another cleanup pass

refpolicy/policy/modules/admin/rpm.if

@@ -30,13 +30,13 @@ class process { transition noatsecure siginh rlimitinh };
 ########################################
 ## <interface name="rpm_transition_add_role_use_terminal">
 ##	<description>
-##		Execute rpm programs in the rpm domain.
+##		Execute RPM programs in the RPM domain.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
 ##	</parameter>
 ##	<parameter name="role">
-##		The role to allow the rpm domain.
+##		The role to allow the RPM domain.
 ##	</parameter>
 ##	<parameter name="terminal">
 ##		The type of the terminal allow the RPM domain to use.
@@ -100,18 +100,43 @@ class fifo_file { getattr read };
 ')
 
 ########################################
+## <interface name="rpm_read_package_database">
+##	<description>
+##		Read RPM package database.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
-# rpm_read_library_state(domain)
+define(`rpm_read_package_database',`
-#
-define(`rpm_read_library_state',`
 requires_block_template(`$0'_depend)
 allow $1 rpm_var_lib_t:dir { getattr read search };
 allow $1 rpm_var_lib_t:file { read getattr };
 allow $1 rpm_var_lib_t:lnk_file { getattr read };
 ')
 
-define(`kernel_read_system_state_depend',`
+define(`rpm_read_package_database_depend',`
-type proc_t;
+type rpm_var_lib_t_t;
+class dir { search getattr read };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# rpm_manage_package_database(domain)
+#
+define(`rpm_manage_package_database',`
+requires_block_template(`$0'_depend)
+allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
+allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+define(`rpm_manage_package_database_depend',`
+type rpm_var_lib_t_t;
 class dir { search getattr read };
 class lnk_file { getattr read };
 class file { getattr read };

refpolicy/policy/modules/kernel/bootloader.if

@@ -86,6 +86,21 @@ type boot_t;
 class dir search;
 ')
 
+########################################
+#
+# bootloader_modify_bootloader_data_directory_symbolic_links(domain)
+#
+define(`bootloader_modify_bootloader_data_directory_symbolic_links',`
+requires_block_template(`$0'_depend)
+allow $1 boot_t:dir { getattr search read };
+allow $1 boot_t:lnk_file { getattr read write };
+')
+
+define(`bootloader_modify_bootloader_data_directory_symbolic_links_depend',`
+type boot_t;
+class dir { getattr search read };
+')
+
 ########################################
 #
 # bootloader_install_kernel(domain)

refpolicy/policy/modules/kernel/bootloader.te

@@ -179,9 +179,6 @@ modutils_update_modules_execute(bootloader_t)
 ')
 
 ifdef(`TODO',`
-# admin runs bootloader:
-domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t admin_tty_type:chr_file rw_file_perms;
 
 allow bootloader_t initrc_t:fifo_file { read write };
 

refpolicy/policy/modules/kernel/devices.if

@@ -132,6 +132,30 @@ type device_t;
 class chr_file getattr;
 ')
 
+########################################
+## <interface name="devices_remove_dev_symbolic_links">
+##	<description>
+##		Delete symbolic links in /dev.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="1"/>
+## </interface>
+#
+define(`devices_remove_dev_symbolic_links',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr read write remove_name };
+allow $1 device_t:lnk_file unlink;
+')
+
+define(`devices_remove_dev_symbolic_links_depend',`
+attribute device_node, memory_raw_read, memory_raw_write;
+type device_t;
+class dir { getattr read write remove_name };
+class lnk_file unlink;
+')
+
 ########################################
 #
 # devices_manage_dev_symbolic_links(domain)
@@ -143,7 +167,6 @@ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
 ')
 
 define(`devices_manage_dev_symbolic_links_depend',`
-attribute device_node, memory_raw_read, memory_raw_write;
 type device_t;
 class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 class lnk_file { create read getattr setattr link unlink rename };

refpolicy/policy/modules/kernel/filesystem.if

@@ -117,6 +117,20 @@ type fs_t;
 class filesystem getattr;
 ')
 
+########################################
+#
+# filesystem_relabelfrom_persistent_filesystem(domain)
+#
+define(`filesystem_relabelfrom_persistent_filesystem',`
+requires_block_template(`$0'_depend)
+allow $1 fs_t:filesystem relabelfrom;
+')
+
+define(`filesystem_relabelfrom_persistent_filesystem_depend',`
+type fs_t;
+class filesystem relabelfrom;
+')
+
 ########################################
 #
 # filesystem_mount_automount_filesystem(domain)
@@ -395,6 +409,20 @@ type dosfs_t;
 class filesystem getattr;
 ')
 
