rules picked up from sediff

refpolicy/policy/modules/system/corecommands.te

@@ -18,8 +18,8 @@ kernel_read_directory_from(sbin_t)
 #
 # ls_exec_t is the type of the ls program.
 #
-#type ls_exec_t;
+type ls_exec_t;
-typealias bin_t alias ls_exec_t;
+files_make_file(ls_exec_t)
 
 #
 # shell_exec_t is the type of user shells such as /bin/bash.

refpolicy/policy/modules/system/domain.if

@@ -30,18 +30,9 @@ class lnk_file { getattr read };
 # domain_make_domain(domain)
 #
 define(`domain_make_domain',`
-requires_block_template(`$0'_depend)
+domain_make_base_domain($1)
-
+files_read_root_dir($1)
-domain_make_base_domain($1,optional)
+init_sigchld($1)
-
-files_read_root_dir($1,optional)
-init_sigchld($1,optional)
-')
-
-define(`domain_make_domain_depend',`
-domain_make_base_domain_depend
-files_read_root_dir_depend
-init_send_sigchld_depend
 ')
 
 ########################################
@@ -51,7 +42,7 @@ init_send_sigchld_depend
 define(`domain_make_entrypoint_file',`
 requires_block_template(`$0'_depend)
 allow $1 $2:file entrypoint;
-files_make_file($2,$3)
+files_make_file($2)
 typeattribute $1 entry_type;
 ')
 
@@ -239,3 +230,17 @@ define(`domain_execute_all_entrypoint_programs_depend',`
 attribute entry_type;
 class file { getattr read execute execute_no_trans };
 ')
+
+########################################
+#
+# domain_read_all_entrypoint_programs(domain)
+#
+define(`domain_read_all_entrypoint_programs',`
+requires_block_template(`$0'_depend)
+allow $1 entry_type:{ file lnk_file } { getattr read };
+')
+
+define(`domain_read_all_entrypoint_programs_depend',`
+attribute entry_type;
+class file { getattr read };
+')

refpolicy/policy/modules/system/files.if

@@ -7,14 +7,12 @@
 define(`files_make_file',`
 requires_block_template(`$0'_depend)
 typeattribute $1 file_type;
-filesystem_associate($1,optional)
+filesystem_associate($1)
-filesystem_noxattr_associate($1,optional)
+filesystem_noxattr_associate($1)
 ')
 
 define(`files_make_file_depend',`
 attribute file_type;
-filesystem_associate_depend
-filesystem_noxattr_associate_depend
 ')
 
 ########################################

refpolicy/policy/modules/system/init.te

@@ -395,11 +395,19 @@ kernel_ignore_get_message_interface_attributes(initrc_t)
 # Run_init local policy
 #
 
+kernel_get_selinuxfs_mount_point(run_init_t)
+kernel_validate_selinux_context(run_init_t)
+kernel_compute_selinux_av(run_init_t)
+kernel_compute_create(run_init_t)
+kernel_compute_relabel(run_init_t)
+kernel_compute_reachable_user_contexts(run_init_t)
+
 tunable_policy(`targeted_policy',`
 # targeted/unconfined stuff
 ',`
 allow run_init_t initrc_t:process transition;
 allow run_init_t initrc_exec_t:file { getattr read execute };
+dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
 
 # for utmp
 allow run_init_t initrc_var_run_t:file { getattr read write };

refpolicy/policy/modules/system/iptables.te

@@ -16,7 +16,7 @@ type iptables_tmp_t;
 files_make_file(iptables_tmp_t)
 
 type iptables_var_run_t; #, pidfile;
-files_make_file(iptables_t)
+files_make_file(iptables_var_run_t)
 
 ########################################
 #

refpolicy/policy/modules/system/locallogin.te

@@ -18,13 +18,25 @@ files_make_file(local_login_tmp_t)
 #
 
 allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
 allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:fd use;
+allow local_login_t self:fifo_file { read getattr lock ioctl write append };
+allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow local_login_t self:unix_dgram_socket sendto;
+allow local_login_t self:unix_stream_socket connectto;
+allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
+allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
+allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
+allow local_login_t self:msg { send receive };
 
 allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
 
 kernel_read_system_state(local_login_t)
+kernel_read_kernel_sysctl(local_login_t)
 kernel_get_selinuxfs_mount_point(local_login_t)
 kernel_validate_selinux_context(local_login_t)
 kernel_compute_selinux_av(local_login_t)
@@ -41,8 +53,12 @@ terminal_use_general_physical_terminal(local_login_t)
 init_script_modify_runtime_data(local_login_t)
 init_ignore_use_file_descriptors(local_login_t)
 
+domain_read_all_entrypoint_programs(local_login_t)
+
 files_read_general_system_config(local_login_t)
 files_read_runtime_system_config(local_login_t)
+files_list_home_directories(local_login_t)
+files_read_general_application_resources(local_login_t)
 
 libraries_use_dynamic_loader(local_login_t)
 libraries_read_shared_libraries(local_login_t)
@@ -61,9 +77,20 @@ authlogin_pam_console_manage_runtime_data(local_login_t)
 miscfiles_read_localization(local_login_t)
 
 ifdef(`TODO',`
-general_domain_access(local_login_t)
+allow local_login_t unpriv_userdomain:fd use;
+can_ypbind(local_login_t)
+ifdef(`automount.te', `
+allow local_login_t autofs_t:dir { search getattr };
+')
 
-base_file_read_access(local_login_t)
+allow local_login_t bin_t:dir r_dir_perms;
+allow local_login_t bin_t:notdevfile_class_set r_file_perms;
+allow local_login_t sbin_t:dir r_dir_perms;
+allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
+if (read_default_t) {
+allow local_login_t default_t:dir r_dir_perms;
+allow local_login_t default_t:notdevfile_class_set r_file_perms;
+}
 
 # Read directories and files with the readable_t type.
 # This type is a general type for "world"-readable files.
@@ -76,9 +103,6 @@ allow local_login_t { var_t var_spool_t }:dir search;
 # for when /var/mail is a sym-link
 allow local_login_t var_t:lnk_file read;
 
-# Read executable types.
-allow local_login_t exec_type:{ file lnk_file } r_file_perms;
-
 # Read /dev directories and any symbolic links.
 allow local_login_t device_t:lnk_file r_file_perms;
 

refpolicy/policy/modules/system/logging.if

@@ -27,6 +27,8 @@ allow $1 syslogd_t:unix_dgram_socket sendto;
 allow $1 syslogd_t:unix_stream_socket connectto;
 allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
 allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
+# cjp: this should most likely be removed:
+terminal_use_console($1)
 ')
 
 define(`logging_send_system_log_message_depend',`

refpolicy/policy/modules/system/modutils.te

@@ -195,7 +195,9 @@ files_create_private_config(update_modules_t,modules_conf_t)
 
 # transition to depmod
 allow update_modules_t depmod_exec_t:file { getattr read execute };
+allow update_modules_t depmod_t:process transition;
 type_transition update_modules_t depmod_exec_t:process depmod_t;
+dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
 
 allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
 allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };

refpolicy/policy/modules/system/udev.te

@@ -77,6 +77,8 @@ kernel_transition_from(udev_t,udev_exec_t)
 
 devices_manage_device_nodes(udev_t)
 
+filesystem_get_all_filesystems_attributes(udev_t)
+
 init_script_read_runtime_data(udev_t)
 
 files_read_runtime_system_config(udev_t)