more work on current modules

refpolicy/policy/modules/admin/consoletype.te

@@ -51,6 +51,10 @@ files_dontaudit_read_root_file(consoletype_t)
 libs_use_ld_so(consoletype_t)
 libs_use_shared_libs(consoletype_t)
 
+userdom_use_sysadm_terms(consoletype_t)
+userdom_use_sysadm_fd(consoletype_t)
+userdom_rw_sysadm_pipe(consoletype_t)
+
 ifdef(`distro_redhat', `
 	fs_use_tmpfs_chr_dev(consoletype_t)
 ')
@@ -59,6 +63,10 @@ optional_policy(`authlogin.te', `
 	auth_read_pam_pid(consoletype_t)
 ')
 
+optional_policy(`cron.te',`
+	cron_read_pipe(consoletype_t)
+')
+
 optional_policy(`logrotate.te',`
 	logrotate_dontaudit_use_fd(consoletype_t)
 ')
@@ -77,21 +85,19 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
-
-allow consoletype_t sysadm_t:fd use;
-allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
 allow consoletype_t nfs_t:file write;
 
-allow consoletype_t crond_t:fifo_file r_file_perms;
 allow consoletype_t system_crond_t:fd use;
 
 optional_policy(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
 allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
 
+# is goes to xserver module
+optional_policy(`consoletype.te',`
+	consoletype_domtrans(xdm_t)
+')
+
 optional_policy(`lpd.te', `
 allow consoletype_t printconf_t:file r_file_perms;
 ')

refpolicy/policy/modules/admin/logrotate.te

@@ -150,8 +150,6 @@ allow squid_t self:capability kill;
 # for /var/lib/logrotate.status and /var/lib/logcheck
 file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
 
-allow crond_t logrotate_var_lib_t:dir search;
-
 # for /var/backups on Debian
 ifdef(`backup.te', `
 rw_dir_create_file(logrotate_t, backup_store_t)

refpolicy/policy/modules/admin/netutils.te

@@ -135,13 +135,17 @@ optional_policy(`sysnetwork.te',`
 	')
 ')
 
+
+
 ifdef(`TODO',`
 in_user_role(ping_t)
 tunable_policy(`user_ping',`
 	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
 	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
 ')
-
+ifdef(`cardmgr.te',`
+	allow ping_t cardmgr_t:fd use;
+')
 ') dnl end TODO
 
 ########################################

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -1,6 +1,11 @@
 
 policy_module(corenetwork,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute netif_type;
 attribute node_type;
 attribute port_type;

refpolicy/policy/modules/kernel/devices.if

@@ -646,6 +646,80 @@ interface(`dev_manage_all_chr_files',`
 	typeattribute $1 memory_raw_read, memory_raw_write;
 ')
 
+########################################
+## <summary>
+##	Get the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_apm_bios',`
+	gen_require(`
+		type device_t, apm_bios_t;
+		class dir r_dir_perms;
+		class chr_file getattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the apm bios device node.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_getattr_apm_bios',`
+	gen_require(`
+		type apm_bios_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 apm_bios_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the apm bios device node.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_setattr_apm_bios',`
+	gen_require(`
+		type device_t, apm_bios_t;
+		class dir r_dir_perms;
+		class chr_file setattr;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 apm_bios_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the apm bios device node.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_setattr_apm_bios',`
+	gen_require(`
+		type apm_bios_t;
+		class chr_file setattr;
+	')
+
+	dontaudit $1 apm_bios_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the apm bios.
@@ -1163,7 +1237,7 @@ interface(`dev_write_mtrr',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the framebuffer device.
+##	Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -1171,7 +1245,7 @@ interface(`dev_write_mtrr',`
 #
 interface(`dev_getattr_framebuffer',`
 	gen_require(`
-		type framebuf_device_t;
+		type device_t, framebuf_device_t;
 		class dir r_dir_perms;
 		class chr_file getattr;
 	')
@@ -1182,7 +1256,7 @@ interface(`dev_getattr_framebuffer',`
 
