add module statement macro and entrypoint executable attribute to replicate

can_exec($1,exec_type)

refpolicy/policy/modules/kernel/bootloader.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(bootloader,1.0)
+
 attribute can_modify_kernel_modules;
 
 #

refpolicy/policy/modules/kernel/corenetwork.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(corenetwork,1.0)
+
 attribute netif_type;
 attribute node_type;
 attribute port_type;

refpolicy/policy/modules/kernel/devices.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(devices,1.0)
+
 #
 # Device types
 #

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(filesystem,1.0)
+
 attribute fs_type;
 
 ########################################

refpolicy/policy/modules/kernel/kernel.if

@@ -207,7 +207,7 @@ class security setbool;
 #
 # kernel_setsecparam(domain,[`optional'])
 #
-define(`kernel_security_setsecparam',`
+define(`kernel_setsecparam',`
 requires_block_template(kernel_setsecparam_depend,$2)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };

refpolicy/policy/modules/kernel/kernel.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(kernel,1.0)
+
 attribute can_load_policy;
 attribute can_setenforce;
 attribute can_setsecparam;

refpolicy/policy/modules/kernel/storage.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(storage,1.0)
+
 #
 # fixed_disk_device_t is the type of 
 # /dev/hd* and /dev/sd*.

refpolicy/policy/modules/kernel/terminal.if

@@ -11,6 +11,7 @@ allow $1 ptmx_t:chr_file { getattr read write };
 allow $1 devpts_t:dir { getattr search read };
 allow $1 devpts_t:filesystem getattr;
 allow $2 devpts_t:filesystem associate;
+dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
 type_transition $1 devpts_t:chr_file $2;
 typeattribute $2 ptynode;
 ')

refpolicy/policy/modules/kernel/terminal.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(terminal,1.0)
+
 attribute ttynode;
 attribute ptynode;
 

refpolicy/policy/modules/system/authlogin.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(authlogin,1.0)
+
 ########################################
 #
 # Declarations

refpolicy/policy/modules/system/corecommands.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(corecommands,1.0)
+
 #
 # bin_t is the type of files in the system bin directories.
 #

refpolicy/policy/modules/system/domain.if

@@ -53,9 +53,11 @@ requires_block_template(domain_make_entrypoint_file_depend,$3)
 allow $1 $2:file entrypoint;
 neverallow $1 ~{ $2 }:file entrypoint;
 files_make_file($2,$3)
+typeattribute $1 entry_type;
 ')
 
 define(`domain_make_entrypoint_file_depend',`
+attribute entry_type;
 class file entrypoint;
 ')
 
@@ -196,3 +198,17 @@ class lnk_file { getattr read };
 class file { getattr read };
 class process { getattr getsession };
 ')
+
+########################################
+#
+# domain_execute_all_entrypoint_programs(domain,[`optional'])
+#
+define(`domain_execute_all_entrypoint_programs',`
+requires_block_template(domain_execute_all_entrypoint_programs_depend,$2)
+allow $1 entry_type:file { getattr read execute execute_no_trans };
+')
+
+define(`domain_execute_all_entrypoint_programs_depend',`
+attribute entry_type;
+class file { getattr read execute execute_no_trans };
+')

refpolicy/policy/modules/system/domain.te

@@ -1,8 +1,13 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(domain,1.0)
+
 # Mark process types as domains
 attribute domain;
 
+# entrypoint executables
+attribute entry_type;
+
 # processes started by init itself
 attribute init_domain;
 attribute init_domain_entry;

refpolicy/policy/modules/system/files.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(files,1.0)
+
 attribute file_type;
 attribute lockfile;
 attribute pidfile;

refpolicy/policy/modules/system/getty.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(getty,1.0)
+
 type getty_t; #, privfd
 type getty_exec_t;
 domain_make_init_domain(getty_t,getty_exec_t)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(init,1.0)
+
 #
 # init_t is the domain of the init process.
 #

refpolicy/policy/modules/system/libraries.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(libraries,1.0)
+
 #
 # ld_so_cache_t is the type of /etc/ld.so.cache.
 #

refpolicy/policy/modules/system/logging.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(logging,1.0)
+
 attribute logfile;
 
 type devlog_t;

refpolicy/policy/modules/system/miscfiles.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(miscfiles,1.0)
+
 #
 # catman_t is the type for /var/catman.
 #

refpolicy/policy/modules/system/modutils.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(modutils,1.0)
+
 # module loading config
 type modules_conf_t;
 files_make_file(modules_conf_t)

refpolicy/policy/modules/system/selinux.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(selinux,1.0)
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config

refpolicy/policy/modules/system/selinuxutil.te

@@ -1,5 +1,7 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
+policy_module(selinux,1.0)
+
 #
 # selinux_config_t is the type applied to
 # /etc/selinux/config

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,2 +1,6 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+policy_module(sysnetwork,1.0)
+
 type net_conf_t alias resolv_conf_t;
 files_make_file(net_conf_t)