clean up more todos

refpolicy/policy/modules/admin/consoletype.te

@@ -52,7 +52,7 @@ libs_use_ld_so(consoletype_t)
 libs_use_shared_libs(consoletype_t)
 
 ifdef(`distro_redhat', `
-	fs_use_tmpfs_character_devices(consoletype_t)
+	fs_use_tmpfs_chr_dev(consoletype_t)
 ')
 
 optional_policy(`authlogin.te', `
@@ -67,6 +67,11 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(consoletype_t)
 ')
 
+optional_policy(`rpm.te',`
+	# Commonly used from postinst scripts
+	rpm_read_pipe(consoletype_t)
+')
+
 optional_policy(`userdomain.te',`
 	userdom_use_unpriv_users_fd(consoletype_t)
 ')
@@ -94,4 +99,5 @@ allow consoletype_t printconf_t:file r_file_perms;
 optional_policy(`firstboot.te', `
 allow consoletype_t firstboot_t:fifo_file write;
 ')
+
 ') dnl end TODO

refpolicy/policy/modules/admin/logrotate.te

@@ -158,6 +158,7 @@ rw_dir_create_file(logrotate_t, backup_store_t)
 ')
 
 allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+allow logrotate_t syslogd_exec_t:file r_file_perms;
 
 dontaudit logrotate_t selinux_config_t:dir search;
 ') dnl end TODO

refpolicy/policy/modules/admin/netutils.te

@@ -129,6 +129,12 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(ping_t)
 ')
 
+optional_policy(`sysnetwork.te',`
+	optional_policy(`hotplug.te',`
+		hotplug_use_fd(ping_t)
+	')
+')
+
 ifdef(`TODO',`
 in_user_role(ping_t)
 tunable_policy(`user_ping',`

refpolicy/policy/modules/admin/rpm.if

@@ -1,9 +1,9 @@
 ## <summary>Policy for the RPM package manager.</summary>
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute rpm programs in the rpm domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -27,9 +27,9 @@ interface(`rpm_domtrans',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Execute RPM programs in the RPM domain.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -53,9 +53,9 @@ interface(`rpm_run',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Inherit and use file descriptors from RPM.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -70,9 +70,9 @@ interface(`rpm_use_fd',`
 ')
 
 ########################################
-## <desc>
+## <summary>
 ##	Read from a RPM pipe.
-## </desc>
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -87,9 +87,9 @@ interface(`rpm_read_pipe',`
 ')
 
 ########################################
-## <desc>
-##	Read RPM package database.
-## </desc>
+## <summary>
+##	Read the RPM package database.
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
@@ -108,8 +108,12 @@ interface(`rpm_read_db',`
 ')
 
 ########################################
-#
-# rpm_manage_db(domain)
+## <summary>
+##	Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
 #
 interface(`rpm_manage_db',`
 	gen_require(`

refpolicy/policy/modules/admin/rpm.te

@@ -95,6 +95,7 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
 
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctl(rpm_t)
+
 selinux_get_fs_mount(rpm_t)
 selinux_validate_context(rpm_t)
 selinux_compute_access_vector(rpm_t)
@@ -128,6 +129,8 @@ storage_raw_read_fixed_disk(rpm_t)
 
 term_list_ptys(rpm_t)
 
+auth_relabel_all_files_except_shadow(rpm_t)
+auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
 
 corecmd_exec_bin(rpm_t)
@@ -162,6 +165,10 @@ optional_policy(`cron.te',`
 	cron_system_entry(rpm_t,rpm_exec_t)
 ')
 
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(rpm_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(rpm_t)
 ')
@@ -173,9 +180,6 @@ type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpf
 dontaudit rpm_t domain:process ptrace;
 
 # read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow rpm_t ttyfile:chr_file unlink;
 
@@ -194,23 +198,10 @@ optional_policy(`gnome-pty-helper.te', `
 allow rpm_t sysadm_gph_t:fd use;
 ')
 
-optional_policy(`mount.te', `
-allow rpm_t mount_t:udp_socket rw_socket_perms;
-')
-
 # for kernel package installation
 optional_policy(`mount.te', `
 allow mount_t rpm_t:fifo_file rw_file_perms;
 ')
-
-# Commonly used from postinst scripts
-optional_policy(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-optional_policy(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
 ') dnl endif TODO
 
 ########################################
@@ -289,6 +280,7 @@ domain_signull_all_domains(rpm_script_t)
 
 files_exec_etc_files(rpm_script_t)
 files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
 
@@ -322,8 +314,6 @@ ifdef(`TODO',`
 
 allow rpm_script_t sysfs_t:dir r_dir_perms;
 
-can_exec(rpm_script_t,usr_t)
-
 optional_policy(`lpd.te', `
 can_exec(rpm_script_t,printconf_t)
 ')

refpolicy/policy/modules/admin/usermanage.if

@@ -208,3 +208,19 @@ interface(`usermanage_run_useradd',`
 	allow useradd_t $3:chr_file rw_term_perms;
 ')
 
