add xml comments to interfaces, convert over userdomain stuff

refpolicy/policy/modules/admin/consoletype.te

@@ -51,13 +51,20 @@ files_ignore_read_rootfs_file(consoletype_t)
 libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)
 
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(consoletype_t)
+')
+
 optional_policy(`authlogin.te', `
 authlogin_pam_read_runtime_data(consoletype_t)
 ')
 
+optional_policy(`userdomain.te',`
+userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t)
+')
+
 ifdef(`TODO',`
 
-allow consoletype_t unpriv_userdomain:fd use;
 allow consoletype_t sysadm_t:fd use;
 allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
 allow consoletype_t sysadm_t:fifo_file rw_file_perms;
@@ -97,10 +104,6 @@ optional_policy(`lpd.te', `
 allow consoletype_t printconf_t:file { getattr read };
 ')
 
-tunable_policy(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-
 optional_policy(`firstboot.te', `
 allow consoletype_t firstboot_t:fifo_file write;
 ')

refpolicy/policy/modules/kernel/filesystem.if

@@ -882,8 +882,15 @@ class filesystem getattr;
 ')
 
 ########################################
-#
-# filesystem_tmpfs_associate(type)
+## <interface name="filesystem_tmpfs_associate">
+##	<description>
+##		Allow the type to associate to tmpfs filesystems.
+##	</description>
+##	<parameter name="type">
+##		The type of the object to be associated.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`filesystem_tmpfs_associate',`
 requires_block_template(`$0'_depend)
@@ -914,6 +921,100 @@ type tmpfs_t;
 class dir { getattr search read write add_name }; 
 ')
 
+########################################
+## <interface name="filesystem_use_tmpfs_character_devices">
+##	<description>
+##		Read and write character nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_use_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr read write ioctl };
+')
+
+define(`filesystem_use_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+## <interface name="filesystem_use_tmpfs_block_devices">
+##	<description>
+##		Read and write block nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_use_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr read write ioctl };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class blk_file { getattr read write ioctl };
+')
+
+########################################
+## <interface name="filesystem_manage_tmpfs_character_devices">
+##	<description>
+##		Read and write, create and delete character
+##		nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_manage_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
+allow $1 tmpfs_t:chr_file { getattr read write ioctl create unlink setattr };
+')
+
+define(`filesystem_mange_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name remove_name }; 
+class chr_file { getattr read write ioctl create unlink setattr };
+')
+
+########################################
+## <interface name="filesystem_manage_tmpfs_block_devices">
+##	<description>
+##		Read and write, create and delete block nodes
+##		on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_manage_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read write add_name remove_name };
+allow $1 tmpfs_t:blk_file { getattr read write ioctl create unlink setattr };
+')
+
+define(`filesystem_manage_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name remove_name }; 
+class blk_file { getattr read write ioctl create unlink setattr };
+')
+
 ########################################
 #
 # filesystem_mount_all_filesystems(type)

refpolicy/policy/modules/kernel/kernel.if

@@ -1058,8 +1058,16 @@ class lnk_file { getattr read };
 ')
 
 ########################################
-#
-# kernel_read_usb_hardware_state(domain)
+## <interface name="kernel_read_usb_hardware_state">
+##	<description>
+##		Read USB hardware information using
+##		the usbfs filesystem interface.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`kernel_read_usb_hardware_state',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/kernel/terminal.if

@@ -104,24 +104,37 @@ class chr_file { read write };
 ')
 
 ########################################
-#
-# terminal_use_console(domain)
+## <interface name="terminal_use_console">
+##	<description>
+##		Read from and write to the console.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`terminal_use_console',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 console_device_t:chr_file { read write };
 ')
 
 define(`terminal_use_console_depend',`
 type console_device_t;
 class chr_file { read write };
-devices_list_device_nodes_depend
 ')
 
 ########################################
-#
-# terminal_ignore_use_console(domain)
+## <interface name="terminal_ignore_use_console">
+##	<description>
+##		Do not audit read from or write to the console.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`terminal_ignore_use_console',`
 requires_block_template(`$0'_depend)
@@ -155,7 +168,7 @@ devices_list_device_nodes_depend
 #
 define(`terminal_list_pseudoterminals',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 devpts_t:dir { getattr search read };
 ')
 
@@ -333,6 +346,29 @@ class chr_file { relabelfrom relabelto };
 devices_list_device_nodes_depend
 ')
 
+########################################
+## <interface name="terminal_write_general_physical_terminal">
+##	<description>
+##		Write to general ttys.  Has a backchannel of
+##		getting all tty attributes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`terminal_write_general_physical_terminal',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 tty_device_t:chr_file { getattr write };
+')
+
+define(`terminal_write_general_physical_terminal_depend',`
+type tty_device_t;
+class chr_file { read write };
+')
+
 ########################################
 #
 # terminal_use_general_physical_terminal(domain)
@@ -391,6 +427,29 @@ attribute ttynode;
 class chr_file getattr;
 ')
 
+########################################
+## <interface name="terminal_write_all_private_physical_terminals">
+##	<description>
+##		Write to all private ttys.  Has a backchannel of
+##		getting all private tty attributes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`terminal_write_all_private_physical_terminals',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 ttynode:chr_file { getattr write };
+')
+
+define(`terminal_write_all_private_physical_terminals_depend',`
+attribute ttynode;
+class chr_file { getattr write };
+')
+
 ########################################
 #
 # terminal_use_all_private_physical_terminals(domain)

refpolicy/policy/modules/services/cron.if

@@ -2,7 +2,7 @@
 
 ########################################
 #
-# cron_per_userdomain_template(domain)
+# cron_per_userdomain_template(domainprefix)
 #
 
 define(`cron_per_userdomain_template',`
@@ -213,3 +213,24 @@ ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
 dontaudit $1_crontab_t var_run_t:dir search;
 ') dnl endif TODO
 ')
+
+########################################
+#
+# cron_admin_template(domainprefix)
+#
+
+define(`cron_admin_template',`
+
+logging_read_system_logs($1_crond_t)
+
+# Allow our crontab domain to unlink a user cron spool file.
+#allow $1_crontab_t user_cron_spool_t:file unlink;
+
+# Manipulate other users crontab.
+kernel_get_selinuxfs_mount_point($1_crontab_t)
+kernel_validate_selinux_context($1_crontab_t)
+kernel_compute_selinux_access_vector($1_crontab_t)
+kernel_compute_selinux_create_context($1_crontab_t)
+kernel_compute_selinux_relabel_context($1_crontab_t)
+kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
+')

refpolicy/policy/modules/services/mta.if

@@ -204,6 +204,27 @@ type sendmail_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
 
+########################################
+## <interface name="mta_read_mail_aliases">
+##	<description>
+##		Read mail address aliases.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+#
+define(`mta_read_mail_aliases',`
+requires_block_template(`$0'_depend)
+allow $1 etc_aliases_t:file { getattr read };
+')
+
+define(`mta_read_mail_aliases_depend',`
+type etc_aliases_t;
+class file { getattr read };
+')
+
 #######################################
 #
 # mta_modify_mail_aliases(domain)

refpolicy/policy/modules/system/clock.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-#######################################
-#
-# clock_transition(domain)
+########################################
+## <interface name="clock_transition">
+##	<description>
+##		Execute hwclock in the clock domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`clock_transition',`
 requires_block_template(`$0'_depend)
@@ -18,6 +25,36 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="clock_transition_add_role_use_terminal">
+##	<description>
+##		Execute hwclock in the clock domain, and
+##		allow the specified role the hwclock domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the clock domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the clock domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`clock_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+clock_transition($1)
+role $2 types hwclock_t;
+allow hwclock_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`clock_transition_add_role_use_terminal_depend',`
+type hwclock_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # clock_execute(domain)

refpolicy/policy/modules/system/clock.te

@@ -68,6 +68,10 @@ optional_policy(`udev.te', `
 udev_read_database(hwclock_t)
 ')
 
+optional_policy(`userdomain.te',`
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t)
+')
+
 ifdef(`TODO',`
 
 allow hwclock_t proc_t:dir r_dir_perms;
@@ -79,10 +83,8 @@ allow hwclock_t rhgb_t:fd use;
 allow hwclock_t rhgb_t:fifo_file { read write };
 ')
 
-dontaudit hwclock_t unpriv_userdomain:fd use;
 allow hwclock_t autofs_t:dir { search getattr };
 
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
 optional_policy(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
 
 optional_policy(`apmd.te', `

refpolicy/policy/modules/system/domain.if

@@ -148,8 +148,15 @@ class capability kill;
 ')
 
 ########################################
-#
-# domain_read_all_domains_process_state(domain)
+## <interface name="domain_read_all_domains_process_state">
+##	<description>
+##		Read the process state (/proc/pid) of all domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`domain_read_all_domains_process_state',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/system/files.if

@@ -263,7 +263,7 @@ type root_t;
 class chr_file { read write };
 ')
 
-#
+########################################
 ## <interface name="files_create_private_root_dir_entry">
 ##	<description>
 ##		Create an object in the root directory, with a private
@@ -282,7 +282,6 @@ class chr_file { read write };
 ##	<infoflow type="write" weight="10"/>
 ## </interface>
 #
-
 define(`files_create_private_root_dir_entry',`
 requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read write add_name remove_name };
@@ -498,8 +497,15 @@ class dir { getattr search read write add_name remove_name };
 ')
 
 ########################################
-#
-# files_list_home_directories(type)
+## <interface name="files_list_home_directories">
+##	<description>
+##		Get listing home home directories.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`files_list_home_directories',`
 requires_block_template(`$0'_depend)
@@ -569,6 +575,32 @@ class file { getattr read };
 class lnk_file { getattr read };
 ')
 
