many fixes from cab work

refpolicy/policy/modules/kernel/devices.if

@@ -74,6 +74,20 @@ type device_t;
 class dir { getattr read search };
 ')
 
+########################################
+#
+# devices_ignore_get_generic_pipe_attributes(domain)
+#
+define(`devices_ignore_get_generic_pipe_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 device_t:fifo_file getattr;
+')
+
+define(`devices_ignore_get_generic_pipe_attributes_depend',`
+type device_t;
+class fifo_file getattr;
+')
+
 ########################################
 #
 # devices_get_generic_block_device_attributes(domain)
@@ -86,6 +100,7 @@ allow $1 device_t:blk_file getattr;
 
 define(`devices_get_generic_block_device_attributes_depend',`
 type device_t;
+class dir { getattr search read };
 class blk_file getattr;
 ')
 
@@ -103,6 +118,24 @@ type device_t;
 class blk_file getattr;
 ')
 
+########################################
+#
+# devices_add_generic_character_device(domain)
+#
+define(`devices_add_generic_character_device',`
+requires_block_template(`$0'_depend)
+allow $1 device_t:dir { getattr search read write add_name };
+allow $1 device_t:chr_file create;
+allow $1 self:capability mknod;
+')
+
+define(`devices_add_generic_character_device_depend',`
+type device_t;
+class dir { getattr search read write add_name };
+class chr_file create;
+class capability mknod;
+')
+
 ########################################
 #
 # devices_get_generic_character_device_attributes(domain)
@@ -115,6 +148,7 @@ allow $1 device_t:chr_file getattr;
 
 define(`devices_get_generic_character_device_attributes_depend',`
 type device_t;
+class dir { getattr search read };
 class chr_file getattr;
 ')
 
@@ -420,7 +454,7 @@ class capability sys_rawio;
 #
 define(`devices_raw_write_memory',`
 requires_block_template(`$0'_depend)
-typeattribute $1 memory_raw_write
+typeattribute $1 memory_raw_write;
 allow $1 device_t:dir { getattr read search };
 allow $1 memory_device_t:chr_file write;
 allow $1 self:capability sys_rawio;
@@ -434,6 +468,36 @@ class chr_file write;
 class capability sys_rawio;
 ')
 
+########################################
+#
+# devices_legacy_raw_read_memory(domain)
+#
+define(`devices_legacy_raw_read_memory',`
+requires_block_template(`$0'_depend)
+devices_raw_read_memory($1)
+allow $1 memory_device_t:chr_file execute;
+')
+
+define(`devices_legacy_raw_read_memory_depend',`
+type device_t, memory_device_t;
+class chr_file execute;
+')
+
+########################################
+#
+# devices_legacy_raw_write_memory(domain)
+#
+define(`devices_legacy_raw_write_memory',`
+requires_block_template(`$0'_depend)
+devices_raw_write_memory($1)
+allow $1 memory_device_t:chr_file execute;
+')
+
+define(`devices_legacy_raw_write_memory_depend',`
+type device_t, memory_device_t;
+class chr_file execute;
+')
+
 ########################################
 #
 # devices_get_random_data(domain)
@@ -530,6 +594,21 @@ class device_t:dir { getattr read search };
 class chr_file { getattr read write append ioctl };
 ')
 
+########################################
+#
+# devices_legacy_use_dev_zero(domain)
+#
+define(`devices_legacy_use_dev_zero',`
+requires_block_template(`$0'_depend)
+devices_use_dev_zero($1)
+allow $1 zero_device_t:chr_file execute;
+')
+
+define(`devices_legacy_use_dev_zero_depend',`
+type zero_device_t;
+class chr_file execute;
+')
+
 ########################################
 #
 # devices_read_realtime_clock(domain)

refpolicy/policy/modules/kernel/filesystem.if

@@ -942,11 +942,13 @@ type_transition $1 tmpfs_t:file $2;
 ',`
 type_transition $1 tmpfs_t:$3 $2;
 ')
+allow $2 tmpfs_t:filesystem associate;
 ')
 
 define(`filesystem_create_private_tmpfs_data_depend',`
 type tmpfs_t;
 class dir { getattr search read write add_name }; 
+class filesystem associate;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/filesystem.te

@@ -46,6 +46,8 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
 # tmpfs_t is the type for tmpfs filesystems
 #
 type tmpfs_t, fs_type;
+files_make_file(tmpfs_t)
+
 allow tmpfs_t self:filesystem associate;
 allow tmpfs_t autofs_t:filesystem associate;
 allow tmpfs_t cifs_t:filesystem associate;

refpolicy/policy/modules/kernel/kernel.if

@@ -8,6 +8,7 @@ define(`kernel_make_userland_entrypoint',`
 requires_block_template(`$0'_depend)
 allow kernel_t $2:file { getattr read execute };
 allow kernel_t $1:process transition;
+allow $1 kernel_t:fd use;
 type_transition kernel_t $2:process $1;
 dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
 ')
@@ -418,14 +419,14 @@ class file { getattr read };
 define(`kernel_read_system_state',`
 requires_block_template(`$0'_depend)
 allow $1 proc_t:dir { getattr search read };
-allow $1 proc_t:{ lnk_file file } { getattr read };
+allow $1 proc_t:{ lnk_file file } { getattr read ioctl };
 ')
 
 define(`kernel_read_system_state_depend',`
 type proc_t;
 class dir { search getattr read };
 class lnk_file { getattr read };
-class file { getattr read };
+class file { getattr read ioctl };
 ')
 
