;
 	')
 	dontaudit $1 removable_device_t:blk_file setattr;
 ')
 ########################################
 ## <interface name="storage_raw_read_removable_device">
 ##	<description>
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -1,21 +1,6 @@
 ## <module name="authlogin" layer="system">
 ## <summary>Common policy for authentication and user login.</summary>
 ########################################
 ## <interface name="authlogin_per_userdomain_template">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="userdomain_prefix">
 ##		
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # Per user domain template for this module
@ -110,31 +95,21 @@ define(`authlogin_per_userdomain_template_depend',`
 ########################################
 ## <interface name="auth_login_entry_type">
 ##	<description>
-##		
+##		Use the login program as an entry point program.
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of process using the login program as entry point.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_login_entry_type(domain)
 #
 define(`auth_login_entry_type',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type login_exec_t;
 	')
 	domain_entry_file($1,login_exec_t)
 ')
 define(`auth_login_entry_type_depend',`
 	type login_exec_t;
 ')
 ########################################
 ## <interface name="auth_domtrans_login_program">
 ##	<description>
@ -149,13 +124,15 @@ define(`auth_login_entry_type_depend',`
 ## </interface>
 #
 define(`auth_domtrans_login_program',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type login_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
-	# FIXME: search bin_t
+	corecmd_search_bin($1)
-	allow $1 login_exec_t:file rx_file_perms;
+	domain_auto_trans($1,login_exec_t,$2)
 	allow $1 $2:process transition;
 	type_transition $1 login_exec_t:process $2;
 	dontaudit $1 $2:process { noatsecure siginh rlimitinh };
 	allow $1 $2:fd use;
 	allow $2 $1:fd use;
@ -163,35 +140,26 @@ define(`auth_domtrans_login_program',`
 	allow $2 $1:process sigchld;
 ')
 define(`auth_domtrans_login_program_depend',`
 	type login_exec_t;
 	class file rx_file_perms; 
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_domtrans_chk_passwd">
 ##	<description>
-##		
+##		Run unix_chkpwd to check a password.
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_domtrans_chk_passwd(domain)
 #
 define(`auth_domtrans_chk_passwd',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 		class process sigchld;
 		class udp_socket create_socket_perms;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	corecmd_search_sbin($1)
 	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
 	allow $1 system_chkpwd_t:fd use;
@ -200,7 +168,6 @@ define(`auth_domtrans_chk_passwd',`
 	allow system_chkpwd_t $1:process sigchld;
 	dontaudit $1 shadow_t:file { getattr read };
 	#allow $1_t sbin_t:dir search;
 	#can_ypbind($1_t)
 	#can_kerberos($1_t)
 	#can_ldap($1_t)
@ -217,145 +184,99 @@ define(`auth_domtrans_chk_passwd',`
 	')
 ')
 define(`auth_domtrans_chk_passwd_depend',`
 	type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	class file rx_file_perms;
 	class process { transition sigchld };                         
 	class udp_socket create_socket_perms;
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_dontaudit_getattr_shadow">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_dontaudit_getattr_shadow(domain)
 #
 define(`auth_dontaudit_getattr_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type shadow_t;
 		class file stat_file_perms;
 	')
 	dontaudit $1 shadow_t:file getattr;
 ')
 define(`auth_dontaudit_getattr_shadow_depend',`
 	type shadow_t;
 	class file stat_file_perms;
 ')
 ########################################
 ## <interface name="auth_read_shadow">
 ##	<description>
-##		
+##		Read the shadow passwords file (/etc/shadow)
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_read_shadow(domain)
 #
 define(`auth_read_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		attribute can_read_shadow_passwords;
 		type shadow_t;
 		class file r_file_perms;
 	')
 	files_list_etc($1)
 	allow $1 shadow_t:file r_file_perms;
 	typeattribute $1 can_read_shadow_passwords;
 ')
 define(`auth_read_shadow_depend',`
 	attribute can_read_shadow_passwords;
 	type shadow_t;
 	class file r_file_perms;
 ')
