fix more TODOs. fix selinux.te to selinuxutil.te in optionals

refpolicy/policy/modules/admin/dmesg.te

@@ -58,7 +58,7 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(dmesg_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(dmesg_t)
 ')
 

refpolicy/policy/modules/kernel/devices.if

@@ -164,6 +164,25 @@ interface(`dev_relabel_dev_dirs',`
 	allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
 ')
 
+########################################
+## <summary>
+##	Read and write generic files in /dev.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_generic_file',`
+	gen_require(`
+		type device_t;
+		class dir search;
+		class file rw_file_perms;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 device_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit getattr on generic pipes.
@@ -328,6 +347,24 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
 	dontaudit $1 device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of symbolic links in device directories (/dev).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_setattr_generic_symlink',`
+	gen_require(`
+		type device_t;
+		class lnk_file setattr;
+	')
+
+	dontaudit $1 device_t:lnk_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Delete symbolic links in device directories.

refpolicy/policy/modules/kernel/filesystem.if

@@ -1705,6 +1705,24 @@ interface(`fs_set_all_quotas',`
 	allow $1 filesystem_type:filesystem quotamod;
 ')
 
+########################################
+## <summary>
+##	List all directories with a filesystem type.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_list_all',`
+	gen_require(`
+		attribute filesystem_type;
+		class dir r_dir_perms;
+	')
+
+	allow $1 filesystem_type:dir r_dir_perms;
+')
+
+
 ########################################
 #
 # fs_getattr_all_files(type)

refpolicy/policy/modules/kernel/kernel.if

@@ -121,6 +121,57 @@ interface(`kernel_dontaudit_use_fd',`
 	dontaudit $1 kernel_t:fd use;
 ')
 
+########################################
+## <system>
+##	Read and write kernel unnamed pipes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_rw_pipe',`
+	gen_require(`
+		type kernel_t;
+		class fifo_file { read write };
+	')
+
+	allow $1 kernel_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Read and write kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_rw_unix_dgram_socket',`
+	gen_require(`
+		type kernel_t;
+		class unix_dgram_socket { read write ioctl };
+	')
+
+	allow $1 kernel_t:unix_dgram_socket { read write ioctl };
+')
+
+########################################
+## <summary>
+##	Send messages to kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`kernel_sendto_unix_dgram_socket',`
+	gen_require(`
+		type kernel_t;
+		class unix_dgram_socket sendto;
+	')
+
+	allow $1 kernel_t:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to load kernel modules
@@ -1046,20 +1097,19 @@ interface(`kernel_sigchld_unlabeled',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts by caller to get attributes for
-##	unlabeled block devices.
+##	List unlabeled directories.
 ## </summary>
 ## <param name="domain">
-##	The process type not to audit.
+##	Domain allowed access.
 ## </param>
 #
-interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
+interface(`kernel_list_unlabeled',`
 	gen_require(`
 		type unlabeled_t;
-		class blk_file getattr;
+		class dir r_dir_perms;
 	')
 
-	allow $1 unlabeled_t:blk_file getattr;
+	allow $1 unlabeled_t:dir r_dir_perms;
 ')
 
 ########################################
@@ -1079,6 +1129,24 @@ interface(`kernel_rw_unlabeled_dir',`
 	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts by caller to get attributes for
+##	unlabeled block devices.
+## </summary>
+## <param name="domain">
+##	The process type not to audit.
+## </param>
+#
+interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',`
+	gen_require(`
+		type unlabeled_t;
+		class blk_file getattr;
+	')
+
+	allow $1 unlabeled_t:blk_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write unlabeled block device nodes.

refpolicy/policy/modules/services/inetd.te

@@ -120,7 +120,7 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(inetd_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(inetd_t)
 ')
 

refpolicy/policy/modules/services/kerberos.te

@@ -130,7 +130,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(kadmind_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(kadmind_t)
 ')
 
@@ -231,7 +231,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(krb5kdc_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(krb5kdc_t)
 ')
 

refpolicy/policy/modules/services/nis.te

@@ -110,7 +110,7 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(ypbind_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ypbind_t)
 ')
 