 ########################################
@@ -944,30 +945,37 @@ kernel_read_rpc_sysctl_depend
 # kernel_modify_all_sysctl(domain)
 #
 define(`kernel_modify_all_sysctl',`
-requires_block_template(`$0'_depend)
+kernel_modify_device_sysctl($1)
-kernel_modify_device_sysctl($1,optional)
+kernel_modify_virtual_memory_sysctl($1)
-kernel_modify_virtual_memory_sysctl($1,optional)
+kernel_modify_network_sysctl($1)
-kernel_modify_network_sysctl($1,optional)
+kernel_modify_unix_sysctl($1)
-kernel_modify_unix_sysctl($1,optional)
+kernel_modify_hotplug_sysctl($1)
-kernel_modify_hotplug_sysctl($1,optional)
+kernel_modify_modprobe_sysctl($1)
-kernel_modify_modprobe_sysctl($1,optional)
+kernel_modify_kernel_sysctl($1)
-kernel_modify_kernel_sysctl($1,optional)
+kernel_modify_filesystem_sysctl($1)
-kernel_modify_filesystem_sysctl($1,optional)
+kernel_modify_irq_sysctl($1)
-kernel_modify_irq_sysctl($1,optional)
+kernel_modify_rpc_sysctl($1)
-kernel_modify_rpc_sysctl($1,optional)
 ')
 
-define(`kernel_modify_all_sysctl_depend',`
+########################################
-kernel_modify_device_sysctl_depend
+## <interface name="kernel_search_hardware_state_dir">
-kernel_modify_virtual_memory_sysctl_depend
+##	<description>
-kernel_modify_network_sysctl_depend
+##		Search the directory containing hardware information.
-kernel_modify_unix_sysctl_depend
+##	</description>
-kernel_modify_hotplug_sysctl_depend
+##	<parameter name="domain">
-kernel_modify_modprobe_sysctl_depend
+##		The type of the process performing this action.
-kernel_modify_kernel_sysctl_depend
+##	</parameter>
-kernel_modify_filesystem_sysctl_depend
+##	<infoflow type="read" weight="10"/>
-kernel_modify_irq_sysctl_depend
+## </interface>
-kernel_modify_rpc_sysctl_depend
+#
+define(`kernel_search_hardware_state_dir',`
+requires_block_template(`$0'_depend)
+allow $1 sysfs_t:dir search;
+')
+
+define(`kernel_search_hardware_state_dir_depend',`
+type sysfs_t;
+class dir search;
 ')
 
 ########################################
@@ -1144,6 +1152,27 @@ class chr_file { getattr relabelfrom };
 class blk_file { getattr relabelfrom };
 ')
 
+########################################
+## <interface name="kernel_search_usb_hardware_state_dir">
+##	<description>
+##		Search the directory containing USB hardware information.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+#
+define(`kernel_search_usb_hardware_state_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usbfs_t:dir search;
+')
+
+define(`kernel_search_usb_hardware_state_dir_depend',`
+type usbfs_t;
+class dir search;
+')
+
 ########################################
 #
 # kernel_list_usb_hardware(domain)

refpolicy/policy/modules/kernel/storage.if

@@ -98,7 +98,7 @@ class blk_file { getattr read ioctl };
 ')
 
 ########################################
-## <interface name="storage_write_read_fixed_disk">
+## <interface name="storage_raw_write_fixed_disk">
 ##	<description>
 ##		Allow the caller to directly write to a fixed disk.
 ##		This is extremly dangerous as it can bypass the
@@ -124,6 +124,51 @@ attribute fixed_disk_raw_write;
 class blk_file { getattr write ioctl };
 ')
 
+########################################
+## <interface name="storage_create_fixed_disk_dev_entry">
+##	<description>
+##		Create block devices in /dev with the fixed disk type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`storage_create_fixed_disk_dev_entry',`
+requires_block_template(`$0'_depend)
+devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+')
+
+define(`storage_create_fixed_disk_dev_entry_depend',`
+type fixed_disk_device_t;
+')
+
+########################################
+## <interface name="storage_manage_fixed_disk">
+##	<description>
+##		Manage fixed disk device nodes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`storage_manage_fixed_disk',`
+requires_block_template(`$0'_depend)
+devices_list_device_nodes($1)
+allow $1 fixed_disk_device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
+define(`storage_manage_fixed_disk_depend',`
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+type fixed_disk_device_t;
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
 ########################################
 ## <interface name="storage_raw_read_lvm_volume">
 ##	<description>

refpolicy/policy/modules/kernel/terminal.if

@@ -57,6 +57,9 @@ type_change $1 tty_device_t:chr_file $2;
 tunable_policy(`distro_debian',`
 type_change $1 ttyfile:chr_file $2;
 ')
+tunable_policy(`distro_redhat',`
+tmpfs_associate($2)
+')
 ')
 
 define(`terminal_make_physical_terminal_depend',`
@@ -93,12 +96,12 @@ define(`terminal_use_all_terminals',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 devpts_t:dir { getattr search read };
-allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { getattr read write ioctl };
+allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
 ')
 
 define(`terminal_use_all_terminals_depend',`
 attribute ttynode, ptynode;
-type console_device_t, devtty_t, devpts_t;
+type console_device_t, devpts_t, tty_device_t;
 class dir { getattr search read };
 class chr_file { getattr read write };
 ')

refpolicy/policy/modules/system/authlogin.if

@@ -402,6 +402,22 @@ class file { getattr read execute };
 class process { transition noatsecure siginh rlimitinh };
 ')
 
