many fixes from cab testing

refpolicy/policy/modules/admin/rpm.te

@@ -266,6 +266,8 @@ terminal_get_general_physical_terminal_attributes(rpm_script_t)
 terminal_list_pseudoterminals(rpm_script_t)
 
 authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
+# ideally we would not need this
+authlogin_manage_all_files_except_shadow(rpm_script_t)
 
 corecommands_execute_general_programs(rpm_script_t)
 corecommands_execute_system_programs(rpm_script_t)
@@ -307,8 +309,6 @@ ifdef(`TODO',`
 allow rpm_script_t sysfs_t:dir r_dir_perms;
 
 # ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
 allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
 
 allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };

refpolicy/policy/modules/kernel/bootloader.if

@@ -300,9 +300,11 @@ define(`bootloader_modify_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:file { getattr create read write setattr unlink };
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+typeattribute $1 can_modify_kernel_modules;
 ')
 
 define(`bootloader_modify_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
 type modules_object_t;
 class file { getattr create read write setattr unlink };
 class dir { getattr search read write add_name remove_name };

refpolicy/policy/modules/kernel/devices.if

@@ -425,77 +425,20 @@ class dir { getattr read search };
 class chr_file { getattr write ioctl };
 ')
 
-########################################
-#
-# devices_read_dev_null(domain)
-#
-define(`devices_read_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr read };
-')
-
-define(`devices_read_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read };
-')
-
-########################################
-#
-# devices_write_dev_null(domain)
-#
-define(`devices_write_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
 ########################################
 #
 # devices_use_dev_null(domain)
 #
 define(`devices_use_dev_null',`
-devices_read_dev_null($1)
-devices_write_dev_null($1)
-')
-
-########################################
-#
-# devices_read_dev_zero(domain)
-#
-define(`devices_read_dev_zero',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr read };
+allow $1 null_device_t:chr_file { getattr read write append ioctl };
 ')
 
-define(`devices_read_dev_zero_depend',`
+define(`devices_use_dev_null_depend',`
-type device_t, zero_device_t;
+type device_t, null_device_t;
 class device_t:dir { getattr read search };
-class chr_file { getattr read };
+class chr_file { getattr read write append ioctl };
-')
-
-########################################
-#
-# devices_write_dev_zero(domain)
-#
-define(`devices_write_dev_zero',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_zero_depend',`
-type device_t, zero_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
 ')
 
 ########################################
@@ -503,8 +446,15 @@ class chr_file { getattr append write };
 # devices_use_dev_zero(domain)
 #
 define(`devices_use_dev_zero',`
-devices_read_dev_zero($1)
+requires_block_template(`$0'_depend)
-devices_write_dev_zero($1)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr read write append ioctl };
+')
+
+define(`devices_use_dev_zero_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read write append ioctl };
 ')
 
 ########################################

refpolicy/policy/modules/kernel/filesystem.if

@@ -972,6 +972,29 @@ class dir { getattr search read };
 class chr_file { getattr read write ioctl };
 ')
 
+########################################
+## <interface name="filesystem_relabel_tmpfs_character_devices">
+##	<description>
+##		Relabel character nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_relabel_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class chr_file { getattr relabelfrom relabelto };
+')
+
 ########################################
 ## <interface name="filesystem_use_tmpfs_block_devices">
 ##	<description>
@@ -995,6 +1018,29 @@ class dir { getattr search read };
 class blk_file { getattr read write ioctl };
 ')
 
+########################################
+## <interface name="filesystem_relabel_tmpfs_block_devices">
+##	<description>
+##		Relabel block nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class blk_file { getattr relabelfrom relabelto };
+')
+
 ########################################
 ## <interface name="filesystem_manage_tmpfs_character_devices">
 ##	<description>

refpolicy/policy/modules/services/cron.te

@@ -94,15 +94,19 @@ filesystem_get_all_filesystems_attributes(crond_t)
 
 terminal_ignore_use_console(crond_t)
 