+########################################
+## <summary>
+##	Read the crack database.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`usermanage_read_crack_db',`
+	gen_require(`
+		type crack_db_t;
+		class file r_file_perms;
+	')
+
+	allow $1 crack_db_t:file r_file_perms;
+')

refpolicy/policy/modules/admin/usermanage.te

@@ -93,6 +93,10 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)
 
+# can exec /sbin/unix_chkpwd
+corecmd_search_bin(chfn_t)
+corecmd_search_sbin(chfn_t)
+
 domain_use_wide_inherit_fd(chfn_t)
 
 files_manage_etc_files(chfn_t)
@@ -120,10 +124,9 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
-role sysadm_r types chfn_t;
-in_user_role(chfn_t)
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
+ifdef(`firstboot.te',`
+domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
+')
 
 ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
 
@@ -134,9 +137,6 @@ allow chfn_t shell_exec_t:file execute;
 # on user home dir
 dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
 
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
 # uses unix_chkpwd for checking passwords
 dontaudit chfn_t selinux_config_t:dir search;
 ') dnl endif TODO

refpolicy/policy/modules/apps/gpg.if

@@ -79,6 +79,9 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
 	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
 
+	allow $1_t $1_gpg_secret_t:file getattr;
+	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
+
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_raw_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
@@ -95,8 +98,13 @@ template(`gpg_per_userdomain_template',`
 
 	fs_getattr_xattr_fs($1_gpg_t)
 
+	domain_use_wide_inherit_fd($1_gpg_t)
+
 	files_read_etc_files($1_gpg_t)
 	files_read_usr_files($1_gpg_t)
+	files_dontaudit_search_var($1_gpg_t)
+	# should not need read access...
+	files_list_home($1_gpg_t)
 
 	libs_use_shared_libs($1_gpg_t)
 	libs_use_ld_so($1_gpg_t)
@@ -135,20 +143,12 @@ template(`gpg_per_userdomain_template',`
 
 	ifdef(`TODO',`
 
-	allow $1_t $1_gpg_secret_t:file getattr;
-
 	access_terminal($1_gpg_t, $1)
 	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
 
-	# Inherit and use descriptors
-	allow $1_gpg_t { privfd $1_t }:fd use;
-
 	# allow ps to show gpg
 	can_ps($1_t, $1_gpg_t)
 
-	# should not need read access...
-	allow $1_gpg_t home_root_t:dir { read search };
-
 	# use $1_gpg_secret_t for files it creates
 	# NB we are doing the type transition for directory creation only!
 	# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
@@ -164,9 +164,6 @@ template(`gpg_per_userdomain_template',`
 
 	rw_dir_create_file($1_gpg_t, $1_file_type)
 
-	allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
-
-	dontaudit $1_gpg_t var_t:dir search;
 	') dnl end TODO
 
 	########################################
@@ -246,11 +243,26 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
 	allow $1_gpg_agent_t self:fifo_file rw_file_perms;
 
+	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
+	allow $1_gpg_agent_t $1_gpg_secret_t:dir create_dir_perms;
+	allow $1_gpg_agent_t $1_gpg_secret_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_gpg_secret_t:lnk_file create_lnk_perms;
+
+	# allow gpg to connect to the gpg agent
+	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
+	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
+	allow $1_gpg_t $1_gpg_agent_t:unix_stream_socket connectto;
+
+	# Allow the user shell to signal the gpg-agent program.
+	allow $1_t $1_gpg_agent_t:process { signal sigkill };
+
 	allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
 	allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
 	allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
 	files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
+	corecmd_search_bin($1_gpg_agent_t)
+
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
 
@@ -280,24 +292,15 @@ template(`gpg_per_userdomain_template',`
 	# Write to the user domain tty.
 	access_terminal($1_gpg_agent_t, $1)
 
-	# Allow the user shell to signal the gpg-agent program.
-	allow $1_t $1_gpg_agent_t:process { signal sigkill };
 	# allow ps to show gpg-agent
 	can_ps($1_t, $1_gpg_agent_t)
 
 	allow $1_gpg_agent_t proc_t:dir search;
 	allow $1_gpg_agent_t proc_t:lnk_file read;
 
-	allow $1_gpg_agent_t device_t:dir r_file_perms;
-
 	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 	allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-	create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
 
-	# gpg connect
-	allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-	allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-	can_unix_connect($1_gpg_t, $1_gpg_agent_t)
 	') dnl endif TODO
 
 	##############################
@@ -330,14 +333,20 @@ template(`gpg_per_userdomain_template',`
 	miscfiles_read_fonts($1_gpg_pinentry_t)
 	miscfiles_read_localization($1_gpg_pinentry_t)
 
-	ifdef(`TODO',`
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_read_nfs_files($1_gpg_pinentry_t)
+	')
 