+########################################
+#
+# filesystem_relabelfrom_dos_filesystem(domain)
+#
+define(`filesystem_relabelfrom_dos_filesystem',`
+requires_block_template(`$0'_depend)
+allow $1 dosfs_t:filesystem relabelfrom;
+')
+
+define(`filesystem_relabelfrom_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem relabelfrom;
+')
+
 ########################################
 #
 # filesystem_mount_cd_filesystem(domain)

refpolicy/policy/modules/kernel/kernel.if

@@ -142,6 +142,20 @@ type unlabeled_t;
 class process sigkill;
 ')
 
+########################################
+#
+# kernel_ignore_get_unlabeled_block_device_attributes(domain)
+#
+define(`kernel_ignore_get_unlabeled_block_device_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 unlabeled_t:blk_file getattr;
+')
+
+define(`kernel_ignore_get_unlabeled_block_device_attributes_depend',`
+type unlabeled_t;
+class process getattr;
+')
+
 ########################################
 #
 # kernel_relabel_unlabeled_object(domain)

refpolicy/policy/modules/system/authlogin.if

@@ -1,4 +1,6 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+## <module name="authlogin" layer="system">
+## <summary>Common policy for authentication and user login.</summary>
 
 #######################################
 #
@@ -249,9 +251,16 @@ type lastlog_t;
 class file { getattr read write setattr };
 ')
 
-#######################################
+########################################
-#
+## <interface name="authlogin_pam_transition">
-# authlogin_pam_transition(domain)
+##	<description>
+##		Execute pam programs in the pam domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
 #
 define(`authlogin_pam_transition',`
 requires_block_template(`$0'_depend)
@@ -267,6 +276,35 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+########################################
+## <interface name="authlogin_pam_transition_add_role_use_terminal">
+##	<description>
+##		Execute pam programs in the PAM domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to allow the PAM domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the PAM domain to use.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`authlogin_pam_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+authlogin_pam_transition($1)
+role $2 types pam_t;
+allow pam_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`authlogin_pam_transition_add_role_use_terminal_depend',`
+type pam_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # authlogin_pam_execute(domain)
@@ -373,6 +411,60 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 class lnk_file { create read getattr setattr link unlink rename };
 ')
 
+########################################
+## <interface name="authlogin_utempter_transition">
+##	<description>
+##		Execute utempter programs in the utempter domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`authlogin_utempter_transition',`
+requires_block_template(`$0'_depend)
+allow $1 utempter_exec_t:file { getattr read execute };
+allow $1 utempter_t:process transition;
+type_transition $1 utempter_exec_t:file utempter_t;
+dontaudit $1 utempter_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`authlogin_utempter_transition_depend',`
+type utempter_t, utempter_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+## <interface name="authlogin_utempter_transition_add_role_use_terminal">
+##	<description>
+##		Execute utempter programs in the utempter domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<parameter name="role">
+##		The role to allow the utempter domain.
+##	</parameter>
+##	<parameter name="terminal">
+##		The type of the terminal allow the utempter domain to use.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`authlogin_utempter_transition_add_role_use_terminal',`
+requires_block_template(`$0'_depend)
+authlogin_utempter_transition($1)
+role $2 types utempter_t;
+allow utempter_t $3:chr_file { getattr read write ioctl };
+')
+
+define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
+type utempter_t;
+class chr_file { getattr read write ioctl };
+')
+
 #######################################
 #
 # authlogin_read_login_records(domain)
@@ -416,3 +508,5 @@ define(`authlogin_modify_login_records_depend',`
 type wtmp_t;
 class file { getattr read write setattr };
 ')
+
+## </module>

refpolicy/policy/modules/system/authlogin.te

@@ -107,19 +107,18 @@ libraries_use_shared_libraries(pam_t)
 
 logging_send_system_log_message(pam_t)
 
+userdomain_use_all_unprivileged_users_file_descriptors(pam_t)
+
 optional_policy(`locallogin.te',`
 locallogin_use_file_descriptors(pam_t)
 ')
 
 ifdef(`TODO',`
-allow pam_t unpriv_userdomain:fd use;
 can_ypbind(pam_t)
 ifdef(`automount.te', `
 allow pam_t autofs_t:dir { search getattr };
 ')
 
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
 ') dnl endif TODO
 
@@ -169,6 +168,8 @@ logging_send_system_log_message(pam_console_t)
 
 selinux_read_file_contexts(pam_console_t)
 
+userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t)
+
 tunable_policy(`direct_sysadm_daemon', `
 dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')
@@ -198,7 +199,6 @@ allow pam_console_t rhgb_t:process sigchld;
 allow pam_console_t rhgb_t:fd use;
 allow pam_console_t rhgb_t:fifo_file { read write };
 ')
-dontaudit pam_console_t unpriv_userdomain:fd use;
 allow pam_console_t autofs_t:dir { search getattr };
 
 allow pam_console_t { 
@@ -214,8 +214,6 @@ removable_device_t
 scsi_generic_device_t
 }:chr_file { getattr setattr };
 
-
-
 allow pam_console_t mnt_t:dir r_dir_perms;
 
 ifdef(`gpm.te', `
@@ -306,10 +304,6 @@ libraries_use_shared_libraries(utempter_t)
 logging_search_system_log_directory(utempter_t)
 
 ifdef(`TODO',`
-in_user_role(utempter_t)
-role sysadm_r types utempter_t;
-domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
-
 # Allow utemper to write to /tmp/.xses-*
 allow utempter_t user_tmpfile:file { getattr write append };
 

refpolicy/policy/modules/system/files.if

@@ -200,6 +200,48 @@ attribute file_type;
 class dir { getattr search read };
 ')
 
+#######################################
+#
+# files_relabelto_all_file_type_filesystems(domain)
+#
+define(`files_relabelto_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem relabelto;
+')
+
+define(`files_relabelto_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem relabelto;
+')
+
+#######################################
+#
+# files_mount_all_file_type_filesystems(domain)
+#
+define(`files_mount_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem mount;
+')
+
+define(`files_mount_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem mount;
+')
+
+#######################################
+#
+# files_unmount_all_file_type_filesystems(domain)
+#
+define(`files_unmount_all_file_type_filesystems',`
+requires_block_template(`$0'_depend)
+allow $1 file_type:filesystem mount;
+')
+
+define(`files_unmount_all_file_type_filesystems_depend',`
+attribute file_type;
+filesystem mount;
+')
+
 ########################################
 #
 # files_mount_on_all_mountpoints(domain)
@@ -710,6 +752,22 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr create read write setattr unlink };
 ')
 
+########################################
+#
+# files_get_system_lock_file_attributes(domain)
+#
+define(`files_get_system_lock_file_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 var_lock_t:dir { getattr search read };
+allow $1 var_lock_t:file getattr;
+')
+
+define(`files_get_system_lock_file_attributes_depend',`
+type var_lock_t;
+class dir { getattr search read };
+class file getattr;
+')
+
 ########################################
 #
 # files_manage_system_lock_files(domain)
@@ -843,6 +901,50 @@ class dir { getattr search read };
 class file { getattr read write };
 ')
 
+########################################
+## <interface name="files_ignore_write_all_daemon_runtime_data">
+##	<description>
+##		Do not audit attempts to write to daemon runtime data files.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+
+define(`files_ignore_write_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+dontaudit $1 pidfile:file write;
+')
+
+define(`files_ignore_write_all_daemon_runtime_data_depend',`
+attribute pidfile;
+class file write;
+')
+
+########################################
+## <interface name="files_ignore_ioctl_all_daemon_runtime_data">
+##	<description>
+##		Do not audit attempts to ioctl daemon runtime data files.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+
+define(`files_ignore_ioctl_all_daemon_runtime_data',`
+requires_block_template(`$0'_depend)
+dontaudit $1 pidfile:file ioctl;
+')
+
+define(`files_ignore_ioctl_all_daemon_runtime_data_depend',`
+attribute pidfile;
+class file ioctl;
+')
+
 ########################################
 #
 # files_remove_all_daemon_runtime_data(domain)

refpolicy/policy/modules/system/hotplug.te

@@ -32,6 +32,7 @@ allow hotplug_t self:process { getsession getattr };
 
 allow hotplug_t self:fifo_file { read write getattr ioctl };
 allow hotplug_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow hotplug_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept };
 
 allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
 allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
@@ -50,6 +51,13 @@ kernel_read_usb_hardware_state(hotplug_t)
 
 bootloader_read_kernel_modules(hotplug_t)
 
+corenetwork_network_tcp_on_all_interfaces(hotplug_t)
+corenetwork_network_raw_on_all_interfaces(hotplug_t)
+corenetwork_network_tcp_on_all_nodes(hotplug_t)
+corenetwork_network_raw_on_all_nodes(hotplug_t)
+corenetwork_network_tcp_on_all_ports(hotplug_t)
+corenetwork_bind_tcp_on_all_nodes(hotplug_t)
+
 # for SSP
 devices_get_pseudorandom_data(hotplug_t)
 
@@ -94,8 +102,19 @@ miscfiles_read_localization(hotplug_t)
 
 mount_transition(hotplug_t)
 