@@ -199,7 +199,7 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(ypserv_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ypserv_t)
 ')
 

refpolicy/policy/modules/services/sendmail.te

@@ -99,7 +99,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(sendmail_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(sendmail_t)
 ')
 

refpolicy/policy/modules/services/ssh.te

@@ -223,7 +223,7 @@ optional_policy(`rhgb.te', `
 	rhgb_domain(ssh_keygen_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
 

refpolicy/policy/modules/system/authlogin.if

@@ -103,7 +103,7 @@ template(`authlogin_per_userdomain_template',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
 
-	optional_policy(`selinux.te',`
+	optional_policy(`selinuxutil.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
 

refpolicy/policy/modules/system/authlogin.te

@@ -207,7 +207,7 @@ optional_policy(`hotplug.te', `
 	hotplug_dontaudit_search_config(pam_console_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(pam_console_t)
 ')
 
@@ -314,9 +314,9 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_user_tmp(utempter_t)
 
-optional_policy(`xserver.te', `
+optional_policy(`xdm.te', `
 	#allow utempter_t xdm_t:fd use;
-	xserver_use_xdm_fd(utempter_t)
+	xdm_use_fd(utempter_t)
 	#allow utempter_t xdm_t:fifo_file { write getattr };
 	xdm_write_fifo(utempter_t)
 ')

refpolicy/policy/modules/system/clock.te

@@ -66,7 +66,7 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(hwclock_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hwclock_t)
 ')
 

refpolicy/policy/modules/system/corecommands.if

@@ -50,6 +50,7 @@ interface(`corecmd_list_bin',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
+#
 interface(`corecmd_getattr_bin_file',`
 	gen_require(`
 		type bin_t;
@@ -59,6 +60,25 @@ interface(`corecmd_getattr_bin_file',`
 	allow $1 bin_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read files in bin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_bin_file',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in bin directories.
@@ -66,15 +86,54 @@ interface(`corecmd_getattr_bin_file',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
+#
 interface(`corecmd_read_bin_symlink',`
 	gen_require(`
 		type bin_t;
 		class dir search;
-		class lnk_file read;
+		class lnk_file r_file_perms;
 	')
 
 	allow $1 bin_t:dir search;
-	allow $1 bin_t:lnk_file read;
+	allow $1 bin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read pipes in bin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_bin_pipe',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in bin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_bin_socket',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:sock_file r_file_perms;
 ')
 
 ########################################
@@ -146,6 +205,25 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 	dontaudit $1 sbin_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read files in sbin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_sbin_file',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in sbin directories.
@@ -153,15 +231,54 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
+#
 interface(`corecmd_read_sbin_symlink',`
 	gen_require(`
 		type sbin_t;
 		class dir search;
-		class lnk_file read;
+		class lnk_file r_file_perms;
 	')
 
 	allow $1 sbin_t:dir search;
-	allow $1 sbin_t:lnk_file read;
+	allow $1 sbin_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named pipes in sbin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_sbin_pipe',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read named sockets in sbin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`corecmd_read_sbin_socket',`
+	gen_require(`
+		type sbin_t;
+		class dir search;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 sbin_t:dir search;
+	allow $1 sbin_t:sock_file r_file_perms;
 ')
 
 ########################################

refpolicy/policy/modules/system/files.if

@@ -804,6 +804,26 @@ interface(`files_mounton_isid_type_dir',`
 	allow $1 file_t:dir { getattr search mounton };
 ')
 
+########################################
+## <summary>
+##	Read files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_isid_type_file',`
+	gen_require(`
+		type file_t;
+		class dir search;
+		class file r_file_perms;
+	')
+
+	allow $1 file_t:dir search;
+	allow $1 file_t:file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@@ -1028,6 +1048,86 @@ interface(`files_manage_mnt_dirs',`
 	allow $1 mnt_t:dir create_dir_perms;
 ')
 
+########################################
+## <summary>
+##	List world-readable directories.
+## </summary>
+##	Domain allowed access.
+## </param>
+#
+interface(`files_list_world_readable',`
+	gen_require(`
+		type readable_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 readable_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable files.
+## </summary>
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_files',`
+	gen_require(`
+		type readable_t;
+		class file r_file_perms;
+	')
+
+	allow $1 readable_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable symbolic links.
+## </summary>
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_symlinks',`
+	gen_require(`
+		type readable_t;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 readable_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable named pipes.
+## </summary>
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_pipes',`
+	gen_require(`
+		type readable_t;
+		class fifo_file r_file_perms;
+	')
+
+	allow $1 readable_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read world-readable sockets.
+## </summary>
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_world_readable_sockets',`
+	gen_require(`
+		type readable_t;
+		class sock_file r_file_perms;
+	')
+
+	allow $1 readable_t:sock_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search the tmp directory (/tmp)
@@ -1198,6 +1298,25 @@ interface(`files_read_var_files',`
 	allow $1 var_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read symbolic links in the /var directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_read_var_symlink',`
+	gen_require(`
+		type var_t;
+		class dir search;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_t:lnk_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Search the /var/lib directory.
@@ -1233,9 +1352,9 @@ interface(`files_manage_urandom_seed',`
 