+#######################################
+#
+# authlogin_pam_console_read_runtime_data_dir(domain)
+#
+define(`authlogin_pam_console_read_runtime_data_dir',`
+requires_block_template(`$0'_depend)
+files_search_system_state_data_directory($1)
+files_search_runtime_data_directory($1)
+allow $1 pam_var_console_t:dir { getattr search read };
+')
+
+define(`authlogin_pam_console_read_runtime_data_dir_depend',`
+type pam_var_console_t;
+class dir { getattr search read };
+')
+
 #######################################
 #
 # authlogin_pam_console_read_runtime_data(domain)

refpolicy/policy/modules/system/corecommands.if

@@ -54,14 +54,14 @@ define(`corecommands_execute_general_programs',`
 requires_block_template(`$0'_depend)
 allow $1 bin_t:dir { getattr search read };
 allow $1 bin_t:lnk_file { getattr read };
-allow $1 bin_t:file { getattr read execute execute_no_trans };
+allow $1 bin_t:file { getattr read ioctl execute execute_no_trans };
 ')
 
 define(`corecommands_execute_general_programs_depend',`
 type bin_t;
 class dir { getattr search read };
 class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
 ')
 
 ########################################
@@ -92,6 +92,20 @@ type sbin_t;
 class dir { getattr search read };
 ')
 
+########################################
+#
+# corecommands_ignore_get_system_programs_attributes(domain)
+#
+define(`corecommands_ignore_get_system_programs_attributes',`
+requires_block_template(`$0'_depend)
+allow $1 sbin_t:file getattr;
+')
+
+define(`corecommands_ignore_get_system_programs_attributes_depend',`
+type sbin_t;
+class file getattr;
+')
+
 ########################################
 #
 # corecommands_execute_system_programs(domain)
@@ -100,14 +114,14 @@ define(`corecommands_execute_system_programs',`
 requires_block_template(`$0'_depend)
 allow $1 sbin_t:dir { getattr search read };
 allow $1 sbin_t:lnk_file { getattr read };
-allow $1 sbin_t:file { getattr read execute execute_no_trans };
+allow $1 sbin_t:file { getattr read ioctl execute execute_no_trans };
 ')
 
 define(`corecommands_execute_system_programs_depend',`
 type sbin_t;
 class dir { getattr search read };
 class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
 ')
 
 ########################################
@@ -128,6 +142,24 @@ class lnk_file { getattr read };
 class file { getattr read execute execute_no_trans };
 ')
 
+########################################
+#
+# corecommands_execute_ls(domain)
+#
+define(`corecommands_execute_ls',`
+requires_block_template(`$0'_depend)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 ls_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`corecommands_execute_shell_depend',`
+type bin_t, ls_exec_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
 ########################################
 ## <interface name="corecommands_shell_transition">
 ##	<description>

refpolicy/policy/modules/system/domain.if

@@ -14,7 +14,7 @@ typeattribute $1 domain;
 
 # allow the domain to read its /proc/pid entries
 allow $1 self:dir { getattr search read };
-allow $1 self:{ file lnk_file } { getattr read write };
+allow $1 self:{ file lnk_file } { getattr read write ioctl };
 
 # allow $1 to create child processes in this domain
 allow $1 self:process { fork sigchld };
@@ -23,7 +23,7 @@ allow $1 self:process { fork sigchld };
 define(`domain_make_base_domain_depend',`
 attribute domain;
 class dir { getattr search read };
-class file { getattr read write };
+class file { getattr read write ioctl };
 class lnk_file { getattr read };
 ')
 
@@ -308,18 +308,106 @@ attribute domain;
 class process getsession;
 ')
 
+########################################
+## <interface name="domain_ignore_get_all_domains_udp_socket_attributes">
+##	<description>
+##		Do not audit attempts to get the attributes
+##		of all domains UDP sockets.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`domain_ignore_get_all_domains_udp_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:udp_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
+attribute domain;
+class udp_socket getattr;
+')
+
+########################################
+## <interface name="domain_ignore_get_all_domains_tcp_socket_attributes">
+##	<description>
+##		Do not audit attempts to get the attributes
+##		of all domains TCP sockets.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`domain_ignore_get_all_domains_tcp_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:tcp_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
+attribute domain;
+class tcp_socket getattr;
+')
+
+########################################
+## <interface name="domain_ignore_get_all_domains_unix_dgram_socket_attributes">
+##	<description>
+##		Do not audit attempts to get the attributes
+##		of all domains unix datagram sockets.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:unix_dgram_socket getattr;
+')
+
+define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
+attribute domain;
+class unix_dgram_socket getattr;
+')
+
+########################################
+## <interface name="domain_ignore_get_all_domains_pipe_attributes">
+##	<description>
+##		Do not audit attempts to get the attributes
+##		of all domains unnamed pipes.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="none"/>
+## </interface>
+#
+define(`domain_ignore_get_all_domains_pipe_attributes',`
+requires_block_template(`$0'_depend)
+dontaudit $1 domain:fifo_file getattr;
+')
+
+define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
+attribute domain;
+class fifo_file getattr;
+')
+
 ########################################
 #
 # domain_execute_all_entrypoint_programs(domain)
 #
 define(`domain_execute_all_entrypoint_programs',`
 requires_block_template(`$0'_depend)
-allow $1 entry_type:file { getattr read execute execute_no_trans };
+allow $1 entry_type:file { getattr read ioctl execute execute_no_trans };
 ')
 