-	allow $1_gpg_agent_t bin_t:dir search;
+	tunable_policy(`use_samba_home_dirs',`
+		fs_read_cifs_files($1_gpg_pinentry_t)
+	')
+
+	ifdef(`TODO',`
 
 	ifdef(`xdm.te', `
 		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
 		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-		can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+		allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
 		allow $1_gpg_pinentry_t xdm_t:fd use;
 	')
 
@@ -351,16 +360,12 @@ template(`gpg_per_userdomain_template',`
 	dontaudit $1_gpg_pinentry_t $1_home_t:file write;
 
 	tunable_policy(`use_nfs_home_dirs',`
-		allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-		allow $1_gpg_pinentry_t nfs_t:file r_file_perms;
-		dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t nfs_t:dir write;
 		dontaudit $1_gpg_pinentry_t nfs_t:file write;
 	')
 
 	tunable_policy(`use_samba_home_dirs',`
-		allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-		allow $1_gpg_pinentry_t cifs_t:file r_file_perms;
-		dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
+		dontaudit $1_gpg_pinentry_t cifs_t:dir write;
 		dontaudit $1_gpg_pinentry_t cifs_t:file write;
 	')
 

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -950,3 +950,21 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 
 	dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
+
+########################################
+## <summary>
+##	Read and write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	The domain allowed access.
+## </param>
+#
+interface(`corenet_use_tun_tap_device',`
+	gen_require(`
+		type tun_tap_device_t;
+		class chr_file { read write };
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file { read write };
+')

refpolicy/policy/modules/kernel/devices.if

@@ -646,6 +646,25 @@ interface(`dev_manage_all_chr_files',`
 	typeattribute $1 memory_raw_read, memory_raw_write;
 ')
 
+########################################
+## <summary>
+##	Read and write the apm bios.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_rw_apm_bios',`
+	gen_require(`
+		type device_t, apm_bios_t;
+		class dir r_dir_perms;
+		class chr_file rw_file_perms;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read raw memory devices (e.g. /dev/mem).
@@ -1671,7 +1690,7 @@ interface(`dev_getattr_sysfs_dir',`
 
 ########################################
 ## <summary>
-##	Search the directory containing hardware information.
+##	Search sysfs.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
@@ -1686,6 +1705,23 @@ interface(`dev_search_sysfs',`
 	allow $1 sysfs_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search sysfs.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`dev_dontaudit_search_sysfs',`
+	gen_require(`
+		type sysfs_t;
+		class dir search;
+	')
+
+	dontaudit $1 sysfs_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read hardware state information.

refpolicy/policy/modules/kernel/filesystem.if

@@ -1380,7 +1380,7 @@ interface(`fs_create_tmpfs_data',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_use_tmpfs_character_devices',`
+interface(`fs_use_tmpfs_chr_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir r_dir_perms; 
@@ -1399,7 +1399,7 @@ interface(`fs_use_tmpfs_character_devices',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_relabel_tmpfs_character_devices',`
+interface(`fs_relabel_tmpfs_chr_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir r_dir_perms;
@@ -1418,7 +1418,7 @@ interface(`fs_relabel_tmpfs_character_devices',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_use_tmpfs_block_devices',`
+interface(`fs_use_tmpfs_blk_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir r_dir_perms; 
@@ -1437,7 +1437,7 @@ interface(`fs_use_tmpfs_block_devices',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_relabel_tmpfs_block_devices',`
+interface(`fs_relabel_tmpfs_blk_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir r_dir_perms;
@@ -1448,6 +1448,46 @@ interface(`fs_relabel_tmpfs_block_devices',`
 	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
 ')
 
+########################################
+## <desc>
+##	Read and write, create and delete symbolic
+##	links on tmpfs filesystems.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_manage_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+		class dir rw_dir_perms;
+		class chr_file create_lnk_perms;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:chr_file create_lnk_perms;
+')
+
+########################################
+## <desc>
+##	Read and write, create and delete socket
+##	files on tmpfs filesystems.
+## </desc>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fs_manage_tmpfs_sockets',`
+	gen_require(`
+		type tmpfs_t;
+		class dir rw_dir_perms;
+		class sock_file create_file_perms;
+	')
+
+	allow $1 tmpfs_t:dir rw_dir_perms;
+	allow $1 tmpfs_t:sock_file create_file_perms;
+')
+
 ########################################
 ## <desc>
 ##	Read and write, create and delete character
@@ -1457,7 +1497,7 @@ interface(`fs_relabel_tmpfs_block_devices',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_manage_tmpfs_character_devices',`
+interface(`fs_manage_tmpfs_chr_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir rw_dir_perms;
@@ -1477,7 +1517,7 @@ interface(`fs_manage_tmpfs_character_devices',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`fs_manage_tmpfs_block_devices',`
+interface(`fs_manage_tmpfs_blk_dev',`
 	gen_require(`
 		type tmpfs_t;
 		class dir rw_dir_perms;

refpolicy/policy/modules/services/cron.te

@@ -132,6 +132,11 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(crond_t)
 ')
 