-init_use_file_descriptors(crond_t)
+# need auth_chkpwd to check for locked accounts.
-init_script_use_pseudoterminal(crond_t)
+authlogin_check_password_transition(crond_t)
+
+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)
 
 domain_use_widely_inheritable_file_descriptors(crond_t)
 
 files_read_general_system_config(crond_t)
+files_read_system_spools(crond_t)
 
-corecommands_execute_shell(crond_t)
+init_use_file_descriptors(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+init_script_use_pseudoterminal(crond_t)
 
 libraries_use_dynamic_loader(crond_t)
 libraries_use_shared_libraries(crond_t)
@@ -115,8 +119,7 @@ selinux_newrole_sigchld(crond_t)
 
 miscfiles_read_localization(crond_t)
 
-# need auth_chkpwd to check for locked accounts.
+userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
-authlogin_check_password_transition(crond_t)
 
 tunable_policy(`fcron_crond', `
 allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -136,7 +139,6 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...
 
-allow crond_t unpriv_userdomain:fd use;
 allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;
 
@@ -153,18 +155,15 @@ allow crond_t autofs_t:dir { search getattr };
 
 # Read from /var/spool/cron.
 allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t var_spool_t:file { getattr read };
 allow crond_t mail_spool_t:dir search;
+# for if /var/mail is a symlink
+allow crond_t mail_spool_t:lnk_file read;
 
 allow crond_t default_t:dir search;
 
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 
-# for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
-
 # to search /home
 allow crond_t user_home_dir_type:dir r_dir_perms;
 
@@ -269,6 +268,9 @@ files_get_all_file_attributes(system_crond_t)
 files_read_general_application_resources(system_crond_t)
 # for nscd:
 files_ignore_search_runtime_data_directory(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_system_spools(system_crond_t)
 
 corecommands_execute_general_programs(system_crond_t)
 corecommands_execute_system_programs(system_crond_t)
@@ -324,14 +326,9 @@ allow system_crond_t var_t:file { getattr read ioctl };
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;
 
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
 # for if /var/mail is a symlink
 allow system_crond_t mail_spool_t:lnk_file read;
 
-
 #
 #  These rules are here to allow system cron jobs to su
 #
@@ -360,7 +357,6 @@ mta_send_mail_transition(system_crond_t)
 # system_mail_t should only be reading from the cron fifo not needing to write
 dontaudit system_mail_t crond_t:fifo_file write;
 allow mta_user_agent system_crond_t:fd use;
-allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')
 

refpolicy/policy/modules/system/authlogin.if

@@ -440,6 +440,58 @@ class file { create ioctl read getattr lock write setattr append link unlink ren
 class lnk_file { create read getattr setattr link unlink rename };
 ')
 
+########################################
+## <interface name="authlogin_relabel_all_files_except_shadow">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_relabel_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_relabel_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_relabel_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
+## <interface name="authlogin_manage_all_files_except_shadow">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_manage_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_manage_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_manage_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
 ########################################
 ## <interface name="authlogin_utempter_transition">
 ##	<description>

refpolicy/policy/modules/system/domain.if

@@ -62,7 +62,7 @@ define(`domain_make_entrypoint_file',`
 requires_block_template(`$0'_depend)
 allow $1 $2:file entrypoint;
 files_make_file($2)
-typeattribute $1 entry_type;
+typeattribute $2 entry_type;
 ')
 
 define(`domain_make_entrypoint_file_depend',`

refpolicy/policy/modules/system/files.if

@@ -99,7 +99,7 @@ attribute tmpfsfile;
 ########################################
 #
 # files_get_all_file_attributes(domain)
-#
+
 define(`files_get_all_file_attributes',`
 requires_block_template(`$0'_depend)
 allow $1 file_type:dir { search getattr };
@@ -119,23 +119,37 @@ class sock_file getattr;
 ')
 