 define(`domain_execute_all_entrypoint_programs_depend',`
 attribute entry_type;
-class file { getattr read execute execute_no_trans };
+class file { getattr read ioctl execute execute_no_trans };
 ')
 
 ########################################

refpolicy/policy/modules/system/hostname.te

@@ -50,12 +50,29 @@ logging_send_system_log_message(hostname_t)
 
 miscfiles_read_localization(hostname_t)
 
+userdomain_use_all_users_file_descriptors(hostname_t)
+
+tunable_policy(`distro_redhat', `
+filesystem_use_tmpfs_character_devices(hostname_t)
+')
+
 tunable_policy(`targeted_policy', `
 terminal_ignore_use_general_physical_terminal(hostname_t)
 terminal_ignore_use_general_pseudoterminal(hostname_t)
 files_ignore_read_rootfs_file(hostname_t)
 ')dnl end targeted_policy tunable
 
+tunable_policy(`use_dns',`
+allow hostname_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
+corenetwork_network_udp_on_all_interfaces(hostname_t)
+corenetwork_network_raw_on_all_interfaces(hostname_t)
+corenetwork_network_udp_on_all_nodes(hostname_t)
+corenetwork_network_raw_on_all_nodes(hostname_t)
+corenetwork_bind_udp_on_all_nodes(hostname_t)
+corenetwork_network_udp_on_dns_port(hostname_t)
+sysnetwork_read_network_config(hostname_t)
+')
+
 optional_policy(`hotplug.te',`
 hotplug_ignore_use_file_descriptors(hostname_t)
 ')
@@ -81,24 +98,10 @@ allow hostname_t rhgb_t:fd use;
 allow hostname_t rhgb_t:fifo_file { read write };
 ')
 
-dontaudit hostname_t unpriv_userdomain:fd use;
 allow hostname_t autofs_t:dir { search getattr };
 ##end daemon_base_domain
 
-##can_resolve(hostname_t)
-ifdef(`use_dns',`
-base_can_network(hostname_t, udp, `dns_port_t')
-allow hostname_t self:udp_socket { connect };
-')
-##end can_resolve
-
-allow hostname_t userdomain:fd use;
-
 # for when /usr is not mounted
 dontaudit hostname_t file_t:dir search;
 
-tunable_policy(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file { ioctl read getattr lock write append };
-')
-
 ') dnl end TODO

refpolicy/policy/modules/system/hotplug.te

@@ -38,7 +38,8 @@ allow hotplug_t hotplug_etc_t:file { read getattr lock ioctl };
 allow hotplug_t hotplug_etc_t:dir { read getattr lock search ioctl };
 allow hotplug_t hotplug_etc_t:lnk_file { getattr read };
 
-allow hotplug_t { hotplug_exec_t hotplug_etc_t }:file { getattr read execute execute_no_trans };
+allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_trans };
+allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
 
 allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
 files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t)

refpolicy/policy/modules/system/init.if

@@ -37,13 +37,18 @@ allow initrc_t $2:file { getattr read execute };
 dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 type_transition initrc_t $2:process $1;
 allow $1 initrc_t:fd use;
+# backchannels:
+allow $1 initrc_t:process sigchld;
+# cjp: probably for logging
+allow $1 initrc_t:fifo_file { getattr write };
 ')
 
 define(`init_make_daemon_domain_depend',`
 type initrc_t;
 class file { getattr read execute };
+class fifo_file { getattr write };
 class fd use;
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
 role system_r;
 ')
 
@@ -61,16 +66,17 @@ allow initrc_t $2:file { getattr read execute };
 dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
 type_transition initrc_t $2:process $1;
 allow $1 initrc_t:fd use;
+# backchannels:
 allow $1 initrc_t:process sigchld;
 # cjp: probably for logging
-allow $1 initrc_t:fifo_file write;
+allow $1 initrc_t:fifo_file { getattr write };
 ')
 
 define(`init_make_system_domain_depend',`
 type initrc_t;
 class file { getattr read execute };
 class fd use;
-class fifo_file write;
+class fifo_file { getattr write };
 class process { transition noatsecure siginh rlimitinh sigchld };
 role system_r;
 ')

refpolicy/policy/modules/system/init.te

@@ -64,7 +64,7 @@ files_make_temporary_file(initrc_tmp_t)
 allow init_t self:fifo_file { read write ioctl };
 
 # Re-exec itself
-allow init_t init_exec_t:file { getattr read execute execute_no_trans };
+allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
 