+optional_policy(`crond.te',`
+	# Commonly used from postinst scripts
+	rpm_read_pipe(crond_t)
+')
+
 optional_policy(`udev.te', `
 	udev_read_db(crond_t)
 ')
@@ -355,4 +360,7 @@ allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')
 
+# for daemon re-start
+allow system_crond_t syslogd_t:lnk_file read;
+
 ') dnl end TODO

refpolicy/policy/modules/system/authlogin.te

@@ -257,6 +257,8 @@ miscfiles_read_localization(system_chkpwd_t)
 
 seutil_read_config(system_chkpwd_t)
 
+userdom_dontaudit_use_unpriv_user_tty(system_chkpwd_t)
+
 tunable_policy(`use_dns',`
 	allow system_chkpwd_t self:udp_socket create_socket_perms;
 	corenet_udp_sendrecv_all_if(system_chkpwd_t)
@@ -275,8 +277,6 @@ optional_policy(`nis.te',`
 ifdef(`TODO',`
 can_kerberos(system_chkpwd_t)
 can_ldap(system_chkpwd_t)
-
-dontaudit system_chkpwd_t user_tty_type:chr_file rw_file_perms;
 ') dnl end TODO
 
 ########################################
@@ -309,10 +309,9 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_user_tmp(utempter_t)
 
-ifdef(`TODO',`
-ifdef(`xdm.te', `
-allow utempter_t xdm_t:fd use;
-allow utempter_t xdm_t:fifo_file { write getattr };
+optional_policy(`xserver.te', `
+	#allow utempter_t xdm_t:fd use;
+	xserver_use_xdm_fd(utempter_t)
+	#allow utempter_t xdm_t:fifo_file { write getattr };
+	xserver_write_xdm_fifo(utempter_t)
 ')
-
-') dnl endif TODO

refpolicy/policy/modules/system/domain.if

@@ -167,6 +167,25 @@ interface(`domain_dontaudit_use_wide_inherit_fd',`
 	dontaudit $1 privfd:fd use;
 ')
 
+########################################
+## <summary>
+##	Send a SIGCHLD signal to domains whose file
+##	discriptors are widely inheritable.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+# cjp: this was added because of newrole
+interface(`domain_sigchld_wide_inherit_fd',`
+	gen_require(`
+		attribute privfd;
+		class process signal;
+	')
+
+	dontaudit $1 privfd:fd use;
+')
+
 ########################################
 #
 # domain_setpriority_all_domains(domain)

refpolicy/policy/modules/system/files.if

@@ -814,6 +814,23 @@ interface(`files_list_mnt',`
 	allow $1 mnt_t:dir r_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Search the tmp directory (/tmp)
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_tmp',`
+	gen_require(`
+		type tmp_t;
+		class dir search;
+	')
+
+	allow $1 tmp_t:dir search;
+')
+
 ########################################
 #
 # files_create_tmp_files(domain,private_type,[object class(es)])
@@ -1000,17 +1017,33 @@ interface(`files_manage_urandom_seed',`
 	allow $1 var_lib_t:file { getattr create read write setattr unlink };
 ')
 
+########################################
+#
+# files_search_generic_locks(domain)
+#
+interface(`files_search_generic_locks',`
+	gen_require(`
+		type var_t;
+		type var_lock_t;
+		class dir search;
+	')
+
+	allow $1 { var_t var_lock_t }:dir search;
+')
+
 ########################################
 #
 # files_getattr_generic_locks(domain)
 #
 interface(`files_getattr_generic_locks',`
 	gen_require(`
+		type var_t;
 		type var_lock_t;
 		class dir r_dir_perms;
 		class file getattr;
 	')
 
+	allow $1 var_t:dir search;
 	allow $1 var_lock_t:dir r_dir_perms;
 	allow $1 var_lock_t:file getattr;
 ')

refpolicy/policy/modules/system/hostname.te

@@ -56,7 +56,7 @@ miscfiles_read_localization(hostname_t)
 userdom_use_all_user_fd(hostname_t)
 
 ifdef(`distro_redhat', `
-	fs_use_tmpfs_character_devices(hostname_t)
+	fs_use_tmpfs_chr_dev(hostname_t)
 ')
 
 ifdef(`targeted_policy', `
@@ -92,7 +92,7 @@ ifdef(`TODO',`
 
 ##daemon_base_domain(hostname, , nosysadm)
 ##must remembe to go back and take care of the nosysadm part
-allow hostname_t proc_t:dir { read getattr lock search ioctl };
+allow hostname_t proc_t:dir r_dir_perms;
 allow hostname_t proc_t:lnk_file read;
 
 optional_policy(`rhgb.te', `

refpolicy/policy/modules/system/hotplug.te

@@ -43,7 +43,6 @@ allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
 allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
 files_create_pid(hotplug_t,hotplug_var_run_t)
 
