From 9bbc757a76805e80b1f587929d731e23c98ae1ac Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Oct 24 2005 18:40:24 +0000
Subject: more fix



---

diff --git a/refpolicy/policy/modules/admin/amanda.te b/refpolicy/policy/modules/admin/amanda.te
index 0e7427f..157ab14 100644
--- a/refpolicy/policy/modules/admin/amanda.te
+++ b/refpolicy/policy/modules/admin/amanda.te
@@ -105,7 +105,7 @@ allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
 allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
 
 allow amanda_t amanda_log_t:file create_file_perms;
-allow amanda_t amanda_log_t:dir rw_dir_perms;
+allow amanda_t amanda_log_t:dir { rw_dir_perms setattr };
 logging_create_log(amanda_t,amanda_log_t,{ file dir })
 
 allow amanda_t amanda_tmp_t:dir create_dir_perms;
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 7ad75c4..3b952d9 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -17,8 +17,8 @@ domain_obj_id_change_exempt(firstboot_t)
 domain_subj_id_change_exempt(firstboot_t)
 role system_r types firstboot_t;
 
-type firstboot_etc_t; #, usercanread;
-files_type(firstboot_etc_t)
+type firstboot_etc_t;
+files_config_file(firstboot_etc_t)
 
 type firstboot_rw_t;
 files_type(firstboot_rw_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 612b4c5..920f280 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -24,8 +24,8 @@ role system_r types crack_t;
 type crack_exec_t;
 domain_entry_file(crack_t,crack_exec_t)
 
-type crack_db_t; #, usercanread;
-files_type(crack_db_t)
+type crack_db_t;
+files_config_file(crack_db_t)
 
 type crack_tmp_t;
 files_tmp_file(crack_tmp_t)
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 2225882..529fa63 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -11,8 +11,8 @@ domain_type(webalizer_t)
 domain_entry_file(webalizer_t,webalizer_exec_t)
 role system_r types webalizer_t;
 
-type webalizer_etc_t; #, usercanread;
-files_type(webalizer_etc_t)
+type webalizer_etc_t;
+files_config_file(webalizer_etc_t)
 
 type webalizer_usage_t;
 files_type(webalizer_usage_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 206b873..622d555 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -148,7 +148,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 #
 type removable_t, filesystem_type, noxattrfs;
 allow removable_t noxattrfs:filesystem associate;
-files_type(removable_t)
+files_config_file(removable_t)
 
 #
 # nfs_t is the default type for NFS file systems
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 24ef269..7601de6 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -62,6 +62,12 @@ allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
 allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
 type_transition bluetooth_t bluetooth_conf_t:{ file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;
 
+domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
+allow bluetooth_t bluetooth_helper_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fd use;
+allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
+allow bluetooth_helper_t bluetooth_t:process sigchld;
+
 allow bluetooth_t bluetooth_lock_t:file create_file_perms;
 files_create_lock(bluetooth_t,bluetooth_lock_t)
 
@@ -195,6 +201,8 @@ files_dontaudit_list_default(bluetooth_helper_t)
 libs_use_ld_so(bluetooth_helper_t)
 libs_use_shared_libs(bluetooth_helper_t)
 
+logging_send_syslog_msg(bluetooth_helper_t)
+
 miscfiles_read_localization(bluetooth_helper_t) 
 miscfiles_read_fonts(bluetooth_helper_t)
 
@@ -203,7 +211,6 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
 
 # a "run" interface needs to be
 # added, and have sysadm_t use it
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index f6e399e..317b261 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -25,7 +25,7 @@ files_pid_file(canna_var_run_t)
 # Local policy
 #
 
