more cab work

refpolicy/policy/modules/kernel/devices.if

@@ -122,6 +122,21 @@ type device_t;
 class blk_file getattr;
 ')
 
+########################################
+#
+# devices_manage_generic_block_device(domain)
+#
+define(`devices_manage_generic_block_device',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir rw_dir_perms;
+allow $1 device_t:blk_file create_file_perms;
+')
+
+define(`devices_manage_generic_block_device_depend',`
+type device_t;
+class blk_file create_file_perms;
+')
+
 ########################################
 #
 # devices_add_generic_character_device(domain)

refpolicy/policy/modules/system/files.if

@@ -1038,6 +1038,24 @@ attribute pidfile;
 class file ioctl;
 ')
 
+########################################
+#
+# files_read_all_daemon_runtime_data(domain)
+#
+define(`files_read_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 pidfile:dir r_dir_perms;
+allow $1 pidfile:file r_file_perms;
+')
+
+define(`files_read_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t;
+class dir r_dir_perms;
+class file r_file_perms;
+')
+
 ########################################
 #
 # files_remove_all_daemon_runtime_data(domain)

refpolicy/policy/modules/system/getty.te

@@ -52,15 +52,17 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
 terminal_use_all_terminals(getty_t)
 terminal_set_console_attributes(getty_t)
 
-init_script_modify_runtime_data(getty_t)
-init_script_use_pseudoterminal(getty_t)
+authlogin_modify_login_records(getty_t)
+
+corecommands_search_general_programs_directory(getty_t)
 
 files_modify_system_runtime_data(getty_t)
 files_manage_system_lock_files(getty_t)
 files_read_runtime_system_config(getty_t)
 files_read_general_system_config(getty_t)
 
-authlogin_modify_login_records(getty_t)
+init_script_modify_runtime_data(getty_t)
+init_script_use_pseudoterminal(getty_t)
 
 libraries_use_dynamic_loader(getty_t)
 libraries_use_shared_libraries(getty_t)

refpolicy/policy/modules/system/init.if

@@ -70,12 +70,14 @@ define(`init_make_daemon_domain',`
 ')
 
 define(`init_make_daemon_domain_depend',`
-type initrc_t;
-class file { getattr read execute };
-class fifo_file rw_file_perms;
-class fd use;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+	type initrc_t;
+
+	role system_r;
+
+	class file { getattr read execute };
+	class fifo_file rw_file_perms;
+	class fd use;
+	class process { transition noatsecure siginh rlimitinh sigchld };
 ')
 
 ########################################
@@ -83,27 +85,39 @@ role system_r;
 # init_make_system_domain(domain,entrypointfile)
 #
 define(`init_make_system_domain',`
-requires_block_template(`$0'_depend)
-domain_make_domain($1)
-domain_make_entrypoint_file($1,$2)
-role system_r types $1;
-allow initrc_t $1:process transition;
-allow initrc_t $2:file { getattr read execute };
-dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
-type_transition initrc_t $2:process $1;
-allow initrc_t $1:fd use;
-allow $1 initrc_t:fd use;
-allow $1 initrc_t:fifo_file rw_file_perms;
-allow $1 initrc_t:process sigchld;
+	requires_block_template(`$0'_depend)
+
+	domain_make_domain($1)
+	domain_make_entrypoint_file($1,$2)
+
+	role system_r types $1;
+
+	allow initrc_t $1:process transition;
+	allow initrc_t $2:file { getattr read execute };
+	dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+	type_transition initrc_t $2:process $1;
+
+	allow initrc_t $1:fd use;
+	allow $1 initrc_t:fd use;
+	allow $1 initrc_t:fifo_file rw_file_perms;
+	allow $1 initrc_t:process sigchld;
+
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	optional_policy(`distro_redhat',`
+		kernel_ignore_use_file_descriptors($1)
+		files_ignore_read_rootfs_file($1)
+	')
 ')
 
 define(`init_make_system_domain_depend',`
-type initrc_t;
-class file { getattr read execute };
-class fd use;
-class fifo_file rw_file_perms;
-class process { transition noatsecure siginh rlimitinh sigchld };
-role system_r;
+	type initrc_t;
+	role system_r;
+
+	class file { getattr read execute };
+	class fd use;
+	class fifo_file rw_file_perms;
+	class process { transition noatsecure siginh rlimitinh sigchld };
 ')
 