 ########################################
+## <interface name="files_relabel_all_files">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
-# files_manage_all_files_labels(type)
+define(`files_relabel_all_files',`
-#
-define(`files_manage_all_files_labels',`
 requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
-allow $1 file_type:file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
-allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
-allow $1 file_type:fifo_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
-allow $1 file_type:sock_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
-allow $1 file_type:blk_file { getattr relabelfrom };
+allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
-allow $1 file_type:chr_file { getattr relabelfrom };
+allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+# satisfy the assertions:
+selinux_relabelto_binary_policy($1)
 ')
 
-define(`files_manage_all_files_labels_depend',`
+define(`files_relabel_all_files_depend',`
 attribute file_type;
-class dir { relabelfrom relabelto };
+class dir { getattr search read relabelfrom relabelto };
 class file { relabelfrom relabelto };
 class lnk_file { relabelfrom relabelto };
 class fifo_file { relabelfrom relabelto };
@@ -144,6 +158,43 @@ class blk_file relabelfrom;
 class chr_file relabelfrom;
 ')
 
+########################################
+## <interface name="files_manage_all_files">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`files_manage_all_files',`
+requires_block_template(`$0'_depend)
+allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+# satisfy the assertions:
+selinux_write_binary_policy($1)
+bootloader_modify_kernel_modules($1)
+')
+
+define(`files_manage_all_files_depend',`
+attribute file_type;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 ########################################
 #
 # files_search_all_directories(domain)
@@ -646,6 +697,20 @@ class fifo_file { getattr unlink };
 class sock_file { getattr unlink };
 ')
 
+########################################
+#
+# files_search_general_application_resources_dir(domain)
+#
+define(`files_search_general_application_resources_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+')
+
+define(`files_search_general_application_resources_dir_depend',`
+type usr_t;
+class dir search;
+')
+
 ########################################
 #
 # files_read_general_application_resources(domain)
@@ -998,4 +1063,38 @@ type var_t, var_spool_t;
 class dir { getattr search read };
 ')
 
+########################################
+#
+# files_read_system_spools(domain)
+#
+define(`files_read_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read };
+allow $1 var_spool_t:file { getattr read };
+')
+
+define(`files_read_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_manage_system_spools(domain)
+#
+define(`files_manage_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+allow $1 var_spool_t:file { getattr create read write append unlink setattr };
+')
+
+define(`files_manage_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write append unlink setattr };
+')
+
 ## </module>

refpolicy/policy/modules/system/getty.te

@@ -44,6 +44,7 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
 terminal_use_all_terminals(getty_t)
 terminal_set_console_attributes(getty_t)
 
+init_script_modify_runtime_data(getty_t)
 init_script_use_pseudoterminal(getty_t)
 
 files_modify_system_runtime_data(getty_t)
@@ -55,6 +56,9 @@ files_read_general_system_config(getty_t)
 
 authlogin_modify_login_records(getty_t)
 
+libraries_use_dynamic_loader(getty_t)
+libraries_use_shared_libraries(getty_t)
+
 locallogin_transition(getty_t)
 
 logging_send_system_log_message(getty_t)

refpolicy/policy/modules/system/hotplug.te

@@ -112,7 +112,7 @@ optional_policy(`netutils.te', `
 netutils_transition(hotplug_t)
 filesystem_use_tmpfs_character_devices(hotplug_t)
 ') dnl endif netutils optional
-files_get_system_lock_file_attribues(hotplug_t)
+files_get_system_lock_file_attributes(hotplug_t)
 ')dnl end distro_redhat tunable
 
 tunable_policy(`targeted_policy', `

refpolicy/policy/modules/system/init.te

@@ -21,6 +21,12 @@ type init_exec_t;
 kernel_make_userland_entrypoint(init_t,init_exec_t)
 domain_make_entrypoint_file(init_t,init_exec_t)
 