+########################################
+## <interface name="files_execute_system_source_code_scripts">
+##	<description>
+##		Execute programs in /usr/src in the caller domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`files_execute_system_source_code_scripts',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:lnk_file { getattr read };
+allow $1 src_t:file { getattr read execute execute_no_trans };
+')
+
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read execute execute_no_trans };
+class lnk_file { getattr read };
+')
+
 ########################################
 #
 # files_read_system_source_code(domain)

refpolicy/policy/modules/system/hotplug.if

@@ -75,8 +75,15 @@ class dir search;
 ')
 
 ########################################
-#
-# hotplug_read_config(domain)
+## <interface name="hotplug_read_config">
+##	<description>
+##		Read the configuration files for hotplug.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`hotplug_read_config',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/system/hotplug.te

@@ -60,13 +60,9 @@ storage_set_removable_device_attributes(hotplug_t)
 
 terminal_ignore_use_console(hotplug_t)
 
-init_use_file_descriptors(hotplug_t)
-init_script_use_pseudoterminal(hotplug_t)
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and
-# run sendmail -q
-init_script_transition(hotplug_t)
-# kernel threads inherit from shared descriptor table used by init
-init_ignore_use_control_channel(hotplug_t)
+corecommands_execute_general_programs(hotplug_t)
+corecommands_execute_shell(hotplug_t)
+corecommands_execute_system_programs(hotplug_t)
 
 domain_use_widely_inheritable_file_descriptors(hotplug_t)
 
@@ -74,11 +70,17 @@ files_read_general_system_config(hotplug_t)
 files_create_runtime_system_config(hotplug_t)
 files_execute_system_config_script(hotplug_t)
 
-corecommands_execute_general_programs(hotplug_t)
-corecommands_execute_shell(hotplug_t)
-corecommands_execute_system_programs(hotplug_t)
+init_use_file_descriptors(hotplug_t)
+init_script_use_pseudoterminal(hotplug_t)
+init_script_read_process_state(hotplug_t)
+# Allow hotplug (including /sbin/ifup-local) to start/stop services and
+# run sendmail -q
+init_script_transition(hotplug_t)
+# kernel threads inherit from shared descriptor table used by init
+init_ignore_use_control_channel(hotplug_t)
 
 logging_send_system_log_message(hotplug_t)
+logging_search_system_log_directory(hotplug_t)
 
 libraries_use_dynamic_loader(hotplug_t)
 libraries_use_shared_libraries(hotplug_t)
@@ -92,6 +94,8 @@ miscfiles_read_localization(hotplug_t)
 
 mount_transition(hotplug_t)
 
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(hotplug_t)
 terminal_ignore_use_general_pseudoterminal(hotplug_t)
@@ -110,6 +114,10 @@ optional_policy(`iptables.te',`
 iptables_transition(hotplug_t)
 ')
 
+optional_policy(`mta.te', `
+mta_send_mail(hotplug_t)
+')
+
 optional_policy(`selinux.te',`
 selinux_newrole_sigchld(hotplug_t)
 ')
@@ -128,7 +136,6 @@ updfstab_transition(hotplug_t)
 ')
 
 ifdef(`TODO',`
-dontaudit hotplug_t unpriv_userdomain:fd use;
 allow hotplug_t autofs_t:dir { search getattr };
 dontaudit hotplug_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
@@ -147,11 +154,6 @@ can_network_server(hotplug_t)
 can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-# init scripts run /etc/hotplug/usb.rc
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
 allow hotplug_t kernel_t:process sigchld;
 
 # for when filesystems are not mounted early in the boot
@@ -159,8 +161,6 @@ dontaudit hotplug_t file_t:dir { search getattr };
 
 allow hotplug_t udev_runtime_t:file rw_file_perms;
 
-allow hotplug_t var_log_t:dir search;
-
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
@@ -178,6 +178,10 @@ allow hotplug_t var_lock_t:file getattr;
 
 optional_policy(`hald.te', `
 allow hotplug_t hald_t:unix_dgram_socket sendto;
+')
+
+# this goes to hald:
+optional_policy(`hotplug.te',`
 allow hald_t hotplug_etc_t:dir search;
 allow hald_t hotplug_etc_t:file { getattr read };
 ')
@@ -186,15 +190,7 @@ optional_policy(`fsadm.te', `
 domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
 ')
 
-optional_policy(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
 optional_policy(`lpd.te', `
 allow hotplug_t printer_device_t:chr_file setattr;
 ')
-
-optional_policy(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
-')
 ') dnl end TODO

refpolicy/policy/modules/system/init.if

@@ -221,6 +221,37 @@ type initrc_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
 
+########################################
+## <interface name="init_script_read_process_state">
+##	<description>
+##		Read the process state (/proc/pid) of the init scripts.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+#
+define(`init_script_read_process_state',`
+requires_block_template(`$0'_depend)
+allow $1 initrc_t:dir { search getattr read };
+allow $1 initrc_t:{ file lnk_file } { read getattr };
+allow $1 initrc_t:process getattr;
+# We need to suppress this denial because procps tries to access
+# /proc/pid/environ and this now triggers a ptrace check in recent kernels
+# (2.4 and 2.6).  Might want to change procps to not do this, or only if
+# running in a privileged domain.
+dontaudit $1 initrc_t:process ptrace;
+')
+
+define(`init_script_read_process_state_depend',`
+type initrc_t;
+class dir { search getattr read };
+class file { read getattr };
+class lnk_file { read getattr };
+class process { getattr ptrace };
+')
+
 ########################################
 #
 # init_script_direct_admin_transition(role,domain)
@@ -255,6 +286,20 @@ type initrc_t;
 class fd use;
 ')
 
+########################################
+#
+# init_script_ignore_use_file_descriptors(domain)
+#
+define(`init_script_ignore_use_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 initrc_t:fd use;
+')
+
+define(`init_script_ignore_use_file_descriptors_depend',`
+type initrc_t;
+class fd use;
+')
+
 ########################################
 #
 # init_script_get_process_group(domain)
@@ -275,6 +320,7 @@ class process getpgid;
 #
 define(`init_script_use_pseudoterminal',`
 requires_block_template(`$0'_depend)
+terminal_list_pseudoterminals($1)
 allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
 ')
 
@@ -297,6 +343,28 @@ type initrc_devpts_t;
 class chr_file { read write ioctl };
 ')
 
+########################################
+## <interface name="init_script_modify_temporary_data">
+##	<description>
+##		Read and write init script temporary data.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+#
+define(`init_script_modify_temporary_data',`
+requires_block_template(`$0'_depend)
+# FIXME: read tmp_t
+allow $1 initrc_tmp_t:file { getattr read write };
+')
+
+define(`init_script_modify_temporary_data_depend',`
+type initrc_var_run_t;
+class file { getattr read write };
+')
+
 ########################################
 #
 # init_script_read_runtime_data(domain)

refpolicy/policy/modules/system/init.te

@@ -187,12 +187,7 @@ kernel_list_usb_hardware(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_ignore_get_message_interface_attributes(initrc_t)
 
-filesystem_register_binary_executable_type(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-filesystem_mount_all_filesystems(initrc_t)
-filesystem_unmount_all_filesystems(initrc_t)
-filesystem_remount_all_filesystems(initrc_t)
-filesystem_get_all_filesystems_attributes(initrc_t)
+bootloader_read_kernel_symbol_table(initrc_t)
 
 corenetwork_network_tcp_on_all_interfaces(initrc_t)
 corenetwork_network_raw_on_all_interfaces(initrc_t)
@@ -215,6 +210,13 @@ devices_read_sound_mixer_levels(initrc_t)
 devices_write_sound_mixer_levels(initrc_t)
 devices_set_all_character_device_attributes(initrc_t)
 
+filesystem_register_binary_executable_type(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+filesystem_mount_all_filesystems(initrc_t)
+filesystem_unmount_all_filesystems(initrc_t)
+filesystem_remount_all_filesystems(initrc_t)
+filesystem_get_all_filesystems_attributes(initrc_t)
+
 storage_get_fixed_disk_attributes(initrc_t)
 storage_set_fixed_disk_attributes(initrc_t)
 storage_set_removable_device_attributes(initrc_t)
@@ -222,17 +224,14 @@ storage_set_removable_device_attributes(initrc_t)
 terminal_use_all_terminals(initrc_t)
 terminal_reset_physical_terminal_labels(initrc_t)
 
-bootloader_read_kernel_symbol_table(initrc_t)
+corecommands_execute_general_programs(initrc_t)
+corecommands_execute_system_programs(initrc_t)
+corecommands_execute_shell(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_read_all_domains_process_state(initrc_t)
 domain_use_widely_inheritable_file_descriptors(initrc_t)
 
-libraries_modify_dynamic_loader_cache(initrc_t)
-libraries_use_dynamic_loader(initrc_t)
-libraries_use_shared_libraries(initrc_t)
-libraries_execute_library_scripts(initrc_t)
-
 files_get_all_file_attributes(initrc_t)
 files_remove_all_tmp_data(initrc_t)
 files_remove_all_lock_files(initrc_t)
@@ -244,9 +243,10 @@ files_execute_system_config_script(initrc_t)
 files_read_general_application_resources(initrc_t)
 files_manage_pseudorandom_saved_seed(initrc_t)
 