 ########################################
 ## <summary>
-##	Set the attributes of the framebuffer device.
+##	Set the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -1190,9 +1264,9 @@ interface(`dev_getattr_framebuffer',`
 #
 interface(`dev_setattr_framebuffer',`
 	gen_require(`
-		type framebuf_device_t;
+		type device_t, framebuf_device_t;
 		class dir r_dir_perms;
-		class chr_file getattr;
+		class chr_file setattr;
 	')
 
 	allow $1 device_t:dir r_dir_perms;
@@ -1201,7 +1275,25 @@ interface(`dev_setattr_framebuffer',`
 
 ########################################
 ## <summary>
-##	Read the framebuffer device.
+##	Dot not audit attempts to set the attributes
+##	of the framebuffer device node.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_setattr_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+		class chr_file setattr;
+	')
+
+	dontaudit $1 framebuf_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read the framebuffer.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -1220,7 +1312,24 @@ interface(`dev_read_framebuffer',`
 
 ########################################
 ## <summary>
-##	Write the framebuffer device.
+##	Do not audit attempts to read the framebuffer.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_read_framebuffer',`
+	gen_require(`
+		type framebuf_device_t;
+		class chr_file r_file_perms;
+	')
+
+	dontaudit $1 framebuf_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+##	Write the framebuffer.
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -1763,6 +1872,23 @@ interface(`dev_rw_sysfs',`
 	allow $1 sysfs_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Mount a usbfs filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`dev_mount_usbfs',`
+	gen_require(`
+		type usbfs_t;
+		class filesystem mount;
+	')
+
+	allow $1 usbfs_t:filesystem mount;
+')
+
 ########################################
 ## <summary>
 ##	Search the directory containing USB hardware information.
@@ -1848,7 +1974,7 @@ interface(`dev_rw_usbfs',`
 ##	Get the attributes of video4linux devices.
 ## </summary>
 ## <param name="domain">
-##	The process type modifying the options.
+##	Domain allowed access.
 ## </param>
 #
 interface(`dev_getattr_video_dev',`
@@ -1864,10 +1990,28 @@ interface(`dev_getattr_video_dev',`
 
 ########################################
 ## <summary>
-##	Set the attributes of video4linux devices.
+##	Do not audit attempts to get the attributes
+##	of video4linux device nodes.
 ## </summary>
 ## <param name="domain">
-##	The process type modifying the options.
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_getattr_video_dev',`
+	gen_require(`
+		type v4l_device_t;
+		class chr_file getattr;
+	')
+
+	dontaudit $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of video4linux device nodes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
 ## </param>
 #
 interface(`dev_setattr_video_dev',`
@@ -1881,3 +2025,20 @@ interface(`dev_setattr_video_dev',`
 	allow $1 v4l_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes
+##	of video4linux device nodes.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`dev_dontaudit_setattr_video_dev',`
+	gen_require(`
+		type v4l_device_t;
+		class chr_file setattr;
+	')
+
+	dontaudit $1 v4l_device_t:chr_file setattr;
+')

refpolicy/policy/modules/kernel/devices.te

@@ -1,6 +1,11 @@
 
 policy_module(devices,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
@@ -19,7 +24,7 @@ fs_associate_tmpfs(device_t)
 # a device node has no specific type yet, but is for some
 # reason labeled with a specific type
 #cjp: want this, but udev policy breaks this
-#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
 
 #
 # Type for /dev/agpgart

refpolicy/policy/modules/kernel/filesystem.te

@@ -1,10 +1,15 @@
 
 policy_module(filesystem,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute filesystem_type;
 attribute noxattrfs;
 
-########################################
+##############################
 #
 # fs_t is the default type for persistent
 # filesystems with extended attributes
@@ -27,7 +32,7 @@ fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
 fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
 fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
 
-########################################
+##############################
 #
 # Non-persistent/pseudo filesystems
 #
@@ -75,7 +80,7 @@ fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
 allow tmpfs_t self:filesystem associate;
 allow tmpfs_t noxattrfs:filesystem associate;
 
-########################################
+##############################
 #
 # Filesystems without extended attribute support
 #

refpolicy/policy/modules/kernel/storage.te

@@ -1,6 +1,11 @@
 
 policy_module(storage,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute fixed_disk_raw_read;
 attribute fixed_disk_raw_write;
 attribute scsi_generic_read;

refpolicy/policy/modules/kernel/terminal.te

@@ -1,6 +1,10 @@
 
 policy_module(terminal,1.0)
 