-
 kernel_sigchld(hotplug_t)
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
@@ -116,7 +115,7 @@ ifdef(`distro_redhat', `
 	optional_policy(`netutils.te', `
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_domtrans(hotplug_t)
-		fs_use_tmpfs_character_devices(hotplug_t)
+		fs_use_tmpfs_chr_dev(hotplug_t)
 	')
 	files_getattr_generic_locks(hotplug_t)
 ')
@@ -156,6 +155,14 @@ optional_policy(`selinux.te',`
 ')
 
 optional_policy(`sysnetwork.te',`
+	sysnet_domtrans_dhcpc(hotplug_t)
+	sysnet_signal_dhcpc(hotplug_t)
+	sysnet_kill_dhcpc(hotplug_t)
+	sysnet_signull_dhcpc(hotplug_t)
+	sysnet_sigstop_dhcpc(hotplug_t)
+	sysnet_sigchld_dhcpc(hotplug_t)
+	sysnet_read_dhcpc_pid(hotplug_t)
+	sysnet_rw_dhcp_config(hotplug_t)
 	sysnet_domtrans_ifconfig(hotplug_t)
 ')
 
@@ -188,8 +195,7 @@ optional_policy(`hald.te', `
 
 # this block goes to hald:
 optional_policy(`hotplug.te',`
-	allow hald_t hotplug_etc_t:dir search;
-	allow hald_t hotplug_etc_t:file { getattr read };
+	hotplug_read_config(hald_t)
 ')
 
 optional_policy(`lpd.te', `

refpolicy/policy/modules/system/init.te

@@ -130,7 +130,7 @@ seutil_read_config(init_t)
 miscfiles_read_localization(init_t)
 
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_character_devices(init_t)
+	fs_use_tmpfs_chr_dev(init_t)
 	fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
 
@@ -326,7 +326,7 @@ ifdef(`distro_redhat',`
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
 
-	fs_use_tmpfs_character_devices(initrc_t)
+	fs_use_tmpfs_chr_dev(initrc_t)
 
 	files_create_boot_flag(initrc_t)
 
@@ -383,6 +383,14 @@ optional_policy(`ssh.te',`
 	')
 ')
 
+optional_policy(`sysnetwork.te',`
+	ifdef(`distro_redhat',`
+		sysnet_rw_dhcp_config(initrc_t)
+	')
+
+	sysnet_read_dhcpc_state(initrc_t)
+')
+
 ifdef(`TODO',`
 
 # Mount and unmount file systems.

refpolicy/policy/modules/system/libraries.te

@@ -66,6 +66,7 @@ domain_use_wide_inherit_fd(ldconfig_t)
 
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
+files_search_tmp(ldconfig_t)
 # for when /etc/ld.so.cache is mislabeled:
 files_delete_etc_files(ldconfig_t)
 
@@ -77,8 +78,6 @@ userdom_use_all_user_fd(ldconfig_t)
 
 ifdef(`TODO',`
 
-allow ldconfig_t tmp_t:dir search;
-
 ifdef(`apache.te', `
 	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
 	dontaudit ldconfig_t httpd_modules_t:dir search;

refpolicy/policy/modules/system/locallogin.te

@@ -68,6 +68,7 @@ dev_dontaudit_getattr_misc(local_login_t)
 dev_dontaudit_setattr_misc(local_login_t)
 dev_dontaudit_getattr_scanner(local_login_t)
 dev_dontaudit_setattr_scanner(local_login_t)
+dev_dontaudit_search_sysfs(local_login_t)
 # for SSP/ProPolice
 dev_read_urand(local_login_t)
 
@@ -106,6 +107,7 @@ files_read_etc_files(local_login_t)
 files_read_etc_runtime_files(local_login_t)
 files_read_usr_files(local_login_t)
 files_manage_generic_locks(var_lock_t)
+files_list_mnt(local_login_t)
 
 init_rw_script_pid(local_login_t)
 init_dontaudit_use_fd(local_login_t)
@@ -149,6 +151,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(local_login_t)
 ')
 
+optional_policy(`usermanage.te',`
+	usermanage_read_crack_db(local_login_t)
+')
+
 ifdef(`TODO',`
 
 allow local_login_t bin_t:dir r_dir_perms;
@@ -169,32 +175,22 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
 # for when /var/mail is a sym-link
 allow local_login_t var_t:lnk_file read;
 
-dontaudit local_login_t sysfs_t:dir search;
-
-allow local_login_t mnt_t:dir r_dir_perms;
-
-# FIXME: what is this for?
-optional_policy(`xdm.te', `
-	allow xdm_t local_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-	allow local_login_t crack_db_t:file r_file_perms;
-')
-
-ifdef(`targeted_policy',`
-	unconfined_domain(local_login_t)
-	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
-')
-
 # Do not audit denied attempts to access devices.
 dontaudit local_login_t device_t:lnk_file { getattr setattr };
 dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
 dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
 dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
 
