From 8bd678995459b1105f0eef8df2d0b87ac3f1be7c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Jun 14 2005 19:56:46 +0000
Subject: move constraints interfaces to domain module.  move sysfs and usbfs to

devices module


---

diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 074246d..ca23adb 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -22,7 +22,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
 allow dmesg_t self:process signal_perms;
 
 kernel_read_kernel_sysctl(dmesg_t)
-kernel_read_hardware_state(dmesg_t)
+dev_read_sysfs(dmesg_t)
 kernel_read_ring_buffer(dmesg_t)
 kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 2936e1c..a018e06 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -9,7 +9,7 @@ policy_module(rpm,1.0)
 type rpm_t; #, admin, privmem, priv_system_role;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
-kernel_obj_id_change_exempt(rpm_t)
+domain_obj_id_change_exempt(rpm_t)
 domain_wide_inherit_fd(rpm_t)
 role system_r types rpm_t;
 
@@ -31,7 +31,7 @@ typealias rpm_var_lib_t alias var_lib_rpm_t;
 
 type rpm_script_t; #, admin, privmem, priv_system_role;
 type rpm_script_exec_t;
-kernel_obj_id_change_exempt(rpm_script_t)
+domain_obj_id_change_exempt(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t,rpm_script_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 1e41365..ba4b220 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -10,7 +10,7 @@ type admin_passwd_exec_t;
 files_file_type(admin_passwd_exec_t)
 
 type chfn_t;
-kernel_obj_id_change_exempt(chfn_t)
+domain_obj_id_change_exempt(chfn_t)
 domain_type(chfn_t)
 role system_r types chfn_t;
 
@@ -31,12 +31,12 @@ files_tmp_file(crack_tmp_t)
 
 type groupadd_t; #, nscd_client_domain;
 type groupadd_exec_t;
-kernel_obj_id_change_exempt(groupadd_t)
+domain_obj_id_change_exempt(groupadd_t)
 init_system_domain(groupadd_t,groupadd_exec_t)
 role system_r types groupadd_t;
 
 type passwd_t;
-kernel_obj_id_change_exempt(passwd_t)
+domain_obj_id_change_exempt(passwd_t)
 domain_type(passwd_t)
 role system_r types passwd_t;
 
@@ -44,7 +44,7 @@ type passwd_exec_t;
 domain_entry_file(passwd_t,passwd_exec_t)
 
 type sysadm_passwd_t;
-kernel_obj_id_change_exempt(sysadm_passwd_t)
+domain_obj_id_change_exempt(sysadm_passwd_t)
 domain_type(sysadm_passwd_t)
 domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
 
@@ -53,7 +53,7 @@ files_file_type(sysadm_passwd_tmp_t)
 
 type useradd_t; # nscd_client_domain;
 type useradd_exec_t;
-kernel_obj_id_change_exempt(useradd_t)
+domain_obj_id_change_exempt(useradd_t)
 init_system_domain(useradd_t,useradd_exec_t)
 role system_r types useradd_t;
 
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 5308261..df0f9dc 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1621,4 +1621,177 @@ define(`dev_rw_power_management_depend',`
 	class chr_file rw_file_perms;
 ')
 