+########################################
+#
+# Declarations
+#
 attribute ttynode;
 attribute ptynode;
 attribute server_ptynode;

refpolicy/policy/modules/services/cron.if

@@ -302,6 +302,24 @@ interface(`cron_system_entry',`
 	allow $1 crond_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Read a cron daemon unnamed pipe
+## </summary>
+## <param name="domain">
+##	The type of the process to performing this action.
+## </param>
+#
+interface(`cron_read_pipe',`
+	gen_require(`
+		type crond_t;
+		class file r_file_perms;
+	')
+
+	allow $1 crond_t:file r_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Read and write the cron daemon log files.

refpolicy/policy/modules/system/authlogin.te

@@ -142,6 +142,8 @@ kernel_read_system_state(pam_console_t)
 kernel_use_fd(pam_console_t)
 
 dev_read_sysfs(pam_console_t)
+dev_getattr_apm_bios(pam_console_t)
+dev_setattr_apm_bios(pam_console_t)
 dev_getattr_framebuffer(pam_console_t)
 dev_setattr_framebuffer(pam_console_t)
 dev_getattr_misc(pam_console_t)
@@ -216,8 +218,6 @@ optional_policy(`rhgb.te', `
 	rhgb_domain(pam_console_t)
 ')
 
-allow pam_console_t apm_bios_t:chr_file { getattr setattr };
-
 ifdef(`gpm.te', `
 	allow pam_console_t gpmctl_t:sock_file { getattr setattr };
 ')

refpolicy/policy/modules/system/corecommands.te

@@ -1,6 +1,11 @@
 
 policy_module(corecommands,1.0)
 
+########################################
+#
+# Declarations
+#
+
 #
 # bin_t is the type of files in the system bin directories.
 #

refpolicy/policy/modules/system/domain.te

@@ -1,6 +1,11 @@
 
 policy_module(domain,1.0)
 
+########################################
+#
+# Declarations
+#
+
 # Mark process types as domains
 attribute domain;
 

refpolicy/policy/modules/system/files.if

@@ -745,6 +745,23 @@ interface(`files_manage_isid_type_chr_node',`
 	allow $1 file_t:chr_file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Search home directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_home',`
+	gen_require(`
+		type home_root_t;
+		class dir search;
+	')
+
+	allow $1 home_root_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Get listing of home directories.

refpolicy/policy/modules/system/files.te

@@ -1,6 +1,11 @@
 
 policy_module(files,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute file_type;
 attribute lockfile;
 attribute mountpoint;

refpolicy/policy/modules/system/fstools.te

@@ -5,6 +5,7 @@ policy_module(fstools,1.0)
 #
 # Declarations
 #
+
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
@@ -17,6 +18,9 @@ type swapfile_t;
 files_type(swapfile_t)
 
 ########################################
+#
+# local policy
+#
 
 # ipc_lock is for losetup
 allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };

refpolicy/policy/modules/system/init.te

@@ -291,7 +291,7 @@ sysnet_read_config(initrc_t)
 
 udev_rw_db(initrc_t)
 
-userdom_read_all_user_data(initrc_t)
+userdom_read_all_user_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the 
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.

refpolicy/policy/modules/system/locallogin.if

@@ -1,12 +1,12 @@
 ## <summary>Policy for local logins.</summary>
 
 ########################################
-##     <desc>
+## <summary>
-##             Execute local logins in the locallogin domain.
+##	Execute local logins in the local login domain.
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             The type of the process performing this action.
+##	The type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`locallogin_domtrans',`
 	gen_require(`
@@ -17,12 +17,12 @@ interface(`locallogin_domtrans',`
 ')
 