-corecommands_execute_general_programs(initrc_t)
-corecommands_execute_system_programs(initrc_t)
-corecommands_execute_shell(initrc_t)
+libraries_modify_dynamic_loader_cache(initrc_t)
+libraries_use_dynamic_loader(initrc_t)
+libraries_use_shared_libraries(initrc_t)
+libraries_execute_library_scripts(initrc_t)
 
 logging_send_system_log_message(initrc_t)
 
@@ -267,14 +267,29 @@ logging_append_all_logs(initrc_t)
 
 udev_modify_database(initrc_t)
 
+userdomain_read_all_users_data(initrc_t)
+# Allow access to the sysadm TTYs. Note that this will give access to the 
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+userdomain_use_admin_terminals(initrc_t)
+
+tunable_policy(`distro_debian', `
+filesystem_tmpfs_associate(initrc_var_run_t)
+')
+
 tunable_policy(`distro_redhat',`
 kernel_set_selinux_enforcement_mode(initrc_t)
 
-files_create_boot_flag(initrc_t)
-
 # Create and read /boot/kernel.h and /boot/System.map.
 # Redhat systems typically create this file at boot time.
 bootloader_create_runtime_data(initrc_t)
+
+filesystem_use_tmpfs_character_devices(initrc_t)
+
+files_create_boot_flag(initrc_t)
+
+# readahead asks for these
+mta_read_mail_aliases(initrc_t)
 ') dnl end distro_redhat
 
 optional_policy(`authlogin.te',`
@@ -282,7 +297,15 @@ authlogin_pam_read_runtime_data(initrc_t)
 authlogin_pam_remove_runtime_data(initrc_t)
 ')
 
+optional_policy(`hotplug.te',`
+kernel_read_usb_hardware_state(initrc_t)
+# init scripts run /etc/hotplug/usb.rc
+hotplug_read_config(initrc_t)
+modutils_read_kernel_module_dependencies(initrc_t)
+')
+
 ifdef(`TODO',`
+
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
 
@@ -291,15 +314,6 @@ allow initrc_t var_spool_t:file rw_file_perms;
 # Set device ownerships/modes.
 allow initrc_t xconsole_device_t:fifo_file setattr;
 
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
 # for lsof in shutdown scripts
 can_kerberos(initrc_t)
 dontaudit initrc_t krb5_conf_t:file write;
@@ -326,7 +340,6 @@ allow initrc_t { etc_t device_t }:dir setattr;
 allow initrc_t tmpfs_t:dir setattr;
 file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
 file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
 ')dnl end distro_debian
 
 tunable_policy(`distro_redhat', `
@@ -334,22 +347,13 @@ tunable_policy(`distro_redhat', `
 # Redhat systems typically create this file at boot time.
 allow initrc_t boot_t:lnk_file rw_file_perms;
 
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-#
 # readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
 allow initrc_t var_lib_nfs_t:file { getattr read };
-
 ')dnl end distro_redhat
 
 #
 # Shutting down xinet causes these
 #
-# Fam
-dontaudit initrc_t device_t:dir { read write };
 # Rsync
 dontaudit initrc_t mail_spool_t:lnk_file read;
 

refpolicy/policy/modules/system/iptables.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-#######################################
-#
-# iptables_transition(domain)
+########################################
+## <interface name="iptables_transition">
+##	<description>
+##		Execute iptables in the iptables domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`iptables_transition',`
 requires_block_template(`$0'_depend)
@@ -18,9 +25,46 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
-#######################################
+########################################
+## <interface name="iptables_transition_add_role_use_terminal">
+##	<description>
+##		Execute iptables in the iptables domain, and
+##		allow the specified role the iptables domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the iptables domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the iptables domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
-# iptables_execute(domain)
+define(`iptables_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+iptables_transition($1)
+role $2 types iptables_t;
+allow iptables_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`iptables_transition_add_role_use_terminal_depend',`
+type iptables_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+## <interface name="iptables_execute">
+##	<description>
+##		Execute iptables in the caller domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`iptables_execute',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/system/iptables.te

@@ -49,13 +49,15 @@ filesystem_get_persistent_filesystem_attributes(iptables_t)
 
 terminal_ignore_use_console(iptables_t)
 
-init_use_file_descriptors(iptables_t)
-init_script_use_pseudoterminal(iptables_t)
-
 domain_use_widely_inheritable_file_descriptors(iptables_t)
 
 files_read_general_system_config(iptables_t)
 
+init_use_file_descriptors(iptables_t)
+init_script_use_pseudoterminal(iptables_t)
+# to allow rules to be saved on reboot:
+init_script_modify_temporary_data(iptables_t)
+
 libraries_use_dynamic_loader(iptables_t)
 libraries_use_shared_libraries(iptables_t)
 
@@ -67,6 +69,19 @@ miscfiles_read_localization(iptables_t)
 
 sysnetwork_ifconfig_transition(iptables_t)
 
+userdomain_use_all_users_file_descriptors(iptables_t)
+
+tunable_policy(`use_dns',`
+allow iptables_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(iptables_t)
+corenetwork_network_raw_on_all_interfaces(iptables_t)
+corenetwork_network_udp_on_all_nodes(iptables_t)
+corenetwork_network_raw_on_all_nodes(iptables_t)
+corenetwork_bind_udp_on_all_nodes(iptables_t)
+corenetwork_network_udp_on_dns_port(iptables_t)
+sysnetwork_read_network_config(iptables_t)
+')
+
 optional_policy(`modutils.te', `
 modutils_insmod_transition(iptables_t)
 ')
@@ -92,26 +107,12 @@ allow iptables_t rhgb_t:process sigchld;
 allow iptables_t rhgb_t:fd use;
 allow iptables_t rhgb_t:fifo_file { read write };
 ')
-dontaudit iptables_t unpriv_userdomain:fd use;
+
 allow iptables_t autofs_t:dir { search getattr };
-tunable_policy(`direct_sysadm_daemon', `
-dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
-')
-
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-role sysadm_r types iptables_t;
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
 
 # for iptables -L
-can_resolve(iptables_t)
 can_ypbind(iptables_t)
 
-allow iptables_t userdomain:fd use;
-
-# Access terminals.
-allow iptables_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
 optional_policy(`gnome-pty-helper.te',`
 allow iptables_t sysadm_gph_t:fd use;
 ')

refpolicy/policy/modules/system/locallogin.te

@@ -11,9 +11,9 @@ type local_login_t; #, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception(local_login_t)
 kernel_make_process_identity_change_constraint_exception(local_login_t)
 kernel_make_role_change_constraint_exception(local_login_t)
+authlogin_make_login_program_entrypoint(local_login_t)
 domain_make_domain(local_login_t)
 domain_make_file_descriptors_widely_inheritable(local_login_t)
-authlogin_make_login_program_entrypoint(local_login_t)
 role system_r types local_login_t;
 
 type local_login_tmp_t;
@@ -24,10 +24,9 @@ type sulogin_exec_t;
 kernel_make_object_identity_change_constraint_exception(sulogin_t)
 kernel_make_process_identity_change_constraint_exception(sulogin_t)
 kernel_make_role_change_constraint_exception(sulogin_t)
+domain_make_file_descriptors_widely_inheritable(sulogin_t)
 init_make_init_domain(sulogin_t,sulogin_exec_t)
 init_make_system_domain(sulogin_t,sulogin_exec_t)
-domain_make_file_descriptors_widely_inheritable(sulogin_t)
-
 role system_r types sulogin_t;
 
 ########################################
@@ -68,8 +67,12 @@ devices_get_pseudorandom_data(local_login_t)
 terminal_use_all_private_physical_terminals(local_login_t)
 terminal_use_general_physical_terminal(local_login_t)
 
-init_script_modify_runtime_data(local_login_t)
-init_ignore_use_file_descriptors(local_login_t)
+authlogin_check_password_transition(local_login_t)
+authlogin_ignore_read_shadow_passwords(local_login_t)
+authlogin_modify_login_records(local_login_t)
+authlogin_modify_last_login_log(local_login_t)
+authlogin_pam_execute(local_login_t)
+authlogin_pam_console_manage_runtime_data(local_login_t)
 
 domain_read_all_entrypoint_programs(local_login_t)
 
@@ -78,22 +81,19 @@ files_read_runtime_system_config(local_login_t)
 files_list_home_directories(local_login_t)
 files_read_general_application_resources(local_login_t)
 
+init_script_modify_runtime_data(local_login_t)
+init_ignore_use_file_descriptors(local_login_t)
+
 libraries_use_dynamic_loader(local_login_t)
 libraries_use_shared_libraries(local_login_t)
 
 logging_send_system_log_message(local_login_t)
 
+miscfiles_read_localization(local_login_t)
+
 selinux_read_config(local_login_t)
 selinux_read_default_contexts(local_login_t)
 
-authlogin_check_password_transition(local_login_t)
-authlogin_ignore_read_shadow_passwords(local_login_t)
-authlogin_modify_login_records(local_login_t)
-authlogin_modify_last_login_log(local_login_t)
-authlogin_pam_execute(local_login_t)
-authlogin_pam_console_manage_runtime_data(local_login_t)
-
-miscfiles_read_localization(local_login_t)
 
 ifdef(`TODO',`
 allow local_login_t unpriv_userdomain:fd use;

refpolicy/policy/modules/system/logging.if

@@ -57,9 +57,18 @@ class unix_dgram_socket { create read getattr write setattr append bind connect
 class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown connectto };
 ')
 
-#######################################
-#
-# logging_search_system_log_directory(domain)
+########################################
+## <interface name="logging_search_system_log_directory">
+##	<description>
+##		Allows the domain to open a file in the
+##		log directory, but does not allow the listing
+##		of the contents of the log directory.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="3"/>
+## </interface>
 #
 define(`logging_search_system_log_directory',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/system/logging.te