 ########################################
 ## <interface name="auth_dontaudit_read_shadow">
 ##	<description>
-##		
+##		Do not audit attempts to read the shadow
 ##		password file (/etc/shadow).
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the domain to not audit.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_dontaudit_read_shadow(domain)
 #
 define(`auth_dontaudit_read_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type shadow_t;
 		class file r_file_perms;
 	')
 	dontaudit $1 shadow_t:file { getattr read };
 ')
 define(`auth_dontaudit_read_shadow_depend',`
 	type shadow_t;
 	class file r_file_perms;
 ')
 ########################################
 ## <interface name="auth_rw_shadow">
 ##	<description>
-##		
+##		Read and write the shadow password file (/etc/shadow).
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_rw_shadow(domain)
 #
 define(`auth_rw_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		attribute can_read_shadow_passwords, can_write_shadow_passwords;
 		type shadow_t;
 		class file rw_file_perms;
 	')
 	files_list_etc($1)
 	allow $1 shadow_t:file rw_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 define(`auth_rw_shadow_depend',`
 	attribute can_read_shadow_passwords, can_write_shadow_passwords;
 	type shadow_t;
 	class file rw_file_perms;
 ')
 #######################################
 #
 # auth_manage_shadow(domain)
 #
 define(`auth_manage_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		attribute can_read_shadow_passwords, can_write_shadow_passwords;
 		type shadow_t;
 		class file create_file_perms;
 	')
 	allow $1 shadow_t:file create_file_perms;
 	files_create_etc_config($1,shadow_t,file)
@ -363,49 +284,34 @@ define(`auth_manage_shadow',`
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 define(`auth_manage_shadow_depend',`
 	attribute can_read_shadow_passwords, can_write_shadow_passwords;
 	type shadow_t;
 	class file create_file_perms;
 ')
 #######################################
 #
 # auth_relabelto_shadow(domain)
 #
 define(`auth_relabelto_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		attribute can_relabelto_shadow_passwords;
 		type shadow_t;
 		class file relabelto;
 	')
 	files_search_etc($1)
 	allow $1 shadow_t:file relabelto;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 define(`auth_relabelto_shadow_depend',`
 	attribute can_relabelto_shadow_passwords;
 	type shadow_t;
 	class file relabelto;
 ')
 #######################################
 #
 # auth_rw_faillog(domain)
 #
 define(`auth_rw_faillog',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type faillog_t;
 		class file rw_file_perms;
 	')
 	allow $1 faillog_t:file rw_file_perms;
 	logging_search_logs($1)
-')
+	allow $1 faillog_t:file rw_file_perms;
 define(`auth_rw_faillog_depend',`
 	type faillog_t;
 	class file rw_file_perms;
 ')
 #######################################
@ -413,18 +319,15 @@ define(`auth_rw_faillog_depend',`
 # auth_rw_lastlog(domain)
 #
 define(`auth_rw_lastlog',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type lastlog_t;
 		class file { getattr read write setattr };
 	')
 	logging_search_logs($1)
 	allow $1 lastlog_t:file { getattr read write setattr };
 ')
 define(`auth_rw_lastlog_depend',`
 	type lastlog_t;
 	class file { getattr read write setattr };
 ')
 ########################################
 ## <interface name="auth_domtrans_pam">
 ##	<description>
@ -436,7 +339,12 @@ define(`auth_rw_lastlog_depend',`
 ## </interface>
 #
 define(`auth_domtrans_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_t, pam_exec_t;
 		class process sigchld;
 		class fd
 		class fifo_file rw_file_perms;
 	')
 	domain_auto_trans($1,pam_exec_t,pam_t)
@ -446,15 +354,6 @@ define(`auth_domtrans_pam',`
 	allow pam_t $1:process sigchld;
 ')
 define(`auth_domtrans_pam_depend',`
 	type pam_t, pam_exec_t;
 	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_run_pam">
 ##	<description>
@ -472,54 +371,44 @@ define(`auth_domtrans_pam_depend',`
 ## </interface>
 #
 define(`auth_run_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_t;
 		class chr_file rw_file_perms;
 	')
 	auth_domtrans_pam($1)
 	role $2 types pam_t;
 	allow pam_t $3:chr_file rw_file_perms;
 ')
 define(`auth_run_pam_depend',`
 	type pam_t;
 	class chr_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_exec_pam">
 ##	<description>
-##		
+##		Execute the pam program.