 ########################################

refpolicy/policy/modules/system/init.te

@@ -141,17 +141,17 @@ selinux_read_config(init_t)
 miscfiles_read_localization(init_t)
 
 tunable_policy(`distro_redhat',`
-filesystem_use_tmpfs_character_devices(init_t)
-filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
+	filesystem_use_tmpfs_character_devices(init_t)
+	filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
 
 optional_policy(`authlogin.te',`
-authlogin_modify_login_records(init_t)
+	authlogin_modify_login_records(init_t)
 ')
 
 # Run the shell in the sysadm_t domain for single-user mode.
 optional_policy(`userdomain.te',`
-userdomain_sysadm_shell_transition(init_t)
+	userdomain_sysadm_shell_transition(init_t)
 ')
 
 ########################################
@@ -272,6 +272,7 @@ domain_ignore_get_all_domains_pipe_attributes(initrc_t)
 files_get_all_file_attributes(initrc_t)
 files_remove_all_tmp_data(initrc_t)
 files_remove_all_lock_files(initrc_t)
+files_read_all_daemon_runtime_data(initrc_t)
 files_remove_all_daemon_runtime_data(initrc_t)
 files_read_general_system_config(initrc_t)
 files_manage_runtime_system_config(initrc_t)
@@ -279,6 +280,7 @@ files_manage_system_lock_files(initrc_t)
 files_execute_system_config_script(initrc_t)
 files_read_general_application_resources(initrc_t)
 files_manage_pseudorandom_saved_seed(initrc_t)
+files_manage_system_spools(initrc_t)
 
 libraries_modify_dynamic_loader_cache(initrc_t)
 libraries_use_dynamic_loader(initrc_t)
@@ -307,61 +309,71 @@ userdomain_read_all_users_data(initrc_t)
 userdomain_use_admin_terminals(initrc_t)
 
 tunable_policy(`distro_debian', `
-filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
+	filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
 ')
 
 tunable_policy(`distro_redhat',`
-kernel_set_selinux_enforcement_mode(initrc_t)
+	# Red Hat systems seem to have a stray
+	# fd open from the initrd
+	kernel_ignore_use_file_descriptors(initrc_t)
+	files_ignore_read_rootfs_file(initrc_t)
 
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-bootloader_create_runtime_data(initrc_t)
-bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
+	kernel_set_selinux_enforcement_mode(initrc_t)
 
-# These seem to be from the initrd:
-kernel_use_file_descriptors(initrc_t)
-# during device initialization:
-devices_legacy_use_dev_zero(initrc_t)
-devices_legacy_raw_read_memory(initrc_t)
-devices_legacy_raw_write_memory(initrc_t)
-storage_raw_read_fixed_disk(initrc_t)
-storage_raw_write_fixed_disk(initrc_t)
+	# Create and read /boot/kernel.h and /boot/System.map.
+	# Redhat systems typically create this file at boot time.
+	bootloader_create_runtime_data(initrc_t)
+	bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
 
-filesystem_use_tmpfs_character_devices(initrc_t)
+	# These seem to be from the initrd
+	# during device initialization:
+	devices_legacy_use_dev_zero(initrc_t)
+	devices_legacy_raw_read_memory(initrc_t)
+	devices_legacy_raw_write_memory(initrc_t)
+	storage_raw_read_fixed_disk(initrc_t)
+	storage_raw_write_fixed_disk(initrc_t)
 
-files_create_boot_flag(initrc_t)
+	filesystem_use_tmpfs_character_devices(initrc_t)
 
-# readahead asks for these
-mta_read_mail_aliases(initrc_t)
+	files_create_boot_flag(initrc_t)
+
+	# readahead asks for these
+	mta_read_mail_aliases(initrc_t)
 