@@ -36,6 +36,8 @@ files_make_file(var_log_t)
 #
 
 allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
+files_create_private_tmp_data(klogd_t,klogd_tmp_t)
+
 allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
 
 allow klogd_t self:capability sys_admin;
@@ -46,26 +48,25 @@ kernel_read_messages(klogd_t)
 # Control syslog and console logging
 kernel_clear_ring_buffer(klogd_t)
 kernel_change_ring_buffer_level(klogd_t)
+
+bootloader_read_kernel_symbol_table(klogd_t)
+
 devices_raw_read_memory(klogd_t)
 
 filesystem_get_all_filesystems_attributes(klogd_t)
 
-bootloader_read_kernel_symbol_table(klogd_t)
+files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
+files_read_runtime_system_config(klogd_t)
+# read /etc/nsswitch.conf
+files_read_general_system_config(klogd_t)
 
 libraries_use_dynamic_loader(klogd_t)
 libraries_use_shared_libraries(klogd_t)
 
-files_create_daemon_runtime_data(klogd_t,klogd_var_run_t)
-files_create_private_tmp_data(klogd_t,klogd_tmp_t)
-
-# read /etc/nsswitch.conf
-files_read_general_system_config(klogd_t)
-
-files_read_runtime_system_config(klogd_t)
-miscfiles_read_localization(klogd_t)
-
 logging_send_system_log_message(klogd_t)
 
+miscfiles_read_localization(klogd_t)
+
 ########################################
 #
 # syslogd local policy
@@ -104,6 +105,13 @@ kernel_read_kernel_sysctl(syslogd_t)
 devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
 
 terminal_ignore_use_console(syslogd_t)
+# Allow syslog to a terminal
+terminal_write_general_physical_terminal(syslogd_t)
+
+# for sending messages to logged in users
+init_script_read_runtime_data(syslogd_t)
+init_script_ignore_write_runtime_data(syslogd_t)
+terminal_write_all_private_physical_terminals(syslogd_t)
 
 corenetwork_network_raw_on_all_interfaces(syslogd_t)
 corenetwork_network_udp_on_all_interfaces(syslogd_t)
@@ -132,11 +140,13 @@ sysnetwork_read_network_config(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
+
 #
 # /initrd is not umounted before minilog starts
 #
 #dontaudit syslogd_t file_t:dir search;
-#allow syslogd_t { tmpfs_t devpts_t }:dir search;
+#allow syslogd_t tmpfs_t:dir search;
 #dontaudit syslogd_t unlabeled_t:file read;
 #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
 allow syslogd_t self:capability net_admin;
@@ -165,7 +175,6 @@ files_ignore_read_rootfs_file(syslogd_t)
 
 ifdef(`TODO',`
 allow syslogd_t proc_t:lnk_file read;
-dontaudit syslogd_t unpriv_userdomain:fd use;
 allow syslogd_t autofs_t:dir { search getattr };
 dontaudit syslogd_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
@@ -199,16 +208,8 @@ ifdef(`logrotate.te', `
 allow logrotate_t syslogd_exec_t:file r_file_perms;
 ')
 
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
 #
 # Special case to handle crashes
 #
 allow syslogd_t { device_t file_t }:sock_file unlink;
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
 ') dnl end TODO

refpolicy/policy/modules/system/lvm.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-#######################################
-#
-# lvm_transition(domain)
+########################################
+## <interface name="lvm_transition">
+##	<description>
+##		Execute lvm programs in the lvm domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`lvm_transition',`
 requires_block_template(`$0'_depend)
@@ -18,9 +25,45 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
-#######################################
+########################################
+## <interface name="lvm_transition_add_role_use_terminal">
+##	<description>
+##		Execute lvm programs in the lvm domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to allow the LVM domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the LVM domain to use.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
-# lvm_read_config(domain)
+define(`lvm_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+lvm_transition($1)
+role $2 types lvm_t;
+allow lvm_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`lvm_transition_add_role_use_terminal_depend',`
+type lvm_t;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+## <interface name="lvm_read_config">
+##	<description>
+##		Read LVM configuration files.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`lvm_read_config',`
 requires_block_template(`$0'_depend)

refpolicy/policy/modules/system/lvm.te

@@ -15,18 +15,18 @@ init_make_system_domain(lvm_t,lvm_exec_t)
 kernel_make_object_identity_change_constraint_exception(lvm_t)
 role system_r types lvm_t;
 
-type lvm_tmp_t;
-files_make_temporary_file(lvm_tmp_t)
-
-type lvm_metadata_t;
-files_make_file(lvm_metadata_t)
-
 type lvm_etc_t;
 files_make_file(lvm_etc_t)
 
 type lvm_lock_t;
 files_make_lock_file(lvm_lock_t)
 
+type lvm_metadata_t;
+files_make_file(lvm_metadata_t)
+
+type lvm_tmp_t;
+files_make_temporary_file(lvm_tmp_t)
+
 ########################################
 #
 # Local policy
@@ -137,7 +137,6 @@ udev_read_database(lvm_t)
 
 ifdef(`TODO',`
 
-role sysadm_r types lvm_t;
 allow lvm_t autofs_t:dir { search getattr };
 
 # LVM creates block devices in /dev/mapper or /dev/<vg>
@@ -154,9 +153,6 @@ allow lvm_t default_context_t:dir search;
 allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
 allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 
-# Access terminals.
-allow lvm_t admin_tty_type:chr_file { ioctl read getattr lock write append };
-
 # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
 dontaudit lvm_t device_t:fifo_file getattr;
 

refpolicy/policy/modules/system/modutils.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
 ########################################
-#
-# modutils_read_kernel_module_dependencies(domain)
+## <interface name="modutils_read_kernel_module_dependencies">
+##	<description>
+##		Read the dependencies of kernel modules.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`modutils_read_kernel_module_dependencies',`
 requires_block_template(`$0'_depend)
@@ -18,8 +25,16 @@ bootloader_list_kernel_modules_depend
 ')
 
 ########################################
-#
-# modutils_read_kernel_module_loading_config(domain)
+## <interface name="modutils_read_kernel_module_loading_config">
+##	<description>
+##		Read the configuration options used when
+##		loading modules.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`modutils_read_kernel_module_loading_config',`
 requires_block_template(`$0'_depend)
@@ -32,8 +47,15 @@ class file { getattr create read write setattr unlink };
 ')
 
 ########################################
-#
-# modutils_insmod_transition(domain)
+## <interface name="modutils_insmod_transition">
+##	<description>
+##		Execute insmod in the insmod domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`modutils_insmod_transition',`
 requires_block_template(`$0'_depend)
@@ -49,6 +71,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="modutils_insmod_transition_add_role_use_terminal">
+##	<description>
+##		Execute insmod in the insmod domain, and
+##		allow the specified role the insmod domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the insmod domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the insmod domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`modutils_insmod_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_insmod_transition($1)
+role $2 types insmod_t;
+allow insmod_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_insmod_transition_add_role_use_terminal_depend',`
+type insmod_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # modutils_insmod_execute(domain)
@@ -64,8 +117,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
-# modutils_depmod_transition(domain)
+## <interface name="modutils_depmod_transition">
+##	<description>
+##		Execute depmod in the depmod domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`modutils_depmod_transition',`
 requires_block_template(`$0'_depend)
@@ -81,6 +141,35 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="modutils_depmod_transition_add_role_use_terminal">
+##	<description>
+##		Execute depmod in the depmod domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the depmod domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the depmod domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`modutils_depmod_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_depmod_transition($1)
+role $2 types insmod_t;
+allow insmod_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_depmod_transition_add_role_use_terminal_depend',`
+type depmod_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # modutils_depmod_execute(domain)
@@ -96,8 +185,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
-# modutils_update_modules_transition(domain)
+## <interface name="modutils_update_modules_transition">
+##	<description>
+##		Execute depmod in the depmod domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`modutils_update_modules_transition',`
 requires_block_template(`$0'_depend)
@@ -113,6 +209,35 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="modutils_update_modules_transition_add_role_use_terminal">
+##	<description>
+##		Execute update_modules in the update_modules domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the update_modules domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the update_modules domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`modutils_update_modules_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+modutils_update_modules_transition($1)
+role $2 types update_modules_t;
+allow update_modules_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
+type update_modules_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # modutils_update_modules_execute(domain)

refpolicy/policy/modules/system/modutils.te

@@ -110,8 +110,6 @@ allow insmod_t sysfs_t:dir search;
 allow insmod_t usbfs_t:dir search;
 allow insmod_t usbfs_t:filesystem mount;
 
-allow insmod_t admin_tty_type:chr_file { getattr read write };
-
 # for when /var is not mounted early in the boot
 dontaudit insmod_t file_t:dir search;
 
@@ -159,10 +157,6 @@ ifdef(`TODO',`
 
 allow depmod_t { bin_t sbin_t }:dir search;
 
-domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
-
-# Access terminals.
-allow depmod_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 
 # Read System.map from home directories.
@@ -228,8 +222,5 @@ logging_send_system_log_message(update_modules_t)
 miscfiles_read_localization(update_modules_t)
 
 ifdef(`TODO',`
-role sysadm_r types update_modules_t;
-domain_auto_trans(sysadm_t, update_modules_exec_t, update_modules_t)
-allow update_modules_t admin_tty_type:chr_file rw_file_perms;
 dontaudit update_modules_t sysadm_home_dir_t:dir search;
 ') dnl endif TODO

refpolicy/policy/modules/system/mount.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-#######################################
-#
-# mount_transition(domain)
+########################################
+## <interface name="mount_transition">
+##	<description>
+##		Execute mount in the mount domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`mount_transition',`
 requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="mount_transition_add_role_use_terminal">
+##	<description>
+##		Execute mount in the mount domain, and
+##		allow the specified role the mount domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the mount domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the mount domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`mount_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+mount_transition($1)
+role $2 types mount_t;
+allow mount_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`mount_transition_add_role_use_terminal_depend',`
+type mount_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # mount_use_file_descriptors(domain)

refpolicy/policy/modules/system/mount.te

@@ -21,6 +21,9 @@ allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr
 kernel_read_system_state(mount_t)
 kernel_ignore_use_file_descriptors(mount_t)
 
+corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
+corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
+
 devices_get_all_block_device_attributes(mount_t)
 devices_list_device_nodes(mount_t)
 
@@ -37,11 +40,9 @@ files_unmount_root_filesystem(mount_t)
 
 terminal_use_console(mount_t)
 
-corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
-corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
-
-init_use_file_descriptors(mount_t)
-init_script_use_pseudoterminal(mount_t)
+# required for mount.smbfs
+corecommands_execute_system_programs(mount_t)
+corecommands_execute_general_programs(mount_t)
 
 domain_use_widely_inheritable_file_descriptors(mount_t)
 
@@ -51,21 +52,55 @@ files_read_general_system_config(mount_t)
 files_create_runtime_system_config(mount_t)
 files_mount_on_all_mountpoints(mount_t)
 
+init_use_file_descriptors(mount_t)
+init_script_use_pseudoterminal(mount_t)
+
 libraries_use_dynamic_loader(mount_t)
 libraries_use_shared_libraries(mount_t)
 
-# required for mount.smbfs
-corecommands_execute_system_programs(mount_t)
-corecommands_execute_general_programs(mount_t)
-
 logging_send_system_log_message(mount_t)
 
 miscfiles_read_localization(mount_t)
 
+userdomain_use_all_users_file_descriptors(mount_t)
+
+tunable_policy(`distro_redhat',`
+filesystem_use_tmpfs_character_devices(mount_t)
+allow mount_t tmpfs_t:dir mounton;
+
+optional_policy(`authlogin.te',`
+authlogin_pam_console_read_runtime_data(mount_t)
+# mount config by default sets fscontext=removable_t
+allow mount_t dosfs_t:filesystem relabelfrom;
+') dnl end authlogin
+
+') dnl end distro_redhat
+
+optional_policy(`portmap.te', `
+# for nfs
+#can_ypbind(mount_t)
+#allow portmap_t mount_t:udp_socket { sendto recvfrom };
+#allow mount_t portmap_t:udp_socket { sendto recvfrom };
+#allow mount_t rpc_pipefs_t:dir search;
+corenetwork_network_tcp_on_all_interfaces(mount_t)
+corenetwork_network_raw_on_all_interfaces(mount_t)
+corenetwork_network_udp_on_all_interfaces(mount_t)
+corenetwork_network_tcp_on_all_nodes(mount_t)
+corenetwork_network_raw_on_all_nodes(mount_t)
+corenetwork_network_udp_on_all_nodes(mount_t)
+corenetwork_network_tcp_on_all_ports(mount_t)
+corenetwork_network_udp_on_all_ports(mount_t)
+corenetwork_bind_tcp_on_all_nodes(mount_t)
+corenetwork_bind_udp_on_all_nodes(mount_t)
+corenetwork_bind_tcp_on_general_port(mount_t)
+corenetwork_bind_udp_on_general_port(mount_t)
+corenetwork_bind_tcp_on_reserved_port(mount_t)
+corenetwork_bind_udp_on_reserved_port(mount_t)
+')
+
 ifdef(`TODO',`
-# Mount, remount and unmount file systems.
-# nfsv4 has a filesystem to mount for its userspace daemons
-allow mount_t var_lib_nfs_t:dir mounton;
+# this goes to the nfs/rpc module
+files_make_mountpoint(var_lib_nfs_t)
 
 # TODO: Need to examine this further. Not sure how to handle this
 #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
@@ -83,59 +118,18 @@ allow mount_t fs_t:filesystem relabelfrom;
 # This rule needs to be generalized.  Only admin, initrc should have it.
 allow mount_t file_type:filesystem { unmount mount relabelto };
 
-allow mount_t userdomain:fd use;
-
-domain_auto_trans(sysadm_t, mount_exec_t, mount_t)
-role sysadm_r types mount_t;
-allow mount_t sysadm_tty_device_t:chr_file { getattr read write ioctl };
-allow mount_t sysadm_devpts_t:chr_file { getattr read write };
 ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;
 ')
 
-tunable_policy(`distro_redhat',`
-optional_policy(`authlogin.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end authlogin
-') dnl end distro_redhat
-
 optional_policy(`rhgb.te', `
 allow mount_t rhgb_t:process sigchld;
 allow mount_t rhgb_t:fd use;
 allow mount_t rhgb_t:fifo_file { read write };
 ')
 
-tunable_policy(`distro_redhat', `
-allow mount_t tmpfs_t:chr_file { read write };
-allow mount_t tmpfs_t:dir mounton;
-')
-
 optional_policy(`automount.te', `
 allow mount_t autofs_t:dir read;
 ')
 
-optional_policy(`portmap.te', `
-# for nfs
-can_ypbind(mount_t)
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
-corenetwork_network_tcp_on_all_interfaces(mount_t)
-corenetwork_network_raw_on_all_interfaces(mount_t)
-corenetwork_network_udp_on_all_interfaces(mount_t)
-corenetwork_network_tcp_on_all_nodes(mount_t)
-corenetwork_network_raw_on_all_nodes(mount_t)
-corenetwork_network_udp_on_all_nodes(mount_t)
-corenetwork_network_tcp_on_all_ports(mount_t)
-corenetwork_network_udp_on_all_ports(mount_t)
-corenetwork_bind_tcp_on_all_nodes(mount_t)
-corenetwork_bind_udp_on_all_nodes(mount_t)
-corenetwork_bind_tcp_on_general_port(mount_t)
-corenetwork_bind_udp_on_general_port(mount_t)
-corenetwork_bind_tcp_on_reserved_port(mount_t)
-corenetwork_bind_udp_on_reserved_port(mount_t)
-')
-
 ') dnl endif TODO

refpolicy/policy/modules/system/selinux.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
 #######################################
-#
-# selinux_checkpolicy_transition(domain)
+## <interface name="selinux_checkpolicy_transition">
+##	<description>
+##		Execute checkpolicy in the checkpolicy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
+##	<description>
+##		Execute checkpolicy in the checkpolicy domain, and
+##		allow the specified role the checkpolicy domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the checkpolicy domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the checkpolicy domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_checkpolicy_transition($1)
+role $2 types checkpolicy_t;
+allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+type checkpolicy_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_checkpolicy_execute(domain)
@@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
-#
-# selinux_load_policy_transition(domain)
+## <interface name="selinux_load_policy_transition">
+##	<description>
+##		Execute load_policy in the load_policy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
@@ -50,6 +95,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_load_policy_transition_add_role_use_terminal">
+##	<description>
+##		Execute load_policy in the load_policy domain, and
+##		allow the specified role the load_policy domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the load_policy domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the load_policy domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_load_policy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_load_policy_transition($1)
+role $2 types load_policy_t;
+allow load_policy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+type load_policy_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_load_policy_execute(domain)
@@ -79,8 +155,15 @@ class file { getattr read };
 ')
 
 #######################################
-#
-# selinux_newrole_transition(domain)
+## <interface name="selinux_newrole_transition">
+##	<description>
+##		Execute newrole in the load_policy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
@@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 ')
 
 define(`selinux_newrole_transition_depend',`
-type newrole_exec_t;
+type newrole_t, newrole_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_newrole_transition_add_role_use_terminal">
+##	<description>
+##		Execute newrole in the newrole domain, and
+##		allow the specified role the newrole domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the newrole domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the newrole domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_newrole_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_newrole_transition($1)
+role $2 types newrole_t;
+allow newrole_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+type newrole_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_newrole_execute(domain)
@@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
 
+########################################
+## <interface name="selinux_newrole_ignore_signal">
+##	<description>
+##		Do not audit the caller attempts to send
+##		a signal to newrole.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`selinux_newrole_ignore_signal',`
+requires_block_template(`$0'_depend)
+dontaudit $1 newrole_t:process signal;
+')
+
+define(`selinux_newrole_ignore_signal_depend',`
+type newrole_t;
+class process signal;
+')
+
 #######################################
 #
 # selinux_newrole_sigchld(domain)
@@ -139,8 +275,15 @@ class fd use;
 ')
 
 #######################################
-#
-# selinux_restorecon_transition(domain)
+## <interface name="selinux_restorecon_transition">
+##	<description>
+##		Execute restorecon in the restorecon domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
@@ -156,6 +299,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_restorecon_transition_add_role_use_terminal">
+##	<description>
+##		Execute restorecon in the restorecon domain, and
+##		allow the specified role the restorecon domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the restorecon domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the restorecon domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_restorecon_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_restorecon_transition($1)
+role $2 types restorecon_t;
+allow restorecon_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+type restorecon_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_restorecon_execute(domain)
@@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
-# selinux_run_init_transition(domain)
+## <interface name="selinux_run_init_transition">
+##	<description>
+##		Execute run_init in the run_init domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
@@ -188,6 +369,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_run_init_transition_add_role_use_terminal">
+##	<description>
+##		Execute run_init in the run_init domain, and
+##		allow the specified role the run_init domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the run_init domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the run_init domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_run_init_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_run_init_transition($1)
+role $2 types run_init_t;
+allow run_init_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+type run_init_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # selinux_run_init_use_file_descriptors(domain)
@@ -202,9 +414,16 @@ type run_init_t;
 class fd use;
 ')
 