+sysnetwork_read_network_config(hotplug_t)
+
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
 
+tunable_policy(`distro_redhat', `
+optional_policy(`netutils.te', `
+# for arping used for static IP addresses on PCMCIA ethernet
+netutils_transition(hotplug_t)
+filesystem_use_tmpfs_character_devices(hotplug_t)
+') dnl endif netutils optional
+files_get_system_lock_file_attribues(hotplug_t)
+')dnl end distro_redhat tunable
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(hotplug_t)
 terminal_ignore_use_general_pseudoterminal(hotplug_t)
@@ -144,13 +163,10 @@ allow hotplug_t rhgb_t:fd use;
 allow hotplug_t rhgb_t:fifo_file { read write };
 ')
 
-can_exec(hotplug_t, { ls_exec_t })
-
 allow kernel_t hotplug_etc_t:dir search;
 
 allow hotplug_t sound_device_t:chr_file setattr;
 
-can_network_server(hotplug_t)
 can_ypbind(hotplug_t)
 dbusd_client(system, hotplug)
 
@@ -159,23 +175,10 @@ allow hotplug_t kernel_t:process sigchld;
 # for when filesystems are not mounted early in the boot
 dontaudit hotplug_t file_t:dir { search getattr };
 
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-
 # for ps
 dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
-tunable_policy(`distro_redhat', `
-optional_policy(`netutils.te', `
-# for arping used for static IP addresses on PCMCIA ethernet
-netutils_transition(hotplug_t)
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-') dnl endif netutils optional
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')dnl end distro_redhat tunable
-
 optional_policy(`hald.te', `
 allow hotplug_t hald_t:unix_dgram_socket sendto;
 ')

refpolicy/policy/modules/system/init.te

@@ -209,6 +209,8 @@ devices_read_realtime_clock(initrc_t)
 devices_read_sound_mixer_levels(initrc_t)
 devices_write_sound_mixer_levels(initrc_t)
 devices_set_all_character_device_attributes(initrc_t)
+# Wants to remove udev.tbl:
+devices_remove_dev_symbolic_links(initrc_t)
 
 filesystem_register_binary_executable_type(initrc_t)
 # cjp: not sure why these are here; should use mount policy
@@ -283,6 +285,7 @@ kernel_set_selinux_enforcement_mode(initrc_t)
 # Create and read /boot/kernel.h and /boot/System.map.
 # Redhat systems typically create this file at boot time.
 bootloader_create_runtime_data(initrc_t)
+bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
 
 filesystem_use_tmpfs_character_devices(initrc_t)
 
@@ -304,6 +307,17 @@ hotplug_read_config(initrc_t)
 modutils_read_kernel_module_dependencies(initrc_t)
 ')
 
+optional_policy(`rpm.te',`
+# why is this needed:
+rpm_manage_package_database(initrc_t)
+# for a bug in rm
+files_ignore_write_all_daemon_runtime_data(initrc_t)
+# bash tries ioctl for some reason
+files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
+# bash tries to access a block device in the initrd
+kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
+') dnl end rpm.te
+
 ifdef(`TODO',`
 
 # Mount and unmount file systems.
@@ -319,12 +333,6 @@ can_kerberos(initrc_t)
 dontaudit initrc_t krb5_conf_t:file write;
 allow initrc_t krb5_conf_t:file { getattr read };
 
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
 #
 #  These rules are here to allow init scripts to su
 #
@@ -343,10 +351,6 @@ file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 ')dnl end distro_debian
 
 tunable_policy(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-
 # readahead asks for these
 allow initrc_t var_lib_nfs_t:file { getattr read };
 ')dnl end distro_redhat
@@ -360,19 +364,4 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
 # for lsof which is used by alsa shutdown
 dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
 
-optional_policy(`rpm.te',`
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-') dnl end rpm.te
-
 ') dnl end TODO

refpolicy/policy/modules/system/locallogin.te

@@ -94,9 +94,10 @@ miscfiles_read_localization(local_login_t)
 selinux_read_config(local_login_t)
 selinux_read_default_contexts(local_login_t)
 
+userdomain_use_all_unprivileged_users_file_descriptors(local_login_t)
 
 ifdef(`TODO',`
-allow local_login_t unpriv_userdomain:fd use;
+
 can_ypbind(local_login_t)
 ifdef(`automount.te', `
 allow local_login_t autofs_t:dir { search getattr };
@@ -240,6 +241,8 @@ selinux_read_default_contexts(sulogin_t)
 
 authlogin_read_shadow_passwords(sulogin_t)
 
+userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t)
+
 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
 ifdef(`distro_suse', `define(`sulogin_no_pam')')
@@ -249,7 +252,6 @@ ifdef(`distro_debian', `define(`sulogin_no_pam')')
 tunable_policy(`sulogin_no_pam', `
 allow sulogin_t self:capability sys_tty_config;
 init_get_process_group(sulogin_t)
-#domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
 ', `
 allow sulogin_t self:process setexec;
 kernel_get_selinuxfs_mount_point(sulogin_t)
@@ -258,17 +260,18 @@ kernel_compute_selinux_access_vector(sulogin_t)
 kernel_compute_selinux_create_context(sulogin_t)
 kernel_compute_selinux_relabel_context(sulogin_t)
 kernel_compute_selinux_reachable_user_contexts(sulogin_t)
-#domain_trans(sulogin_t, shell_exec_t, sysadm_t)
 ')
 
 ifdef(`TODO',`
-allow sulogin_t unpriv_userdomain:fd use;
+
+domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
+allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
+
 can_ypbind(sulogin_t)
 ifdef(`automount.te', `
 allow sulogin_t autofs_t:dir { search getattr };
 ')
 
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
 
 # because file systems are not mounted

refpolicy/policy/modules/system/modutils.te

@@ -69,6 +69,8 @@ files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
 files_read_general_application_resources(insmod_t)
 files_execute_system_config_script(insmod_t)
+# for nscd
+files_ignore_search_runtime_data_directory(insmod_t)
 
 init_use_file_descriptors(insmod_t)
 init_script_use_file_descriptors(insmod_t)
@@ -113,8 +115,6 @@ allow insmod_t usbfs_t:filesystem mount;
 # for when /var is not mounted early in the boot
 dontaudit insmod_t file_t:dir search;
 
-# for nscd
-dontaudit insmod_t var_run_t:dir search;
 
 ') dnl if TODO
 

refpolicy/policy/modules/system/mount.te

@@ -36,7 +36,7 @@ filesystem_get_persistent_filesystem_attributes(mount_t)
 filesystem_mount_all_filesystems(mount_t)
 filesystem_unmount_all_filesystems(mount_t)
 filesystem_remount_all_filesystems(mount_t)
-files_unmount_root_filesystem(mount_t)
+filesystem_relabelfrom_persistent_filesystem(mount_t)
 
 terminal_use_console(mount_t)
 
@@ -51,6 +51,11 @@ files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
 files_read_general_system_config(mount_t)
 files_create_runtime_system_config(mount_t)
 files_mount_on_all_mountpoints(mount_t)
+files_unmount_root_filesystem(mount_t)
+# These rules need to be generalized.  Only admin, initrc should have it:
+files_relabelto_all_file_type_filesystems(mount_t)
+files_mount_all_file_type_filesystems(mount_t)
+files_mount_all_file_type_filesystems(mount_t)
 
 init_use_file_descriptors(mount_t)
 init_script_use_pseudoterminal(mount_t)
@@ -71,7 +76,7 @@ allow mount_t tmpfs_t:dir mounton;
 optional_policy(`authlogin.te',`
 authlogin_pam_console_read_runtime_data(mount_t)
 # mount config by default sets fscontext=removable_t
-allow mount_t dosfs_t:filesystem relabelfrom;
+filesystem_relabelfrom_dos_filesystem(mount_t)
 ') dnl end authlogin
 
 ') dnl end distro_redhat
@@ -112,12 +117,6 @@ files_make_mountpoint(var_lib_nfs_t)
 # for when /etc/mtab loses its type
 allow mount_t file_t:file { getattr read unlink };
 
-# TODO: Need macro for granting relabelto, relabelfrom
-allow mount_t fs_t:filesystem relabelfrom;
-
-# This rule needs to be generalized.  Only admin, initrc should have it.
-allow mount_t file_type:filesystem { unmount mount relabelto };
-
 ifdef(`gnome-pty-helper.te', `
 allow mount_t sysadm_gph_t:fd use;
 ')

refpolicy/policy/modules/system/userdomain.if

@@ -105,6 +105,8 @@ storage_get_fixed_disk_attributes($1_t)
 
 authlogin_read_login_records($1_t)
 authlogin_ignore_write_login_records($1_t)
+authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 
 corecommands_execute_general_programs($1_t)
 corecommands_execute_system_programs($1_t)

refpolicy/policy/modules/system/userdomain.te

@@ -98,6 +98,10 @@ admin_domain_template(sysadm)
 # for su
 allow sysadm_t userdomain:fd use;
 
+optional_policy(`bootloader.te',`
+bootloader_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`iptables.te',`
 iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal)
 ')