-allow canna_t self:capability { setgid setuid };
+allow canna_t self:capability { setgid setuid net_bind_service };
 dontaudit canna_t self:capability sys_tty_config;
 allow canna_t self:process signal_perms;
 allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 615bba7..d806c5a 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -209,7 +209,16 @@ allow crond_t user_home_dir_type:dir r_dir_perms;
 #
 # System cron process domain
 #
-ifdef(`targeted_policy',`',`
+
+optional_policy(`squid.te',`
+	# cjp: why?
+	squid_domtrans(system_crond_t)
+')
+
+ifdef(`targeted_policy',`
+	# cjp: fix:
+	allow crond_t unconfined_t:process transition;
+',`
 	allow system_crond_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 	allow system_crond_t self:process { signal_perms setsched };
 	allow system_crond_t self:fifo_file rw_file_perms;
@@ -370,11 +379,6 @@ ifdef(`targeted_policy',`',`
 		#samba_read_secrets(system_crond_t)
 	')
 
-	optional_policy(`squid.te',`
-		# cjp: why?
-		squid_domtrans(system_crond_t)
-	')
-
 	ifdef(`TODO',`
 	dontaudit userdomain system_crond_t:fd use;
 
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 9867a94..4513ef3 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -21,11 +21,11 @@ gen_require(`
 ')
 init_daemon_domain(cupsd_t,cupsd_exec_t)
 
-type cupsd_etc_t; #, usercanread;
-files_type(cupsd_etc_t)
+type cupsd_etc_t;
+files_config_file(cupsd_etc_t)
 
-type cupsd_rw_etc_t; #, usercanread;
-files_type(cupsd_rw_etc_t)
+type cupsd_rw_etc_t;
+files_config_file(cupsd_rw_etc_t)
 
 type cupsd_log_t;
 logging_log_file(cupsd_log_t)
@@ -51,8 +51,8 @@ type hplip_t;
 type hplip_exec_t;
 init_daemon_domain(hplip_t,hplip_exec_t)
 
-type hplip_etc_t; #, usercanread;
-files_type(hplip_etc_t)
+type hplip_etc_t;
+files_config_file(hplip_etc_t)
 
 type hplip_var_run_t;
 files_pid_file(hplip_var_run_t)
@@ -61,8 +61,8 @@ type ptal_t;
 type ptal_exec_t;
 init_daemon_domain(ptal_t,ptal_exec_t)
 
-type ptal_etc_t; #, usercanread;
-files_type(ptal_etc_t)
+type ptal_etc_t;
+files_config_file(ptal_etc_t)
 
 type ptal_var_run_t;
 files_pid_file(ptal_var_run_t)
@@ -74,8 +74,8 @@ files_pid_file(ptal_var_run_t)
 
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
 allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-allow cupsd_t self:process setsched;
+dontaudit cupsd_t self:capability { sys_tty_config net_admin };
+allow cupsd_t self:process { setsched signal_perms };
 allow cupsd_t self:fifo_file rw_file_perms;
 allow cupsd_t self:unix_stream_socket create_socket_perms;
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
@@ -85,7 +85,7 @@ allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom 
 allow cupsd_t self:udp_socket create_socket_perms;
 
 allow cupsd_t cupsd_etc_t:file { r_file_perms setattr };
-allow cupsd_t cupsd_etc_t:dir { r_dir_perms setattr };
+allow cupsd_t cupsd_etc_t:dir { rw_dir_perms setattr };
 allow cupsd_t cupsd_etc_t:lnk_file { getattr read };
 files_search_etc(cupsd_t)
 
@@ -100,7 +100,7 @@ allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
 
 allow cupsd_t cupsd_log_t:file create_file_perms;
-allow cupsd_t cupsd_log_t:dir rw_dir_perms;
+allow cupsd_t cupsd_log_t:dir { setattr rw_dir_perms };
 logging_create_log(cupsd_t,cupsd_log_t,{ file dir })
 
 allow cupsd_t cupsd_tmp_t:dir create_dir_perms;
@@ -232,13 +232,11 @@ allow web_client_domain cupsd_t:tcp_socket { connectto recvfrom };
 allow cupsd_t web_client_domain:tcp_socket { acceptfrom recvfrom };
 allow cupsd_t kernel_t:tcp_socket recvfrom;
 allow web_client_domain kernel_t:tcp_socket recvfrom;
-
-allow cupsd_t usercanread:dir { getattr read search };
-allow cupsd_t usercanread:file { read getattr };
-allow cupsd_t usercanread:lnk_file { getattr read };
 ') dnl end TODO
 