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
+# FIXME: what is this for?
+optional_policy(`xdm.te', `
+	allow xdm_t local_login_t:process signull;
+
+')
+
+ifdef(`targeted_policy',`
+	unconfined_domain(local_login_t)
+	domain_auto_trans(local_login_t, shell_exec_t, unconfined_t)
+')
 
 optional_policy(`gpm.te',`
 	allow local_login_t gpmctl_t:sock_file { getattr setattr };

refpolicy/policy/modules/system/logging.te

@@ -247,6 +247,10 @@ ifdef(`klogd.te', `', `
 	kernel_change_ring_buffer_level(syslogd_t)
 ')
 
+ifdef(`direct_sysadm_daemon',`
+	userdom_dontaudit_use_sysadm_terms(syslogd_t)
+')
+
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(syslogd_t)
 	term_dontaudit_use_generic_pty(syslogd_t)
@@ -275,9 +279,6 @@ dontaudit syslogd_t sysadm_home_dir_t:dir search;
 optional_policy(`rhgb.te', `
 	rhgb_domain(syslogd_t)
 ')
-tunable_policy(`direct_sysadm_daemon',`
-	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
-')
 
 ifdef(`distro_suse', `
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
@@ -287,15 +288,6 @@ ifdef(`distro_suse', `
 # log to the xconsole
 allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
 
-ifdef(`crond.te', `
-	# for daemon re-start
-	allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-	allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
 #
 # Special case to handle crashes
 #

refpolicy/policy/modules/system/lvm.te

@@ -141,6 +141,7 @@ miscfiles_read_localization(lvm_t)
 
 seutil_read_config(lvm_t)
 seutil_read_file_contexts(lvm_t)
+seutil_search_default_contexts(lvm_t)
 seutil_sigchld_newrole(lvm_t)
 
 ifdef(`distro_redhat',`
@@ -164,8 +165,6 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-allow lvm_t default_context_t:dir search;
-
 dontaudit lvm_t var_run_t:dir getattr;
 
 optional_policy(`gnome-pty-helper.te', `

refpolicy/policy/modules/system/modutils.te

@@ -67,6 +67,7 @@ dev_read_urand(insmod_t)
 dev_rw_agp_dev(insmod_t)
 dev_read_snd_dev(insmod_t)
 dev_write_snd_dev(insmod_t)
+dev_rw_apm_bios(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 
@@ -105,8 +106,6 @@ optional_policy(`mount.te',`
 
 ifdef(`TODO',`
 
-allow insmod_t apm_bios_t:chr_file { read write };
-
 ifdef(`xserver.te', `
 	allow insmod_t xserver_log_t:file getattr;
 ')

refpolicy/policy/modules/system/mount.te

@@ -77,7 +77,7 @@ miscfiles_read_localization(mount_t)
 userdom_use_all_user_fd(mount_t)
 
 ifdef(`distro_redhat',`
-	fs_use_tmpfs_character_devices(mount_t)
+	fs_use_tmpfs_chr_dev(mount_t)
 	allow mount_t tmpfs_t:dir mounton;
 
 	optional_policy(`authlogin.te',`

refpolicy/policy/modules/system/selinuxutil.if

@@ -473,6 +473,25 @@ interface(`seutil_read_config',`
 	allow $1 selinux_config_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Search the policy directory with default_context files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`seutil_search_default_contexts',`
+	gen_require(`
+		type selinux_config_t, default_context_t;
+		class dir search;
+	')
+
+	files_search_etc($1)
+	allow $1 { selinux_config_t default_context_t }:dir search;
+')
+
+
 ########################################
 #
 # seutil_read_default_contexts(domain)

refpolicy/policy/modules/system/selinuxutil.te

@@ -212,11 +212,14 @@ term_relabel_all_user_ptys(newrole_t)
 auth_domtrans_chk_passwd(newrole_t)
 
 domain_use_wide_inherit_fd(newrole_t)
+# for when the user types "exec newrole" at the command line:
+domain_sigchld_wide_inherit_fd(newrole_t)
 
 # Write to utmp.
 init_rw_script_pid(newrole_t)
 
 files_read_etc_files(newrole_t)
+files_read_var_files(newrole_t)
 
 libs_use_ld_so(newrole_t)
 libs_use_shared_libs(newrole_t)
@@ -240,13 +243,6 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
-# for when the user types "exec newrole" at the command line
-allow newrole_t privfd:process sigchld;
- 
-# Read /var.
-allow newrole_t var_t:dir r_dir_perms;
-allow newrole_t var_t:notdevfile_class_set r_file_perms;
-
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 
 # for some PAM modules and for cwd
@@ -303,10 +299,10 @@ files_list_all_dirs(restorecon_t)
 auth_relabelto_shadow(restorecon_t)
 
 ifdef(`distro_redhat', `
-	fs_use_tmpfs_character_devices(restorecon_t)
-	fs_use_tmpfs_block_devices(restorecon_t)
-	fs_relabel_tmpfs_block_devices(restorecon_t)
-	fs_relabel_tmpfs_character_devices(restorecon_t)
+	fs_use_tmpfs_chr_dev(restorecon_t)
+	fs_use_tmpfs_blk_dev(restorecon_t)
+	fs_relabel_tmpfs_blk_dev(restorecon_t)
+	fs_relabel_tmpfs_chr_dev(restorecon_t)
 ')
 
 optional_policy(`hotplug.te',`
@@ -323,6 +319,10 @@ allow restorecon_t fs_type:dir r_dir_perms;
 
 allow restorecon_t device_t:file { read write };
 allow restorecon_t kernel_t:fifo_file { read write };
+
+tunable_policy(`hide_broken_symptoms',`
+dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
+')
 ') dnl endif TODO
 