+########################################
+## <interface name="dev_search_sysfs">
+##	<description>
+##		Search the directory containing hardware information.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`dev_search_sysfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 sysfs_t:dir search;
+')
+
+define(`dev_search_sysfs_depend',`
+	type sysfs_t;
+
+	class dir search;
+')
+
+########################################
+## <interface name="dev_read_sysfs">
+##	<description>
+## 		Allow caller to read hardware state information.
+##	</description>
+##	<parameter name="domain">
+##		The process type reading hardware state information.
+##	</parameter>
+## </interface>
+#
+define(`dev_read_sysfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 sysfs_t:dir r_dir_perms;
+	allow $1 sysfs_t:{ file lnk_file } r_file_perms;
+')
+
+define(`dev_read_sysfs_depend',`
+	type sysfs_t;
+
+	class dir r_dir_perms;
+	class file r_file_perms;
+	class lnk_file r_file_perms;
+')
+
+########################################
+## <interface name="dev_rw_sysfs">
+##	<description>
+## 		Allow caller to modify hardware state information.
+##	</description>
+##	<parameter name="domain">
+##		The process type modifying hardware state information.
+##	</parameter>
+## </interface>
+#
+define(`dev_rw_sysfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 sysfs_t:dir r_dir_perms;
+	allow $1 sysfs_t:lnk_file r_file_perms;
+	allow $1 sysfs_t:file rw_file_perms;
+')
+
+define(`dev_rw_sysfs_depend',`
+	type sysfs_t;
+
+	class dir r_dir_perms;
+	class file rw_file_perms;
+	class lnk_file r_file_perms;
+')
+
+########################################
+## <interface name="dev_search_usbfs">
+##	<description>
+##		Search the directory containing USB hardware information.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`dev_search_usbfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 usbfs_t:dir search;
+')
+
+define(`dev_search_usbfs_depend',`
+	type usbfs_t;
+
+	class dir search;
+')
+
+########################################
+## <interface name="dev_list_usbfs">
+##	<description>
+## 		Allow caller to get a list of usb hardware.
+##	</description>
+##	<parameter name="domain">
+##		The process type getting the list.
+##	</parameter>
+## </interface>
+#
+define(`dev_list_usbfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:lnk_file r_file_perms;
+	allow $1 usbfs_t:file getattr;
+')
+
+define(`dev_list_usbfs_depend',`
+	type usbfs_t;
+
+	class dir r_dir_perms;
+	class file getattr;
+	class lnk_file r_file_perms;
+')
+
+########################################
+## <interface name="dev_read_usbfs">
+##	<description>
+##		Read USB hardware information using
+##		the usbfs filesystem interface.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+## </interface>
+#
+define(`dev_read_usbfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:{ file lnk_file } r_file_perms;
+')
+
+define(`dev_read_usbfs_depend',`
+	type usbfs_t;
+
+	class dir r_dir_perms;
+	class file r_file_perms;
+	class lnk_file r_file_perms;
+')
+
+########################################
+## <interface name="dev_rw_usbfs">
+##	<description>
+## 		Allow caller to modify usb hardware configuration files.
+##	</description>
+##	<parameter name="domain">
+##		The process type modifying the options.
+##	</parameter>
+## </interface>
+#
+define(`dev_rw_usbfs',`
+	gen_require(`$0'_depend)
+
+	allow $1 usbfs_t:dir r_dir_perms;
+	allow $1 usbfs_t:lnk_file r_file_perms;
+	allow $1 usbfs_t:file rw_file_perms;
+')
+
+define(`dev_rw_usbfs_depend',`
+	type usbfs_t;
+
+	class dir r_dir_perms;
+	class file rw_file_perms;
+	class lnk_file r_file_perms;
+')
+
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index b69faa2..302796e 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -144,12 +144,29 @@ fs_associate(sound_device_t)
 fs_associate_tmpfs(sound_device_t)
 
 #
+# sysfs_t is the type for the /sys pseudofs
+#
+type sysfs_t;
+files_mountpoint(sysfs_t)
+fs_make_fs(sysfs_t)
+genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
+
+#
 # urandom_device_t is the type of /dev/urandom
 #
 type urandom_device_t, device_node;
 fs_associate(urandom_device_t)
 fs_associate_tmpfs(urandom_device_t)
 
+#
+# usbfs_t is the type for the /proc/bus/usb pseudofs
+#
+type usbfs_t alias usbdevfs_t;
+files_mountpoint(usbfs_t)
+fs_make_noxattr_fs(usbfs_t)
+genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
+genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
+
 type v4l_device_t, device_node;
 fs_associate(v4l_device_t)
 fs_associate_tmpfs(v4l_device_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index e61d608..8a85ac7 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -130,69 +130,6 @@ define(`kernel_dontaudit_use_fd_depend',`
 ')
 