 ########################################
 #
-# files_search_generic_locks(domain)
+# files_search_locks(domain)
 #
-interface(`files_search_generic_locks',`
+interface(`files_search_locks',`
 	gen_require(`
 		type var_t;
 		type var_lock_t;
@@ -1245,6 +1364,24 @@ interface(`files_search_generic_locks',`
 	allow $1 { var_t var_lock_t }:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	locks directory (/var/lock).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`files_dontaudit_search_locks',`
+	gen_require(`
+		type var_lock_t;
+		class dir search;
+	')
+
+	dontaudit $1 var_lock_t:dir search;
+')
+
 ########################################
 #
 # files_getattr_generic_locks(domain)

refpolicy/policy/modules/system/fstools.te

@@ -83,6 +83,18 @@ storage_raw_write_removable_device(fsadm_t)
 storage_read_scsi_generic(fsadm_t)
 storage_swapon_fixed_disk(fsadm_t)
 
+corecmd_list_bin(fsadm_t)
+corecmd_list_sbin(fsadm_t)
+corecmd_read_bin_symlink(fsadm_t)
+corecmd_read_sbin_symlink(fsadm_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_file(fsadm_t)
+corecmd_read_bin_pipe(fsadm_t)
+corecmd_read_bin_socket(fsadm_t)
+corecmd_read_sbin_file(fsadm_t)
+corecmd_read_sbin_pipe(fsadm_t)
+corecmd_read_sbin_socket(fsadm_t)
+
 domain_use_wide_inherit_fd(fsadm_t)
 
 files_list_home(fsadm_t)
@@ -132,13 +144,5 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
-
-allow fsadm_t bin_t:dir r_dir_perms;
-allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
-allow fsadm_t sbin_t:dir r_dir_perms;
-allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
-
-# Access terminals.
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-
 ') dnl end TODO

refpolicy/policy/modules/system/hostname.te

@@ -82,7 +82,7 @@ optional_policy(`hotplug.te',`
 	hotplug_dontaudit_use_fd(hostname_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hostname_t)
 ')
 

refpolicy/policy/modules/system/hotplug.if

@@ -77,9 +77,43 @@ interface(`hotplug_dontaudit_search_config',`
 ')
 
 ########################################
-## <desc>
+## <summary>
+##	Get the attributes of the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hotplug_getattr_config_dir',`
+	gen_require(`
+		type hotplug_etc_t;
+		class dir getattr;
+	')
+
+	allow $1 hotplug_etc_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Search the hotplug configuration directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`hotplug_search_config',`
+	gen_require(`
+		type hotplug_etc_t;
+		class dir search;
+	')
+
+	allow $1 hotplug_etc_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Read the configuration files for hotplug.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>

refpolicy/policy/modules/system/hotplug.te

@@ -111,6 +111,7 @@ mount_domtrans(hotplug_t)
 sysnet_read_config(hotplug_t)
 
 userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
+userdom_dontaudit_search_sysadm_home_dir(hotplug_t)
 
 ifdef(`distro_redhat', `
 	optional_policy(`netutils.te', `
@@ -151,7 +152,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(hotplug_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(hotplug_t)
 ')
 
@@ -177,7 +178,6 @@ optional_policy(`updfstab.te', `
 ')
 
 ifdef(`TODO',`
-dontaudit hotplug_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te',`
 rhgb_domain(hotplug_t)
 ')

refpolicy/policy/modules/system/iptables.te

@@ -102,7 +102,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(iptables_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(iptables_t)
 ')
 

refpolicy/policy/modules/system/locallogin.te

@@ -68,6 +68,7 @@ dev_dontaudit_getattr_generic_blk_file(local_login_t)
 dev_dontaudit_setattr_generic_blk_file(local_login_t)
 dev_dontaudit_getattr_generic_chr_file(local_login_t)
 dev_dontaudit_setattr_generic_chr_file(local_login_t)
+dev_dontaudit_setattr_generic_symlink(local_login_t)
 dev_dontaudit_getattr_misc(local_login_t)
 dev_dontaudit_setattr_misc(local_login_t)
 dev_dontaudit_getattr_scanner(local_login_t)
@@ -107,6 +108,18 @@ auth_rw_faillog(local_login_t)
 auth_exec_pam(local_login_t)
 auth_manage_pam_console_data(local_login_t)
 