 #################################

refpolicy/policy/modules/system/sysnetwork.if

@@ -25,6 +25,162 @@ interface(`sysnet_domtrans_dhcpc',`
 	allow dhcpc_t $1:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	The domain sending the SIGCHLD.
+## </param>
+#
+interface(`sysnet_sigchld_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class process sigchld;
+	')
+
+	allow $1 dhcpc_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send a kill signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	The domain sending the SIGKILL.
+## </param>
+#
+interface(`sysnet_kill_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class process sigkill;
+	')
+
+	allow $1 dhcpc_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send a SIGSTOP signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	The domain sending the SIGSTOP.
+## </param>
+#
+interface(`sysnet_sigstop_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class process sigstop;
+	')
+
+	allow $1 dhcpc_t:process sigstop;
+')
+
+########################################
+## <summary>
+##	Send a null signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	The domain sending the null signal.
+## </param>
+#
+interface(`sysnet_signull_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class process signull;
+	')
+
+	allow $1 dhcpc_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send a generic signal to the dhcp client.
+## </summary>
+## <param name="domain">
+##	The domain sending the signal.
+## </param>
+#
+interface(`sysnet_signal_dhcpc',`
+	gen_require(`
+		type dhcpc_t;
+		class process signal;
+	')
+
+	allow $1 dhcpc_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read and write dhcp configuration files.
+## </summary>
+## <param name="domain">
+##	The domain allowed access.
+## </param>
+#
+interface(`sysnet_rw_dhcp_config',`
+	gen_require(`
+		type dhcp_etc_t;
+		class file { getattr read };
+	')
+
+	files_search_etc($1)
+	allow $1 dhcp_etc_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Read dhcp client state files.
+## </summary>
+## <param name="domain">
+##	The domain allowed access.
+## </param>
+#
+interface(`sysnet_read_dhcpc_state',`
+	gen_require(`
+		type dhcpc_state_t;
+		class file { getattr read };
+	')
+
+	allow $1 dhcpc_state_t:file { getattr read };
+')
+
+#######################################
+## <summary>
+##	Allow network init to read network config files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`sysnet_read_config',`
+	gen_require(`
+		type net_conf_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Read the dhcp client pid file.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`sysnet_read_dhcpc_pid',`
+	gen_require(`
+		type dhcpc_var_run_t;
+		class file { getattr read };
+	')
+
+	files_list_pids($1)
+	allow $1 dhcpc_var_run_t:file { getattr read };
+')
+
 #######################################
 ## <desc>
 ##	Execute ifconfig in the ifconfig domain.
@@ -77,22 +233,3 @@ interface(`sysnet_run_ifconfig',`
 	role $2 types ifconfig_t;
 	allow ifconfig_t $3:chr_file rw_term_perms;
 ')
-
-#######################################
-##     <desc>
-##             Allow network init to read network config files.
-##     </desc>
-##     <param name="domain">
-##             The type of the process performing this action.
-##     </param>
-#
-interface(`sysnet_read_config',`
-	gen_require(`
-		type net_conf_t;
-		class file r_file_perms;
-	')
-
-	files_search_etc($1)
-	allow $1 net_conf_t:file r_file_perms;
-')
-

refpolicy/policy/modules/system/sysnetwork.te

@@ -194,38 +194,26 @@ domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
 allow cardmgr_t dhcpc_var_run_t:file { getattr read };
 allow cardmgr_t dhcpc_t:process signal_perms;
 ')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-logging_syslogd_transition(dhcpc_t)
+
+optional_policy(`hotplug.te', `
+	allow dhcpc_t hotplug_etc_t:dir { getattr search };
+
+	ifdef(`distro_redhat', `
+		logging_syslogd_transition(dhcpc_t)
+	')
 ')
-')dnl end hotplug.te
 
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`netutils.te',`
 	netutils_domtrans_ping(dhcpc_t)
 
-	optional_policy(`hotplug.te',`
-		allow ping_t hotplug_t:fd use;
-	')
-
 	ifdef(`cardmgr.te',`
 		allow ping_t cardmgr_t:fd use;
 	')
 ')
 
-ifdef(`distro_redhat', `
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-
 allow dhcpc_t var_lib_t:dir search;
-
 allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
 dontaudit dhcpc_t selinux_config_t:dir search;
 dontaudit dhcpc_t domain:dir getattr;
@@ -265,6 +253,8 @@ kernel_read_network_state(ifconfig_t)
 kernel_dontaudit_search_sysctl_dir(ifconfig_t)
 kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
 