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_exec_pam(domain)
 #
 define(`auth_exec_pam',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_exec_t;
 	')
 	can_exec($1,pam_exec_t)
 ')
 define(`auth_exec_pam_depend',`
 	type pam_exec_t;
 	class file { getattr read execute execute_no_trans };
 ')
 #######################################
 #
 # auth_read_pam_pid(domain)
 #
 define(`auth_read_pam_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_var_run_t;
 		class dir r_dir_perms;
 		class file r_file_perms;
 	')
 	files_search_var($1)
 	files_search_pids($1)
@ -527,32 +416,22 @@ define(`auth_read_pam_pid',`
 	allow $1 pam_var_run_t:file r_file_perms;
 ')
 define(`auth_read_pam_pid_depend',`
 	type pam_var_run_t;
 	class dir r_dir_perms;
 	class file r_file_perms;
 ')
 ########################################
 ## <interface name="auth_delete_pam_pid">
 ##	<description>
-##		
+##		Delete pam PID files.
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
-##		
+##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_delete_pam_pid(domain)
 #
 define(`auth_delete_pam_pid',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_var_run_t;
 		class dir { getattr search read write remove_name };
 		class file { getattr unlink };
 	')
 	files_search_var($1)
 	files_search_pids($1)
@ -560,19 +439,17 @@ define(`auth_delete_pam_pid',`
 	allow $1 pam_var_run_t:file { getattr unlink };
 ')
 define(`auth_delete_pam_pid_depend',`
 	type pam_var_run_t;
 	class dir { getattr search read write remove_name };
 	class file { getattr unlink };
 ')
 #######################################
 #
 # auth_domtrans_pam_console(domain)
 #
 define(`auth_domtrans_pam_console',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_console_t, pam_console_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	domain_auto_trans($1,pam_console_exec_t,pam_console_t)
@ -582,52 +459,31 @@ define(`auth_domtrans_pam_console',`
 	allow pam_console_t $1:process sigchld;
 ')
 define(`auth_domtrans_pam_console_depend',`
 	type pam_console_t, pam_console_exec_t;
 	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_list_pam_console_data">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_list_pam_console_data(domain)
 #
 define(`auth_list_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_var_console_t;
 		class dir r_dir_perms;
 	')
 	files_search_var($1)
 	files_search_pids($1)
 	allow $1 pam_var_console_t:dir r_dir_perms;
 ')
 define(`auth_list_pam_console_data_depend',`
 	type pam_var_console_t;
 	class dir r_dir_perms;
 ')
 #######################################
 #
 # auth_read_pam_console_data(domain)
 #
 define(`auth_read_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_var_console_t;
 		class dir r_dir_perms;
 		class file r_file_perms;
 	')
 	files_search_var($1)
 	files_search_pids($1)
@ -635,19 +491,17 @@ define(`auth_read_pam_console_data',`
 	allow $1 pam_var_console_t:file r_file_perms;