+corecmd_list_bin(local_login_t)
+corecmd_list_sbin(local_login_t)
+corecmd_read_bin_symlink(local_login_t)
+corecmd_read_sbin_symlink(local_login_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_file(local_login_t)
+corecmd_read_bin_pipe(local_login_t)
+corecmd_read_bin_socket(local_login_t)
+corecmd_read_sbin_file(local_login_t)
+corecmd_read_sbin_pipe(local_login_t)
+corecmd_read_sbin_socket(local_login_t)
+
 domain_read_all_entry_files(local_login_t)
 
 files_read_etc_files(local_login_t)
@@ -114,6 +127,13 @@ files_read_etc_runtime_files(local_login_t)
 files_read_usr_files(local_login_t)
 files_manage_generic_locks(var_lock_t)
 files_list_mnt(local_login_t)
+files_list_world_readable(local_login_t)
+files_read_world_readable_files(local_login_t)
+files_read_world_readable_symlinks(local_login_t)
+files_read_world_readable_pipes(local_login_t)
+files_read_world_readable_sockets(local_login_t)
+# for when /var/mail is a symlink
+files_read_var_symlink(local_login_t)
 
 init_rw_script_pid(local_login_t)
 init_dontaudit_use_fd(local_login_t)
@@ -175,22 +195,6 @@ optional_policy(`usermanage.te',`
 ')
 
 ifdef(`TODO',`
-
-allow local_login_t bin_t:dir r_dir_perms;
-allow local_login_t bin_t:notdevfile_class_set r_file_perms;
-allow local_login_t sbin_t:dir r_dir_perms;
-allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow local_login_t readable_t:dir r_dir_perms;
-allow local_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# for when /var/mail is a sym-link
-allow local_login_t var_t:lnk_file read;
-
-dontaudit local_login_t device_t:lnk_file setattr;
-
 # this goes to xdm:
 optional_policy(`locallogin.te',`
 	# FIXME: what is this for?
@@ -200,7 +204,6 @@ optional_policy(`locallogin.te',`
 optional_policy(`gpm.te',`
 	allow local_login_t gpmctl_t:sock_file { getattr setattr };
 ')
-
 ') dnl endif TODO
 
 #################################
@@ -243,12 +246,14 @@ auth_read_shadow(sulogin_t)
 userdom_shell_domtrans_sysadm(sulogin_t)
 userdom_use_unpriv_users_fd(sulogin_t)
 userdom_use_sysadm_pty(sulogin_t)
+userdom_search_staff_home_dir(sulogin_t)
+userdom_search_sysadm_home_dir(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
 	ifdef(`distro_suse', `define(`sulogin_no_pam')')
 	ifdef(`distro_debian', `define(`sulogin_no_pam')')
-') dnl end monolithic_policy
+')
 
 ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
@@ -266,7 +271,3 @@ ifdef(`sulogin_no_pam', `
 optional_policy(`nis.te',`
 	nis_use_ypbind(sulogin_t)
 ')
-
-ifdef(`TODO',`
-allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-') dnl endif TODO

refpolicy/policy/modules/system/logging.te

@@ -84,6 +84,7 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
+userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable
 userdom_use_sysadm_tty(auditd_t)
 
@@ -93,7 +94,7 @@ ifdef(`targeted_policy', `
 	files_dontaudit_read_root_file(auditd_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(auditd_t)
 ')
 
@@ -105,8 +106,6 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te', `
 rhgb_domain(auditd_t)
 ')
-
-dontaudit auditd_t sysadm_home_dir_t:dir search;
 ') dnl endif TODO
 
 ########################################
@@ -228,6 +227,7 @@ sysnet_read_config(syslogd_t)
 miscfiles_read_localization(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
+userdom_dontaudit_search_sysadm_home_dir(syslogd_t)
 
 #
 # /initrd is not umounted before minilog starts
@@ -260,7 +260,7 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(syslogd_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(syslogd_t)
 ')
 