 ########################################
-## <interface name="kernel_subj_id_change_exempt">
-##	<description>
-## 		Makes caller an exception to the constraint preventing
-## 		changing of user identity.
-##	</description>
-##	<parameter name="domain">
-##		The process type to make an exception to the constraint.
-##	</parameter>
-## </interface>
-#
-define(`kernel_subj_id_change_exempt',`
-	gen_require(`$0'_depend)
-
-	typeattribute $1 can_change_process_identity;
-')
-
-define(`kernel_subj_id_change_exempt_depend',`
-	attribute can_change_process_identity;
-')
-
-########################################
-## <interface name="kernel_role_change_exempt">
-##	<description>
-## 		Makes caller an exception to the constraint preventing
-## 		changing of role.
-##	</description>
-##	<parameter name="domain">
-##		The process type to make an exception to the constraint.
-##	</parameter>
-## </interface>
-#
-define(`kernel_role_change_exempt',`
-	gen_require(`$0'_depend)
-
-	typeattribute $1 can_change_process_role;
-')
-
-define(`kernel_role_change_exempt_depend',`
-	attribute can_change_process_role;
-')
-
-########################################
-## <interface name="kernel_obj_id_change_exempt">
-##	<description>
-## 		Makes caller an exception to the constraint preventing 
-## 		changing the user identity in object contexts.
-##	</description>
-##	<parameter name="domain">
-##		The process type to make an exception to the constraint.
-##	</parameter>
-## </interface>
-#
-define(`kernel_obj_id_change_exempt',`
-	gen_require(`$0'_depend)
-
-	typeattribute $1 can_change_object_identity;
-')
-
-define(`kernel_obj_id_change_exempt_depend',`
-	attribute can_change_object_identity;
-')
-
-########################################
 ## <interface name="kernel_load_module">
 ##	<description>
 ## 		Allows caller to load kernel modules
@@ -1458,79 +1395,6 @@ define(`kernel_rw_all_sysctl',`
 ')
 
 ########################################
-## <interface name="kernel_search_sysfs">
-##	<description>
-##		Search the directory containing hardware information.
-##	</description>
-##	<parameter name="domain">
-##		The type of the process performing this action.
-##	</parameter>
-## </interface>
-#
-define(`kernel_search_sysfs',`
-	gen_require(`$0'_depend)
-
-	allow $1 sysfs_t:dir search;
-')
-
-define(`kernel_search_sysfs_depend',`
-	type sysfs_t;
-
-	class dir search;
-')
-
-########################################
-## <interface name="kernel_read_hardware_state">
-##	<description>
-## 		Allow caller to read hardware state information.
-##	</description>
-##	<parameter name="domain">
-##		The process type reading hardware state information.
-##	</parameter>
-## </interface>
-#
-define(`kernel_read_hardware_state',`
-	gen_require(`$0'_depend)
-
-	allow $1 sysfs_t:dir r_dir_perms;
-	allow $1 sysfs_t:{ file lnk_file } r_file_perms;
-')
-
-define(`kernel_read_hardware_state_depend',`
-	type sysfs_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-')
-
-########################################
-## <interface name="kernel_rw_hardware_config_option">
-##	<description>
-## 		Allow caller to modify hardware state information.
-##	</description>
-##	<parameter name="domain">
-##		The process type modifying hardware state information.
-##	</parameter>
-## </interface>
-#
-define(`kernel_rw_hardware_config_option',`
-	gen_require(`$0'_depend)
-
-	allow $1 sysfs_t:dir r_dir_perms;
-	allow $1 sysfs_t:lnk_file r_file_perms;
-	allow $1 sysfs_t:file rw_file_perms;
-')
-
-define(`kernel_rw_hardware_config_option_depend',`
-	type sysfs_t;
-
-	class dir r_dir_perms;
-	class file rw_file_perms;
-	class lnk_file r_file_perms;
-')
-
-########################################
 ## <interface name="kernel_kill_unlabeled">
 ##	<description>
 ##		Send a kill signal to unlabeled processes.
@@ -1691,104 +1555,4 @@ define(`kernel_relabel_unlabeled_depend',`
 	class blk_file { getattr relabelfrom };
 ')
 