-#######################################
-#
-# selinux_setfiles_transition(domain)
+########################################
+## <interface name="selinux_setfiles_transition">
+##	<description>
+##		Execute setfiles in the setfiles domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
@@ -220,6 +439,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_setfiles_transition_add_role_use_terminal">
+##	<description>
+##		Execute setfiles in the setfiles domain, and
+##		allow the specified role the setfiles domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the setfiles domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the setfiles domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_setfiles_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_setfiles_transition($1)
+role $2 types setfiles_t;
+allow setfiles_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+type setfiles_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_setfiles_execute(domain)

refpolicy/policy/modules/system/selinux.te

@@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
 
 domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
 
+# directory search permissions for path to source and binary policy files
+files_search_general_system_config_directory(checkpolicy_t)
+
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
 
@@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
 userdomain_use_all_users_file_descriptors(checkpolicy_t)
 
 ifdef(`TODO',`
-role sysadm_r types checkpolicy_t;
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-allow checkpolicy_t sysadm_tmp_t:file { getattr write };
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t etc_t:dir search;
-
 # Read the devpts root directory.  
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
 ') dnl endif TODO
 
 ########################################
@@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
 ifdef(`TODO',`
-role sysadm_r types load_policy_t;
-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
-allow load_policy_t sysadm_tmp_t:file { getattr write };
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
@@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 terminal_use_all_private_physical_terminals(newrole_t)
 terminal_use_all_private_pseudoterminals(newrole_t)
 
-# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+authlogin_check_password_transition(newrole_t)
 
 domain_use_widely_inheritable_file_descriptors(newrole_t)
 
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
 files_read_general_system_config(newrole_t)
 
 libraries_use_dynamic_loader(newrole_t)
@@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
 
 miscfiles_read_localization(newrole_t)
 
-authlogin_check_password_transition(newrole_t)
+userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
 
 ifdef(`TODO',`
-in_user_role(newrole_t)
-role sysadm_r types newrole_t;
 
-allow newrole_t unpriv_userdomain:fd use;
 can_ypbind(newrole)
 ifdef(`automount.te', `
 allow newrole_t autofs_t:dir { search getattr };
@@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
 dontaudit newrole_t { home_root_t home_type }:dir search;
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain newrole_t:process signal;
-
 ') dnl ifdef TODO
 
 ########################################
@@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(restorecon_t)
+filesystem_use_tmpfs_block_devices(restorecon_t)
+')
+
 ifdef(`TODO',`
-allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
-role sysadm_r types restorecon_t;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
 tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
+allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
 ')
 
 allow restorecon_t fs_type:dir r_dir_perms;
@@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
 
 terminal_ignore_list_pseudoterminals(run_init_t)
 
+authlogin_check_password_transition(run_init_t)
 authlogin_ignore_read_shadow_passwords(run_init_t)
 
 corecommands_execute_general_programs(run_init_t)
@@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
-', `
-domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
-role sysadm_r types run_init_t;
-domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-allow run_init_t admin_tty_type:chr_file rw_file_perms;
 ') dnl endif targeted policy
 
 tunable_policy(`distro_gentoo', `
@@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
 miscfiles_read_localization(setfiles_t)
 
 userdomain_use_all_users_file_descriptors(setfiles_t)
+# for config files in a home directory
+userdomain_read_all_users_data(setfiles_t)
 
 # relabeling rules
 kernel_relabel_unlabeled_object(setfiles_t)
@@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 
 ifdef(`TODO',`
-
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
-role sysadm_r types setfiles_t;
-
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that setfiles can not be run!
 allow setfiles_t lib_t:file { read execute };
@@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
 
 allow setfiles_t fs_type:dir r_dir_perms;
 
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
 ') dnl endif TODO

refpolicy/policy/modules/system/selinuxutil.if

@@ -1,8 +1,15 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
 #######################################
-#
-# selinux_checkpolicy_transition(domain)
+## <interface name="selinux_checkpolicy_transition">
+##	<description>
+##		Execute checkpolicy in the checkpolicy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_checkpolicy_transition',`
 requires_block_template(`$0'_depend)
@@ -18,6 +25,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
+##	<description>
+##		Execute checkpolicy in the checkpolicy domain, and
+##		allow the specified role the checkpolicy domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the checkpolicy domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the checkpolicy domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_checkpolicy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_checkpolicy_transition($1)
+role $2 types checkpolicy_t;
+allow checkpolicy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
+type checkpolicy_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_checkpolicy_execute(domain)
@@ -33,8 +71,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 #######################################
-#
-# selinux_load_policy_transition(domain)
+## <interface name="selinux_load_policy_transition">
+##	<description>
+##		Execute load_policy in the load_policy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_load_policy_transition',`
 requires_block_template(`$0'_depend)
@@ -50,6 +95,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_load_policy_transition_add_role_use_terminal">
+##	<description>
+##		Execute load_policy in the load_policy domain, and
+##		allow the specified role the load_policy domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the load_policy domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the load_policy domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_load_policy_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_load_policy_transition($1)
+role $2 types load_policy_t;
+allow load_policy_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
+type load_policy_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_load_policy_execute(domain)
@@ -79,8 +155,15 @@ class file { getattr read };
 ')
 
 #######################################
-#
-# selinux_newrole_transition(domain)
+## <interface name="selinux_newrole_transition">
+##	<description>
+##		Execute newrole in the load_policy domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_newrole_transition',`
 requires_block_template(`$0'_depend)
@@ -91,11 +174,42 @@ dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
 ')
 
 define(`selinux_newrole_transition_depend',`
-type newrole_exec_t;
+type newrole_t, newrole_exec_t;
 class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_newrole_transition_add_role_use_terminal">
+##	<description>
+##		Execute newrole in the newrole domain, and
+##		allow the specified role the newrole domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the newrole domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the newrole domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_newrole_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_newrole_transition($1)
+role $2 types newrole_t;
+allow newrole_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_newrole_transition_add_role_use_terminal_depend',`
+type newrole_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_newrole_execute(domain)
@@ -110,6 +224,28 @@ type newrole_t, newrole_exec_t;
 class file { getattr read execute execute_no_trans };
 ')
 
+########################################
+## <interface name="selinux_newrole_ignore_signal">
+##	<description>
+##		Do not audit the caller attempts to send
+##		a signal to newrole.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`selinux_newrole_ignore_signal',`
+requires_block_template(`$0'_depend)
+dontaudit $1 newrole_t:process signal;
+')
+
+define(`selinux_newrole_ignore_signal_depend',`
+type newrole_t;
+class process signal;
+')
+
 #######################################
 #
 # selinux_newrole_sigchld(domain)
@@ -139,8 +275,15 @@ class fd use;
 ')
 
 #######################################
-#
-# selinux_restorecon_transition(domain)
+## <interface name="selinux_restorecon_transition">
+##	<description>
+##		Execute restorecon in the restorecon domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_restorecon_transition',`
 requires_block_template(`$0'_depend)
@@ -156,6 +299,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_restorecon_transition_add_role_use_terminal">
+##	<description>
+##		Execute restorecon in the restorecon domain, and
+##		allow the specified role the restorecon domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the restorecon domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the restorecon domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_restorecon_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_restorecon_transition($1)
+role $2 types restorecon_t;
+allow restorecon_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
+type restorecon_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_restorecon_execute(domain)
@@ -171,8 +345,15 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
-# selinux_run_init_transition(domain)
+## <interface name="selinux_run_init_transition">
+##	<description>
+##		Execute run_init in the run_init domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_run_init_transition',`
 requires_block_template(`$0'_depend)
@@ -188,6 +369,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_run_init_transition_add_role_use_terminal">
+##	<description>
+##		Execute run_init in the run_init domain, and
+##		allow the specified role the run_init domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the run_init domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the run_init domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_run_init_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_run_init_transition($1)
+role $2 types run_init_t;
+allow run_init_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_run_init_transition_add_role_use_terminal_depend',`
+type run_init_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # selinux_run_init_use_file_descriptors(domain)
@@ -202,9 +414,16 @@ type run_init_t;
 class fd use;
 ')
 
-#######################################
-#
-# selinux_setfiles_transition(domain)
+########################################
+## <interface name="selinux_setfiles_transition">
+##	<description>
+##		Execute setfiles in the setfiles domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`selinux_setfiles_transition',`
 requires_block_template(`$0'_depend)
@@ -220,6 +439,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="selinux_setfiles_transition_add_role_use_terminal">
+##	<description>
+##		Execute setfiles in the setfiles domain, and
+##		allow the specified role the setfiles domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the setfiles domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the setfiles domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_setfiles_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+selinux_setfiles_transition($1)
+role $2 types setfiles_t;
+allow setfiles_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
+type setfiles_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # selinux_setfiles_execute(domain)

refpolicy/policy/modules/system/selinuxutil.te

@@ -117,6 +117,9 @@ terminal_use_console(checkpolicy_t)
 
 domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
 
+# directory search permissions for path to source and binary policy files
+files_search_general_system_config_directory(checkpolicy_t)
+
 init_use_file_descriptors(checkpolicy_t)
 init_script_use_pseudoterminal(checkpolicy_t)
 