@@ -269,7 +269,7 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-dontaudit syslogd_t sysadm_home_dir_t:dir search;
+
 optional_policy(`rhgb.te', `
 	rhgb_domain(syslogd_t)
 ')

refpolicy/policy/modules/system/modutils.te

@@ -213,6 +213,4 @@ logging_send_syslog_msg(update_modules_t)
 
 miscfiles_read_localization(update_modules_t)
 
-ifdef(`TODO',`
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
-') dnl endif TODO
+userdom_dontaudit_search_sysadm_home_dir(update_modules_t)

refpolicy/policy/modules/system/mount.te

@@ -63,6 +63,9 @@ files_unmount_rootfs(mount_t)
 files_relabelto_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+files_read_isid_type_file(mount_t)
 
 init_use_fd(mount_t)
 init_use_script_pty(mount_t)
@@ -122,9 +125,8 @@ files_mountpoint(var_lib_nfs_t)
 #allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
 #allow mount_t sysadm_mount_source_t:file rw_file_perms;
 
-# TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
-allow mount_t file_t:file { r_file_perms unlink };
+allow mount_t file_t:file unlink;
 
 ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;

refpolicy/policy/modules/system/selinuxutil.if

@@ -457,6 +457,24 @@ interface(`seutil_exec_setfiles',`
 	can_exec($1,setfiles_exec_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the SELinux
+##	configuration directory (/etc/selinux).
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`seutil_dontaudit_search_config',`
+	gen_require(`
+		type selinux_config_t;
+		class dir search;
+	')
+
+	dontaudit $1 selinux_config_t:dir search;
+')
+
 ########################################
 #
 # seutil_read_config(domain)

refpolicy/policy/modules/system/selinuxutil.te

@@ -229,6 +229,8 @@ logging_send_syslog_msg(newrole_t)
 miscfiles_read_localization(newrole_t)
 
 userdom_use_unpriv_users_fd(newrole_t)
+# for some PAM modules and for cwd
+userdom_dontaudit_search_all_users_home(newrole_t)
 
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
@@ -244,9 +246,6 @@ optional_policy(`nis.te',`
 
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
-
-# for some PAM modules and for cwd
-dontaudit newrole_t { home_root_t home_type }:dir search;
 ') dnl ifdef TODO
 
 ########################################
@@ -261,9 +260,14 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
 allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_use_fd(restorecon_t)
+kernel_rw_pipe(restorecon_t)
 kernel_read_system_state(restorecon_t)
 
+# cjp: why is this needed?
+dev_rw_generic_file(restorecon_t)
+
 fs_getattr_xattr_fs(restorecon_t)
+fs_list_all(restorecon_t)
 
 selinux_get_fs_mount(restorecon_t)
 selinux_validate_context(restorecon_t)
@@ -305,24 +309,18 @@ ifdef(`distro_redhat', `
 	fs_relabel_tmpfs_chr_dev(restorecon_t)
 ')
 
+ifdef(`hide_broken_symptoms',`
+	udev_donaudit_rw_unix_dgram_socket(restorecon_t)
+')
+
 optional_policy(`hotplug.te',`
 	hotplug_use_fd(restorecon_t)
 ')
 
 ifdef(`TODO',`
-
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
-
-allow restorecon_t fs_type:dir r_dir_perms;
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fifo_file { read write };
-
-tunable_policy(`hide_broken_symptoms',`
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
 ') dnl endif TODO
 
 #################################
@@ -380,15 +378,12 @@ ifdef(`targeted_policy',`',`
 	logging_send_syslog_msg(run_init_t)
 ') dnl end ifdef targeted policy
 
-
 ifdef(`TODO',`
-
 ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_entry_file(run_init_t,initrc_exec_t)
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 ')
-
 ') dnl end TODO
 