+#
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_make_daemon_runtime_file(init_var_run_t)
+
 #
 # initctl_t is the type of the named pipe created 
 # by init during initialization.  This pipe is used
@@ -28,14 +34,6 @@ domain_make_entrypoint_file(init_t,init_exec_t)
 #
 type initctl_t;
 files_make_file(initctl_t)
-filesystem_tmpfs_associate(initctl_t)
-devices_create_dev_entry(init_t,initctl_t,fifo_file)
-
-#
-# init_var_run_t is the type for /var/run/shutdown.pid.
-#
-type init_var_run_t;
-files_make_daemon_runtime_file(init_var_run_t)
 
 type initrc_t;
 domain_make_domain(initrc_t)
@@ -70,6 +68,10 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans };
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
 files_create_daemon_runtime_data(init_t,init_var_run_t)
 
+allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
+filesystem_tmpfs_associate(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;

refpolicy/policy/modules/system/libraries.if

@@ -132,6 +132,7 @@ class file { getattr read write };
 #
 define(`libraries_use_shared_libraries',`
 requires_block_template(`$0'_depend)
+files_search_general_application_resources_dir($1)
 allow $1 lib_t:dir { getattr search read };
 allow $1 lib_t:lnk_file { getattr read };
 allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };

refpolicy/policy/modules/system/selinux.if

@@ -570,6 +570,29 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')
 
+########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
 ########################################
 #
 # selinux_manage_binary_policy(domain)

refpolicy/policy/modules/system/selinux.te

@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;
 
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
 
-allow newrole_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
 
 domain_use_widely_inheritable_file_descriptors(load_policy_t)
 
+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)
 
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
 
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
 ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;
 
 allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 

refpolicy/policy/modules/system/selinuxutil.if

@@ -570,6 +570,29 @@ class dir { getattr search read write add_name remove_name };
 class file { getattr create write unlink };
 ')
 
+########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
 ########################################
 #
 # selinux_manage_binary_policy(domain)

refpolicy/policy/modules/system/selinuxutil.te

@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;
 
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
 
-allow newrole_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
 
 domain_use_widely_inheritable_file_descriptors(load_policy_t)
 
+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)
 
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
 
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
 ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;
 
 allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 

refpolicy/policy/modules/system/sysnetwork.te

@@ -57,9 +57,9 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
 
-# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
 allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-
 allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
 
 allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };

refpolicy/policy/modules/system/userdomain.if

@@ -10,6 +10,10 @@
 
 define(`base_user_domain',`
 
+attribute $1_file_type;
+
+type $1_t, userdomain;
+corecommands_make_shell_entrypoint($1_t)
 role $1_r types $1_t;
 allow system_r $1_r;
 
@@ -370,9 +374,10 @@ define(`user_domain_template', `
 # Declarations
 #
 
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
 
-type $1_t, userdomain, unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
 domain_make_domain($1_t)
 domain_make_file_descriptors_widely_inheritable($1_t)
 
@@ -398,9 +403,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # Local policy
 #
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
 
@@ -584,9 +586,10 @@ define(`admin_domain_template',`
 # Declarations
 #
 
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
 
-type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain;
+typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception($1_t)
 domain_make_domain($1_t)
 role system_r types $1_t;
@@ -615,9 +618,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # $1_t local policy
 #
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t self:capability ~sys_module;
 allow $1_t self:process { setexec setfscreate };
 
@@ -682,6 +682,11 @@ terminal_use_general_physical_terminal($1_t)
 terminal_use_all_private_pseudoterminals($1_t)
 terminal_use_all_private_physical_terminals($1_t)
 
+# Manage almost all files
+authlogin_manage_all_files_except_shadow($1_t)
+# Relabel almost all files
+authlogin_relabel_all_files_except_shadow($1_t)
+
 domain_set_all_domains_priorities($1_t)
 
 files_execute_system_source_code_scripts($1_t)
@@ -710,18 +715,6 @@ ifdef(`TODO',`
 # Let admin stat the shadow file.
 allow $1_t shadow_t:file getattr;
 
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
 # for lsof
 allow $1_t mtrr_device_t:file getattr;