 # For /var/run/shutdown.pid.
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
@@ -107,7 +107,10 @@ domain_sigstop_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
 
+files_read_general_system_config(init_t)
 files_modify_system_runtime_data(init_t)
+# Run /etc/X11/prefdm:
+files_execute_system_config_script(init_t)
 # file descriptors inherited from the rootfs:
 files_ignore_modify_rootfs_file(init_t)
 files_ignore_modify_rootfs_device(init_t)
@@ -123,6 +126,7 @@ miscfiles_read_localization(init_t)
 
 tunable_policy(`distro_redhat',`
 filesystem_use_tmpfs_character_devices(init_t)
+filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
 
 # Run the shell in the sysadm_t domain for single-user mode.
@@ -170,19 +174,19 @@ allow initrc_t self:passwd rootok;
 # Allow IPC with self
 allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
 allow initrc_t self:fifo_file { getattr read write ioctl };
-
 allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
 
 allow initrc_t init_t:fd use;
 
+allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
+
 allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
 allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
 
-allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
-allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
-
 allow initrc_t initrc_var_run_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
 
@@ -249,15 +253,29 @@ terminal_reset_physical_terminal_labels(initrc_t)
 
 authlogin_modify_login_records(initrc_t)
 authlogin_modify_last_login_log(initrc_t)
+authlogin_pam_read_runtime_data(initrc_t)
+authlogin_pam_remove_runtime_data(initrc_t)
+authlogin_pam_console_read_runtime_data_dir(initrc_t)
 
 corecommands_execute_general_programs(initrc_t)
 corecommands_execute_system_programs(initrc_t)
 corecommands_execute_shell(initrc_t)
+corecommands_execute_ls(initrc_t)
 
 domain_kill_all_domains(initrc_t)
+domain_signal_all_domains(initrc_t)
+domain_signull_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
+domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_process_state(initrc_t)
 domain_get_all_domains_session_id(initrc_t)
 domain_use_widely_inheritable_file_descriptors(initrc_t)
+# for lsof which is used by alsa shutdown:
+domain_ignore_get_all_domains_udp_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t)
+domain_ignore_get_all_domains_pipe_attributes(initrc_t)
 
 files_get_all_file_attributes(initrc_t)
 files_remove_all_tmp_data(initrc_t)
@@ -297,7 +315,7 @@ userdomain_read_all_users_data(initrc_t)
 userdomain_use_admin_terminals(initrc_t)
 
 tunable_policy(`distro_debian', `
-filesystem_tmpfs_associate(initrc_var_run_t)
+filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
 ')
 
 tunable_policy(`distro_redhat',`
@@ -308,18 +326,23 @@ kernel_set_selinux_enforcement_mode(initrc_t)
 bootloader_create_runtime_data(initrc_t)
 bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
 
+# These seem to be from the initrd:
+kernel_use_file_descriptors(initrc_t)
+# during device initialization:
+devices_legacy_use_dev_zero(initrc_t)
+devices_legacy_raw_read_memory(initrc_t)
+devices_legacy_raw_write_memory(initrc_t)
+storage_raw_read_fixed_disk(initrc_t)
+storage_raw_write_fixed_disk(initrc_t)
+
 filesystem_use_tmpfs_character_devices(initrc_t)
 
 files_create_boot_flag(initrc_t)
 
 # readahead asks for these
 mta_read_mail_aliases(initrc_t)
-') dnl end distro_redhat
 
-optional_policy(`authlogin.te',`
+') dnl end distro_redhat
-authlogin_pam_read_runtime_data(initrc_t)
-authlogin_pam_remove_runtime_data(initrc_t)
-')
 
 optional_policy(`hotplug.te',`
 kernel_read_usb_hardware_state(initrc_t)
@@ -328,6 +351,12 @@ hotplug_read_config(initrc_t)
 modutils_read_kernel_module_dependencies(initrc_t)
 ')
 
+optional_policy(`lvm.te',`
+#allow initrc_t lvm_control_t:chr_file unlink;
+devices_read_lvm_control_channel(initrc_t)
+devices_add_generic_character_device(initrc_t)
+')
+
 optional_policy(`rhgb.te',`
 corecommands_make_shell_entrypoint(initrc_t)
 ')
@@ -345,8 +374,6 @@ kernel_ignore_get_unlabeled_block_device_attributes(initrc_t)
 
 ifdef(`TODO',`
 
-allow initrc_t pam_var_console_t:dir r_dir_perms;
-
 # Mount and unmount file systems.
 allow initrc_t { file_t default_t }:dir { read search getattr mounton };
 
@@ -373,7 +400,6 @@ allow initrc_t { etc_t device_t }:dir setattr;
 
 # for storing state under /dev/shm
 allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
 file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 ')dnl end distro_debian
 
@@ -382,13 +408,16 @@ tunable_policy(`distro_redhat', `
 allow initrc_t var_lib_nfs_t:file { getattr read };
 ')dnl end distro_redhat
 