-########################################
-## <interface name="kernel_search_usbfs">
-##	<description>
-##		Search the directory containing USB hardware information.
-##	</description>
-##	<parameter name="domain">
-##		The type of the process performing this action.
-##	</parameter>
-## </interface>
-#
-define(`kernel_search_usbfs',`
-	gen_require(`$0'_depend)
-
-	allow $1 usbfs_t:dir search;
-')
-
-define(`kernel_search_usbfs_depend',`
-	type usbfs_t;
-
-	class dir search;
-')
-
-########################################
-## <interface name="kernel_list_usb_hardware">
-##	<description>
-## 		Allow caller to get a list of usb hardware.
-##	</description>
-##	<parameter name="domain">
-##		The process type getting the list.
-##	</parameter>
-## </interface>
-#
-define(`kernel_list_usb_hardware',`
-	gen_require(`$0'_depend)
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:lnk_file r_file_perms;
-	allow $1 usbfs_t:file getattr;
-')
-
-define(`kernel_list_usb_hardware_depend',`
-	type usbfs_t;
-
-	class dir r_dir_perms;
-	class file getattr;
-	class lnk_file r_file_perms;
-')
-
-########################################
-## <interface name="kernel_read_usb_hardware_state">
-##	<description>
-##		Read USB hardware information using
-##		the usbfs filesystem interface.
-##	</description>
-##	<parameter name="domain">
-##		The type of the process performing this action.
-##	</parameter>
-## </interface>
-#
-define(`kernel_read_usb_hardware_state',`
-	gen_require(`$0'_depend)
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:{ file lnk_file } r_file_perms;
-')
-
-define(`kernel_read_usb_hardware_state_depend',`
-	type usbfs_t;
-
-	class dir r_dir_perms;
-	class file r_file_perms;
-	class lnk_file r_file_perms;
-')
-
-########################################
-## <interface name="kernel_rw_usb_hardware_config_option">
-##	<description>
-## 		Allow caller to modify usb hardware configuration files.
-##	</description>
-##	<parameter name="domain">
-##		The process type modifying the options.
-##	</parameter>
-## </interface>
-#
-define(`kernel_rw_usb_hardware_config_option',`
-	gen_require(`$0'_depend)
-
-	allow $1 usbfs_t:dir r_dir_perms;
-	allow $1 usbfs_t:lnk_file r_file_perms;
-	allow $1 usbfs_t:file rw_file_perms;
-')
-
-define(`kernel_rw_usb_hardware_config_option_depend',`
-	type usbfs_t;
-
-	class dir r_dir_perms;
-	class file rw_file_perms;
-	class lnk_file r_file_perms;
-')
-
 ## </module>
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 8881b13..0a582a3 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -8,11 +8,6 @@ attribute can_setsecparam;
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
 
-# constraint related attributes
-attribute can_change_process_identity;
-attribute can_change_process_role;
-attribute can_change_object_identity;
-
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
@@ -60,14 +55,6 @@ sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
 
 #
-# sysfs_t is the type for /sys
-#
-type sysfs_t;
-files_mountpoint(sysfs_t)
-fs_make_fs(sysfs_t)
-genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
-
-#
 # Procfs types
 #
 
@@ -144,15 +131,6 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
 type sysctl_dev_t;
 genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
 
-#
-# usbfs_t is the type for /proc/bus/usb
-#
-type usbfs_t alias usbdevfs_t;
-files_mountpoint(usbfs_t)
-fs_make_noxattr_fs(usbfs_t)
-genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
-genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
-
 ########################################
 #
 # kernel local policy
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 7d25e80..6a3a773 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -76,7 +76,7 @@ allow crond_t system_cron_spool_t:dir r_dir_perms;
 allow crond_t system_cron_spool_t:file r_file_perms;
 
 kernel_read_kernel_sysctl(crond_t)
-kernel_read_hardware_state(crond_t)
+dev_read_sysfs(crond_t)
 kernel_get_selinuxfs_mount_point(crond_t)
 kernel_validate_context(crond_t)
 kernel_compute_access_vector(crond_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 3d00299..3058991 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -7,9 +7,9 @@ policy_module(authlogin,1.0)
 #
 
 type remote_login_t; #, nscd_client_domain;
-kernel_obj_id_change_exempt(remote_login_t)
-kernel_subj_id_change_exempt(remote_login_t)
-kernel_role_change_exempt(remote_login_t)
+domain_obj_id_change_exempt(remote_login_t)
+domain_subj_id_change_exempt(remote_login_t)
+domain_role_change_exempt(remote_login_t)
 domain_type(remote_login_t)
 domain_wide_inherit_fd(remote_login_t)
 auth_login_entry_type(remote_login_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 7bce7c0..d14ab32 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -40,7 +40,7 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta
 files_create_pid(sendmail_t,sendmail_var_run_t)
 
 kernel_read_kernel_sysctl(sendmail_t)
-kernel_read_hardware_state(sendmail_t)
+dev_read_sysfs(sendmail_t)
 
 corenet_tcp_sendrecv_all_if(sendmail_t)
 corenet_raw_sendrecv_all_if(sendmail_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index ab39a7c..e085b1f 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -138,7 +138,7 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
 
 kernel_read_kernel_sysctl(pam_console_t)
 kernel_read_system_state(pam_console_t)
-kernel_read_hardware_state(pam_console_t)
+dev_read_sysfs(pam_console_t)
 kernel_use_fd(pam_console_t)
 