 ') dnl end distro_redhat
 
 optional_policy(`hotplug.te',`
-kernel_read_usb_hardware_state(initrc_t)
-# init scripts run /etc/hotplug/usb.rc
-hotplug_read_config(initrc_t)
-modutils_read_kernel_module_dependencies(initrc_t)
+	kernel_read_usb_hardware_state(initrc_t)
+
+	# init scripts run /etc/hotplug/usb.rc
+	hotplug_read_config(initrc_t)
+
+	modutils_read_kernel_module_dependencies(initrc_t)
 ')
 
 optional_policy(`lvm.te',`
-#allow initrc_t lvm_control_t:chr_file unlink;
-devices_read_lvm_control_channel(initrc_t)
-devices_add_generic_character_device(initrc_t)
+	#allow initrc_t lvm_control_t:chr_file unlink;
+
+	devices_read_lvm_control_channel(initrc_t)
+	devices_add_generic_character_device(initrc_t)
 ')
 
 optional_policy(`rhgb.te',`
-corecommands_make_shell_entrypoint(initrc_t)
+	corecommands_make_shell_entrypoint(initrc_t)
 ')
 
 optional_policy(`rpm.te',`
-# why is this needed:
-rpm_manage_package_database(initrc_t)
-# for a bug in rm
-files_ignore_write_all_daemon_runtime_data(initrc_t)
-# bash tries ioctl for some reason
-files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
-# bash tries to access a block device in the initrd
-kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+	# bash tries to access a block device in the initrd
+	kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+
+	# for a bug in rm
+	files_ignore_write_all_daemon_runtime_data(initrc_t)
+
+	# bash tries ioctl for some reason
+	files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
+
+	# why is this needed:
+	rpm_manage_package_database(initrc_t)
 ') dnl end rpm.te
 
 ifdef(`TODO',`
@@ -369,8 +381,6 @@ ifdef(`TODO',`
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
 
-allow initrc_t var_spool_t:file rw_file_perms;
-
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
@@ -388,24 +398,24 @@ role system_r types initrc_su_t;
 ')
 
 tunable_policy(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
+	allow initrc_t { etc_t device_t }:dir setattr;
 
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-')dnl end distro_debian
+	# for storing state under /dev/shm
+	allow initrc_t tmpfs_t:dir setattr;
+	file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+')
 
 tunable_policy(`distro_redhat', `
-# readahead asks for these
-allow initrc_t var_lib_nfs_t:file { getattr read };
-')dnl end distro_redhat
+	# readahead asks for these
+	allow initrc_t var_lib_nfs_t:file { getattr read };
+')
 
 tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
+	domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+	allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+	allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+	domain_trans(initrc_t, shell_exec_t, unconfined_t)
+')
 
 #
 # Shutting down xinet causes these

refpolicy/policy/modules/system/iptables.te

@@ -72,32 +72,36 @@ sysnetwork_ifconfig_transition(iptables_t)
 userdomain_use_all_users_file_descriptors(iptables_t)
 
 tunable_policy(`use_dns',`
-allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
-corenetwork_network_udp_on_all_interfaces(iptables_t)
-corenetwork_network_raw_on_all_interfaces(iptables_t)
-corenetwork_network_udp_on_all_nodes(iptables_t)
-corenetwork_network_raw_on_all_nodes(iptables_t)
-corenetwork_bind_udp_on_all_nodes(iptables_t)
-corenetwork_network_udp_on_dns_port(iptables_t)
-sysnetwork_read_network_config(iptables_t)
+	allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+
+	corenetwork_network_udp_on_all_interfaces(iptables_t)
+	corenetwork_network_raw_on_all_interfaces(iptables_t)
+	corenetwork_network_udp_on_all_nodes(iptables_t)
+	corenetwork_network_raw_on_all_nodes(iptables_t)
+	corenetwork_bind_udp_on_all_nodes(iptables_t)
+	corenetwork_network_udp_on_dns_port(iptables_t)
+
+	sysnetwork_read_network_config(iptables_t)
 ')
 
 optional_policy(`modutils.te', `
-modutils_insmod_transition(iptables_t)
+	corecommands_search_system_programs_directory(iptables_t)
+	modutils_insmod_transition(iptables_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(iptables_t)
+	selinux_newrole_sigchld(iptables_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(iptables_t)
+	udev_read_database(iptables_t)
 ')
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(iptables_t)
-terminal_ignore_use_general_pseudoterminal(iptables_t)
-files_ignore_read_rootfs_file(iptables_t)
+	terminal_ignore_use_general_physical_terminal(iptables_t)
+	terminal_ignore_use_general_pseudoterminal(iptables_t)
+
+	files_ignore_read_rootfs_file(iptables_t)
 ')
 
 ifdef(`TODO',`

refpolicy/policy/modules/system/locallogin.te

@@ -107,6 +107,13 @@ userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
 # Search for mail spool file.
 mta_get_mail_spool_attributes(local_login_t)
 