+tunable_policy(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+') dnl endif targeted policy
+
 #
 # Shutting down xinet causes these
 #
 # Rsync
 dontaudit initrc_t mail_spool_t:lnk_file read;
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-
 ') dnl end TODO

refpolicy/policy/modules/system/libraries.if

@@ -57,11 +57,20 @@ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
-#
+## <interface name="libraries_use_dynamic_loader">
-# libraries_use_dynamic_loader(domain)
+##	<description>
+##		Use the dynamic link/loader for automatic loading
+##		of shared libraries.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`libraries_use_dynamic_loader',`
 requires_block_template(`$0'_depend)
+files_read_general_system_config_directory($1)
 allow $1 lib_t:dir { getattr search read };
 allow $1 lib_t:lnk_file { getattr read };
 allow $1 ld_so_t:lnk_file { getattr read };
@@ -77,25 +86,44 @@ class file { getattr read execute };
 ')
 
 ########################################
-#
+## <interface name="libraries_legacy_use_dynamic_loader">
-# libraries_legacy_use_dynamic_loader(domain)
+##	<description>
+##		Use the dynamic link/loader for automatic loading
+##		of shared libraries with legacy support.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`libraries_legacy_use_dynamic_loader',`
 requires_block_template(`$0'_depend)
-libraries_use_dynamic_loader($1,optional)
+libraries_use_dynamic_loader($1)
 allow $1 ld_so_t:file execmod;
 allow $1 ld_so_cache_t:file execute;
 ')
 
 define(`libraries_legacy_use_dynamic_loader_depend',`
-libraries_use_dynamic_loader_depend
 type ld_so_t, ld_so_cache_t;
 class file { execute execmod };
 ')
 
 ########################################
-#
+## <interface name="libraries_execute_dynamic_loader">
-# libraries_execute_dynamic_loader(domain)
+##	<description>
+##		Execute the dynamic link/loader in the caller's
+##		domain.  This is commonly needed for the
+##		/usr/bin/ldd program.  Note: this can be used
+##		to execute any binary that the caller can
+##		read, even if the caller does not have execute
+##		permissions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`libraries_execute_dynamic_loader',`
 requires_block_template(`$0'_depend)
@@ -113,11 +141,20 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
+## <interface name="libraries_modify_dynamic_loader_cache">
-# libraries_modify_dynamic_loader_cache(domain)
+##	<description>
+##		Modify the dynamic link/loader's cached listing
+##		of shared libraries.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
 define(`libraries_modify_dynamic_loader_cache',`
 requires_block_template(`$0'_depend)
+files_read_general_system_config_directory($1)
 allow $1 ld_so_cache_t:file { getattr read write };
 ')
 
@@ -127,8 +164,65 @@ class file { getattr read write };
 ')
 
 ########################################
+## <interface name="libraries_read_library_resources">
+##	<description>
+##		Read files in the library directories, such
+##		as static libraries.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
-# libraries_use_shared_libraries(domain)
+define(`libraries_read_library_resources',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:{ file lnk_file } { getattr read };
+')
+
+define(`libraries_read_library_resources_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+## <interface name="libraries_execute_library_scripts">
+##	<description>
+##		Execute library scripts in the caller domain.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
+#
+define(`libraries_execute_library_scripts',`
+requires_block_template(`$0'_depend)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 lib_t:file { getattr read execute execute_no_trans };
+')
+
+define(`libraries_execute_library_scripts_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+## <interface name="libraries_use_shared_libraries">
+##	<description>
+##		Load and execute functions from shared libraries.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`libraries_use_shared_libraries',`
 requires_block_template(`$0'_depend)
@@ -147,8 +241,16 @@ class file { getattr read execute };
 ')
 
 ########################################
-#
+## <interface name="libraries_legacy_use_shared_libraries">
-# libraries_legacy_use_shared_libraries(domain)
+##	<description>
+##		Load and execute functions from shared libraries,
+##		with legacy support.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="read" weight="10"/>
+## </interface>
 #
 define(`libraries_legacy_use_shared_libraries',`
 requires_block_template(`$0'_depend)
@@ -161,39 +263,4 @@ type shlib_t, texrel_shlib_t;
 class file execmod;
 ')
 
-########################################
-#
-# libraries_read_library_resources(domain)
-#
-define(`libraries_read_library_resources',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:{ file lnk_file } { getattr read };
-')
-
-define(`libraries_read_library_resources_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read };
-')
-
-########################################
-#
-# libraries_execute_library_scripts(domain)
-#
-define(`libraries_execute_library_scripts',`
-requires_block_template(`$0'_depend)
-allow $1 lib_t:dir { getattr read search };
-allow $1 lib_t:lnk_file { getattr read };
-allow $1 lib_t:file { getattr read execute execute_no_trans };
-')
-
-define(`libraries_execute_library_scripts_depend',`
-type lib_t;
-class dir { getattr read search };
-class lnk_file { getattr read };
-class file { getattr read execute execute_no_trans };
-')
-
 ## </module>

refpolicy/policy/modules/system/lvm.te

@@ -85,6 +85,7 @@ kernel_read_kernel_sysctl(lvm_t)
 # it has no reason to need this
 kernel_ignore_get_core_interface_attributes(lvm_t)
 