+corenet_use_tun_tap_device(ifconfig_t)
+
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 
@@ -298,10 +288,12 @@ ifdef(`TODO',`
 
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
 optional_policy(`rhgb.te', `
 rhgb_domain(ifconfig_t)
 ')
 
+tunable_policy(`hide_broken_symptoms',`
+dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
+')
+
 ') dnl endif TODO

refpolicy/policy/modules/system/udev.te

@@ -94,6 +94,8 @@ files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dir(udev_t)
+files_getattr_generic_locks(udev_t)
+files_search_mnt(udev_t)
 
 init_use_fd(udev_t)
 init_read_script_pid(udev_t)
@@ -117,8 +119,12 @@ seutil_domtrans_restorecon(udev_t)
 sysnet_domtrans_ifconfig(udev_t)
 
 ifdef(`distro_redhat',`
-	fs_manage_tmpfs_block_devices(udev_t)
-	fs_manage_tmpfs_character_devices(udev_t)
+	fs_manage_tmpfs_symlinks(udev_t)
+	fs_manage_tmpfs_sockets(udev_t)
+	fs_manage_tmpfs_blk_dev(udev_t)
+	fs_manage_tmpfs_chr_dev(udev_t)
+	fs_relabel_tmpfs_blk_dev(udev_t)
+	fs_relabel_tmpfs_chr_dev(udev_t)
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
@@ -142,12 +148,6 @@ optional_policy(`sysnetwork.te',`
 ')
 
 ifdef(`TODO',`
-
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-
-allow udev_t mnt_t:dir search;
-
 allow udev_t devpts_t:dir { getattr search };
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
@@ -159,17 +159,6 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
 dbusd_client(system, udev)
 
-ifdef(`distro_redhat',`
-allow udev_t tmpfs_t:sock_file create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
-')
-
-tunable_policy(`hide_broken_symptoms',`
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
 optional_policy(`xdm.te',`
 allow udev_t xdm_var_run_t:file { getattr read };
 ')

refpolicy/policy/modules/system/userdomain.if

@@ -122,6 +122,8 @@ template(`base_user_template',`
 	kernel_get_sysvipc_info($1_t)
 	# Find CDROM devices:
 	kernel_read_device_sysctl($1_t)
+
+	dev_rw_power_management($1_t)
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($1_t)
 
@@ -172,6 +174,7 @@ template(`base_user_template',`
 
 	files_exec_etc_files($1_t)
 	files_read_usr_src_files($1_t)
+	files_search_generic_locks($1_t)
 
 	# Caused by su - init scripts
 	init_dontaudit_use_script_pty($1_t)
@@ -242,9 +245,6 @@ template(`base_user_template',`
 	#
 	dontaudit $1_t usr_t:file setattr;
 
-	# Access the power device.
-	allow $1_t power_device_t:chr_file rw_file_perms;
-
 	# Check to see if cdrom is mounted
 	allow $1_t mnt_t:dir { getattr search };
 
@@ -296,7 +296,9 @@ template(`base_user_template',`
 		create_dir_file($1_t, noexattrfile)
 		create_dir_file($1_t, removable_t)
 		# Write floppies 
-		allow $1_t removable_device_t:blk_file rw_file_perms;
+		storage_raw_read_removable_device($1_t)
+		storage_raw_write_removable_device($1_t)
+		# cjp: what does this have to do with removable devices?
 		allow $1_t usbtty_device_t:chr_file write;
 	',`
 		r_dir_file($1_t, noexattrfile)
@@ -312,12 +314,8 @@ template(`base_user_template',`
 	r_dir_file($1_t, tetex_data_t)
 	can_exec($1_t, tetex_data_t)
 
-	# Run programs developed by other users in the same domain.
-
 	can_resmgrd_connect($1_t)
 
-	allow $1_t var_lock_t:dir search;
-
 	# Grant permissions to access the system DBus
 	ifdef(`dbusd.te', `
 		dbusd_client(system, $1)
@@ -442,7 +440,7 @@ template(`unpriv_user_template', `
 
 	typeattribute $1_tmp_t user_tmpfile;
 
-	#typeattribute $1_tty_device_t user_tty_type;
+	typeattribute $1_tty_device_t user_ttynode;
  
 	##############################
 	#
@@ -1105,3 +1103,20 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 	dontaudit $1 unpriv_userdomain:fd use;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to use unprivileged
+##	user ttys.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_dontaudit_use_unpriv_user_tty',`
+	gen_require(`
+		attribute user_ttynode;
+		class chr_file rw_file_perms;
+	')
+
+	dontaudit $1 user_ttynode:chr_file rw_file_perms;
+')

refpolicy/policy/modules/system/userdomain.te

@@ -23,6 +23,9 @@ attribute privhome;
 # all unprivileged users tmp files
 attribute user_tmpfile;
 
+# all unprivileged users ttys
+attribute user_ttynode;
+
 # all user domains
 attribute userdomain;