+# Red Hat systems seem to have a stray
+# fd open from the initrd
+optional_policy(`distro_redhat',`
+	kernel_ignore_use_file_descriptors(local_login_t)
+	files_ignore_read_rootfs_file(local_login_t)
+')
+
 ifdef(`TODO',`
 
 can_ypbind(local_login_t)

refpolicy/policy/modules/system/logging.te

@@ -74,9 +74,16 @@ miscfiles_read_localization(klogd_t)
 # syslogd local policy
 #
 
-# Use capabilities.
 allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
 dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:process signal_perms;
+
+# receive messages to be logged
+allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow syslogd_t self:unix_dgram_socket sendto;
+allow syslogd_t self:fifo_file { getattr read write ioctl lock };
+allow syslogd_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
 
 # create/append log files.
 allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -89,17 +96,12 @@ files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
 
-# receive messages to be logged
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-allow syslogd_t self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-allow syslogd_t self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown listen accept };
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file { getattr read write ioctl lock };
-
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
+# I belive these are not needed:
+allow syslogd_t devlog_t:unix_stream_socket name_bind;
+allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 
 # manage pid file
 allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };

refpolicy/policy/modules/system/lvm.te

@@ -90,6 +90,7 @@ devices_get_random_data(lvm_t)
 devices_get_pseudorandom_data(lvm_t)
 devices_use_lvm_control_channel(lvm_t)
 devices_manage_dev_symbolic_links(lvm_t)
+devices_manage_generic_block_device(lvm_t)
 
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 devices_ignore_get_all_character_device_attributes(lvm_t)
@@ -136,27 +137,29 @@ selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
 
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(lvm_t)
-terminal_ignore_use_general_pseudoterminal(lvm_t)
-files_ignore_read_rootfs_file(lvm_t)
-')dnl end targeted_policy tunable
+	terminal_ignore_use_general_physical_terminal(lvm_t)
+	terminal_ignore_use_general_pseudoterminal(lvm_t)
+
+	files_ignore_read_rootfs_file(lvm_t)
+')
 
 optional_policy(`bootloader.te',`
-bootloader_modify_temporary_data(lvm_t)
+	bootloader_modify_temporary_data(lvm_t)
 ')
 
 optional_policy(`udev.te', `
-udev_read_database(lvm_t)
+	udev_read_database(lvm_t)
 ')
 
 ifdef(`TODO',`
 
 allow lvm_t autofs_t:dir { search getattr };
 
-allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-
 allow lvm_t default_context_t:dir search;
 allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
+
+# cjp: ? this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
 allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 
 dontaudit lvm_t var_run_t:dir getattr;

refpolicy/policy/modules/system/sysnetwork.fc

@@ -8,13 +8,13 @@
 #
 # /etc
 #
-#/etc/dhclient.*conf	--	context_template(system_u:object_r:dhcp_etc_t,s0)
-#/etc/dhclient-script	--	context_template(system_u:object_r:dhcp_etc_t,s0)
-#/etc/dhcpc.*			context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient.*conf	--	context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhclient-script	--	context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcpc.*			context_template(system_u:object_r:dhcp_etc_t,s0)
 /etc/resolv\.conf.*	--	context_template(system_u:object_r:net_conf_t,s0)
 /etc/yp\.conf.*		--	context_template(system_u:object_r:net_conf_t,s0)
 
-#/etc/dhcp3?/dhclient.*		context_template(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp3?/dhclient.*		context_template(system_u:object_r:dhcp_etc_t,s0)
 
 #
 # /sbin
@@ -40,7 +40,7 @@
 #
 # /var
 #
-#/var/lib/dhcp3?		-d	context_template(system_u:object_r:dhcp_state_t,s0)
+/var/lib/dhcp3?		-d	context_template(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.*	context_template(system_u:object_r:dhcpc_state_t,s0)
 
 /var/run/dhclient.*\.pid --	context_template(system_u:object_r:dhcpc_var_run_t,s0)

refpolicy/policy/modules/system/sysnetwork.te

@@ -7,6 +7,15 @@ policy_module(sysnetwork,1.0)
 # Declarations
 #
 
+# this is shared between dhcpc and dhcpd:
+type dhcp_etc_t; #, usercanread; 
+typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
+files_make_file(dhcp_etc_t)
+
+# this is shared between dhcpc and dhcpd:
+type dhcp_state_t;
+files_make_file(dhcp_state_t)
+
 type dhcpc_t;
 type dhcpc_exec_t;
 init_make_daemon_domain(dhcpc_t,dhcpc_exec_t)
@@ -38,20 +47,24 @@ dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
+
+allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
+allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
+allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
+
+allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcpc_state_t:file create_file_perms;
+type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
+
 # create pid file
 allow dhcpc_t dhcpc_var_run_t:file { getattr create read write append setattr unlink };
 files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
 