 # Allow to set attributes on /dev entries
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index df0aa9e..6c40663 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -30,7 +30,7 @@ dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
 
 kernel_read_kernel_sysctl(hwclock_t)
-kernel_read_hardware_state(hwclock_t)
+dev_read_sysfs(hwclock_t)
 
 dev_rw_realtime_clock(hwclock_t)
 
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 57f6fec..481c201 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -86,6 +86,69 @@ define(`domain_wide_inherit_fd_depend',`
 ')
 
 ########################################
+## <interface name="domain_subj_id_change_exempt">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of user identity.
+##	</description>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+## </interface>
+#
+define(`domain_subj_id_change_exempt',`
+	gen_require(`$0'_depend)
+
+	typeattribute $1 can_change_process_identity;
+')
+
+define(`domain_subj_id_change_exempt_depend',`
+	attribute can_change_process_identity;
+')
+
+########################################
+## <interface name="domain_role_change_exempt">
+##	<description>
+## 		Makes caller an exception to the constraint preventing
+## 		changing of role.
+##	</description>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+## </interface>
+#
+define(`domain_role_change_exempt',`
+	gen_require(`$0'_depend)
+
+	typeattribute $1 can_change_process_role;
+')
+
+define(`domain_role_change_exempt_depend',`
+	attribute can_change_process_role;
+')
+
+########################################
+## <interface name="domain_obj_id_change_exempt">
+##	<description>
+## 		Makes caller an exception to the constraint preventing 
+## 		changing the user identity in object contexts.
+##	</description>
+##	<parameter name="domain">
+##		The process type to make an exception to the constraint.
+##	</parameter>
+## </interface>
+#
+define(`domain_obj_id_change_exempt',`
+	gen_require(`$0'_depend)
+
+	typeattribute $1 can_change_object_identity;
+')
+
+define(`domain_obj_id_change_exempt_depend',`
+	attribute can_change_object_identity;
+')
+
+########################################
 #
 # domain_use_wide_inherit_fd(domain)
 #
diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te
index bc5e387..cb3306d 100644
--- a/refpolicy/policy/modules/system/domain.te
+++ b/refpolicy/policy/modules/system/domain.te
@@ -10,6 +10,11 @@ attribute entry_type;
 # widely-inheritable file descriptors
 attribute privfd;
 
+# constraint related attributes
+attribute can_change_process_identity;
+attribute can_change_process_role;
+attribute can_change_object_identity;
+
 neverallow domain ~domain:process { transition dyntransition };
 
 # enabling setcurrent breaks process tranquility.  If you do not
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 46e3772..235375e 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -42,7 +42,7 @@ files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
 
 allow getty_t getty_log_t:file { getattr append setattr };
 
-kernel_read_hardware_state(getty_t)
+dev_read_sysfs(getty_t)
 
 # for error condition handling
 fs_getattr_xattr_fs(getty_t)
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 34ec9a9..3d99ae2 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -26,7 +26,7 @@ dontaudit hostname_t self:capability sys_tty_config;
 sysnet_read_config(hostname_t)
 
 kernel_read_kernel_sysctl(hostname_t)
-kernel_read_hardware_state(hostname_t)
+dev_read_sysfs(hostname_t)
 kernel_dontaudit_use_fd(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index a35f1d0..72de977 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -45,9 +45,9 @@ files_create_pid(hotplug_t,hotplug_var_run_t)
 
 kernel_read_system_state(hotplug_t)
 kernel_read_kernel_sysctl(hotplug_t)
-kernel_read_hardware_state(hotplug_t)
+dev_read_sysfs(hotplug_t)
 kernel_read_net_sysctl(hotplug_t)
-kernel_read_usb_hardware_state(hotplug_t)
+dev_read_usbfs(hotplug_t)
 
 bootloader_read_kernel_modules(hotplug_t)
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 303f8d9..9a3708a 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -90,7 +90,7 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t)
 
 kernel_set_boolean(init_t)
 kernel_read_system_state(init_t)
-kernel_read_hardware_state(init_t)
+dev_read_sysfs(init_t)
 kernel_share_state(init_t)
 
 term_use_all_terms(init_t)
@@ -180,12 +180,12 @@ kernel_read_ring_buffer(initrc_t)
 kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
-kernel_read_hardware_state(initrc_t)
-kernel_rw_hardware_config_option(initrc_t)
+dev_read_sysfs(initrc_t)
+dev_rw_sysfs(initrc_t)
 kernel_read_all_sysctl(initrc_t)
 kernel_rw_all_sysctl(initrc_t)
 kernel_get_selinux_enforcement_mode(initrc_t)
-kernel_list_usb_hardware(initrc_t)
+dev_list_usbfs(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 
@@ -333,7 +333,7 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`hotplug.te',`
-	kernel_read_usb_hardware_state(initrc_t)
+	dev_read_usbfs(initrc_t)
 