 ########################################
-##     <desc>
+## <summary>
-##             Allow processes to inherit local login file descriptors
+##	Allow processes to inherit local login file descriptors
-##     </desc>
+## </summary>
-##     <param name="domain">
+## <param name="domain">
-##             The type of the process performing this action.
+##	The type of the process performing this action.
-##     </param>
+## </param>
 #
 interface(`locallogin_use_fd',`
 	gen_require(`
@@ -33,3 +33,19 @@ interface(`locallogin_use_fd',`
 	allow $1 local_login_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Send a null signal to local login processes.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`locallogin_signull',`
+	gen_require(`
+		type local_login_t;
+		class process signull;
+	')
+
+	allow $1 local_login_t:process signull;
+')

refpolicy/policy/modules/system/locallogin.te

@@ -56,10 +56,14 @@ kernel_read_kernel_sysctl(local_login_t)
 
 dev_setattr_mouse(local_login_t)
 dev_getattr_mouse(local_login_t)
-dev_getattr_snd_dev(local_login_t)
-dev_setattr_snd_dev(local_login_t)
 dev_getattr_power_management(local_login_t)
 dev_setattr_power_management(local_login_t)
+dev_getattr_snd_dev(local_login_t)
+dev_setattr_snd_dev(local_login_t)
+dev_dontaudit_getattr_apm_bios(local_login_t)
+dev_dontaudit_setattr_apm_bios(local_login_t)
+dev_dontaudit_read_framebuffer(local_login_t)
+dev_dontaudit_setattr_framebuffer(local_login_t)
 dev_dontaudit_getattr_generic_blk_file(local_login_t)
 dev_dontaudit_setattr_generic_blk_file(local_login_t)
 dev_dontaudit_getattr_generic_chr_file(local_login_t)
@@ -69,6 +73,8 @@ dev_dontaudit_setattr_misc(local_login_t)
 dev_dontaudit_getattr_scanner(local_login_t)
 dev_dontaudit_setattr_scanner(local_login_t)
 dev_dontaudit_search_sysfs(local_login_t)
+dev_dontaudit_getattr_video_dev(local_login_t)
+dev_dontaudit_setattr_video_dev(local_login_t)
 # for SSP/ProPolice
 dev_read_urand(local_login_t)
 
@@ -175,16 +181,12 @@ allow local_login_t readable_t:notdevfile_class_set r_file_perms;
 # for when /var/mail is a sym-link
 allow local_login_t var_t:lnk_file read;
 
-# Do not audit denied attempts to access devices.
 dontaudit local_login_t device_t:lnk_file { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-
-# FIXME: what is this for?
-optional_policy(`xdm.te', `
-	allow xdm_t local_login_t:process signull;
 
+# this goes to xserver:
+optional_policy(`locallogin.te',`
+	# FIXME: what is this for?
+	locallogin_signull(xdm_t)
 ')
 
 ifdef(`targeted_policy',`
@@ -237,6 +239,7 @@ auth_read_shadow(sulogin_t)
 
 userdom_shell_domtrans_sysadm(sulogin_t)
 userdom_use_unpriv_users_fd(sulogin_t)
+userdom_use_sysadm_pty(sulogin_t)
 
 # suse and debian do not use pam with sulogin...
 ifdef(`monolithic_policy',`
@@ -262,6 +265,5 @@ optional_policy(`nis.te',`
 ')
 
 ifdef(`TODO',`
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
 allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
 ') dnl endif TODO

refpolicy/policy/modules/system/logging.te

@@ -82,6 +82,10 @@ libs_use_shared_libs(auditd_t)
 miscfiles_read_localization(auditd_t)
 
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
+# cjp: this is questionable.  it should probably
+# be a userdom_dontaudit_use_sysadm_terms(auditd_t)
+# in a direct_sysadm_daemon tunable
+userdom_use_sysadm_tty(auditd_t)
 
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(auditd_t)
@@ -106,9 +110,6 @@ rhgb_domain(auditd_t)
 ')
 
 dontaudit auditd_t sysadm_home_dir_t:dir search;
-
-# cjp: this is questionable:
-allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
 ') dnl endif TODO
 
 ########################################

refpolicy/policy/modules/system/miscfiles.te

@@ -1,6 +1,11 @@
 
 policy_module(miscfiles,1.0)
 
