more testing fixes

policy/modules/kernel/devices.if

@@ -1798,6 +1798,27 @@ interface(`dev_rw_null',`
 	allow $1 null_device_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Create the null device (/dev/null).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 null_device_t:chr_file create;
+
+	allow $1 self:capability mknod;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the printer device nodes.
@@ -2975,6 +2996,27 @@ interface(`dev_execmod_zero',`
 	allow $1 zero_device_t:chr_file execmod;
 ')
 
+########################################
+## <summary>
+##	Create the zero device (/dev/zero).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_zero_dev',`
+	gen_require(`
+		type device_t, zero_device_t;
+	')
+
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 zero_device_t:chr_file create;
+
+	allow $1 self:capability mknod;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to devices.

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.17)
+policy_module(devices,1.1.18)
 
 ########################################
 #

policy/modules/kernel/terminal.if

@@ -254,6 +254,27 @@ interface(`term_setattr_console',`
 	allow $1 console_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Create the console device (/dev/console).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_create_console_dev',`
+	gen_require(`
+		type device_t, console_device_t;
+	')
+
+	allow $1 device_t:dir add_entry_dir_perms;
+	allow $1 console_device_t:chr_file create;
+
+	allow $1 self:capability mknod;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.3)
+policy_module(terminal,1.1.4)
 
 ########################################
 #

policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.10)
+policy_module(rpc,1.2.11)
 
 ########################################
 #
@@ -37,8 +37,8 @@ files_mountpoint(var_lib_nfs_t)
 # RPC local policy
 #
 
+allow rpcd_t self:capability { chown dac_override setgid setuid };
 allow rpcd_t self:fifo_file rw_file_perms;
-allow rpcd_t self:file { getattr read };
 
 allow rpcd_t rpcd_var_run_t:file manage_file_perms;
 allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
@@ -64,11 +64,6 @@ miscfiles_read_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
-
-ifdef(`distro_redhat',`
-	allow rpcd_t self:capability { chown dac_override setgid setuid };
-')
-
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.20)
+policy_module(init,1.3.21)
 
 gen_require(`
 	class passwd rootok;
@@ -173,6 +173,10 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+ifdef(`distro_gentoo',`
+	allow init_t self:process { getcap setcap };
+')
+
 ifdef(`distro_redhat',`
 	fs_rw_tmpfs_chr_files(init_t)
 	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
@@ -397,6 +401,15 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+	kernel_dontaudit_getattr_core_if(initrc_t)
+
+	# seed udev /dev
+	allow initrc_t self:process setfscreate;
+	dev_create_null_dev(initrc_t)
+	dev_create_zero_dev(initrc_t)
+	dev_create_generic_dirs(initrc_t)
+	term_create_console_dev(initrc_t)
+
 	# needed until baselayout is fixed to have the
 	# restorecon on /dev to again be immediately after
 	# mounting tmpfs on /dev
@@ -487,7 +500,7 @@ ifdef(`targeted_policy',`
 		mono_domtrans(initrc_t)
 	')
 ',`
-	# cjp: require doesnt work in optionals :\
+	# cjp: require doesnt work in the else of optionals :\
 	# this also would result in a type transition
 	# conflict if sendmail is enabled
 #	optional_policy(`',`

policy/modules/system/modutils.te

@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.1.4)
+policy_module(modutils,1.1.5)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -275,6 +275,14 @@ miscfiles_read_localization(update_modules_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(update_modules_t)
 
+ifdef(`distro_gentoo',`
+	files_search_pids(update_modules_t)
+
+	optional_policy(`
+		consoletype_exec(update_modules_t)
+	')
+')
+
 ifdef(`targeted_policy',`
 	term_use_generic_ptys(update_modules_t)
 	term_use_unallocated_ttys(update_modules_t)