 	# init scripts run /etc/hotplug/usb.rc
 	hotplug_read_config(initrc_t)
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index 8e6d477..9064b0f 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -39,7 +39,7 @@ allow iptables_t self:rawip_socket create_socket_perms;
 
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
-kernel_read_hardware_state(iptables_t)
+dev_read_sysfs(iptables_t)
 kernel_read_kernel_sysctl(iptables_t)
 kernel_read_modprobe_sysctl(iptables_t)
 kernel_use_fd(iptables_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index e93ac69..fc98a88 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -7,9 +7,9 @@ policy_module(locallogin,1.0)
 #
 
 type local_login_t; #, nscd_client_domain;
-kernel_obj_id_change_exempt(local_login_t)
-kernel_subj_id_change_exempt(local_login_t)
-kernel_role_change_exempt(local_login_t)
+domain_obj_id_change_exempt(local_login_t)
+domain_subj_id_change_exempt(local_login_t)
+domain_role_change_exempt(local_login_t)
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_wide_inherit_fd(local_login_t)
@@ -20,9 +20,9 @@ files_file_type(local_login_tmp_t)
 
 type sulogin_t;
 type sulogin_exec_t;
-kernel_obj_id_change_exempt(sulogin_t)
-kernel_subj_id_change_exempt(sulogin_t)
-kernel_role_change_exempt(sulogin_t)
+domain_obj_id_change_exempt(sulogin_t)
+domain_subj_id_change_exempt(sulogin_t)
+domain_role_change_exempt(sulogin_t)
 domain_wide_inherit_fd(sulogin_t)
 init_domain(sulogin_t,sulogin_exec_t)
 init_system_domain(sulogin_t,sulogin_exec_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 3b6ba04..69f178f 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -59,7 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms;
 files_create_pid(auditd_t,auditd_var_run_t)
 
 kernel_read_kernel_sysctl(auditd_t)
-kernel_read_hardware_state(auditd_t)
+dev_read_sysfs(auditd_t)
 
 fs_getattr_all_fs(auditd_t)
 
@@ -186,7 +186,7 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind;
 allow syslogd_t syslogd_var_run_t:file create_file_perms;
 files_create_pid(syslogd_t,syslogd_var_run_t)
 
-kernel_read_hardware_state(syslogd_t)
+dev_read_sysfs(syslogd_t)
 kernel_read_kernel_sysctl(syslogd_t)
 
 dev_create_dev_node(syslogd_t,devlog_t,sock_file)
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 382379a..390a82e 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -11,7 +11,7 @@ type lvm_exec_t;
 init_system_domain(lvm_t,lvm_exec_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
-kernel_obj_id_change_exempt(lvm_t)
+domain_obj_id_change_exempt(lvm_t)
 role system_r types lvm_t;
 
 type lvm_etc_t;
@@ -76,9 +76,9 @@ kernel_compute_create_context(lvm_t)
 kernel_compute_relabel_context(lvm_t)
 kernel_compute_reachable_user_contexts(lvm_t)
 kernel_read_kernel_sysctl(lvm_t)
-kernel_read_hardware_state(lvm_t)
+dev_read_sysfs(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
-kernel_read_hardware_state(sysfs_t)
+dev_read_sysfs(sysfs_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctl(lvm_t)
 # it has no reason to need this
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index d9cdace..c8f80f0 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -51,8 +51,6 @@ can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
 kernel_read_system_state(insmod_t)
-kernel_search_sysfs(insmod_t)
-kernel_search_usbfs(insmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctl(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
@@ -62,6 +60,8 @@ bootloader_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
 bootloader_write_kernel_modules(insmod_t)
 