+########################################
+#
+# Declarations
+#
+
 #
 # catman_t is the type for /var/catman.
 #

refpolicy/policy/modules/system/modutils.te

@@ -68,6 +68,9 @@ dev_rw_agp_dev(insmod_t)
 dev_read_snd_dev(insmod_t)
 dev_write_snd_dev(insmod_t)
 dev_rw_apm_bios(insmod_t)
+# cjp: why is this needed?  insmod cannot mounton any dir
+# and it also transitions to mount
+dev_mount_usbfs(insmod_t)
 
 fs_getattr_xattr_fs(insmod_t)
 
@@ -104,17 +107,10 @@ optional_policy(`mount.te',`
 	mount_domtrans(insmod_t)
 ')
 
-ifdef(`TODO',`
+optional_policy(`xserver.te',`
-
+	xserver_getattr_log(insmod_t)
-ifdef(`xserver.te', `
-	allow insmod_t xserver_log_t:file getattr;
 ')
 
-# why is this needed?  insmod cannot mounton any dir
-# and it also transitions to mount
-allow insmod_t usbfs_t:filesystem mount;
-') dnl if TODO
-
 ########################################
 #
 # depmod local policy
@@ -153,13 +149,14 @@ files_read_usr_src_files(depmod_t)
 libs_use_ld_so(depmod_t)
 libs_use_shared_libs(depmod_t)
 
-ifdef(`TODO',`
-
-ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
-
 # Read System.map from home directories.
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
+files_list_home(depmod_t)
-r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
+userdom_read_staff_home_files(depmod_t)
+userdom_read_sysadm_home_files(depmod_t)
+
+
+ifdef(`TODO',`
+ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 ') dnl end ifdef TODO
 
 #################################

refpolicy/policy/modules/system/selinuxutil.te

@@ -435,7 +435,7 @@ miscfiles_read_localization(setfiles_t)
 
 userdom_use_all_user_fd(setfiles_t)
 # for config files in a home directory
-userdom_read_all_user_data(setfiles_t)
+userdom_read_all_user_files(setfiles_t)
 
 # relabeling rules
 kernel_relabel_unlabeled(setfiles_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -120,6 +120,7 @@ domain_use_wide_inherit_fd(dhcpc_t)
 
 files_read_etc_files(dhcpc_t)
 files_read_etc_runtime_files(dhcpc_t)
+files_search_home(dhcpc_t)
 
 init_use_fd(dhcpc_t)
 init_use_script_pty(dhcpc_t)
@@ -153,6 +154,11 @@ optional_policy(`hostname.te',`
 	hostname_domtrans(dhcpc_t)
 ')
 
+# for the dhcp client to run ping to check IP addresses
+optional_policy(`netutils.te',`
+	netutils_domtrans_ping(dhcpc_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(dhcpc_t)
 	# dhclient sometimes starts ypbind
@@ -189,10 +195,18 @@ optional_policy(`rhgb.te',`
 rhgb_domain(dhcpc_t)
 ')
 
-ifdef(`cardmgr.te', `
+ifdef(`cardmgr.te',`
 domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
+')
-allow cardmgr_t dhcpc_t:process signal_perms;
+
+#this goes to pcmcia module
+optional_policy(`sysnetwork.te',`
+	sysnet_read_dhcpc_pid(cardmgr_t)
+	sysnet_kill_dhcpc(cardmgr_t)
+	sysnet_sigchld_dhcpc(cardmgr_t)
+	sysnet_signal_dhcpc(cardmgr_t)
+	sysnet_signull_dhcpc(cardmgr_t)
+	sysnet_sigstop_dhcpc(cardmgr_t)
 ')
 
 optional_policy(`hotplug.te', `
@@ -203,17 +217,7 @@ optional_policy(`hotplug.te', `
 	')
 ')
 
-# for the dhcp client to run ping to check IP addresses
-optional_policy(`netutils.te',`
-	netutils_domtrans_ping(dhcpc_t)
-
-	ifdef(`cardmgr.te',`
-		allow ping_t cardmgr_t:fd use;
-	')
-')
-
 allow dhcpc_t var_lib_t:dir search;
-allow dhcpc_t home_root_t:dir search;
 dontaudit dhcpc_t var_lock_t:dir search;
 dontaudit dhcpc_t selinux_config_t:dir search;
 dontaudit dhcpc_t domain:dir getattr;

refpolicy/policy/modules/system/udev.te

@@ -118,6 +118,8 @@ seutil_domtrans_restorecon(udev_t)
 
 sysnet_domtrans_ifconfig(udev_t)
 