+devices_add_generic_character_device(lvm_t)
 devices_get_random_data(lvm_t)
 devices_get_pseudorandom_data(lvm_t)
 devices_use_lvm_control_channel(lvm_t)
@@ -95,11 +96,21 @@ devices_ignore_get_all_character_device_attributes(lvm_t)
 devices_ignore_get_all_block_device_attributes(lvm_t)
 devices_ignore_get_generic_character_device_attributes(lvm_t)
 devices_ignore_get_generic_block_device_attributes(lvm_t)
+devices_ignore_get_generic_pipe_attributes(lvm_t)
 terminal_ignore_get_all_private_physical_terminal_attributes(lvm_t)
 
 filesystem_get_persistent_filesystem_attributes(lvm_t)
 
+# LVM creates block devices in /dev/mapper or /dev/<vg>
+# depending on its version
+# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
+# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
+storage_create_fixed_disk_dev_entry(lvm_t)
+# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
+storage_manage_fixed_disk(lvm_t)
+
 corecommands_search_system_programs_directory(lvm_t)
+corecommands_ignore_get_system_programs_attributes(lvm_t)
 
 domain_use_widely_inheritable_file_descriptors(lvm_t)
 
@@ -140,24 +151,12 @@ ifdef(`TODO',`
 
 allow lvm_t autofs_t:dir { search getattr };
 
-# LVM creates block devices in /dev/mapper or /dev/<vg>
-# depending on its version
-# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
-# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
 allow lvm_t device_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
-type_transition lvm_t device_t:blk_file fixed_disk_device_t;
-
-# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
-allow lvm_t fixed_disk_device_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
 
 allow lvm_t default_context_t:dir search;
 allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
 allow lvm_t device_t:lnk_file { relabelfrom relabelto };
 
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_t:fifo_file getattr;
-
-dontaudit lvm_t sbin_t:file getattr;
 dontaudit lvm_t var_run_t:dir getattr;
 
 # for when /usr is not mounted

refpolicy/policy/modules/system/modutils.if

@@ -15,7 +15,7 @@
 #
 define(`modutils_read_kernel_module_dependencies',`
 requires_block_template(`$0'_depend)
-bootloader_list_kernel_modules($1,optional)
+bootloader_list_kernel_modules($1)
 allow $1 modules_dep_t:file { getattr read };
 ')
 
@@ -23,7 +23,6 @@ define(`modutils_read_kernel_module_dependencies_depend',`
 type modules_dep_t;
 class file { getattr create read write setattr unlink };
 class dir { search read write add_name remove_name };
-bootloader_list_kernel_modules_depend
 ')
 
 ########################################
@@ -51,7 +50,8 @@ class file { getattr create read write setattr unlink };
 ########################################
 ## <interface name="modutils_insmod_transition">
 ##	<description>
-##		Execute insmod in the insmod domain.
+##		Execute insmod in the insmod domain.  Has a
+##		sigchld backchannel.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.
@@ -65,12 +65,14 @@ allow $1 insmod_exec_t:file { getattr read execute };
 allow $1 insmod_t:process transition;
 type_transition $1 insmod_exec_t:process insmod_t;
 dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+# backchannel:
+allow insmod_t $1:process sigchld;
 ')
 
 define(`modutils_insmod_transition_depend',`
 type insmod_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
 ')
 
 ########################################
@@ -78,7 +80,8 @@ class process { transition noatsecure siginh rlimitinh };
 ##	<description>
 ##		Execute insmod in the insmod domain, and
 ##		allow the specified role the insmod domain,
-##		and use the caller's terminal.
+##		and use the caller's terminal.  Has a sigchld
+##		backchannel.
 ##	</description>
 ##	<parameter name="domain">
 ##		The type of the process performing this action.

refpolicy/policy/modules/system/modutils.te

@@ -52,6 +52,8 @@ allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
+kernel_search_hardware_state_dir(insmod_t)
+kernel_search_usb_hardware_state_dir(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_modify_kernel_sysctl(insmod_t)
@@ -67,6 +69,13 @@ devices_direct_agp_access(insmod_t)
 
 filesystem_get_persistent_filesystem_attributes(insmod_t)
 
+corecommands_execute_general_programs(insmod_t)
+corecommands_execute_system_programs(insmod_t)
+corecommands_execute_shell(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+domain_use_widely_inheritable_file_descriptors(insmod_t)
+
 files_read_runtime_system_config(insmod_t)
 files_read_general_system_config(insmod_t)
 files_read_general_application_resources(insmod_t)
@@ -79,28 +88,20 @@ init_use_file_descriptors(insmod_t)
 init_script_use_file_descriptors(insmod_t)
 init_script_use_pseudoterminal(insmod_t)
 
-domain_signal_all_domains(insmod_t)
-domain_use_widely_inheritable_file_descriptors(insmod_t)
-
 libraries_use_dynamic_loader(insmod_t)
 libraries_use_shared_libraries(insmod_t)
 
-corecommands_execute_general_programs(insmod_t)
+logging_send_system_log_message(insmod_t)
-corecommands_execute_system_programs(insmod_t)
+logging_search_system_log_directory(insmod_t)
-corecommands_execute_shell(insmod_t)
 
 miscfiles_read_localization(insmod_t)
 