-
+allow cupsd_t usercanread:dir r_dir_perms;
+allow cupsd_t usercanread:file r_file_perms;
+allow cupsd_t usercanread:lnk_file { getattr read };
 
 allow cupsd_t devpts_t:dir search;
 
@@ -279,7 +277,7 @@ allow cupsd_t portmap_t:udp_socket recvfrom;
 #
 allow initrc_t cupsd_log_t:file { getattr read };
 allow cupsd_t var_t:dir { getattr read search };
-allow cupsd_t var_t:file { read getattr };
+allow cupsd_t var_t:file r_file_perms;
 allow cupsd_t var_t:lnk_file { getattr read };
 
 optional_policy(`samba.te', `
@@ -506,6 +504,7 @@ allow hplip_t devpts_t:chr_file { getattr ioctl };
 #
 
 allow cupsd_config_t self:capability { chown sys_tty_config };
+allow cupsd_config_t self:process signal_perms;
 allow cupsd_config_t self:fifo_file rw_file_perms;
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
 allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
@@ -699,8 +698,8 @@ optional_policy(`kerberos.te',`
 ')
 #end for identd
 
-allow cupsd_lpd_t cupsd_etc_t:dir { getattr read search };
-allow cupsd_lpd_t cupsd_etc_t:file { read getattr };
+allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
+allow cupsd_lpd_t cupsd_etc_t:file r_file_perms;
 allow cupsd_lpd_t cupsd_etc_t:lnk_file { getattr read };
 
 allow cupsd_lpd_t cupsd_lpd_tmp_t:dir create_dir_perms;
@@ -711,7 +710,7 @@ allow cupsd_lpd_t cupsd_lpd_var_run_t:file create_file_perms;
 allow cupsd_lpd_t cupsd_lpd_var_run_t:dir rw_dir_perms;
 files_create_pid(cupsd_lpd_t,cupsd_lpd_var_run_t)
 
-allow cupsd_lpd_t cupsd_rw_etc_t:dir { getattr read search };
+allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
 allow cupsd_lpd_t cupsd_rw_etc_t:file { read getattr };
 allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read };
 
diff --git a/refpolicy/policy/modules/services/dictd.te b/refpolicy/policy/modules/services/dictd.te
index a1f9e73..ba4f132 100644
--- a/refpolicy/policy/modules/services/dictd.te
+++ b/refpolicy/policy/modules/services/dictd.te
@@ -10,8 +10,8 @@ type dictd_t;
 type dictd_exec_t;
 init_daemon_domain(dictd_t,dictd_exec_t)
 
-type dictd_etc_t; #, usercanread;
-files_type(dictd_etc_t)
+type dictd_etc_t;
+files_config_file(dictd_etc_t)
 
 type dictd_var_lib_t alias var_lib_dictd_t;
 files_type(dictd_var_lib_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index d0c236f..d3adfd9 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -12,8 +12,8 @@ init_daemon_domain(dovecot_t,dovecot_exec_t)
 type dovecot_cert_t;
 files_type(dovecot_cert_t)
 
-type dovecot_etc_t; #, usercanread;
-files_type(dovecot_etc_t)
+type dovecot_etc_t;
+files_config_file(dovecot_etc_t)
 
 type dovecot_passwd_t;
 files_type(dovecot_passwd_t)
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 94e85c2..64c4d5d 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -10,8 +10,8 @@ type fingerd_exec_t;
 init_daemon_domain(fingerd_t,fingerd_exec_t)
 inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
 
-type fingerd_etc_t; #, usercanread;
-files_type(fingerd_etc_t)
+type fingerd_etc_t;
+files_config_file(fingerd_etc_t)
 
 type fingerd_log_t;
 logging_log_file(fingerd_log_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index bd0e210..bce55f0 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -11,7 +11,7 @@ type ftpd_exec_t;
 init_daemon_domain(ftpd_t,ftpd_exec_t)
 
 type ftpd_etc_t;
-files_type(ftpd_etc_t)
+files_config_file(ftpd_etc_t)
 
 # ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
 type ftpd_lock_t;
diff --git a/refpolicy/policy/modules/services/inn.te b/refpolicy/policy/modules/services/inn.te
index 6c6eb3f..11b1b03 100644
--- a/refpolicy/policy/modules/services/inn.te
+++ b/refpolicy/policy/modules/services/inn.te
@@ -9,8 +9,8 @@ type innd_t;
 type innd_exec_t;
 init_daemon_domain(innd_t,innd_exec_t)
 
-type innd_etc_t; #, usercanread;
-files_type(innd_etc_t)
+type innd_etc_t;
+files_config_file(innd_etc_t)
 
 type innd_log_t;
 logging_log_file(innd_log_t)
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index 18ec509..796cf67 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -13,8 +13,8 @@ init_daemon_domain(slapd_t,slapd_exec_t)
 type slapd_db_t;
 files_type(slapd_db_t)
 
-type slapd_etc_t; #, usercanread;
-files_type(slapd_etc_t)
+type slapd_etc_t;
+files_config_file(slapd_etc_t)
 
 type slapd_replog_t;
 files_type(slapd_replog_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 14f0d27..08dcb93 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -521,15 +521,12 @@ interface(`mta_delete_spool',`
 interface(`mta_manage_spool',`
 	gen_require(`
 		type mail_spool_t;
-		class dir rw_dir_perms;
-		class lnk_file { getattr read };
-		class file create_file_perms;
 	')
 
 	files_search_spool($1)
-	allow $1 mail_spool_t:dir rw_dir_perms;
-	allow $1 mail_spool_t:lnk_file { getattr read };
-	allow $1 mail_spool_t:file create_file_perms;
+	allow $1 mail_spool_t:dir manage_dir_perms;
+	allow $1 mail_spool_t:lnk_file create_lnk_perms;
+	allow $1 mail_spool_t:file manage_file_perms;
 ')
 
 #######################################
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index a1c9513..271ac25 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -17,7 +17,7 @@ type etc_aliases_t;
 files_type(etc_aliases_t)
 
 type etc_mail_t;
-files_type(etc_mail_t)
+files_config_file(etc_mail_t)
 
 type mqueue_spool_t;
 files_type(mqueue_spool_t)
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index caf53fc..e0dadf0 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -17,7 +17,7 @@ type mysqld_db_t;
 files_type(mysqld_db_t)
 
 type mysqld_etc_t alias etc_mysqld_t;
-files_type(mysqld_etc_t)
+files_config_file(mysqld_etc_t)
 
 type mysqld_log_t;
 logging_log_file(mysqld_log_t)
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 7646adb..2451eb2 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -117,6 +117,28 @@ interface(`nis_use_ypbind',`
 
 ########################################
 ## <summary>
+##	Execute ypbind in the ypbind domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nis_domtrans_ypbind',`
+	gen_require(`
+		type ypbind_t, ypbind_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,ypbind_exec_t,ypbind_t)
+
+	allow $1 ypbind_t:fd use;
+	allow ypbind_t $1:fd use;
+	allow ypbind_t $1:fifo_file rw_file_perms;
+	allow ypbind_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Send generic signals to ypbind.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/postgresql.te b/refpolicy/policy/modules/services/postgresql.te
index 0123946..5c19d7f 100644
--- a/refpolicy/policy/modules/services/postgresql.te
+++ b/refpolicy/policy/modules/services/postgresql.te
@@ -12,8 +12,8 @@ init_daemon_domain(postgresql_t,postgresql_exec_t)
 type postgresql_db_t;
 files_type(postgresql_db_t)
 
-type postgresql_etc_t; #, usercanread;
-files_type(postgresql_etc_t)
+type postgresql_etc_t;
+files_config_file(postgresql_etc_t)
 
 type postgresql_lock_t;
 files_lock_file(postgresql_lock_t)
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index c7a80b8..5054eab 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -16,8 +16,8 @@ type pppd_devpts_t;
 term_pty(pppd_devpts_t)
 