+dev_search_sysfs(insmod_t)
+dev_search_usbfs(insmod_t)
 dev_write_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp_dev(insmod_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 4926625..6027d4a 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -38,8 +38,8 @@ type load_policy_exec_t;
 domain_entry_file(load_policy_t,load_policy_exec_t)
 
 type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-kernel_role_change_exempt(newrole_t)
-kernel_obj_id_change_exempt(newrole_t)
+domain_role_change_exempt(newrole_t)
+domain_obj_id_change_exempt(newrole_t)
 domain_type(newrole_t)
 domain_wide_inherit_fd(newrole_t)
 
@@ -65,7 +65,7 @@ files_file_type(policy_src_t)
 
 type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-kernel_obj_id_change_exempt(restorecon_t)
+domain_obj_id_change_exempt(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
 role system_r types restorecon_t;
 
@@ -83,7 +83,7 @@ type selinux_config_t;
 files_file_type(selinux_config_t)
 
 type setfiles_t, can_relabelto_binary_policy;
-kernel_obj_id_change_exempt(setfiles_t)
+domain_obj_id_change_exempt(setfiles_t)
 domain_type(setfiles_t)
 role system_r types setfiles_t;
 
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 4926625..6027d4a 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -38,8 +38,8 @@ type load_policy_exec_t;
 domain_entry_file(load_policy_t,load_policy_exec_t)
 
 type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-kernel_role_change_exempt(newrole_t)
-kernel_obj_id_change_exempt(newrole_t)
+domain_role_change_exempt(newrole_t)
+domain_obj_id_change_exempt(newrole_t)
 domain_type(newrole_t)
 domain_wide_inherit_fd(newrole_t)
 
@@ -65,7 +65,7 @@ files_file_type(policy_src_t)
 
 type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
-kernel_obj_id_change_exempt(restorecon_t)
+domain_obj_id_change_exempt(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
 role system_r types restorecon_t;
 
@@ -83,7 +83,7 @@ type selinux_config_t;
 files_file_type(selinux_config_t)
 
 type setfiles_t, can_relabelto_binary_policy;
-kernel_obj_id_change_exempt(setfiles_t)
+domain_obj_id_change_exempt(setfiles_t)
 domain_type(setfiles_t)
 role system_r types setfiles_t;
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index efb45c8..1237c5c 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -86,7 +86,7 @@ allow ifconfig_t dhcpc_t:process sigchld;
 kernel_read_system_state(dhcpc_t)
 kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctl(dhcpc_t)
-kernel_read_hardware_state(dhcpc_t)
+dev_read_sysfs(dhcpc_t)
 kernel_use_fd(dhcpc_t)
 
 corenet_tcp_sendrecv_all_if(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index bd6cc1a..bfeb6f6 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -10,7 +10,7 @@ type udev_t; # nscd_client_domain
 type udev_exec_t;
 type udev_helper_exec_t;
 kernel_userland_entry(udev_t,udev_exec_t)
-kernel_obj_id_change_exempt(udev_t)
+domain_obj_id_change_exempt(udev_t)
 domain_entry_file(udev_t,udev_helper_exec_t)
 domain_wide_inherit_fd(udev_t)
 init_daemon_domain(udev_t,udev_exec_t)
@@ -70,7 +70,7 @@ kernel_read_device_sysctl(udev_t)
 kernel_read_hotplug_sysctl(udev_t)
 kernel_read_modprobe_sysctl(udev_t)
 kernel_read_kernel_sysctl(udev_t)
-kernel_read_hardware_state(udev_t)
+dev_read_sysfs(udev_t)
 kernel_get_selinuxfs_mount_point(udev_t)
 kernel_validate_context(udev_t)
 kernel_compute_access_vector(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d1118e7..b626591 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -108,7 +108,7 @@ define(`base_user_domain',`
 	# Find CDROM devices:
 	kernel_read_device_sysctl($1_t)
 	# GNOME checks for usb and other devices:
-	kernel_rw_usb_hardware_config_option($1_t)
+	dev_rw_usbfs($1_t)
 
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_raw_sendrecv_all_if($1_t)
@@ -453,7 +453,7 @@ define(`user_domain_template', `
 
 	kernel_read_system_state($1_t)
 	kernel_read_network_state($1_t)
-	kernel_read_hardware_state($1_t)
+	dev_read_sysfs($1_t)
 
 	# cjp: why?
 	bootloader_read_kernel_symbol_table($1_t)
@@ -614,7 +614,7 @@ define(`admin_domain_template',`
 	base_user_domain($1)
 
 	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
-	kernel_obj_id_change_exempt($1_t)
+	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;
 
 	#ifdef(`direct_sysadm_daemon', `, priv_system_role')