 ')
 define(`auth_read_pam_console_data_depend',`
 	type pam_var_console_t;
 	class dir r_dir_perms;
 	class file r_file_perms;
 ')
 #######################################
 #
 # auth_manage_pam_console_data(domain)
 #
 define(`auth_manage_pam_console_data',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type pam_var_console_t;
 		class dir rw_dir_perms;
 		class file create_file_perms;
 		class lnk_file create_lnk_perms;
 	')
 	files_search_var($1)
 	files_search_pids($1)
@ -656,14 +510,6 @@ define(`auth_manage_pam_console_data',`
 	allow $1 pam_var_console_t:lnk_file create_lnk_perms;
 ')
 define(`auth_manage_pam_console_data_depend',`
 	type pam_var_console_t;
 	class dir rw_dir_perms;
 	class file create_file_perms;
 	class lnk_file create_lnk_perms;
 ')
 ########################################
 ## <interface name="auth_relabel_all_files_except_shadow">
 ##	<description>
@ -681,15 +527,13 @@ define(`auth_manage_pam_console_data_depend',`
 #
 define(`auth_relabel_all_files_except_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type shadow_t;
 	')
 	files_relabel_all_files($1,$2 -shadow_t)
 ')
 define(`auth_relabel_all_files_except_shadow_depend',`
 	type shadow_t;
 ')
 ########################################
 ## <interface name="auth_manage_all_files_except_shadow">
 ##	<description>
@ -707,15 +551,13 @@ define(`auth_relabel_all_files_except_shadow_depend',`
 #
 define(`auth_manage_all_files_except_shadow',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type shadow_t;
 	')
 	files_manage_all_files($1,$2 -shadow_t)
 ')
 define(`auth_manage_all_files_except_shadow_depend',`
 	type shadow_t;
 ')
 ########################################
 ## <interface name="auth_domtrans_utempter">
 ##	<description>
@ -727,7 +569,12 @@ define(`auth_manage_all_files_except_shadow_depend',`
 ## </interface>
 #
 define(`auth_domtrans_utempter',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type utempter_t, utempter_exec_t;
 		class process sigchld;
 		class fd use;
 		class fifo_file rw_file_perms;
 	')
 	domain_auto_trans($1,utempter_exec_t,utempter_t)
@ -737,15 +584,6 @@ define(`auth_domtrans_utempter',`
 	allow utempter_t $1:process sigchld;
 ')
 define(`auth_domtrans_utempter_depend',`
 	type utempter_t, utempter_exec_t;
 	class file rx_file_perms;
 	class process { transition noatsecure siginh rlimitinh sigchld };
 	class fd use;
 	class fifo_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_run_utempter">
 ##	<description>
@ -763,75 +601,43 @@ define(`auth_domtrans_utempter_depend',`
 ## </interface>
 #
 define(`auth_run_utempter',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type utempter_t;
 		class chr_file rw_file_perms;
 	')
 	auth_domtrans_utempter($1)
 	role $2 types utempter_t;
 	allow utempter_t $3:chr_file rw_file_perms;
 ')
 define(`auth_run_utempter_depend',`
 	type utempter_t;
 	class chr_file rw_file_perms;
 ')