-# transition to ifconfig
-allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
-allow dhcpc_t ifconfig_t:process transition;
-type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
-dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
-allow dhcpc_t ifconfig_t:fd use;
-allow ifconfig_t dhcpc_t:fd use;
-allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
-allow ifconfig_t dhcpc_t:process sigchld;
-
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
 allow dhcpc_t net_conf_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -62,15 +75,18 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
 
-allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
-
-allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
-
 allow dhcpc_t dhcpc_exec_t:file { getattr read execute execute_no_trans };
 
+# transition to ifconfig
+allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
+allow dhcpc_t ifconfig_t:process transition;
+type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
+dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
+allow dhcpc_t ifconfig_t:fd use;
+allow ifconfig_t dhcpc_t:fd use;
+allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+allow ifconfig_t dhcpc_t:process sigchld;
+
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctl(dhcpc_t)
@@ -121,34 +137,39 @@ miscfiles_read_localization(dhcpc_t)
 
 modutils_insmod_transition(dhcpc_t)
 
+ifdef(`distro_redhat', `
+	files_execute_system_config_script(dhcpc_t)
+')
+
 tunable_policy(`targeted_policy', `
-terminal_ignore_use_general_physical_terminal(dhcpc_t)
-terminal_ignore_use_general_pseudoterminal(dhcpc_t)
-files_ignore_read_rootfs_file(dhcpc_t)
+	terminal_ignore_use_general_physical_terminal(dhcpc_t)
+	terminal_ignore_use_general_pseudoterminal(dhcpc_t)
+
+	files_ignore_read_rootfs_file(dhcpc_t)
 ')
 
 optional_policy(`consoletype.te',`
-consoletype_transition(dhcpc_t)
+	consoletype_transition(dhcpc_t)
 ')
 
 optional_policy(`hostname.te',`
-hostname_transition(dhcpc_t)
+	hostname_transition(dhcpc_t)
 ')
 
 optional_policy(`nscd.te',`
-nscd_transition(dhcpc_t)
+	nscd_transition(dhcpc_t)
 ')
 
 optional_policy(`selinux.te',`
-selinux_newrole_sigchld(dhcpc_t)
+	selinux_newrole_sigchld(dhcpc_t)
 ')
 
 optional_policy(`udev.te',`
-udev_read_database(dhcpc_t)
+	udev_read_database(dhcpc_t)
 ')
 
 optional_policy(`userdomain.te',`
-userdomain_use_all_users_file_descriptors(dhcpc_t)
+	userdomain_use_all_users_file_descriptors(dhcpc_t)
 ')
 
 #
@@ -156,10 +177,10 @@ userdomain_use_all_users_file_descriptors(dhcpc_t)
 #
 init_script_execute(dhcpc_t)
 optional_policy(`ypbind.te',`
-ypbind_transition(dhcpc_t)
+	ypbind_transition(dhcpc_t)
 ')
 optional_policy(`ntpd.te',`
-ntpd_transition(dhcpc_t)
+	ntpd_transition(dhcpc_t)
 ')
 
 ifdef(`TODO',`
@@ -201,24 +222,11 @@ allow ping_t cardmgr_t:fd use;
 ') dnl end if cardmgr
 ') dnl end if ping
 
-ifdef(`dhcpd.te', `', `
-#type dhcp_state_t, file_type, sysadmfile;
-#type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-#typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-')
-
-allow dhcpc_t dhcp_etc_t:dir { getattr read search };
-allow dhcpc_t dhcp_etc_t:file { read getattr };
-allow dhcpc_t dhcp_etc_t:lnk_file { getattr read };
-allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans };
-
 ifdef(`distro_redhat', `
-files_execute_system_config_script(dhcpc_t)
 allow initrc_t dhcp_etc_t:file rw_file_perms;
 ')
 
 allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 
 allow dhcpc_t home_root_t:dir search;
 allow initrc_t dhcpc_state_t:file { getattr read };