@@ -126,20 +129,8 @@ libraries_use_shared_libraries(checkpolicy_t)
 userdomain_use_all_users_file_descriptors(checkpolicy_t)
 
 ifdef(`TODO',`
-role sysadm_r types checkpolicy_t;
-domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
-allow checkpolicy_t admin_tty_type:chr_file { read write ioctl getattr };
-allow checkpolicy_t sysadm_tmp_t:file { getattr write };
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t etc_t:dir search;
-
 # Read the devpts root directory.  
 ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
 ') dnl endif TODO
 
 ########################################
@@ -180,10 +171,6 @@ miscfiles_read_localization(load_policy_t)
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
 ifdef(`TODO',`
-role sysadm_r types load_policy_t;
-domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
-allow load_policy_t sysadm_tmp_t:file { getattr write };
-allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
 
 # directory search permissions for path to binary policy files
 allow load_policy_t etc_t:dir search;
@@ -227,11 +214,13 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
 terminal_use_all_private_physical_terminals(newrole_t)
 terminal_use_all_private_pseudoterminals(newrole_t)
 
-# Write to utmp.
-init_script_modify_runtime_data(newrole_t)
+authlogin_check_password_transition(newrole_t)
 
 domain_use_widely_inheritable_file_descriptors(newrole_t)
 
+# Write to utmp.
+init_script_modify_runtime_data(newrole_t)
+
 files_read_general_system_config(newrole_t)
 
 libraries_use_dynamic_loader(newrole_t)
@@ -241,13 +230,10 @@ logging_send_system_log_message(newrole_t)
 
 miscfiles_read_localization(newrole_t)
 
-authlogin_check_password_transition(newrole_t)
+userdomain_use_all_unprivileged_users_file_descriptors(newrole_t)
 
 ifdef(`TODO',`
-in_user_role(newrole_t)
-role sysadm_r types newrole_t;
 
-allow newrole_t unpriv_userdomain:fd use;
 can_ypbind(newrole)
 ifdef(`automount.te', `
 allow newrole_t autofs_t:dir { search getattr };
@@ -283,10 +269,6 @@ ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
 dontaudit newrole_t { home_root_t home_type }:dir search;
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain newrole_t:process signal;
-
 ') dnl ifdef TODO
 
 ########################################
@@ -340,17 +322,20 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(restorecon_t)
+filesystem_use_tmpfs_block_devices(restorecon_t)
+')
+
 ifdef(`TODO',`
-allow restorecon_t admin_tty_type:chr_file { read write ioctl };
-domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
-role sysadm_r types restorecon_t;
 
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
 tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
+allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
 ')
 
 allow restorecon_t fs_type:dir r_dir_perms;
@@ -391,6 +376,7 @@ devices_ignore_list_device_nodes(run_init_t)
 
 terminal_ignore_list_pseudoterminals(run_init_t)
 
+authlogin_check_password_transition(run_init_t)
 authlogin_ignore_read_shadow_passwords(run_init_t)
 
 corecommands_execute_general_programs(run_init_t)
@@ -423,11 +409,6 @@ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
 domain_trans(initrc_t, shell_exec_t, unconfined_t)
-', `
-domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
-role sysadm_r types run_init_t;
-domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
-allow run_init_t admin_tty_type:chr_file rw_file_perms;
 ') dnl endif targeted policy
 
 tunable_policy(`distro_gentoo', `
@@ -479,6 +460,8 @@ logging_send_system_log_message(setfiles_t)
 miscfiles_read_localization(setfiles_t)
 
 userdomain_use_all_users_file_descriptors(setfiles_t)
+# for config files in a home directory
+userdomain_read_all_users_data(setfiles_t)
 
 # relabeling rules
 kernel_relabel_unlabeled_object(setfiles_t)
@@ -489,10 +472,6 @@ files_manage_all_files_labels(setfiles_t)
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 
 ifdef(`TODO',`
-
-domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
-role sysadm_r types setfiles_t;
-
 # for upgrading glibc and other shared objects - without this the upgrade
 # scripts will put things in a state such that setfiles can not be run!
 allow setfiles_t lib_t:file { read execute };
@@ -501,6 +480,4 @@ allow setfiles_t unlabeled_t:dir read;
 
 allow setfiles_t fs_type:dir r_dir_perms;
 
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
 ') dnl endif TODO

refpolicy/policy/modules/system/sysnetwork.if

@@ -18,9 +18,16 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
-########################################
-#
-# sysnetwork_ifconfig_transition(domain)
+#######################################
+## <interface name="sysnetwork_ifconfig_transition">
+##	<description>
+##		Execute ifconfig in the ifconfig domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`sysnetwork_ifconfig_transition',`
 requires_block_template(`$0'_depend)
@@ -36,6 +43,37 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="sysnetwork_ifconfig_transition_add_role_use_terminal">
+##	<description>
+##		Execute ifconfig in the ifconfig domain, and
+##		allow the specified role the ifconfig domain,
+##		and use the caller's terminal.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to be allowed the ifconfig domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the ifconfig domain to use.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+sysnetwork_ifconfig_transition($1)
+role $2 types ifconfig_t;
+allow ifconfig_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
+type ifconfig_t;
+class chr_file { getattr read write ioctl };
+')
+
 ########################################
 #
 # sysnetwork_read_network_config(domain)

refpolicy/policy/modules/system/sysnetwork.te

@@ -94,28 +94,28 @@ terminal_ignore_use_all_private_physical_terminals(dhcpc_t)
 terminal_ignore_use_all_private_pseudoterminals(dhcpc_t)
 terminal_ignore_use_general_physical_terminal(dhcpc_t)
 
-init_use_file_descriptors(dhcpc_t)
-init_script_use_pseudoterminal(dhcpc_t)
-init_script_modify_runtime_data(dhcpc_t)
+corecommands_execute_general_programs(dhcpc_t)
+corecommands_execute_system_programs(dhcpc_t)
+corecommands_execute_shell(dhcpc_t)
 
 domain_use_widely_inheritable_file_descriptors(dhcpc_t)
 
 files_read_general_system_config(dhcpc_t)
 files_read_runtime_system_config(dhcpc_t)
 
-corecommands_execute_general_programs(dhcpc_t)
-corecommands_execute_system_programs(dhcpc_t)
-corecommands_execute_shell(dhcpc_t)
+init_use_file_descriptors(dhcpc_t)
+init_script_use_pseudoterminal(dhcpc_t)
+init_script_modify_runtime_data(dhcpc_t)
 
 logging_send_system_log_message(dhcpc_t)
 
 libraries_use_dynamic_loader(dhcpc_t)
 libraries_use_shared_libraries(dhcpc_t)
 
-modutils_insmod_transition(dhcpc_t)
-
 miscfiles_read_localization(dhcpc_t)
 
+modutils_insmod_transition(dhcpc_t)
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(dhcpc_t)
 terminal_ignore_use_general_pseudoterminal(dhcpc_t)
@@ -142,6 +142,10 @@ optional_policy(`udev.te',`
 udev_read_database(dhcpc_t)
 ')
 
+optional_policy(`userdomain.te',`
+userdomain_use_all_users_file_descriptors(dhcpc_t)
+')
+
 #
 # dhclient sometimes starts ypbind and ntpd
 #
@@ -203,8 +207,6 @@ allow dhcpc_t dhcp_etc_t:file { read getattr };
 allow dhcpc_t dhcp_etc_t:lnk_file { getattr read };
 allow dhcpc_t dhcp_etc_t:file { getattr read execute execute_no_trans };
 
-allow dhcpc_t userdomain:fd use;
-
 ifdef(`distro_redhat', `
 files_execute_system_config_script(dhcpc_t)
 allow initrc_t dhcp_etc_t:file rw_file_perms;
@@ -273,6 +275,8 @@ miscfiles_read_localization(ifconfig_t)
 
 selinux_run_init_use_file_descriptors(ifconfig_t)
 
+userdomain_use_all_users_file_descriptors(ifconfig_t)
+
 ifdef(`TODO',`
 
 can_ypbind(ifconfig_t)
@@ -280,10 +284,6 @@ ifdef(`automount.te', `
 allow ifconfig_t autofs_t:dir { search getattr };
 ')
 
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-role sysadm_r types ifconfig_t;
-allow ifconfig_t userdomain:fd use;
-
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 

refpolicy/policy/modules/system/udev.te

@@ -81,6 +81,7 @@ devices_manage_device_nodes(udev_t)
 filesystem_get_all_filesystems_attributes(udev_t)
 
 init_script_read_runtime_data(udev_t)
+init_script_ignore_write_runtime_data(udev_t)
 
 files_read_runtime_system_config(udev_t)
 files_read_general_system_config(udev_t)
@@ -102,6 +103,14 @@ logging_send_system_log_message(udev_t)
 
 sysnetwork_ifconfig_transition(udev_t)
 
+tunable_policy(`distro_redhat',`
+filesystem_manage_tmpfs_block_devices(udev_t)
+filesystem_manage_tmpfs_character_devices(udev_t)
+
+# for arping used for static IP addresses on PCMCIA ethernet
+netutils_transition(udev_t)
+') dnl end ifdef distro_redhat
+
 optional_policy(`authlogin.te',`
 authlogin_pam_console_read_runtime_data(udev_t)
 authlogin_pam_console_transition(udev_t)
@@ -127,10 +136,10 @@ allow udev_t var_lock_t:file getattr;
 allow udev_t mnt_t:dir search;
 
 allow udev_t devpts_t:dir { getattr search };
+
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # Dontaudits
-dontaudit udev_t initrc_var_run_t:file write;
 dontaudit udev_t staff_home_dir_t:dir search;
 dontaudit udev_t file_t:dir search;
 dontaudit udev_t domain:dir r_dir_perms;
@@ -142,14 +151,9 @@ dbusd_client(system, udev)
 