 # Define a separate type for /etc/ppp
-type pppd_etc_t; #, usercanread;
-files_type(pppd_etc_t)
+type pppd_etc_t;
+files_config_file(pppd_etc_t)
 
 # Define a separate type for writable files under /etc/ppp
 type pppd_etc_rw_t;
diff --git a/refpolicy/policy/modules/services/radius.te b/refpolicy/policy/modules/services/radius.te
index 4e165b6..3f62838 100644
--- a/refpolicy/policy/modules/services/radius.te
+++ b/refpolicy/policy/modules/services/radius.te
@@ -10,8 +10,8 @@ type radiusd_t;
 type radiusd_exec_t;
 init_daemon_domain(radiusd_t,radiusd_exec_t)
 
-type radiusd_etc_t; #, usercanread;
-files_type(radiusd_etc_t)
+type radiusd_etc_t;
+files_config_file(radiusd_etc_t)
 
 type radiusd_log_t;
 logging_log_file(radiusd_log_t)
diff --git a/refpolicy/policy/modules/services/radvd.te b/refpolicy/policy/modules/services/radvd.te
index d2569ea..d874fb3 100644
--- a/refpolicy/policy/modules/services/radvd.te
+++ b/refpolicy/policy/modules/services/radvd.te
@@ -12,8 +12,8 @@ init_daemon_domain(radvd_t,radvd_exec_t)
 type radvd_var_run_t;
 files_pid_file(radvd_var_run_t)
 
-type radvd_etc_t; #, usercanread;
-files_type(radvd_etc_t)
+type radvd_etc_t;
+files_config_file(radvd_etc_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 6b20ad5..91303af 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -24,13 +24,13 @@ rpc_domain_template(rpcd)
 rpc_domain_template(nfsd)
 
 type nfsd_rw_t;
-files_type(nfsd_rw_t)
+files_config_file(nfsd_rw_t)
 
 type nfsd_ro_t;
-files_type(nfsd_ro_t)
+files_config_file(nfsd_ro_t)
 
 type var_lib_nfs_t;
-files_type(var_lib_nfs_t)
+files_config_file(var_lib_nfs_t)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 853c334..44119dc 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -13,8 +13,8 @@ init_daemon_domain(nmbd_t,nmbd_exec_t)
 type nmbd_var_run_t;
 files_pid_file(nmbd_var_run_t)
 
-type samba_etc_t; #, usercanread;
-files_type(samba_etc_t)
+type samba_etc_t;
+files_config_file(samba_etc_t)
 
 type samba_log_t;
 logging_log_file(samba_log_t)
@@ -32,8 +32,8 @@ files_tmp_file(samba_net_tmp_t)
 type samba_secrets_t;
 files_type(samba_secrets_t)
 
-type samba_share_t; #, customizable;
-files_type(samba_share_t)
+type samba_share_t;
+files_config_file(samba_share_t)
 
 type samba_var_t;
 files_type(samba_var_t)
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 3149ccc..e453757 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -9,8 +9,8 @@ type snmpd_t;
 type snmpd_exec_t;
 init_daemon_domain(snmpd_t,snmpd_exec_t)
 
-type snmpd_etc_t; #, usercanread;
-files_type(snmpd_etc_t)
+type snmpd_etc_t;
+files_config_file(snmpd_etc_t)
 
 type snmpd_log_t;
 logging_log_file(snmpd_log_t)
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 59d562a..fd793e9 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -80,6 +80,26 @@ interface(`files_pid_file',`
 ########################################
 ## <summary>
 ##	Make the specified type a 
+##	configuration file.
+## </summary>
+## <param name="file_type">
+##	Type to be used as a configuration file.
+## </param>
+#
+interface(`files_config_file',`
+	gen_require(`
+		attribute usercanread;
+	')
+
+	files_type($1)
+
+	# this is a hack and should be removed.
+	typeattribute $1 usercanread;
+')
+
+########################################
+## <summary>
+##	Make the specified type a 
 ##	polyinstantiated directory.
 ## </summary>
 ## <param name="file_type">
@@ -2947,11 +2967,10 @@ interface(`files_delete_all_pid_dirs',`
 interface(`files_search_spool',`
 	gen_require(`
 		type var_t, var_spool_t;
-		class dir search;
 	')
 