 ########################################
 ## <interface name="auth_read_login_records">
 ##	<description>
 ##		
 ##	</description>
 ##      <securitydesc>
 ##              ...
 ##      </securitydesc>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_read_login_records(domain)
 #
 define(`auth_read_login_records',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type wtmp_t;
 		class file r_file_perms;
 	')
 	logging_search_logs($1)
 	allow $1 wtmp_t:file r_file_perms;
 ')
 define(`auth_read_login_records_depend',`
 	type wtmp_t;
 	class file r_file_perms;
 ')
 ########################################
 ## <interface name="auth_dontaudit_write_login_records">
 ##	<description>
 ##		
 ##	</description>
 ##	<parameter name="domain">
 ##		
 ##	</parameter>
 ## </interface>
 #
 #######################################
 #
 # auth_dontaudit_write_login_records(domain)
 #
 define(`auth_dontaudit_write_login_records',`
-	gen_require(`$0'_depend)
+	gen_require(`
 		type wtmp_t;
 		class file write;
 	')
 	dontaudit $1 wtmp_t:file write;
 ')
 define(`auth_read_login_records_depend',`
 	type wtmp_t;
 	class file write;
 ')
 #######################################
 #
 # auth_rw_login_records(domain)
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@ -141,12 +141,27 @@ kernel_read_system_state(pam_console_t)
 kernel_use_fd(pam_console_t)
 dev_read_sysfs(pam_console_t)
 dev_getattr_framebuffer(pam_console_t)
 dev_setattr_framebuffer(pam_console_t)
 dev_getattr_misc(pam_console_t)
 dev_setattr_misc(pam_console_t)
 dev_getattr_mouse(pam_console_t)
 dev_setattr_mouse(pam_console_t)
 dev_getattr_power_management(pam_console_t)
 dev_setattr_power_management(pam_console_t)
 dev_getattr_scanner(pam_console_t)
 dev_setattr_scanner(pam_console_t)
 dev_getattr_snd_dev(pam_console_t)
 dev_setattr_snd_dev(pam_console_t)
 dev_getattr_video_dev(pam_console_t)
 dev_setattr_video_dev(pam_console_t)
 # Allow to set attributes on /dev entries
 storage_getattr_fixed_disk(pam_console_t)
 storage_setattr_fixed_disk(pam_console_t)
 storage_getattr_removable_device(pam_console_t)
 storage_setattr_removable_device(pam_console_t)
 storage_getattr_scsi_generic(pam_console_t)
 storage_setattr_scsi_generic(pam_console_t)
 term_use_console(pam_console_t)
 term_getattr_unallocated_ttys(pam_console_t)
@ -201,18 +216,7 @@ optional_policy(`rhgb.te', `
 ')
 allow pam_console_t autofs_t:dir { search getattr };
-allow pam_console_t { 
+allow pam_console_t apm_bios_t:chr_file { getattr setattr };
 framebuf_device_t
 v4l_device_t
 apm_bios_t
 sound_device_t
 misc_device_t
 scanner_device_t
 mouse_device_t
 power_device_t
 removable_device_t
 scsi_generic_device_t
 }:chr_file { getattr setattr };
 ifdef(`gpm.te', `
 	allow pam_console_t gpmctl_t:sock_file { getattr setattr };
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -940,6 +940,25 @@ define(`files_dontaudit_search_var_depend',`
 	class dir search;
 ')
 ########################################
 ## <interface name="files_search_var_lib">
 ##	<description>
 ##		Search the /var/lib directory.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`files_search_var_lib',`
 	gen_require(`
 		type var_t, var_lib_t;
 		class dir search;
 	')
 	allow $1 { var_t var_lib_t }:dir search;
 ')
 ########################################
 #
 # files_manage_urandom_seed(domain)
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@ -43,6 +43,8 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
 allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
 files_create_pid(hotplug_t,hotplug_var_run_t)
 kernel_sigchld(hotplug_t)
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
@ -58,6 +60,7 @@ corenet_tcp_bind_all_nodes(hotplug_t)
 dev_read_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)
 dev_setattr_snd_dev(hotplug_t)
 # for SSP:
 dev_read_urand(hotplug_t)
@ -167,14 +170,9 @@ optional_policy(`rhgb.te', `
 allow kernel_t hotplug_etc_t:dir search;
 allow hotplug_t sound_device_t:chr_file setattr;
 can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 allow hotplug_t kernel_t:process sigchld;
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@ -329,6 +329,25 @@ define(`init_get_script_process_group',`
 	allow $1 initrc_t:process getpgid;