 ########################################
@@ -403,8 +398,10 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
 kernel_read_system_state(setfiles_t)
+kernel_list_unlabeled(setfiles_t)
 
 fs_getattr_xattr_fs(setfiles_t)
+fs_list_all(setfiles_t)
 
 selinux_get_fs_mount(setfiles_t)
 selinux_validate_context(setfiles_t)
@@ -449,9 +446,4 @@ ifdef(`TODO',`
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that setfiles can not be run!
 allow setfiles_t lib_t:file { read execute };
-
-allow setfiles_t unlabeled_t:dir read;
-
-allow setfiles_t fs_type:dir r_dir_perms;
-
 ') dnl endif TODO

refpolicy/policy/modules/system/sysnetwork.te

@@ -121,6 +121,8 @@ domain_use_wide_inherit_fd(dhcpc_t)
 files_read_etc_files(dhcpc_t)
 files_read_etc_runtime_files(dhcpc_t)
 files_search_home(dhcpc_t)
+files_search_var_lib(dhcpc_t)
+files_dontaudit_search_locks(dhcpc_t)
 
 init_use_fd(dhcpc_t)
 init_use_script_pty(dhcpc_t)
@@ -135,6 +137,8 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_domtrans_insmod(dhcpc_t)
 
+userdom_dontaudit_search_staff_home_dir(sysadm_t)
+
 ifdef(`distro_redhat', `
 	files_exec_etc_files(dhcpc_t)
 ')
@@ -154,6 +158,15 @@ optional_policy(`hostname.te',`
 	hostname_domtrans(dhcpc_t)
 ')
 
+optional_policy(`hotplug.te',`
+	hotplug_getattr_config_dir(dhcpc_t)
+	hotplug_search_config(dhcpc_t)
+
+	ifdef(`distro_redhat',`
+		logging_syslogd_transition(dhcpc_t)
+	')
+')
+
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`netutils.te',`
 	netutils_domtrans_ping(dhcpc_t)
@@ -176,8 +189,9 @@ optional_policy(`ntpd.te',`
 	ntpd_domtrans(dhcpc_t)
 ')
 
-optional_policy(`selinux.te',`
+optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(dhcpc_t)
+	seutil_dontaudit_search_config(dhcpc_t)
 ')
 
 optional_policy(`udev.te',`
@@ -189,18 +203,15 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
-dontaudit dhcpc_t sysadm_home_dir_t:dir search;
 
 optional_policy(`rhgb.te',`
 rhgb_domain(dhcpc_t)
 ')
 
-ifdef(`cardmgr.te',`
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-')
-
 #this goes to pcmcia module
 optional_policy(`sysnetwork.te',`
+	sysnet_domtrans_dhcpc(cardmgr_t)
+
 	sysnet_read_dhcpc_pid(cardmgr_t)
 	sysnet_kill_dhcpc(cardmgr_t)
 	sysnet_sigchld_dhcpc(cardmgr_t)
@@ -209,17 +220,6 @@ optional_policy(`sysnetwork.te',`
 	sysnet_sigstop_dhcpc(cardmgr_t)
 ')
 
-optional_policy(`hotplug.te', `
-	allow dhcpc_t hotplug_etc_t:dir { getattr search };
-
-	ifdef(`distro_redhat', `
-		logging_syslogd_transition(dhcpc_t)
-	')
-')
-
-allow dhcpc_t var_lib_t:dir search;
-dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
 dontaudit dhcpc_t domain:dir getattr;
 ') dnl endif TODO
 
@@ -284,20 +284,17 @@ seutil_use_runinit_fd(ifconfig_t)
 
 userdom_use_all_user_fd(ifconfig_t)
 
+ifdef(`hide_broken_symptoms',`
+	udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(ifconfig_t)
 ')
 
 ifdef(`TODO',`
-
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
 optional_policy(`rhgb.te', `
 rhgb_domain(ifconfig_t)
 ')
-
-tunable_policy(`hide_broken_symptoms',`
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
 ') dnl endif TODO

refpolicy/policy/modules/system/udev.if

@@ -1,12 +1,12 @@
 ## <summary>Policy for udev.</summary>
 
 ########################################
-##     <desc>
-##             Execute udev in the udev domain.
-##     </desc>
-##     <param name="domain">
-##             The type of the process performing this action.
-##     </param>
+## <summary>
+##	Execute udev in the udev domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`udev_domtrans',`
 	gen_require(`
@@ -25,12 +25,30 @@ interface(`udev_domtrans',`
 ')
 
 ########################################
-##     <desc>
-##             Allow process to read list of devices.
-##     </desc>
-##     <param name="domain">
-##             The type of the process performing this action.
-##     </param>
+## <summary>
+##	Do not audit attempts to read or write
+##	to a udev unix datagram socket.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`udev_donaudit_rw_unix_dgram_socket',`
+	gen_require(`
+		type udev_t;
+		class unix_dgram_socket { read write };
+	')
+
+	dontaudit $1 udev_t:unix_dgram_socket { read write };
+')
+
+########################################
+## <summary>
+##	Allow process to read list of devices.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`udev_read_db',`
 	gen_require(`
@@ -43,12 +61,12 @@ interface(`udev_read_db',`
 ')
 