 # Ifdefs
 tunable_policy(`distro_redhat',`
-allow udev_t tmpfs_t:dir rw_dir_perms;
 allow udev_t tmpfs_t:sock_file create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(udev_t)
+allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
 ') dnl end ifdef distro_redhat
 
 tunable_policy(`hide_broken_symptoms',`

refpolicy/policy/modules/system/userdomain.if

@@ -128,6 +128,8 @@ logging_ignore_get_all_logs_attributes($1_t)
 miscfiles_read_localization($1_t)
 miscfiles_manage_man_page_cache($1_t)
 
+selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+
 mta_modify_mail_spool($1_t)
 
 if (allow_execmem) {
@@ -376,11 +378,11 @@ type $1_devpts_t; # userpty_type, user_tty_type;
 terminal_make_user_pseudoterminal($1_t,$1_devpts_t)
 
 # Type for home directory.
-type $1_home_dir_t; #, home_dir_type, home_type, user_home_dir_type;
+type $1_home_dir_t, home_dir_type, home_type; #, user_home_dir_type;
 files_make_file($1_home_dir_t)
 
 # Type for files and directories in the home directory
-type $1_home_t, $1_file_type; #, home_type, user_home_type;
+type $1_home_t, $1_file_type, home_type; #, user_home_type;
 files_make_file($1_home_t)
 
 type $1_tmp_t, $1_file_type; #, user_tmpfile
@@ -438,8 +440,16 @@ init_script_read_runtime_data($1_t)
 # The library functions always try to open read-write first,
 # then fall back to read-only if it fails. 
 init_script_ignore_write_runtime_data($1_t)
+# Stop warnings about access to /dev/console
+init_ignore_use_file_descriptors($1_t)
+init_script_ignore_use_file_descriptors($1_t)
+
+miscfiles_read_man_pages($1_t)
 
 selinux_read_config($1_t)
+# Allow users to execute checkpolicy without a domain transition
+# so it can be used without privilege to write real binary policy file
+selinux_checkpolicy_execute($1_t)
 
 if (user_dmesg) {
 kernel_read_ring_buffer($1_t)
@@ -454,6 +464,16 @@ if (user_tcp_server) {
 corenetwork_bind_tcp_on_general_port($1_t)
 }
 
+# for running depmod as part of the kernel packaging process
+optional_policy(`modutils.te',`
+modutils_read_kernel_module_loading_config($1_t)
+')
+
+optional_policy(`selinux.te',`
+# for when the network connection is killed
+selinux_newrole_ignore_signal($1_t)
+')
+
 # Need the following rule to allow users to run vpnc
 optional_policy(`xserver.te', `
 corenetwork_bind_tcp_on_xserver_port($1_t)
@@ -509,13 +529,6 @@ allow $1_t var_run_t:{ file lnk_file } r_file_perms;
 allow $1_t var_lib_t:dir r_dir_perms;
 allow $1_t var_lib_t:file { getattr read };
 
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-allow $1_t man_t:dir r_dir_perms;
-allow $1_t man_t:notdevfile_class_set r_file_perms;
-
 # Allow users to rw usb devices
 if (user_rw_usb) {
 rw_dir_create_file($1_t,usbdevfs_t)
@@ -523,10 +536,6 @@ rw_dir_create_file($1_t,usbdevfs_t)
 r_dir_file($1_t,usbdevfs_t)
 }
 
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file r_file_perms;
-
 # Do not audit write denials to /etc/ld.so.cache.
 dontaudit $1_t ld_so_cache_t:file write;
 
@@ -540,10 +549,8 @@ dontaudit $1_t devlog_t:sock_file { read write };
 dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
 ')
 
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
 allow $1_t initrc_t:fifo_file write;
+
 ifdef(`user_can_mount', `
 #
 #  Allow users to mount file systems like floppies and cdrom
@@ -586,7 +593,7 @@ role system_r types $1_t;
 #; dnl end of sysadm_t type declaration
 
 # Type and access for pty devices.
-type $1_devpts_t;
+type $1_devpts_t, admin_terminal;
 terminal_make_pseudoterminal($1_devpts_t)
 
 type $1_home_t, $1_file_type; #, home_type;
@@ -598,7 +605,7 @@ files_make_file($1_home_t)
 type $1_tmp_t, $1_file_type;
 files_make_temporary_file($1_tmp_t)
 
-type $1_tty_device_t;
+type $1_tty_device_t, admin_terminal;
 terminal_make_physical_terminal($1_t,$1_tty_device_t)
 
 ##############################
@@ -675,6 +682,8 @@ terminal_use_all_private_physical_terminals($1_t)
 
 domain_set_all_domains_priorities($1_t)
 
+files_execute_system_source_code_scripts($1_t)
+
 init_use_control_channel($1_t)
 
 logging_send_system_log_message($1_t)
@@ -690,6 +699,10 @@ selinux_manage_source_policy($1_t)
 # But presently necessary for installing the file_contexts file.
 selinux_manage_binary_policy($1_t)
 
+optional_policy(`cron.te',`
+cron_admin_template($1)
+')
+
 ifdef(`TODO',`
 
 # Let admin stat the shadow file.
@@ -727,9 +740,6 @@ allow $1_t ptyfile:chr_file getattr;
 # Not ideal, but typical if users want to login as both sysadm_t or staff_t.
 can_exec($1_t, staff_home_t)
 
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
 # Run admin programs that require different permissions in their own domain.
 # These rules were moved into the appropriate program domain file.
 
@@ -764,16 +774,6 @@ allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
 allow $1_gph_t user_home_type:file create_file_perms;
 ')
 
-# Manipulate other users crontab.
-can_getsecurity(sysadm_crontab_t)
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
 # for the administrator to run TCP servers directly
 allow $1_t kernel_t:tcp_socket recvfrom;
 
@@ -794,7 +794,55 @@ allow $1_t eventpollfs_t:file getattr;
 ') dnl endif TODO
 ')
 
+########################################
+## <interface name="userdomain_use_admin_terminals">
+##	<description>
+##		Read and write administrative users
+##		physical and pseudo terminals.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
+define(`userdomain_use_admin_terminals',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+terminal_list_pseudoterminals($1)
+allow $1 admin_terminal:chr_file { getattr read write ioctl };
+')
+
+define(`userdomain_use_admin_terminals_depend',`
+attribute admin_terminal;
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+## <interface name="userdomain_read_all_users_data">
+##	<description>
+##		Inherit the file descriptors from all user domains
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
+#
+define(`userdomain_read_all_users_data',`
+requires_block_template(`$0'_depend)
+files_list_home_directories($1)
+allow $1 home_type:dir { getattr search read };
+allow $1 home_type:file { getattr read };
+')
+
+define(`userdomain_read_all_users_data_depend',`
+attribute home_type;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
 ## <interface name="userdomain_use_all_users_file_descriptors">
 ##	<description>
 ##		Inherit the file descriptors from all user domains
@@ -815,4 +863,47 @@ attribute userdomain;
 class fd use;
 ')
 
+########################################
+## <interface name="userdomain_use_all_unprivileged_users_file_descriptors">
+##	<description>
+##		Inherit the file descriptors from all user domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
+#
+define(`userdomain_use_all_unprivileged_users_file_descriptors',`
+requires_block_template(`$0'_depend)
+allow $1 unpriv_userdomain:fd use;
+')
+
+define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
+attribute unpriv_userdomain;
+class fd use;
+')
+
+########################################
+## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors">
+##	<description>
+##		Do not audit attempts to inherit the
+##		file descriptors from all user domains.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="1"/>
+## </interface>
+#
+define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',`
+requires_block_template(`$0'_depend)
+dontaudit $1 unpriv_userdomain:fd use;
+')
+
+define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',`
+attribute unpriv_userdomain;
+class fd use;
+')
+
 ## </module>

refpolicy/policy/modules/system/userdomain.te

@@ -7,6 +7,15 @@ policy_module(userdomain,1.0)
 # Declarations
 #
 
+# admin users terminals (tty and pty)
+attribute admin_terminal;
+
+# users home directory
+attribute home_dir_type;
+
+# users home directory contents
+attribute home_type;
+
 # The privhome attribute identifies every domain that can create files under
 # regular user home directories in the regular context (IE act on behalf of
 # a user in writing regular files)
@@ -66,7 +75,6 @@ bool user_tcp_server false;
 # Allow w to display everyone
 bool user_ttyfile_stat false;
 
-admin_domain_template(sysadm)
 user_domain_template(staff)
 user_domain_template(user)
 
@@ -77,8 +85,51 @@ user_domain_template(user)
 
 #allow privhome home_root_t:dir { getattr search };
 
+# Add/remove user home directories
+#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+
+########################################
+#
+# Sysadm local policy
+#
+
+admin_domain_template(sysadm)
+
 # for su
 allow sysadm_t userdomain:fd use;
 
-# Add/remove user home directories
-#file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
+optional_policy(`iptables.te',`
+iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`lvm.te',`
+lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`modutils.te',`
+modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`mount.te',`
+mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`selinux.te',`
+selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+optional_policy(`targeted_policy',`',`
+selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+')
+
+optional_policy(`sysnetwork.te',`
+sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
+optional_policy(`clock.te',`
+clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')