From d35c621eb0d40723ba9505f5a9a6ce8b21b18aa5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 16 Jun 2005 20:33:51 +0000
Subject: [PATCH] add a couple more nfs and cifs interfaces, to cover most of the use_(nfs|cifs)_home_dirs tunable
---
 refpolicy/policy/modules/admin/rpm.te | 2 +-
 refpolicy/policy/modules/apps/gpg.if | 76 ++---
 refpolicy/policy/modules/kernel/filesystem.if | 190 ++++++++++--
 refpolicy/policy/modules/kernel/storage.if | 277 +++++++-----------
 .../policy/modules/services/remotelogin.te | 18 +-
 refpolicy/policy/modules/system/authlogin.te | 9 +-
 refpolicy/policy/modules/system/clock.te | 6 +-
 refpolicy/policy/modules/system/hostname.te | 3 +-
 refpolicy/policy/modules/system/hotplug.te | 6 +-
 refpolicy/policy/modules/system/init.te | 6 +-
 refpolicy/policy/modules/system/iptables.te | 3 +-
 refpolicy/policy/modules/system/libraries.te | 1 -
 refpolicy/policy/modules/system/locallogin.te | 43 +--
 refpolicy/policy/modules/system/logging.te | 3 +-
 refpolicy/policy/modules/system/lvm.te | 18 +-
 refpolicy/policy/modules/system/modutils.te | 6 +-
 .../policy/modules/system/selinuxutil.te | 31 +-
 refpolicy/policy/modules/system/sysnetwork.te | 4 +-
 refpolicy/policy/modules/system/udev.te | 9 +-
 19 files changed, 402 insertions(+), 309 deletions(-)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index e33466b7..b3f6badc 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -118,6 +118,7 @@ dev_read_urand(rpm_t)
 #fs_manage_nfs_dir(rpm_t)
 #fs_manage_nfs_files(rpm_t)
+fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
 storage_raw_write_fixed_disk(rpm_t)
@@ -176,7 +177,6 @@ allow rpm_t ttyfile:chr_file unlink;
 allow rpm_t fs_type:dir { setattr rw_dir_perms };
 allow rpm_t mount_t:tcp_socket write;
-allow rpm_t nfs_t:lnk_file create_file_perms;
 allow rpm_t sysfs_t:dir r_dir_perms;
 allow rpm_t usbdevfs_t:dir r_dir_perms;
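Review bot: fs_manage_nfs_symlinks(rpm_t) in the first hunk is applied unconditionally, while every other call site this commit adds sits under tunable_policy(`use_nfs_home_dirs'), and the interface also grants rw_dir_perms on nfs_t directories rather than only the lnk_file permissions the removed `allow rpm_t nfs_t:lnk_file create_file_perms;` line in the second hunk gave (the context line `allow rpm_t fs_type:dir { setattr rw_dir_perms };` likely already covers the dir part). With fs_manage_nfs_dir and fs_manage_nfs_files commented out directly above it, a reader cannot tell whether symlink management on NFS is meant to be independent of the tunable. If it is, add a comment such as `# rpm manages symlinks on NFS regardless of use_nfs_home_dirs`; otherwise wrap the call in the same tunable_policy block used elsewhere in this commit.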
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if index 4e3a53a3..903524b3 100644 --- a/refpolicy/policy/modules/apps/gpg.if +++ b/refpolicy/policy/modules/apps/gpg.if @@ -43,10 +43,7 @@ define(`gpg_per_userdomain_template',` # # transition from the userdomain to the derived domain - allow $1_t $1_gpg_t:process transition; - allow $1_t gpg_exec_t:file rx_file_perms; - type_transition $1_t gpg_exec_t:process $1_gpg_t; - dontaudit $1_t $1_gpg_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1_t,gpg_exec_t,$1_gpg_t) allow $1_t $1_gpg_t:fd use; allow $1_gpg_t $1_t:fd use; @@ -103,6 +100,18 @@ define(`gpg_per_userdomain_template',` allow $1_gpg_t gpg_exec_t:file execmod; ') + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_gpg_t) + fs_manage_nfs_files($1_gpg_t) + fs_manage_nfs_symlinks($1_gpg_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_gpg_t) + fs_manage_cifs_files($1_gpg_t) + fs_manage_cifs_symlinks($1_gpg_t) + ') + ifdef(`TODO',` can_ypbind($1_gpg_t) @@ -134,13 +143,6 @@ define(`gpg_per_userdomain_template',` # allow the usual access to /tmp file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t) - tunable_policy(`use_nfs_home_dirs',` - create_dir_file($1_gpg_t, nfs_t) - ') - tunable_policy(`use_samba_home_dirs',` - create_dir_file($1_gpg_t, cifs_t) - ') - rw_dir_create_file($1_gpg_t, $1_file_type) allow $1_t $1_gpg_secret_t:dir rw_dir_perms; 
@@ -157,11 +159,12 @@ define(`gpg_per_userdomain_template',` # Note: this is only tested with the hkp interface. If you use eg the # mail interface you will likely need additional permissions. + # communicate with the user + allow $1_gpg_helper_t $1_t:fd use; + allow $1_gpg_helper_t $1_t:fifo_file write; + # transition from the gpg domain to the helper domain - allow $1_gpg_t $1_gpg_helper_t:process transition; - allow $1_gpg_t gpg_helper_exec_t:file rx_file_perms; - type_transition $1_gpg_t gpg_helper_exec_t:process $1_gpg_helper_t; - dontaudit $1_gpg_helper_t $1_gpg_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t) allow $1_gpg_t $1_gpg_helper_t:fd use; allow $1_gpg_helper_t $1_gpg_t:fd use; @@ -197,18 +200,15 @@ define(`gpg_per_userdomain_template',` sysnet_read_config($1_gpg_helper_t) - ifdef(`TODO',` - tunable_policy(`use_nfs_home_dirs',` - dontaudit $1_gpg_helper_t nfs_t:file { read write }; - ') - tunable_policy(`use_samba_home_dirs',` - dontaudit $1_gpg_helper_t cifs_t:file { read write }; + fs_dontaudit_rw_nfs_files($1_gpg_helper_t) ') - # communicate with the user - allow $1_gpg_helper_t $1_t:fd use; - allow $1_gpg_helper_t $1_t:fifo_file write; + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files($1_gpg_helper_t) + ') + + ifdef(`TODO',` ifdef(`xdm.te', ` dontaudit $1_gpg_t xdm_t:fd use; @@ -232,6 +232,9 @@ define(`gpg_per_userdomain_template',` allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms; files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) + # Transition from the user domain to the derived domain. + domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) + domain_use_wide_inherit_fd($1_gpg_agent_t) libs_use_ld_so($1_gpg_agent_t) 
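Review bot: In the `@@ -197,18 +200,15 @@` hunk the new side has `fs_dontaudit_rw_nfs_files($1_gpg_helper_t)` followed by the context line `')` but no opening use_nfs_home_dirs tunable_policy line — the old opener is removed together with the ifdef(`TODO') line and nothing is added in its place. The hunk counts (18 old, 15 new lines) are consistent with the opener genuinely being absent rather than lost in rendering, so as written the `')` closes an enclosing quote early and the dontaudit is not guarded by the tunable. Add a `tunable_policy(`use_nfs_home_dirs',`` line before the fs_dontaudit_rw_nfs_files call, mirroring the use_samba_home_dirs block added just below it. The enclosing gpg_per_userdomain_template define starts and ends outside the hunk.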
@@ -239,9 +242,19 @@ define(`gpg_per_userdomain_template',` miscfiles_read_localization($1_gpg_agent_t) + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_gpg_agent_t) + fs_manage_nfs_files($1_gpg_agent_t) + fs_manage_nfs_symlinks($1_gpg_agent_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs($1_gpg_agent_t) + fs_manage_cifs_files($1_gpg_agent_t) + fs_manage_cifs_symlinks($1_gpg_agent_t) + ') + ifdef(`TODO',` - # Transition from the user domain to the derived domain. - domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t) allow $1_gpg_agent_t xdm_t:fd use; @@ -261,12 +274,6 @@ define(`gpg_per_userdomain_template',` # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search; create_dir_file($1_gpg_agent_t, $1_gpg_secret_t) - tunable_policy(`use_nfs_home_dirs',` - create_dir_file($1_gpg_agent_t, nfs_t) - ') - tunable_policy(`use_samba_home_dirs',` - create_dir_file($1_gpg_agent_t, cifs_t) - ') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir search; @@ -281,10 +288,7 @@ define(`gpg_per_userdomain_template',` # we need to allow gpg-agent to call pinentry so it can get the passphrase # from the user. - allow $1_gpg_agent_t $1_gpg_pinentry_t:process transition; - allow $1_gpg_agent_t pinentry_exec_t:file rx_file_perms; - type_transition $1_gpg_agent_t pinentry_exec_t:process $1_gpg_pinentry_t; - dontaudit $1_gpg_agent_t $1_gpg_pinentry_t:process { noatsecure siginh rlimitinh }; + domain_auto_trans($1_gpg_agent_t,pinentry_exec_t,$1_gpg_pinentry_t) allow $1_gpg_pinentry_t $1_gpg_agent_t:fd use; allow $1_gpg_agent_t $1_gpg_pinentry_t:fd use; diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 2c03327f..6d7b9f69 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if 
@@ -399,17 +399,14 @@ define(`fs_mount_cifs_depend',` ## # define(`fs_remount_cifs',` - gen_require(`$0'_depend) + gen_require(` + type cifs_t; + class filesystem remount; + ') allow $1 cifs_t:filesystem remount; ') -define(`fs_remount_cifs_depend',` - type cifs_t; - - class filesystem remount; -') - ######################################## ## ## @@ -421,17 +418,14 @@ define(`fs_remount_cifs_depend',` ## # define(`fs_unmount_cifs',` - gen_require(`$0'_depend) + gen_require(` + type cifs_t; + class filesystem unmount; + ') allow $1 cifs_t:filesystem mount; ') -define(`fs_unmount_cifs_depend',` - type cifs_t; - - class filesystem unmount; -') - ######################################## ## ## 
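Review bot: fs_unmount_cifs now declares `class filesystem unmount;` in its gen_require, but the rule it wraps is still the context line `allow $1 cifs_t:filesystem mount;`, so a caller asking for unmount is granted mount and the required unmount permission is never used. The commit carries this mismatch over from the removed _depend block rather than fixing it; change the rule to `allow $1 cifs_t:filesystem unmount;` so the require and the grant agree.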
@@ -445,15 +439,74 @@ define(`fs_unmount_cifs_depend',` ## # define(`fs_getattr_cifs',` - gen_require(`$0'_depend) + gen_require(` + type cifs_t; + class filesystem getattr; + ') allow $1 cifs_t:filesystem getattr; ') -define(`fs_getattr_cifs_depend',` - type cifs_t; +######################################## +## +## +## Read files on a CIFS or SMB filesystem. +## +## +## The type of the domain reading the files. +## +## +# +define(`fs_read_cifs_files',` + gen_require(` + type cifs_t; + class dir r_dir_perms; + class file r_file_perms; + ') - class filesystem getattr; + allow $1 cifs_t:dir r_dir_perms; + allow $1 cifs_t:file r_file_perms; +') + +######################################## +## +## +## Do not audit attempts to read or +## write files on a CIFS or SMB filesystem. +## +## +## The type of the domain to not audit. +## +## +# +define(`fs_dontaudit_rw_cifs_files',` + gen_require(` + type cifs_t; + class file { read write }; + ') + + dontaudit $1 cifs_t:file { read write }; +') + +######################################## +## +## +## Read symbolic links on a CIFS or SMB filesystem. +## +## +## The type of the domain reading the symbolic links. +## +## +# +define(`fs_read_cifs_symlinks',` + gen_require(` + type cifs_t; + class dir r_dir_perms; + class lnk_file r_file_perms; + ') + + allow $1 cifs_t:dir r_dir_perms; + allow $1 cifs_t:lnk_file r_file_perms; ') ######################################## @@ -482,6 +535,26 @@ define(`fs_execute_cifs_files_depend',` class file { getattr read execute execute_no_trans }; ') +######################################## +## +## +## Do not audit attempts to read or +## write files on a CIFS or SMB filesystems. +## +## +## The type of the domain to not audit. +## +## +# +define(`fs_read_cifs_files',` + gen_require(` + type cifs_t; + class file { read write }; + ') + + dontaudit $1 cifs_t:file { read write }; +') + ######################################## ## ## 
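Review bot: The second hunk (`@@ -482,6 +535,26 @@`) adds another `define(`fs_read_cifs_files',`` whose body is `dontaudit $1 cifs_t:file { read write };` under a "Do not audit" summary — it is a copy of fs_dontaudit_rw_cifs_files from the first hunk with the wrong name. Since m4 keeps the last definition, this later block overrides the real fs_read_cifs_files defined in the first hunk, so the fs_read_cifs_files(remote_login_t) and fs_read_cifs_files(local_login_t) calls added elsewhere in this commit would grant no read access and would instead silence read/write denials on cifs_t. Delete the duplicate block; fs_dontaudit_rw_cifs_files already provides the dontaudit.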
@@ -906,6 +979,27 @@ define(`fs_getattr_nfs_depend',` class filesystem getattr; ') +######################################## +## +## +## Read files on a NFS filesystem. +## +## +## The type of the domain reading the files. +## +## +# +define(`fs_read_nfs_files',` + gen_require(` + type nfs_t; + class dir r_dir_perms; + class file r_file_perms; + ') + + allow $1 nfs_t:dir r_dir_perms; + allow $1 nfs_t:file r_file_perms; +') + ######################################## ## ## @@ -917,17 +1011,54 @@ define(`fs_getattr_nfs_depend',` ## # define(`fs_execute_nfs_files',` - gen_require(`$0'_depend) + gen_require(` + type nfs_t; + class dir r_dir_perms; + ') allow $1 nfs_t:dir r_dir_perms; can_exec($1, nfs_t) ') -define(`fs_execute_nfs_files_depend',` - type nfs_t; +######################################## +## +## +## Do not audit attempts to read or +## write files on a NFS filesystem. +## +## +## The type of the domain to not audit. +## +## +# +define(`fs_dontaudit_rw_nfs_files',` + gen_require(` + type nfs_t; + class file { read write }; + ') - class dir r_dir_perms; - class file { getattr read execute execute_no_trans }; + dontaudit $1 nfs_t:file { read write }; +') + +######################################## +## +## +## Read symbolic links on a NFS filesystem. +## +## +## The type of the domain reading the symbolic links. +## +## +# +define(`fs_read_nfs_symlinks',` + gen_require(` + type nfs_t; + class dir r_dir_perms; + class lnk_file r_file_perms; + ') + + allow $1 nfs_t:dir r_dir_perms; + allow $1 nfs_t:lnk_file r_file_perms; ') ######################################## 
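Review bot: In the `@@ -917,17 +1011,54 @@` hunk the new gen_require of fs_execute_nfs_files lists only `class dir r_dir_perms;`, while the removed fs_execute_nfs_files_depend also listed `class file { getattr read execute execute_no_trans };`, which is presumably what can_exec($1, nfs_t) expands to. Unless can_exec carries its own require (not visible here), that file-class requirement has been dropped by the conversion. Keep `class file { getattr read execute execute_no_trans };` in the gen_require alongside the dir line.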
@@ -990,19 +1121,16 @@ define(`fs_manage_nfs_files_depend',` ## # define(`fs_manage_nfs_symlinks',` - gen_require(`$0'_depend) + gen_require(` + type nfs_t; + class dir r_dir_perms; + class lnk_file create_lnk_perms; + ') allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:lnk_file create_lnk_perms; ') -define(`fs_manage_nfs_symlinks_depend',` - type nfs_t; - - class dir r_dir_perms; - class lnk_file create_lnk_perms; -') - ######################################### ## ## diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index f081d537..7a340cf9 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -13,18 +13,15 @@ ## # define(`storage_getattr_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + type fixed_disk_device_t; + class blk_file getattr; + ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') -define(`storage_getattr_fixed_disk_depend',` - type fixed_disk_device_t; - - class blk_file getattr; -') - ######################################## ## ## @@ -37,17 +34,14 @@ define(`storage_getattr_fixed_disk_depend',` ## # define(`storage_dontaudit_getattr_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + type fixed_disk_device_t; + class blk_file getattr; + ') dontaudit $1 fixed_disk_device_t:blk_file getattr; ') -define(`storage_dontaudit_getattr_fixed_disk_depend',` - type fixed_disk_device_t; - - class blk_file getattr; -') - ######################################## ## ## 
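Review bot: fs_manage_nfs_symlinks's new gen_require declares `class dir r_dir_perms;` but the rule it guards is `allow $1 nfs_t:dir rw_dir_perms;`; the removed _depend had the same mismatch and the commit copies it across. Change the require to `class dir rw_dir_perms;` so the declared permission set matches the one actually granted.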
@@ -60,16 +54,33 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',` ## # define(`storage_setattr_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + type fixed_disk_device_t; + class blk_file setattr; + ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; ') -define(`storage_setattr_fixed_disk_depend',` - type fixed_disk_device_t; +######################################## +## +## +## Do not audit attempts made by the caller to set +## the attributes of fixed disk device nodes. +## +## +## The type of the process to not audit. +## +## +# +define(`storage_dontaudit_setattr_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + class blk_file getattr; + ') - class blk_file setattr; + dontaudit $1 fixed_disk_device_t:blk_file getattr; ') ######################################## @@ -86,21 +97,17 @@ define(`storage_setattr_fixed_disk_depend',` ## # define(`storage_raw_read_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_read; + type fixed_disk_device_t; + class blk_file r_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') -define(`storage_raw_read_fixed_disk_depend',` - attribute fixed_disk_raw_read; - - type fixed_disk_device_t; - - class blk_file r_file_perms; -') - ######################################## ## ## @@ -115,21 +122,17 @@ define(`storage_raw_read_fixed_disk_depend',` ## # define(`storage_raw_write_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_write; + type fixed_disk_device_t; + class blk_file { getattr write ioctl }; + ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') -define(`storage_raw_write_fixed_disk_depend',` - attribute fixed_disk_raw_write; - - type fixed_disk_device_t; - - class blk_file { getattr write ioctl }; -') - ######################################## ## ## 
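Review bot: The new storage_dontaudit_setattr_fixed_disk interface requires and dontaudits `blk_file getattr`, not setattr — it reads like a copy of the getattr variant with only the name and summary changed. locallogin.te in this commit replaces `dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };` with the getattr/setattr pair of these interfaces, so setattr denials on fixed disks by local_login_t would start being audited. Change the two lines to `class blk_file setattr;` and `dontaudit $1 fixed_disk_device_t:blk_file setattr;`.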
@@ -141,19 +144,17 @@ define(`storage_raw_write_fixed_disk_depend',` ## # define(`storage_create_fixed_disk_dev_entry',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_read, fixed_disk_raw_write; + type fixed_disk_device_t; + class blk_file create_file_perms; + ') allow $1 fixed_disk_device_t:blk_file create_file_perms; dev_create_dev_node($1,fixed_disk_device_t,blk_file) typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') -define(`storage_create_fixed_disk_dev_entry_depend',` - type fixed_disk_device_t; - - class blk_file create_file_perms; -') - ######################################## ## ## @@ -165,21 +166,17 @@ define(`storage_create_fixed_disk_dev_entry_depend',` ## # define(`storage_manage_fixed_disk',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_read, fixed_disk_raw_write; + type fixed_disk_device_t; + class blk_file create_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file create_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') -define(`storage_manage_fixed_disk_depend',` - attribute fixed_disk_raw_read, fixed_disk_raw_write; - - type fixed_disk_device_t; - - class blk_file create_file_perms; -') - ######################################## ## ## @@ -194,21 +191,17 @@ define(`storage_manage_fixed_disk_depend',` ## # define(`storage_raw_read_lvm_volume',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_read; + type lvm_vg_t; + class blk_file r_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 lvm_vg_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') -define(`storage_raw_read_lvm_volume_depend',` - attribute fixed_disk_raw_read; - - type lvm_vg_t; - - class blk_file r_file_perms; -') - ######################################## ## ## 
@@ -223,21 +216,17 @@ define(`storage_raw_read_lvm_volume_depend',` ## # define(`storage_raw_write_lvm_volume',` - gen_require(`$0'_depend) + gen_require(` + attribute fixed_disk_raw_write; + type lvm_vg_t; + class blk_file { getattr write ioctl }; + ') dev_list_all_dev_nodes($1) allow $1 lvm_vg_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') -define(`storage_raw_write_lvm_volume_depend',` - attribute fixed_disk_raw_write; - - type lvm_vg_t; - - class blk_file { getattr write ioctl }; -') - ######################################## ## ## @@ -253,21 +242,17 @@ define(`storage_raw_write_lvm_volume_depend',` ## # define(`storage_read_scsi_generic',` - gen_require(`$0'_depend) + gen_require(` + attribute scsi_generic_read; + type scsi_generic_device_t; + class blk_file r_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file r_file_perms; typeattribute $1 scsi_generic_read; ') -define(`storage_read_scsi_generic_depend',` - attribute scsi_generic_read; - - type scsi_generic_device_t; - - class blk_file r_file_perms; -') - ######################################## ## ## @@ -283,21 +268,17 @@ define(`storage_read_scsi_generic_depend',` ## # define(`storage_write_scsi_generic',` - gen_require(`$0'_depend) + gen_require(` + attribute scsi_generic_write; + type scsi_generic_device_t; + class blk_file { getattr write ioctl }; + ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file { getattr write ioctl }; typeattribute $1 scsi_generic_write; ') -define(`storage_write_scsi_generic_depend',` - attribute scsi_generic_write; - - type scsi_generic_device_t; - - class blk_file { getattr write ioctl }; -') - ######################################## ## ## 
@@ -310,18 +291,15 @@ define(`storage_write_scsi_generic_depend',` ## # define(`storage_getattr_scsi_generic',` - gen_require(`$0'_depend) + gen_require(` + type scsi_generic_device_t; + class blk_file getattr; + ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file getattr; ') -define(`storage_getattr_scsi_generic_depend',` - type scsi_generic_device_t; - - class blk_file getattr; -') - ######################################## ## ## @@ -334,18 +312,15 @@ define(`storage_getattr_scsi_generic_depend',` ## # define(`storage_set_scsi_generic_attributes',` - gen_require(`$0'_depend) + gen_require(` + type scsi_generic_device_t; + class blk_file setattr; + ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file setattr; ') -define(`storage_set_scsi_generic_attributes_depend',` - type scsi_generic_device_t; - - class blk_file setattr; -') - ######################################## ## ## @@ -358,18 +333,15 @@ define(`storage_set_scsi_generic_attributes_depend',` ## # define(`storage_getattr_removable_device',` - gen_require(`$0'_depend) + gen_require(` + type removable_device_t; + class blk_file getattr; + ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file getattr; ') -define(`storage_getattr_removable_device_depend',` - type removable_device_t; - - class blk_file getattr; -') - ######################################## ## ## @@ -382,17 +354,14 @@ define(`storage_getattr_removable_device_depend',` ## # define(`storage_dontaudit_getattr_removable_device',` - gen_require(`$0'_depend) + gen_require(` + type removable_device_t; + class blk_file getattr; + ') dontaudit $1 removable_device_t:blk_file getattr; ') -define(`storage_dontaudit_getattr_removable_device_depend',` - type removable_device_t; - - class blk_file getattr; -') - ######################################## ## ## 
@@ -405,18 +374,15 @@ define(`storage_dontaudit_getattr_removable_device_depend',` ## # define(`storage_setattr_removable_device',` - gen_require(`$0'_depend) + gen_require(` + type removable_device_t; + class blk_file setattr; + ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file setattr; ') -define(`storage_setattr_removable_device_depend',` - type removable_device_t; - - class blk_file setattr; -') - ######################################## ## ## @@ -432,18 +398,15 @@ define(`storage_setattr_removable_device_depend',` ## # define(`storage_raw_read_removable_device',` - gen_require(`$0'_depend) + gen_require(` + type removable_device_t; + class blk_file r_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file r_file_perms; ') -define(`storage_raw_read_removable_device_depend',` - type removable_device_t; - - class blk_file r_file_perms; -') - ######################################## ## ## @@ -459,18 +422,15 @@ define(`storage_raw_read_removable_device_depend',` ## # define(`storage_raw_write_removable_device',` - gen_require(`$0'_depend) + gen_require(` + type removable_device_t; + class blk_file { getattr write ioctl }; + ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file { getattr write ioctl }; ') -define(`storage_raw_write_removable_device_depend',` - type removable_device_t; - - class blk_file { getattr write ioctl }; -') - ######################################## ## ## @@ -483,18 +443,15 @@ define(`storage_raw_write_removable_device_depend',` ## # define(`storage_read_tape_device',` - gen_require(`$0'_depend) + gen_require(` + type tape_device_t; + class blk_file r_file_perms; + ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file r_file_perms; ') -define(`storage_read_tape_device_depend',` - type tape_device_t; - - class blk_file r_file_perms; -') - ######################################## ## ## 
@@ -507,18 +464,15 @@ define(`storage_read_tape_device_depend',` ## # define(`storage_write_tape_device',` - gen_require(`$0'_depend) + gen_require(` + type tape_device_t; + class blk_file { getattr write ioctl }; + ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file { getattr write ioctl }; ') -define(`storage_write_tape_device_depend',` - type tape_device_t; - - class blk_file { getattr write ioctl }; -') - ######################################## ## ## @@ -531,18 +485,15 @@ define(`storage_write_tape_device_depend',` ## # define(`storage_getattr_tape_device',` - gen_require(`$0'_depend) + gen_require(` + type tape_device_t; + class blk_file getattr; + ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file getattr; ') -define(`storage_getattr_tape_device_depend',` - type tape_device_t; - - class blk_file getattr; -') - ######################################## ## ## @@ -555,15 +506,13 @@ define(`storage_getattr_tape_device_depend',` ## # define(`storage_setattr_tape_device',` - gen_require(`$0'_depend) + gen_require(` + type tape_device_t; + class blk_file setattr; + ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file setattr; ') -define(`storage_setattr_tape_device_depend',` - type tape_device_t; - class blk_file setattr; -') - ## diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 0119ff78..0fd4a229 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -81,6 +81,16 @@ auth_manage_pam_console_data(remote_login_t) miscfiles_read_localization(remote_login_t) +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(remote_login_t) + fs_read_nfs_symlinks(remote_login_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(remote_login_t) + fs_read_cifs_symlinks(remote_login_t) +') + ifdef(`TODO',` allow remote_login_t unpriv_userdomain:fd use; can_ypbind(remote_login_t) 
@@ -116,14 +126,6 @@ dontaudit remote_login_t sysfs_t:dir search; allow remote_login_t autofs_t:dir r_dir_perms; allow remote_login_t mnt_t:dir r_dir_perms; -tunable_policy(`use_nfs_home_dirs',` - r_dir_file(remote_login_t, nfs_t) -') - -tunable_policy(`use_samba_home_dirs',` - r_dir_file(remote_login_t, cifs_t) -') - # FIXME: what is this for? ifdef(`xdm.te', ` allow xdm_t remote_login_t:process signull; diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index b63ea5b6..fdd84a1f 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -138,9 +138,10 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) kernel_read_system_state(pam_console_t) -dev_read_sysfs(pam_console_t) kernel_use_fd(pam_console_t) +dev_read_sysfs(pam_console_t) + # Allow to set attributes on /dev entries storage_getattr_fixed_disk(pam_console_t) storage_setattr_fixed_disk(pam_console_t) @@ -151,15 +152,15 @@ term_use_console(pam_console_t) term_getattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t) -init_use_fd(pam_console_t) -init_use_script_pty(pam_console_t) - domain_use_wide_inherit_fd(pam_console_t) files_read_generic_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) +init_use_fd(pam_console_t) +init_use_script_pty(pam_console_t) + libs_use_ld_so(pam_console_t) libs_use_shared_libs(pam_console_t) diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index fb8eb669..50c4cfed 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te 
@@ -30,8 +30,8 @@ dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; kernel_read_kernel_sysctl(hwclock_t) -dev_read_sysfs(hwclock_t) +dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) fs_getattr_xattr_fs(hwclock_t) @@ -41,11 +41,11 @@ term_use_unallocated_tty(hwclock_t) term_use_all_user_ttys(hwclock_t) term_use_all_user_ptys(hwclock_t) +domain_use_wide_inherit_fd(hwclock_t) + init_use_fd(hwclock_t) init_use_script_pty(hwclock_t) -domain_use_wide_inherit_fd(hwclock_t) - files_read_generic_etc_files_directory(hwclock_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dir(hwclock_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 000fd821..8a0404d3 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -26,9 +26,10 @@ dontaudit hostname_t self:capability sys_tty_config; sysnet_read_config(hostname_t) kernel_read_kernel_sysctl(hostname_t) -dev_read_sysfs(hostname_t) kernel_dontaudit_use_fd(hostname_t) +dev_read_sysfs(hostname_t) + fs_getattr_xattr_fs(hostname_t) term_dontaudit_use_console(hostname_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index 9775a8d6..52259dd5 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -45,9 +45,7 @@ files_create_pid(hotplug_t,hotplug_var_run_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) -dev_read_sysfs(hotplug_t) kernel_read_net_sysctl(hotplug_t) -dev_read_usbfs(hotplug_t) bootloader_read_kernel_modules(hotplug_t) 
@@ -58,7 +56,9 @@ corenet_raw_sendrecv_all_nodes(hotplug_t) corenet_tcp_sendrecv_all_ports(hotplug_t) corenet_tcp_bind_all_nodes(hotplug_t) -# for SSP +dev_read_sysfs(hotplug_t) +dev_read_usbfs(hotplug_t) +# for SSP: dev_read_urand(hotplug_t) fs_getattr_all_fs(hotplug_t) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index f6217ed8..1ee33b68 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -88,11 +88,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; # Run init scripts. domain_auto_trans(init_t,initrc_exec_t,initrc_t) -selinux_set_boolean(init_t) kernel_read_system_state(init_t) -dev_read_sysfs(init_t) kernel_share_state(init_t) +dev_read_sysfs(init_t) + +selinux_set_boolean(init_t) + term_use_all_terms(init_t) corecmd_chroot_exec_chroot(init_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index dd2edc75..01f62e88 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -39,11 +39,12 @@ allow iptables_t self:rawip_socket create_socket_perms; kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -dev_read_sysfs(iptables_t) kernel_read_kernel_sysctl(iptables_t) kernel_read_modprobe_sysctl(iptables_t) kernel_use_fd(iptables_t) +dev_read_sysfs(iptables_t) + fs_getattr_xattr_fs(iptables_t) term_dontaudit_use_console(iptables_t) diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te index 4b34dae8..29b289af 100644 --- a/refpolicy/policy/modules/system/libraries.te +++ b/refpolicy/policy/modules/system/libraries.te @@ -74,7 +74,6 @@ logging_send_syslog_msg(ldconfig_t) userdom_use_all_user_fd(ldconfig_t) - ifdef(`TODO',` allow ldconfig_t tmp_t:dir search; 
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index fb6ae0ab..b590167f 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,11 +7,11 @@ policy_module(locallogin,1.0)
 # type local_login_t; #, nscd_client_domain;
+auth_login_entry_type(local_login_t)
+domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
 domain_subj_id_change_exempt(local_login_t)
 domain_role_change_exempt(local_login_t)
-auth_login_entry_type(local_login_t)
-domain_type(local_login_t)
 domain_wide_inherit_fd(local_login_t)
 role system_r types local_login_t;
@@ -53,6 +53,10 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctl(local_login_t)
+
+# for SSP/ProPolice
+dev_read_urand(local_login_t)
+
 selinux_get_fs_mount(local_login_t)
 selinux_validate_context(local_login_t)
 selinux_compute_access_vector(local_login_t)
@@ -60,8 +64,8 @@ selinux_compute_create_context(local_login_t)
 selinux_compute_relabel_context(local_login_t)
 selinux_compute_user_contexts(local_login_t)
-# for SSP/ProPolice
-dev_read_urand(local_login_t)
+storage_dontaudit_getattr_fixed_disk(local_login_t)
+storage_dontaudit_setattr_fixed_disk(local_login_t)
 term_use_all_user_ttys(local_login_t)
 term_use_unallocated_tty(local_login_t)
@@ -106,6 +110,16 @@ userdom_use_unpriv_users_fd(local_login_t)
 # Search for mail spool file.
 mta_getattr_spool(local_login_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(local_login_t)
+ fs_read_nfs_symlinks(local_login_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_read_cifs_files(local_login_t)
+ fs_read_cifs_symlinks(local_login_t)
+')
+
 # Red Hat systems seem to have a stray
 # fd open from the initrd
 optional_policy(`distro_redhat',`
@@ -152,15 +166,16 @@ ifdef(`crack.te', ` allow local_login_t crack_db_t:file r_file_perms; ') -allow local_login_t mouse_device_t:chr_file { getattr setattr }; - ifdef(`targeted_policy',` unconfined_domain(local_login_t) domain_auto_trans(local_login_t, shell_exec_t, unconfined_t) ') +allow local_login_t mouse_device_t:chr_file { getattr setattr }; +allow local_login_t sound_device_t:chr_file { getattr setattr }; +allow local_login_t power_device_t:chr_file { getattr setattr }; + # Do not audit denied attempts to access devices. -dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr }; dontaudit local_login_t removable_device_t:blk_file { getattr setattr }; dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr }; dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr }; @@ -177,20 +192,6 @@ optional_policy(`gpm.te',` allow local_login_t gpmctl_t:sock_file { getattr setattr }; ') -# Allow setting of attributes on sound devices. -allow local_login_t sound_device_t:chr_file { getattr setattr }; - -# Allow setting of attributes on power management devices. -allow local_login_t power_device_t:chr_file { getattr setattr }; - -tunable_policy(`use_nfs_home_dirs',` - r_dir_file(local_login_t, nfs_t) -') - -tunable_policy(`use_samba_home_dirs',` - r_dir_file(local_login_t, cifs_t) -') - ') dnl endif TODO ################################# diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index b608f9db..feaf1580 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -59,6 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms; files_create_pid(auditd_t,auditd_var_run_t) kernel_read_kernel_sysctl(auditd_t) + dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) 
@@ -186,10 +187,10 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t)
-dev_read_sysfs(syslogd_t)
 kernel_read_kernel_sysctl(syslogd_t)
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
+dev_read_sysfs(syslogd_t)
 term_dontaudit_use_console(syslogd_t)
 # Allow syslog to a terminal
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index b3517cb5..86569567 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -69,20 +69,18 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
 files_create_etc_config(lvm_t,lvm_metadata_t,file)
 kernel_read_system_state(lvm_t)
+kernel_read_kernel_sysctl(lvm_t)
+# Read system variables in /proc/sys
+kernel_read_kernel_sysctl(lvm_t)
+# it has no reason to need this
+kernel_dontaudit_getattr_core(lvm_t)
+
 selinux_get_fs_mount(lvm_t)
 selinux_validate_context(lvm_t)
 selinux_compute_access_vector(lvm_t)
 selinux_compute_create_context(lvm_t)
 selinux_compute_relabel_context(lvm_t)
 selinux_compute_user_contexts(lvm_t)
-kernel_read_kernel_sysctl(lvm_t)
-dev_read_sysfs(lvm_t)
-# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(sysfs_t)
-# Read system variables in /proc/sys
-kernel_read_kernel_sysctl(lvm_t)
-# it has no reason to need this
-kernel_dontaudit_getattr_core(lvm_t)
 dev_create_generic_chr_file(lvm_t)
 dev_read_rand(lvm_t)
@@ -91,7 +89,9 @@ dev_rw_lvm_control(lvm_t)
 dev_manage_generic_symlinks(lvm_t)
 dev_relabel_dev_dirs(lvm_t)
 dev_manage_generic_blk_file(lvm_t)
-
+dev_read_sysfs(lvm_t)
+# Read /sys/block. Device mapper metadata is kept there.
+dev_read_sysfs(sysfs_t)
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dev_dontaudit_getattr_all_chr_files(lvm_t)
 dev_dontaudit_getattr_all_blk_files(lvm_t)
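Review bot: `kernel_read_kernel_sysctl(lvm_t)` is added twice in the `-69,20 +69,18` hunk of lvm.te, once bare and once under the `# Read system variables in /proc/sys` comment, so the duplicate from the old ordering is carried over instead of being collapsed. Keeping only the commented call, i.e. dropping the first `+kernel_read_kernel_sysctl(lvm_t)` line, gives the same policy and leaves one documented grant.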
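Review bot: `dev_read_sysfs(sysfs_t)` in the `-91,7 +89,9` hunk of lvm.te passes the sysfs filesystem type where the interface expects the subject domain, so the generated rules name `sysfs_t` as the source and grant nothing to `lvm_t`; the line is re-added verbatim from the old block rather than corrected. Since `dev_read_sysfs(lvm_t)` is already on the preceding line, the fix is to delete the `sysfs_t` call and move the `# Read /sys/block. Device mapper metadata is kept there.` comment above the `lvm_t` one, which is the grant that comment actually describes.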
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index c8f80f00..86583af9 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -131,13 +131,13 @@ bootloader_create_private_module_dir_entry(depmod_t,modules_dep_t)
 kernel_read_system_state(depmod_t)
+bootloader_read_kernel_symbol_table(depmod_t)
+bootloader_read_kernel_modules(depmod_t)
+
 fs_getattr_xattr_fs(depmod_t)
 term_use_console(depmod_t)
-bootloader_read_kernel_symbol_table(depmod_t)
-bootloader_read_kernel_modules(depmod_t)
-
 init_use_fd(depmod_t)
 init_use_script_fd(depmod_t)
 init_use_script_pty(depmod_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 28a6751f..a1787166 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -149,12 +149,12 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
 allow load_policy_t selinux_config_t:file r_file_perms;
 allow load_policy_t selinux_config_t:lnk_file r_file_perms;
+fs_getattr_xattr_fs(load_policy_t)
+
 selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
 selinux_set_boolean(load_policy_t)
-fs_getattr_xattr_fs(load_policy_t)
-
 term_use_console(load_policy_t)
 term_list_ptys(load_policy_t)
@@ -196,6 +196,11 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctl(newrole_t)
+
+dev_read_urand(newrole_t)
+
+fs_getattr_xattr_fs(newrole_t)
+
 selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
 selinux_compute_access_vector(newrole_t)
@@ -203,10 +208,6 @@ selinux_compute_create_context(newrole_t)
 selinux_compute_relabel_context(newrole_t)
 selinux_compute_user_contexts(newrole_t)
-dev_read_urand(newrole_t)
-
-fs_getattr_xattr_fs(newrole_t)
-
 term_use_all_user_ttys(newrole_t)
 term_use_all_user_ptys(newrole_t)
@@ -280,6 +281,9 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
 kernel_use_fd(restorecon_t)
 kernel_read_system_state(restorecon_t)
+
+fs_getattr_xattr_fs(restorecon_t)
+
 selinux_get_fs_mount(restorecon_t)
 selinux_validate_context(restorecon_t)
 selinux_compute_access_vector(restorecon_t)
@@ -287,8 +291,6 @@ selinux_compute_create_context(restorecon_t)
 selinux_compute_relabel_context(restorecon_t)
 selinux_compute_user_contexts(restorecon_t)
-fs_getattr_xattr_fs(restorecon_t)
-
 term_use_unallocated_tty(restorecon_t)
 init_use_fd(restorecon_t)
@@ -320,10 +322,10 @@ files_list_all_dirs(restorecon_t)
 auth_relabelto_shadow(restorecon_t)
 ifdef(`distro_redhat', `
-fs_use_tmpfs_character_devices(restorecon_t)
-fs_use_tmpfs_block_devices(restorecon_t)
-fs_relabel_tmpfs_block_devices(restorecon_t)
-fs_relabel_tmpfs_character_devices(restorecon_t)
+ fs_use_tmpfs_character_devices(restorecon_t)
+ fs_use_tmpfs_block_devices(restorecon_t)
+ fs_relabel_tmpfs_block_devices(restorecon_t)
+ fs_relabel_tmpfs_character_devices(restorecon_t)
 ')
 ifdef(`TODO',`
@@ -414,6 +416,9 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 kernel_read_system_state(setfiles_t)
+
+fs_getattr_xattr_fs(setfiles_t)
+
 selinux_get_fs_mount(setfiles_t)
 selinux_validate_context(setfiles_t)
 selinux_compute_access_vector(setfiles_t)
@@ -421,8 +426,6 @@ selinux_compute_create_context(setfiles_t)
 selinux_compute_relabel_context(setfiles_t)
 selinux_compute_user_contexts(setfiles_t)
-fs_getattr_xattr_fs(setfiles_t)
-
 term_use_all_user_ttys(setfiles_t)
 term_use_all_user_ptys(setfiles_t)
 term_use_unallocated_tty(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 0faca2c0..e4e1bd1b 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -86,7 +86,6 @@ allow ifconfig_t dhcpc_t:process sigchld;
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctl(dhcpc_t)
-dev_read_sysfs(dhcpc_t)
 kernel_use_fd(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
@@ -101,7 +100,8 @@ corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
-# for SSP
+dev_read_sysfs(dhcpc_t)
+# for SSP:
 dev_read_urand(dhcpc_t)
 fs_getattr_all_fs(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index c4cc2d9a..711cab74 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -70,7 +70,12 @@ kernel_read_device_sysctl(udev_t)
 kernel_read_hotplug_sysctl(udev_t)
 kernel_read_modprobe_sysctl(udev_t)
 kernel_read_kernel_sysctl(udev_t)
+
 dev_read_sysfs(udev_t)
+dev_manage_dev_nodes(udev_t)
+
+fs_getattr_all_fs(udev_t)
+
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
 selinux_compute_access_vector(udev_t)
@@ -78,10 +83,6 @@ selinux_compute_create_context(udev_t)
 selinux_compute_relabel_context(udev_t)
 selinux_compute_user_contexts(udev_t)
-dev_manage_dev_nodes(udev_t)
-
-fs_getattr_all_fs(udev_t)
-
 corecmd_exec_bin(udev_t)
 corecmd_exec_sbin(udev_t)
 corecmd_exec_shell(udev_t)