-logging_send_system_log_message(insmod_t)
-
 optional_policy(`mount.te',`
 mount_transition(insmod_t)
 ')
 
 ifdef(`TODO',`
 
-allow insmod_t { var_t var_log_t }:dir search;
-
 allow insmod_t apm_bios_t:chr_file { read write };
 
 allow insmod_t sound_device_t:chr_file { read ioctl write };
@@ -109,8 +110,8 @@ ifdef(`xserver.te', `
 allow insmod_t xserver_log_t:file getattr;
 ')
 
-allow insmod_t sysfs_t:dir search;
+# why is this needed?  insmod cannot mounton any dir
-allow insmod_t usbfs_t:dir search;
+# and it also transitions to mount
 allow insmod_t usbfs_t:filesystem mount;
 
 # for when /var is not mounted early in the boot

refpolicy/policy/modules/system/selinux.te

@@ -350,10 +350,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`
+tunable_policy(`targeted_policy',`',`
-# targeted/unconfined stuff
-',`
-
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 
@@ -398,13 +395,6 @@ logging_send_system_log_message(run_init_t)
 
 ifdef(`TODO',`
 
-tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
-
 tunable_policy(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -350,10 +350,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`
+tunable_policy(`targeted_policy',`',`
-# targeted/unconfined stuff
-',`
-
 allow run_init_t self:process setexec;
 allow run_init_t self:capability setuid;
 
@@ -398,13 +395,6 @@ logging_send_system_log_message(run_init_t)
 
 ifdef(`TODO',`
 
-tunable_policy(`targeted_policy', `
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-') dnl endif targeted policy
-
 tunable_policy(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -268,6 +268,7 @@ init_script_use_pseudoterminal(ifconfig_t)
 
 libraries_use_dynamic_loader(ifconfig_t)
 libraries_use_shared_libraries(ifconfig_t)
+libraries_read_library_resources(ifconfig_t)
 
 logging_send_system_log_message(ifconfig_t)
 
@@ -294,8 +295,6 @@ allow ifconfig_t tun_tap_device_t:chr_file { read write };
 # see the denials.
 dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
 
-allow ifconfig_t lib_t:file { getattr read };
-
 optional_policy(`rhgb.te', `
 allow ifconfig_t rhgb_t:process sigchld;
 allow ifconfig_t rhgb_t:fd use;

refpolicy/policy/modules/system/udev.if

@@ -10,12 +10,15 @@ allow $1 udev_exec_t:file { getattr read execute };
 allow $1 udev_t:process transition;
 type_transition $1 udev_exec_t:process udev_t;
 dontaudit $1 udev_t:process { noatsecure siginh rlimitinh };
+# backchannels:
+allow udev_t $1:fd use;
+allow udev_t $1:process sigchld;
 ')
 
 define(`udev_transition_depend',`
 type udev_t, udev_exec_t;
 class file { getattr read execute };
-class process { transition noatsecure siginh rlimitinh };
+class process { transition noatsecure siginh rlimitinh sigchld };
 ')
 
 ########################################

refpolicy/policy/modules/system/udev.te

@@ -49,6 +49,8 @@ allow udev_t self:msgq { associate getattr setattr create destroy read write enq
 allow udev_t self:msg { send receive };
 allow udev_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 
+allow udev_t udev_exec_t:file { getattr read write ioctl execute execute_no_trans };
+
 allow udev_t udev_helper_exec_t:dir { read getattr lock search ioctl };
 
 # read udev config
@@ -80,12 +82,6 @@ devices_manage_device_nodes(udev_t)
 
 filesystem_get_all_filesystems_attributes(udev_t)
 
-init_script_read_runtime_data(udev_t)
-init_script_ignore_write_runtime_data(udev_t)
-
-files_read_runtime_system_config(udev_t)
-files_read_general_system_config(udev_t)
-
 corecommands_execute_general_programs(udev_t)
 corecommands_execute_system_programs(udev_t)
 corecommands_execute_shell(udev_t)
@@ -93,19 +89,28 @@ corecommands_execute_shell(udev_t)
 domain_execute_all_entrypoint_programs(udev_t)
 domain_ignore_read_all_domains_process_dirs(udev_t)
 
-# Security
+files_read_runtime_system_config(udev_t)
-selinux_read_config(udev_t)
+files_read_general_system_config(udev_t)
-selinux_read_default_contexts(udev_t)
+files_execute_system_config_script(udev_t)
-selinux_read_file_contexts(udev_t)
-selinux_restorecon_transition(udev_t)
 
-modutils_insmod_transition(udev_t)
+init_use_file_descriptors(udev_t)
+init_script_read_runtime_data(udev_t)
+init_script_ignore_write_runtime_data(udev_t)
 
 libraries_use_dynamic_loader(udev_t)
 libraries_use_shared_libraries(udev_t)
 
 logging_send_system_log_message(udev_t)
 
+miscfiles_read_localization(udev_t)
+
+modutils_insmod_transition(udev_t)
+
+selinux_read_config(udev_t)
+selinux_read_default_contexts(udev_t)
+selinux_read_file_contexts(udev_t)
+selinux_restorecon_transition(udev_t)
+
 sysnetwork_ifconfig_transition(udev_t)
 
 tunable_policy(`distro_redhat',`
@@ -141,7 +146,6 @@ allow udev_t var_lock_t:file getattr;
 allow udev_t mnt_t:dir search;
 
 allow udev_t devpts_t:dir { getattr search };
-
 allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # Dontaudits