 ########################################
-##     <desc>
-##             Allow process to modify list of devices.
-##     </desc>
-##     <param name="domain">
-##             The type of the process performing this action.
-##     </param>
+## <summary>
+##	Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`udev_rw_db',`
 	gen_require(`

refpolicy/policy/modules/system/udev.te

@@ -70,6 +70,8 @@ kernel_read_device_sysctl(udev_t)
 kernel_read_hotplug_sysctl(udev_t)
 kernel_read_modprobe_sysctl(udev_t)
 kernel_read_kernel_sysctl(udev_t)
+kernel_rw_unix_dgram_socket(udev_t)
+kernel_sendto_unix_dgram_socket(udev_t)
 
 dev_read_sysfs(udev_t)
 dev_manage_dev_nodes(udev_t)
@@ -119,6 +121,7 @@ seutil_domtrans_restorecon(udev_t)
 sysnet_domtrans_ifconfig(udev_t)
 
 userdom_use_sysadm_tty(udev_t)
+userdom_dontaudit_search_staff_home_dir(udev_t)
 
 ifdef(`distro_redhat',`
 	fs_manage_tmpfs_symlinks(udev_t)
@@ -154,14 +157,6 @@ optional_policy(`xserver.te',`
 ')
 
 ifdef(`TODO',`
-allow udev_t devpts_t:dir { getattr search };
-
-# Dontaudits
-dontaudit udev_t staff_home_dir_t:dir search;
 dontaudit udev_t ttyfile:chr_file unlink;
-
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-
 dbusd_client(system, udev)
-
 ') dnl endif TODO

refpolicy/policy/modules/system/userdomain.if

@@ -174,7 +174,7 @@ template(`base_user_template',`
 
 	files_exec_etc_files($1_t)
 	files_read_usr_src_files($1_t)
-	files_search_generic_locks($1_t)
+	files_search_locks($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_pty($1_t)
@@ -521,7 +521,7 @@ template(`unpriv_user_template', `
 		modutils_read_module_conf($1_t)
 	')
 
-	optional_policy(`selinux.te',`
+	optional_policy(`selinuxutil.te',`
 		# for when the network connection is killed
 		seutil_dontaudit_signal_newrole($1_t)
 	')
@@ -914,6 +914,42 @@ interface(`userdom_shell_domtrans_sysadm',`
 	')
 ')
 
+########################################
+## <summary>
+##	Search the staff users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_search_staff_home_dir',`
+	gen_require(`
+		type staff_home_dir_t;
+		class dir search;
+	')
+
+	files_search_home($1)
+	allow $1 staff_home_dir_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the staff
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_search_staff_home_dir',`
+	gen_require(`
+		type staff_home_dir_t;
+		class dir search;
+	')
+
+	dontaudit $1 staff_home_dir_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read files in the staff users home directory.
@@ -1059,6 +1095,42 @@ interface(`userdom_rw_sysadm_pipe',`
 	')
 ')
 
+########################################
+## <summary>
+##	Search the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_search_sysadm_home_dir',`
+	gen_require(`
+		type sysadm_home_dir_t;
+		class dir search;
+	')
+
+	files_search_home($1)
+	allow $1 sysadm_home_dir_t:dir search;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_search_sysadm_home_dir',`
+	gen_require(`
+		type sysadm_home_dir_t;
+		class dir search;
+	')
+
+	dontaudit $1 sysadm_home_dir_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read files in the sysadm users home directory.
@@ -1098,6 +1170,23 @@ interface(`userdom_search_all_users_home',`
 	allow $1 { home_dir_type home_type }:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search all users home directories.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_search_all_users_home',`
+	gen_require(`
+		attribute home_dir_type, home_type;
+		class dir search;
+	')
+
+	dontaudit $1 { home_dir_type home_type }:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Read all files in all users home directories.

refpolicy/policy/modules/system/userdomain.te

@@ -158,7 +158,7 @@ ifdef(`targeted_policy',`
 		rpm_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
-	optional_policy(`selinux.te',`
+	optional_policy(`selinuxutil.te',`
 		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)