diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 1065c318..3e208423 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -345,6 +345,27 @@ interface(`term_getattr_all_user_ptys',`
allow $1 ptynode:chr_file getattr;
')
+########################################
+##
+## Do not audit attempts to get the
+## attributes of any user pty
+## device nodes.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`term_dontaudit_getattr_all_user_ptys',`
+ gen_require(`
+ attribute ptynode;
+ class chr_file getattr;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir r_dir_perms;
+ dontaudit $1 ptynode:chr_file getattr;
+')
+
########################################
##
## Read and write all user ptys.
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 129f4754..6f930ea2 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1551,6 +1551,55 @@ interface(`files_search_var_lib',`
allow $1 { var_t var_lib_t }:dir search;
')
+########################################
+##
+## Create objects in the /var/lib directory
+##
+##
+## Domain allowed access.
+##
+##
+## The type of the object to be created
+##
+##
+## The object class. If not specified, file is used.
+##
+#
+interface(`files_create_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir rw_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lib_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $1 var_lib_t:file $2;
+ ',`
+ type_transition $1 var_lib_t:$3 $2;
+ ')
+')
+
+########################################
+##
+## Read generic files in /var/lib
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_read_var_lib_files',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir search;
+ class file r_file_perms;
+ ')
+
+ allow $1 { var_t var_lib_t }:dir search;
+ allow $1 var_lib_t:file r_file_perms;
+')
+
########################################
#
# files_manage_urandom_seed(domain)
diff --git a/refpolicy/policy/modules/system/pcmcia.if b/refpolicy/policy/modules/system/pcmcia.if
index 3aefa05b..389ba9bf 100644
--- a/refpolicy/policy/modules/system/pcmcia.if
+++ b/refpolicy/policy/modules/system/pcmcia.if
@@ -73,3 +73,45 @@ interface(`pcmcia_run_cardctl',`
role $2 types cardmgr_t;
allow cardmgr_t $3:chr_file rw_term_perms;
')
+
+########################################
+##
+## Create, read, write, and delete
+## cardmgr pid files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`pcmcia_manage_pid',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ files_search_pids($1)
+ allow $1 cardmgr_var_run_t:dir rw_dir_perms;
+ allow $1 cardmgr_var_run_t:file create_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## cardmgr runtime character nodes.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`pcmcia_manage_runtime_chr',`
+ gen_require(`
+ type cardmgr_var_run_t;
+ class dir rw_dir_perms;
+ class chr_file create_file_perms;
+ ')
+
+ files_search_pids($1)
+ allow $1 cardmgr_var_run_t:dir rw_dir_perms;
+ allow $1 cardmgr_var_run_t:chr_file create_file_perms;
+')
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 8a7849bd..9e7bbdb0 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -15,6 +15,9 @@ init_daemon_domain(cardmgr_t,cardmgr_exec_t)
type cardmgr_lnk_t;
files_type(cardmgr_lnk_t)
+type cardmgr_var_lib_t;
+files_type(cardmgr_var_lib_t)
+
type cardmgr_var_run_t;
files_pid_file(cardmgr_var_run_t)
@@ -36,6 +39,10 @@ allow cardmgr_t self:fifo_file rw_file_perms;
allow cardmgr_t cardmgr_lnk_t:lnk_file create_lnk_perms;
dev_create_dev_node(cardmgr_t,cardmgr_lnk_t,lnk_file)
+# Create stab file
+allow cardmgr_t cardmgr_var_lib_t:file create_file_perms;
+files_create_var_lib(cardmgr_t,cardmgr_var_lib_t)
+
allow cardmgr_t cardmgr_var_run_t:file create_file_perms;
files_create_pid(cardmgr_t,cardmgr_var_run_t)
@@ -57,6 +64,7 @@ fs_search_auto_mountpoints(cardmgr_t)
term_use_unallocated_tty(cardmgr_t)
term_getattr_all_user_ttys(cardmgr_t)
term_dontaudit_use_console(cardmgr_t)
+term_dontaudit_getattr_all_user_ptys(cardmgr_t)
corecmd_exec_bin(cardmgr_t)
corecmd_exec_sbin(cardmgr_t)
@@ -72,6 +80,9 @@ domain_dontaudit_getattr_all_sockets(cardmgr_t)
files_search_home(cardmgr_t)
files_read_etc_runtime_files(cardmgr_t)
files_exec_etc_files(cardmgr_t)
+# for /var/lib/misc/pcmcia-scheme
+# would be better to have it in a different type if I knew how it was created..
+files_read_var_lib_files(cardmgr_t)
# cjp: these look excessive:
files_dontaudit_getattr_all_dirs(cardmgr_t)
files_dontaudit_getattr_all_files(cardmgr_t)
@@ -119,26 +130,19 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
allow cardmgr_t modules_object_t:dir search;
-# Create stab file
-var_lib_domain(cardmgr)
-
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-allow cardmgr_t var_lib_t:file { getattr read };
-
# Create device files in /tmp.
+# cjp: why is this created all over the place?
file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-dontaudit cardmgr_t ptyfile:chr_file getattr;
-
# this goes to apm
optional_policy(`pcmcia.te',`
pcmcia_domtrans_cardmgr(apmd_t)
pcmcia_domtrans_cardctl(apmd_t)
')
-ifdef(`hald.te', `
-rw_dir_file(hald_t, cardmgr_var_run_t)
-allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
+# this goes to hald
+optional_policy(`pcmcia.te',`
+ pcmcia_manage_pid(hald_t)
+ pcmcia_manage_runtime_chr(hald_t)
')
') dnl end TODO