-	allow $1 var_t:dir search;
-	allow $1 var_spool_t:dir search;
+	allow $1 var_t:dir search_dir_perms;
+	allow $1 var_spool_t:dir search_dir_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index f6b418f..acd0117 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -18,6 +18,9 @@ attribute pidfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
 
+# this is a hack and should be changed
+attribute usercanread;
+
 # And for labeling the parent directories of those polyinstantiated directories
 # This is necessary for remounting the original in the parent to give
 # security aware apps access
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index 8b8e950..ee7cda2 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -17,7 +17,7 @@ domain_wide_inherit_fd(getty_t)
 
 type getty_etc_t;
 typealias getty_etc_t alias etc_getty_t;
-files_type(getty_etc_t)
+files_config_file(getty_etc_t)
 
 type getty_lock_t;
 files_lock_file(getty_lock_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 9309e8a..8b05c41 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -11,8 +11,8 @@ type hotplug_exec_t;
 kernel_userland_entry(hotplug_t,hotplug_exec_t)
 init_daemon_domain(hotplug_t,hotplug_exec_t)
 
-type hotplug_etc_t; #, usercanread;
-files_type(hotplug_etc_t)
+type hotplug_etc_t;
+files_config_file(hotplug_etc_t)
 kernel_search_from(hotplug_etc_t)
 domain_entry_file(hotplug_t,hotplug_etc_t)
 
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index ba7d43e..3cbca5a 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -17,7 +17,7 @@ files_type(cert_t)
 # files in /usr
 #
 type fonts_t;
-files_type(fonts_t)
+files_config_file(fonts_t)
 
 #
 # type for /usr/share/hwdata
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 9959852..3467a7a 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -191,10 +191,11 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
-allow depmod_t modules_object_t:file unlink;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 ') dnl end ifdef TODO
 
+allow depmod_t modules_object_t:file unlink;
+
 #################################
 #
 # update-modules local policy
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index f724db3..8951f70 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -144,11 +144,13 @@ optional_policy(`udev.te', `
 ')
 
 ifdef(`TODO',`
-# Create device files in /tmp.
-# cjp: why is this created all over the place?
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
 optional_policy(`rhgb.te',`
 	rhgb_domain(cardmgr_t)
 ')
 ') dnl end TODO
+
+# Create device files in /tmp.
+# cjp: why is this created all over the place?
+allow cardmgr_t cardmgr_dev_t:{ chr_file blk_file } manage_file_perms;
+allow cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:dir rw_dir_perms;
+type_transition cardmgr_t { var_run_t cardmgr_var_run_t device_t tmp_t }:{ chr_file blk_file } cardmgr_dev_t;
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 9a44ac6..d181cf9 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -7,9 +7,9 @@ policy_module(sysnetwork,1.0)
 #
 
 # this is shared between dhcpc and dhcpd:
-type dhcp_etc_t; #, usercanread; 
+type dhcp_etc_t;
 typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
-files_type(dhcp_etc_t)
+files_config_file(dhcp_etc_t)
 
 # this is shared between dhcpc and dhcpd:
 type dhcp_state_t;
@@ -206,7 +206,7 @@ optional_policy(`nis.te',`
 	nis_signal_ypbind(dhcpc_t)
 	# dhclient sometimes starts ypbind
 	init_exec_script(dhcpc_t)
-	#nis_domtrans_ypbind(dhcpc_t)
+	nis_domtrans_ypbind(dhcpc_t)
 ')
 
 optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index c021f91..fe5626d 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -21,7 +21,7 @@ domain_wide_inherit_fd(udev_t)
 init_daemon_domain(udev_t,udev_exec_t)
 
 type udev_etc_t alias etc_udev_t;
-files_type(udev_etc_t)
+files_config_file(udev_etc_t)
 
 # udev_runtime_t is the type of the udev table file
 # cjp: this is probably a copy of udev_tbl_t and can be removed