+userdom_use_sysadm_tty(udev_t)
+
 ifdef(`distro_redhat',`
 	fs_manage_tmpfs_symlinks(udev_t)
 	fs_manage_tmpfs_sockets(udev_t)
@@ -147,9 +149,12 @@ optional_policy(`sysnetwork.te',`
 	sysnet_domtrans_dhcpc(udev_t)
 ')
 
+optional_policy(`xserver.te',`
+	xserver_read_xdm_pid(udev_t)
+')
+
 ifdef(`TODO',`
 allow udev_t devpts_t:dir { getattr search };
-allow udev_t sysadm_tty_device_t:chr_file { read write };
 
 # Dontaudits
 dontaudit udev_t staff_home_dir_t:dir search;
@@ -159,8 +164,4 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
 dbusd_client(system, udev)
 
-optional_policy(`xdm.te',`
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
 ') dnl endif TODO

refpolicy/policy/modules/system/userdomain.if

@@ -907,6 +907,27 @@ interface(`userdom_shell_domtrans_sysadm',`
 	corecmd_domtrans_shell($1,sysadm_t)
 ')
 
+########################################
+## <summary>
+##	Read files in the staff users home directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_read_staff_home_files',`
+	gen_require(`
+		type staff_home_dir_t, staff_home_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_home($1)
+	allow $1 { staff_home_dir_t staff_home_t }:dir r_dir_perms;
+	allow $1 staff_home_t:{ file lnk_file } r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write sysadm ttys.
@@ -918,12 +939,31 @@ interface(`userdom_shell_domtrans_sysadm',`
 interface(`userdom_use_sysadm_tty',`
 	gen_require(`
 		type sysadm_tty_device_t;
-		class chr_file { getattr read write ioctl };
+		class chr_file rw_term_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
 	term_list_ptys($1)
-	allow $1 sysadm_tty_device_t:chr_file { getattr read write ioctl };
+	allow $1 sysadm_tty_device_t:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm ptys.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_use_sysadm_pty',`
+	gen_require(`
+		type sysadm_devpts_t;
+		class chr_file rw_term_perms;
+	')
+
+	dev_list_all_dev_nodes($1)
+	term_list_ptys($1)
+	allow $1 sysadm_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -937,12 +977,12 @@ interface(`userdom_use_sysadm_tty',`
 interface(`userdom_use_sysadm_terms',`
 	gen_require(`
 		attribute admin_terminal;
-		class chr_file { getattr read write ioctl };
+		class chr_file rw_term_perms;
 	')
 
 	dev_list_all_dev_nodes($1)
 	term_list_ptys($1)
-	allow $1 admin_terminal:chr_file { getattr read write ioctl };
+	allow $1 admin_terminal:chr_file rw_term_perms;
 ')
 
 ########################################
@@ -962,6 +1002,61 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
 	dontaudit $1 admin_terminal:chr_file { read write };
 ')
 
+########################################
+## <summary>
+##	Inherit and use sysadm file descriptors
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_use_sysadm_fd',`
+	gen_require(`
+		type sysadm_t;
+		class fd use;
+	')
+
+	allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read and write sysadm user unnamed pipes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_rw_sysadm_pipe',`
+	gen_require(`
+		type sysadm_t;
+		class fd use;
+	')
+
+	allow $1 sysadm_t:fd use;
+')
+
+########################################
+## <summary>
+##	Read files in the sysadm users home directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`userdom_read_sysadm_home_files',`
+	gen_require(`
+		type sysadm_home_dir_t, sysadm_home_t;
+		class dir r_dir_perms;
+		class file r_file_perms;
+		class lnk_file r_file_perms;
+	')
+
+	files_search_home($1)
+	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir r_dir_perms;
+	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search all users home directories.
@@ -988,7 +1083,7 @@ interface(`userdom_search_all_users_home',`
 ##	The type of the process performing this action.
 ## </param>
 #
-interface(`userdom_read_all_user_data',`
+interface(`userdom_read_all_user_files',`
 	gen_require(`
 		attribute home_type;
 		class dir r_dir_perms;