 ')
 ########################################
 ## <interface name="init_rw_script_pipe">
 ##	<description>
 ##		Read and write init script unnamed pipes.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ## </interface>
 #
 define(`init_rw_script_pipe',`
 	gen_require(`
 		type initrc_t;
 		class chr_file { read write };
 	')
 	allow $1 initrc_t:fifo_file { read write };
 ')
 ########################################
 #
 # init_use_script_pty(domain)
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@ -64,6 +64,7 @@ fs_getattr_xattr_fs(ldconfig_t)
 domain_use_wide_inherit_fd(ldconfig_t)
 files_search_var_lib(ldconfig_t)
 files_read_generic_etc_files(ldconfig_t)
 # for when /etc/ld.so.cache is mislabeled:
 files_delete_generic_etc_files(ldconfig_t)
@ -83,8 +84,6 @@ ifdef(`apache.te', `
 	dontaudit ldconfig_t httpd_modules_t:dir search;
 ')
 allow ldconfig_t { var_t var_lib_t }:dir search;
 ifdef(`hide_broken_symptoms', `
 	ifdef(`unconfined.te',`
 		dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@ -54,6 +54,20 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
 dev_setattr_mouse(local_login_t)
 dev_getattr_mouse(local_login_t)
 dev_getattr_snd_dev(local_login_t)
 dev_setattr_snd_dev(local_login_t)
 dev_getattr_power_management(local_login_t)
 dev_setattr_power_management(local_login_t)
 dev_dontaudit_getattr_generic_blk_file(local_login_t)
 dev_dontaudit_setattr_generic_blk_file(local_login_t)
 dev_dontaudit_getattr_generic_chr_file(local_login_t)
 dev_dontaudit_setattr_generic_chr_file(local_login_t)
 dev_dontaudit_getattr_misc(local_login_t)
 dev_dontaudit_setattr_misc(local_login_t)
 dev_dontaudit_getattr_scanner(local_login_t)
 dev_dontaudit_setattr_scanner(local_login_t)
 # for SSP/ProPolice
 dev_read_urand(local_login_t)
@ -66,6 +80,8 @@ selinux_compute_user_contexts(local_login_t)
 storage_dontaudit_getattr_fixed_disk(local_login_t)
 storage_dontaudit_setattr_fixed_disk(local_login_t)
 storage_dontaudit_getattr_removable_device(local_login_t)
 storage_dontaudit_setattr_removable_device(local_login_t)
 term_use_all_user_ttys(local_login_t)
 term_use_unallocated_tty(local_login_t)
@ -171,19 +187,11 @@ ifdef(`targeted_policy',`
 	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
 ')
 allow local_login_t mouse_device_t:chr_file { getattr setattr };
 allow local_login_t sound_device_t:chr_file { getattr setattr };
 allow local_login_t power_device_t:chr_file { getattr setattr };
 # Do not audit denied attempts to access devices.
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
+dontaudit local_login_t device_t:lnk_file { getattr setattr };
 dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
 dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
 dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
 dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
 dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
 dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
 dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
 # Do not audit denied attempts to access /mnt.
 dontaudit local_login_t mnt_t:dir r_dir_perms;
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@ -65,6 +65,8 @@ dev_search_usbfs(insmod_t)
 dev_write_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp_dev(insmod_t)
 dev_read_snd_dev(insmod_t)
 dev_write_snd_dev(insmod_t)
 fs_getattr_xattr_fs(insmod_t)
@ -105,8 +107,6 @@ ifdef(`TODO',`
 allow insmod_t apm_bios_t:chr_file { read write };
 allow insmod_t sound_device_t:chr_file { read ioctl write };
 ifdef(`xserver.te', `
 	allow insmod_t xserver_log_t:file getattr;
 ')
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@ -1,4 +1,11 @@
 policy_module(mount,1.0)
 ########################################
 #
 # Declarations
 #
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@ -102,6 +102,7 @@ init_dontaudit_write_script_pid(udev_t)
 libs_use_ld_so(udev_t)
 libs_use_shared_libs(udev_t)
 logging_search_logs(udev_t)
 logging_send_syslog_msg(udev_t)
 miscfiles_read_localization(udev_t)
@ -141,7 +142,7 @@ optional_policy(`sysnetwork.te',`
 ')
 ifdef(`TODO',`
-allow udev_t var_log_t:dir search;
+
 allow udev_t var_lock_t:dir search;
 allow udev_t var_lock_t:file getattr;