diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index e735de3..80b1624 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -30,6 +30,11 @@
##
#
template(`gpg_per_userdomain_template',`
+ gen_require(`
+ type gpg_exec_t, gpg_helper_exec_t;
+ type gpg_agent_exec_t, pinentry_exec_t;
+ ')
+
########################################
#
# Declarations
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 8b2a7c6..2b71fe1 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -10,10 +10,7 @@
#
interface(`bootloader_domtrans',`
gen_require(`
- type bootloader_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
+ type bootloader_t, bootloader_exec_t;
')
domain_auto_trans($1, bootloader_exec_t, bootloader_t)
@@ -42,7 +39,6 @@ interface(`bootloader_domtrans',`
interface(`bootloader_run',`
gen_require(`
type bootloader_t;
- class chr_file rw_file_perms;
')
bootloader_domtrans($1)
@@ -63,7 +59,6 @@ interface(`bootloader_run',`
interface(`bootloader_dontaudit_getattr_boot_dir',`
gen_require(`
type boot_t;
- class dir getattr;
')
dontaudit $1 boot_t:dir getattr;
@@ -80,7 +75,6 @@ interface(`bootloader_dontaudit_getattr_boot_dir',`
interface(`bootloader_search_boot',`
gen_require(`
type boot_t;
- class dir search;
')
allow $1 boot_t:dir search;
@@ -97,7 +91,6 @@ interface(`bootloader_search_boot',`
interface(`bootloader_dontaudit_search_boot',`
gen_require(`
type boot_t;
- class dir search;
')
dontaudit $1 boot_t:dir search;
@@ -115,8 +108,6 @@ interface(`bootloader_dontaudit_search_boot',`
interface(`bootloader_rw_boot_symlinks',`
gen_require(`
type boot_t;
- class dir r_dir_perms;
- class lnk_file rw_file_perms;
')
allow $1 boot_t:dir r_dir_perms;
@@ -134,9 +125,6 @@ interface(`bootloader_rw_boot_symlinks',`
interface(`bootloader_create_kernel',`
gen_require(`
type boot_t;
- class dir ra_dir_perms;
- class file { getattr read write create };
- class lnk_file { getattr read create unlink };
')
allow $1 boot_t:dir ra_dir_perms;
@@ -155,8 +143,6 @@ interface(`bootloader_create_kernel',`
interface(`bootloader_create_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
- class dir ra_dir_perms;
- class file { rw_file_perms create };
')
allow $1 boot_t:dir ra_dir_perms;
@@ -174,8 +160,6 @@ interface(`bootloader_create_kernel_symbol_table',`
interface(`bootloader_read_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
- class dir r_dir_perms;
- class file r_file_perms;
')
allow $1 boot_t:dir r_dir_perms;
@@ -193,8 +177,6 @@ interface(`bootloader_read_kernel_symbol_table',`
interface(`bootloader_delete_kernel',`
gen_require(`
type boot_t;
- class dir { r_dir_perms write remove_name };
- class file { getattr unlink };
')
allow $1 boot_t:dir { r_dir_perms write remove_name };
@@ -212,8 +194,6 @@ interface(`bootloader_delete_kernel',`
interface(`bootloader_delete_kernel_symbol_table',`
gen_require(`
type boot_t, system_map_t;
- class dir { r_dir_perms write remove_name };
- class file { getattr unlink };
')
allow $1 boot_t:dir { r_dir_perms write remove_name };
@@ -231,7 +211,6 @@ interface(`bootloader_delete_kernel_symbol_table',`
interface(`bootloader_read_config',`
gen_require(`
type bootloader_etc_t;
- class file r_file_perms;
')
allow $1 bootloader_etc_t:file r_file_perms;
@@ -249,7 +228,6 @@ interface(`bootloader_read_config',`
interface(`bootloader_rw_config',`
gen_require(`
type bootloader_etc_t;
- class file rw_file_perms;
')
allow $1 bootloader_etc_t:file rw_file_perms;
@@ -267,7 +245,6 @@ interface(`bootloader_rw_config',`
interface(`bootloader_rw_tmp_file',`
gen_require(`
type bootloader_tmp_t;
- class file rw_file_perms;
')
# FIXME: read tmp_t dir
@@ -286,8 +263,6 @@ interface(`bootloader_rw_tmp_file',`
interface(`bootloader_create_runtime_file',`
gen_require(`
type boot_t, boot_runtime_t;
- class dir rw_dir_perms;
- class file { rw_file_perms create unlink };
')
allow $1 boot_t:dir rw_dir_perms;
@@ -338,8 +313,6 @@ interface(`bootloader_list_kernel_modules',`
interface(`bootloader_getattr_kernel_modules',`
gen_require(`
type modules_object_t;
- class dir search;
- class file getattr;
')
allow $1 modules_object_t:dir search;
@@ -357,9 +330,6 @@ interface(`bootloader_getattr_kernel_modules',`
interface(`bootloader_read_kernel_modules',`
gen_require(`
type modules_object_t;
- class dir r_dir_perms;
- class lnk_file r_file_perms;
- class file r_file_perms;
')
allow $1 modules_object_t:dir r_dir_perms;
@@ -379,8 +349,6 @@ interface(`bootloader_write_kernel_modules',`
gen_require(`
attribute rw_kern_modules;
type modules_object_t;
- class dir r_dir_perms;
- class file { write append };
')
allow $1 modules_object_t:dir r_dir_perms;
@@ -402,8 +370,6 @@ interface(`bootloader_manage_kernel_modules',`
gen_require(`
attribute rw_kern_modules;
type modules_object_t;
- class file { getattr create read write setattr unlink };
- class dir rw_dir_perms;
')
allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
@@ -419,7 +385,6 @@ interface(`bootloader_manage_kernel_modules',`
interface(`bootloader_create_modules',`
gen_require(`
type modules_object_t;
- class dir rw_dir_perms;
')
allow $1 modules_object_t:dir rw_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 5914abe..f7e9ba6 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -200,7 +200,7 @@ optional_policy(`lvm.te',`
')
optional_policy(`modutils.te',`
- modutils_exec_insmod(insmod_t)
+ modutils_exec_insmod(bootloader_t)
modutils_read_mods_deps(bootloader_t)
modutils_read_module_conf(bootloader_t)
modutils_exec_insmod(bootloader_t)
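Review bot: The corrected call `modutils_exec_insmod(bootloader_t)` at the top of the optional_policy block now duplicates the identical call three lines below, so the block expands the same interface twice for bootloader_t. The original `insmod_t` line looks like a stray copy rather than a misnamed subject, and the cleaner fix is to delete it outright, leaving the single `modutils_exec_insmod(bootloader_t)` after `modutils_read_module_conf(bootloader_t)`. The optional_policy block is closed outside the hunk.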
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index f43158e..0919bae 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -59,13 +59,6 @@ interface(`dev_relabel_all_dev_nodes',`
gen_require(`
attribute device_node;
type device_t;
- class dir { getattr relabelfrom };
- class file { getattr relabelfrom };
- class lnk_file { getattr relabelfrom };
- class fifo_file { getattr relabelfrom };
- class sock_file { getattr relabelfrom };
- class blk_file { getattr relabelfrom relabelto };
- class chr_file { getattr relabelfrom relabelto };
')
allow $1 device_node:dir { getattr relabelfrom };
@@ -88,8 +81,6 @@ interface(`dev_relabel_all_dev_nodes',`
interface(`dev_list_all_dev_nodes',`
gen_require(`
type device_t;
- class dir r_dir_perms;
- class lnk_file { getattr read };
')
allow $1 device_t:dir r_dir_perms;
@@ -107,7 +98,6 @@ interface(`dev_list_all_dev_nodes',`
interface(`dev_setattr_dev_dir',`
gen_require(`
type device_t;
- class dir setattr;
')
allow $1 device_t:dir setattr;
@@ -124,7 +114,6 @@ interface(`dev_setattr_dev_dir',`
interface(`dev_dontaudit_list_all_dev_nodes',`
gen_require(`
type device_t;
- class dir r_dir_perms;
')
dontaudit $1 device_t:dir r_dir_perms;
@@ -141,7 +130,6 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
interface(`dev_create_dir',`
gen_require(`
type device_t;
- class dir { ra_dir_perms create };
')
allow $1 device_t:dir { ra_dir_perms create };
@@ -158,7 +146,6 @@ interface(`dev_create_dir',`
interface(`dev_relabel_dev_dirs',`
gen_require(`
type device_t;
- class dir { r_dir_perms relabelfrom relabelto };
')
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
@@ -175,8 +162,6 @@ interface(`dev_relabel_dev_dirs',`
interface(`dev_rw_generic_file',`
gen_require(`
type device_t;
- class dir search;
- class file rw_file_perms;
')
allow $1 device_t:dir search;
@@ -194,8 +179,6 @@ interface(`dev_rw_generic_file',`
interface(`dev_delete_generic_file',`
gen_require(`
type device_t;
- class dir { search write remove_name };
- class file unlink;
')
allow $1 device_t:dir { search write remove_name };
@@ -213,7 +196,6 @@ interface(`dev_delete_generic_file',`
interface(`dev_dontaudit_getattr_generic_pipe',`
gen_require(`
type device_t;
- class fifo_file getattr;
')
dontaudit $1 device_t:fifo_file getattr;
@@ -230,8 +212,6 @@ interface(`dev_dontaudit_getattr_generic_pipe',`
interface(`dev_getattr_generic_blk_file',`
gen_require(`
type device_t;
- class dir r_dir_perms;
- class blk_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -249,7 +229,6 @@ interface(`dev_getattr_generic_blk_file',`
interface(`dev_dontaudit_getattr_generic_blk_file',`
gen_require(`
type device_t;
- class blk_file getattr;
')
dontaudit $1 device_t:blk_file getattr;
@@ -266,7 +245,6 @@ interface(`dev_dontaudit_getattr_generic_blk_file',`
interface(`dev_dontaudit_setattr_generic_blk_file',`
gen_require(`
type device_t;
- class blk_file setattr;
')
dontaudit $1 device_t:blk_file setattr;
@@ -284,7 +262,6 @@ interface(`dev_dontaudit_setattr_generic_blk_file',`
interface(`dev_manage_generic_blk_file',`
gen_require(`
type device_t;
- class blk_file create_file_perms;
')
allow $1 device_t:dir rw_dir_perms;
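Review bot: `dev_manage_generic_blk_file` is defined a second time further down this file (the hunk at `@@ -506,8 +462,6`), and m4 silently keeps whichever definition is read last, so one copy is dead and edits to the other are lost. The later copy is the one whose `gen_require` covered both `dir` and `blk_file`, so this earlier copy is the one to remove rather than tidy; the commit strips its require line but leaves the duplicate in place. The interface body continues outside the hunk.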
@@ -302,9 +279,6 @@ interface(`dev_manage_generic_blk_file',`
interface(`dev_create_generic_chr_file',`
gen_require(`
type device_t;
- class dir ra_dir_perms;
- class chr_file create;
- class capability mknod;
')
allow $1 device_t:dir ra_dir_perms;
@@ -324,8 +298,6 @@ interface(`dev_create_generic_chr_file',`
interface(`dev_getattr_generic_chr_file',`
gen_require(`
type device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -343,7 +315,6 @@ interface(`dev_getattr_generic_chr_file',`
interface(`dev_dontaudit_getattr_generic_chr_file',`
gen_require(`
type device_t;
- class chr_file getattr;
')
dontaudit $1 device_t:chr_file getattr;
@@ -360,7 +331,6 @@ interface(`dev_dontaudit_getattr_generic_chr_file',`
interface(`dev_dontaudit_setattr_generic_chr_file',`
gen_require(`
type device_t;
- class chr_file setattr;
')
dontaudit $1 device_t:chr_file setattr;
@@ -378,7 +348,6 @@ interface(`dev_dontaudit_setattr_generic_chr_file',`
interface(`dev_dontaudit_setattr_generic_symlink',`
gen_require(`
type device_t;
- class lnk_file setattr;
')
dontaudit $1 device_t:lnk_file setattr;
@@ -395,8 +364,6 @@ interface(`dev_dontaudit_setattr_generic_symlink',`
interface(`dev_del_generic_symlinks',`
gen_require(`
type device_t;
- class dir { getattr read write remove_name };
- class lnk_file unlink;
')
allow $1 device_t:dir { getattr read write remove_name };
@@ -414,8 +381,6 @@ interface(`dev_del_generic_symlinks',`
interface(`dev_manage_generic_symlinks',`
gen_require(`
type device_t;
- class dir rw_dir_perms;
- class lnk_file create_lnk_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -433,8 +398,6 @@ interface(`dev_manage_generic_symlinks',`
interface(`dev_relabel_generic_symlinks',`
gen_require(`
type device_t;
- class dir r_dir_perms;
- class lnk_file { relabelfrom relabelto };
')
allow $1 device_t:dir r_dir_perms;
@@ -453,11 +416,6 @@ interface(`dev_manage_dev_nodes',`
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
- class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
- class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- class lnk_file { create read getattr setattr link unlink rename };
- class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
- class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
')
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
@@ -488,8 +446,6 @@ interface(`dev_manage_dev_nodes',`
interface(`dev_dontaudit_rw_generic_dev_nodes',`
gen_require(`
type device_t;
- class chr_file { getattr read write ioctl };
- class blk_file { getattr read write ioctl };
')
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
@@ -506,8 +462,6 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',`
interface(`dev_manage_generic_blk_file',`
gen_require(`
type device_t;
- class dir rw_dir_perms;
- class blk_file create_file_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -525,8 +479,6 @@ interface(`dev_manage_generic_blk_file',`
interface(`dev_manage_generic_chr_file',`
gen_require(`
type device_t;
- class dir rw_dir_perms;
- class chr_file create_file_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -552,7 +504,6 @@ interface(`dev_manage_generic_chr_file',`
interface(`dev_create_dev_node',`
gen_require(`
type device_t;
- class dir rw_dir_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -574,8 +525,6 @@ interface(`dev_create_dev_node',`
interface(`dev_getattr_all_blk_files',`
gen_require(`
attribute device_node;
- class blk_file getattr;
- class dir r_dir_perms;
')
allow $1 device_t:dir r_dir_perms;
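Review bot: `dev_getattr_all_blk_files` requires only `attribute device_node;` but its first rule is `allow $1 device_t:dir r_dir_perms;`, so `device_t` is used without appearing in the `gen_require` block; the block should read `attribute device_node;` followed by `type device_t;`. The same gap is present in dev_getattr_all_chr_files, dev_setattr_all_blk_files, dev_setattr_all_chr_files, dev_manage_all_blk_files and dev_manage_all_chr_files, and dev_read_framebuffer requires only `framebuf_device_t` while its body opens on `device_t`. In a module that expands only one of these interfaces the missing require is likely to surface as an unresolved type when the module is linked; elsewhere a sibling interface masks it, which is harder to notice later. The interface bodies continue outside their hunks.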
@@ -593,7 +542,6 @@ interface(`dev_getattr_all_blk_files',`
interface(`dev_dontaudit_getattr_all_blk_files',`
gen_require(`
attribute device_node;
- class blk_file getattr;
')
allow $1 device_node:blk_file getattr;
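Review bot: `dev_dontaudit_getattr_all_blk_files` grants the access instead of silencing it: the rule is `allow $1 device_node:blk_file getattr;`, whereas the matching chr_file interface below uses `dontaudit $1 device_node:chr_file getattr;`. A caller adding this interface to quiet denial noise would instead receive getattr on every block device node, a permission it did not ask for and that will not show up in the audit log. Change the rule to `dontaudit $1 device_node:blk_file getattr;`; the interface ends outside the hunk.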
@@ -610,8 +558,6 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
interface(`dev_getattr_all_chr_files',`
gen_require(`
attribute device_node;
- class chr_file getattr;
- class dir r_dir_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -629,7 +575,6 @@ interface(`dev_getattr_all_chr_files',`
interface(`dev_dontaudit_getattr_all_chr_files',`
gen_require(`
attribute device_node;
- class chr_file getattr;
')
dontaudit $1 device_node:chr_file getattr;
@@ -646,8 +591,6 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
interface(`dev_setattr_all_blk_files',`
gen_require(`
attribute device_node;
- class dir r_dir_perms;
- class blk_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -665,8 +608,6 @@ interface(`dev_setattr_all_blk_files',`
interface(`dev_setattr_all_chr_files',`
gen_require(`
attribute device_node;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -716,8 +657,6 @@ interface(`dev_dontaudit_read_all_chr_files',`
interface(`dev_manage_all_blk_files',`
gen_require(`
attribute device_node;
- class dir rw_dir_perms;
- class blk_file create_file_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -741,8 +680,6 @@ interface(`dev_manage_all_blk_files',`
interface(`dev_manage_all_chr_files',`
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
- class dir rw_dir_perms;
- class chr_file create_file_perms;
')
allow $1 device_t:dir rw_dir_perms;
@@ -762,8 +699,6 @@ interface(`dev_manage_all_chr_files',`
interface(`dev_rw_agp_dev',`
gen_require(`
type device_t, agp_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -781,8 +716,6 @@ interface(`dev_rw_agp_dev',`
interface(`dev_getattr_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -801,7 +734,6 @@ interface(`dev_getattr_apm_bios',`
interface(`dev_dontaudit_getattr_apm_bios',`
gen_require(`
type apm_bios_t;
- class chr_file getattr;
')
dontaudit $1 apm_bios_t:chr_file getattr;
@@ -818,8 +750,6 @@ interface(`dev_dontaudit_getattr_apm_bios',`
interface(`dev_setattr_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -838,7 +768,6 @@ interface(`dev_setattr_apm_bios',`
interface(`dev_dontaudit_setattr_apm_bios',`
gen_require(`
type apm_bios_t;
- class chr_file setattr;
')
dontaudit $1 apm_bios_t:chr_file setattr;
@@ -855,8 +784,6 @@ interface(`dev_dontaudit_setattr_apm_bios',`
interface(`dev_rw_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -875,7 +802,6 @@ interface(`dev_rw_apm_bios',`
interface(`dev_dontaudit_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
- class chr_file { read write };
')
dontaudit $1 cardmgr_dev_t:chr_file { read write };
@@ -910,8 +836,6 @@ interface(`dev_getattr_cpu',`
interface(`dev_read_cpuid',`
gen_require(`
type device_t, cpu_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -930,8 +854,6 @@ interface(`dev_read_cpuid',`
interface(`dev_rw_cpu_microcode',`
gen_require(`
type device_t, cpu_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -966,8 +888,6 @@ interface(`dev_rw_crypto',`
interface(`dev_getattr_agp_dev',`
gen_require(`
type device_t, dri_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
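Review bot: `dev_getattr_agp_dev` requires `type device_t, dri_device_t;`, while `dev_rw_agp_dev` earlier in this file uses `agp_device_t`, so either the interface name or the required type is wrong. Its position, right after `dev_rw_crypto` and immediately before `dev_rw_dri_dev`, suggests this was meant to be the DRI getattr interface, but that is inferred rather than visible here, and the allow rule it applies to is outside the hunk. Whichever is intended, the name and the `gen_require` line should agree, e.g. `type device_t, agp_device_t;` if it really targets AGP.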
@@ -985,8 +905,6 @@ interface(`dev_getattr_agp_dev',`
interface(`dev_rw_dri_dev',`
gen_require(`
type device_t, dri_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1004,7 +922,6 @@ interface(`dev_rw_dri_dev',`
interface(`dev_dontaudit_rw_dri_dev',`
gen_require(`
type dri_device_t;
- class chr_file { getattr read write ioctl };
')
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
@@ -1021,8 +938,6 @@ interface(`dev_dontaudit_rw_dri_dev',`
interface(`dev_read_input',`
gen_require(`
type device_t, event_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1040,8 +955,6 @@ interface(`dev_read_input',`
interface(`dev_getattr_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1059,8 +972,6 @@ interface(`dev_getattr_framebuffer',`
interface(`dev_setattr_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1079,7 +990,6 @@ interface(`dev_setattr_framebuffer',`
interface(`dev_dontaudit_setattr_framebuffer',`
gen_require(`
type framebuf_device_t;
- class chr_file setattr;
')
dontaudit $1 framebuf_device_t:chr_file setattr;
@@ -1096,8 +1006,6 @@ interface(`dev_dontaudit_setattr_framebuffer',`
interface(`dev_read_framebuffer',`
gen_require(`
type framebuf_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1115,7 +1023,6 @@ interface(`dev_read_framebuffer',`
interface(`dev_dontaudit_read_framebuffer',`
gen_require(`
type framebuf_device_t;
- class chr_file r_file_perms;
')
dontaudit $1 framebuf_device_t:chr_file { getattr read };
@@ -1132,8 +1039,6 @@ interface(`dev_dontaudit_read_framebuffer',`
interface(`dev_write_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1151,8 +1056,6 @@ interface(`dev_write_framebuffer',`
interface(`dev_read_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1170,8 +1073,6 @@ interface(`dev_read_lvm_control',`
interface(`dev_rw_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1189,8 +1090,6 @@ interface(`dev_rw_lvm_control',`
interface(`dev_delete_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
- class dir { getattr search read write remove_name };
- class chr_file unlink;
')
allow $1 device_t:dir { getattr search read write remove_name };
@@ -1209,9 +1108,6 @@ interface(`dev_read_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
@@ -1233,9 +1129,6 @@ interface(`dev_write_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
- class dir r_dir_perms;
- class chr_file write;
- class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
@@ -1256,7 +1149,6 @@ interface(`dev_write_raw_memory',`
interface(`dev_rx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
- class chr_file execute;
')
dev_read_raw_memory($1)
@@ -1274,7 +1166,6 @@ interface(`dev_rx_raw_memory',`
interface(`dev_wx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
- class chr_file execute;
')
dev_write_raw_memory($1)
@@ -1292,8 +1183,6 @@ interface(`dev_wx_raw_memory',`
interface(`dev_getattr_misc',`
gen_require(`
type device_t, misc_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1312,7 +1201,6 @@ interface(`dev_getattr_misc',`
interface(`dev_dontaudit_getattr_misc',`
gen_require(`
type misc_device_t;
- class chr_file getattr;
')
dontaudit $1 misc_device_t:chr_file getattr;
@@ -1329,8 +1217,6 @@ interface(`dev_dontaudit_getattr_misc',`
interface(`dev_setattr_misc',`
gen_require(`
type device_t, misc_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1349,7 +1235,6 @@ interface(`dev_setattr_misc',`
interface(`dev_dontaudit_setattr_misc',`
gen_require(`
type misc_device_t;
- class chr_file setattr;
')
dontaudit $1 misc_device_t:chr_file setattr;
@@ -1366,8 +1251,6 @@ interface(`dev_dontaudit_setattr_misc',`
interface(`dev_read_misc',`
gen_require(`
type device_t, misc_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1385,8 +1268,6 @@ interface(`dev_read_misc',`
interface(`dev_write_misc',`
gen_require(`
type device_t, misc_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1404,8 +1285,6 @@ interface(`dev_write_misc',`
interface(`dev_getattr_mouse',`
gen_require(`
type device_t, mouse_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1423,8 +1302,6 @@ interface(`dev_getattr_mouse',`
interface(`dev_setattr_mouse',`
gen_require(`
type device_t, mouse_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1442,8 +1319,6 @@ interface(`dev_setattr_mouse',`
interface(`dev_read_mouse',`
gen_require(`
type device_t, mouse_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1478,8 +1353,6 @@ interface(`dev_rw_mouse',`
interface(`dev_read_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1497,8 +1370,6 @@ interface(`dev_read_mtrr',`
interface(`dev_write_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1516,8 +1387,6 @@ interface(`dev_write_mtrr',`
interface(`dev_rw_null_dev',`
gen_require(`
type device_t, null_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1535,8 +1404,6 @@ interface(`dev_rw_null_dev',`
interface(`dev_setattr_printer',`
gen_require(`
type device_t, printer_device_t;
- class dir search;
- class chr_file setattr;
')
allow $1 device_t:dir search;
@@ -1554,8 +1421,6 @@ interface(`dev_setattr_printer',`
interface(`dev_rw_printer',`
gen_require(`
type device_t, printer_device_t;
- class dir search;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir search;
@@ -1573,8 +1438,6 @@ interface(`dev_rw_printer',`
interface(`dev_read_rand',`
gen_require(`
type device_t, random_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1594,8 +1457,6 @@ interface(`dev_read_rand',`
interface(`dev_write_rand',`
gen_require(`
type device_t, random_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1613,8 +1474,6 @@ interface(`dev_write_rand',`
interface(`dev_read_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1632,8 +1491,6 @@ interface(`dev_read_realtime_clock',`
interface(`dev_write_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
- class dir r_dir_perms;
- class chr_file { setattr lock write append ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1664,8 +1521,6 @@ interface(`dev_rw_realtime_clock',`
interface(`dev_getattr_scanner',`
gen_require(`
type device_t, scanner_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1684,7 +1539,6 @@ interface(`dev_getattr_scanner',`
interface(`dev_dontaudit_getattr_scanner',`
gen_require(`
type scanner_device_t;
- class chr_file getattr;
')
dontaudit $1 scanner_device_t:chr_file getattr;
@@ -1701,8 +1555,6 @@ interface(`dev_dontaudit_getattr_scanner',`
interface(`dev_setattr_scanner',`
gen_require(`
type device_t, scanner_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1721,7 +1573,6 @@ interface(`dev_setattr_scanner',`
interface(`dev_dontaudit_setattr_scanner',`
gen_require(`
type scanner_device_t;
- class chr_file getattr;
')
dontaudit $1 scanner_device_t:chr_file setattr;
@@ -1738,8 +1589,6 @@ interface(`dev_dontaudit_setattr_scanner',`
interface(`dev_rw_scanner',`
gen_require(`
type device_t, scanner_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1757,8 +1606,6 @@ interface(`dev_rw_scanner',`
interface(`dev_getattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1776,8 +1623,6 @@ interface(`dev_getattr_snd_dev',`
interface(`dev_setattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1795,8 +1640,6 @@ interface(`dev_setattr_snd_dev',`
interface(`dev_read_snd_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1814,8 +1657,6 @@ interface(`dev_read_snd_dev',`
interface(`dev_write_snd_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1833,8 +1674,6 @@ interface(`dev_write_snd_dev',`
interface(`dev_read_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr read ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1852,8 +1691,6 @@ interface(`dev_read_snd_mixer_dev',`
interface(`dev_write_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -1871,8 +1708,6 @@ interface(`dev_write_snd_mixer_dev',`
interface(`dev_getattr_power_management',`
gen_require(`
type device_t, power_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1890,8 +1725,6 @@ interface(`dev_getattr_power_management',`
interface(`dev_setattr_power_management',`
gen_require(`
type device_t, power_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -1909,8 +1742,6 @@ interface(`dev_setattr_power_management',`
interface(`dev_rw_power_management',`
gen_require(`
type device_t, power_device_t;
- class dir r_dir_perms;
- class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -1928,7 +1759,6 @@ interface(`dev_rw_power_management',`
interface(`dev_getattr_sysfs_dir',`
gen_require(`
type sysfs_t;
- class dir getattr;
')
allow $1 sysfs_t:dir getattr;
@@ -1945,7 +1775,6 @@ interface(`dev_getattr_sysfs_dir',`
interface(`dev_search_sysfs',`
gen_require(`
type sysfs_t;
- class dir search;
')
allow $1 sysfs_t:dir search;
@@ -1962,7 +1791,6 @@ interface(`dev_search_sysfs',`
interface(`dev_dontaudit_search_sysfs',`
gen_require(`
type sysfs_t;
- class dir search;
')
dontaudit $1 sysfs_t:dir search;
@@ -1979,7 +1807,6 @@ interface(`dev_dontaudit_search_sysfs',`
interface(`dev_list_sysfs',`
gen_require(`
type sysfs_t;
- class dir r_dir_perms;
')
allow $1 sysfs_t:dir r_dir_perms;
@@ -1996,9 +1823,6 @@ interface(`dev_list_sysfs',`
interface(`dev_read_sysfs',`
gen_require(`
type sysfs_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
')
allow $1 sysfs_t:dir r_dir_perms;
@@ -2016,9 +1840,6 @@ interface(`dev_read_sysfs',`
interface(`dev_rw_sysfs',`
gen_require(`
type sysfs_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- class lnk_file r_file_perms;
')
allow $1 sysfs_t:dir r_dir_perms;
@@ -2037,8 +1858,6 @@ interface(`dev_rw_sysfs',`
interface(`dev_read_urand',`
gen_require(`
type device_t, urandom_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -2057,8 +1876,6 @@ interface(`dev_read_urand',`
interface(`dev_write_urand',`
gen_require(`
type device_t, urandom_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
@@ -2076,7 +1893,6 @@ interface(`dev_write_urand',`
interface(`dev_mount_usbfs',`
gen_require(`
type usbfs_t;
- class filesystem mount;
')
allow $1 usbfs_t:filesystem mount;
@@ -2093,7 +1909,6 @@ interface(`dev_mount_usbfs',`
interface(`dev_getattr_usbfs_dir',`
gen_require(`
type usbfs_t;
- class dir getattr;
')
allow $1 usbfs_t:dir getattr;
@@ -2110,7 +1925,6 @@ interface(`dev_getattr_usbfs_dir',`
interface(`dev_search_usbfs',`
gen_require(`
type usbfs_t;
- class dir search;
')
allow $1 usbfs_t:dir search;
@@ -2127,9 +1941,6 @@ interface(`dev_search_usbfs',`
interface(`dev_list_usbfs',`
gen_require(`
type usbfs_t;
- class dir r_dir_perms;
- class file getattr;
- class lnk_file r_file_perms;
')
allow $1 usbfs_t:dir r_dir_perms;
@@ -2149,9 +1960,6 @@ interface(`dev_list_usbfs',`
interface(`dev_read_usbfs',`
gen_require(`
type usbfs_t;
- class dir r_dir_perms;
- class file r_file_perms;
- class lnk_file r_file_perms;
')
allow $1 usbfs_t:dir r_dir_perms;
@@ -2169,9 +1977,6 @@ interface(`dev_read_usbfs',`
interface(`dev_rw_usbfs',`
gen_require(`
type usbfs_t;
- class dir r_dir_perms;
- class file rw_file_perms;
- class lnk_file r_file_perms;
')
allow $1 usbfs_t:dir r_dir_perms;
@@ -2190,8 +1995,6 @@ interface(`dev_rw_usbfs',`
interface(`dev_getattr_video_dev',`
gen_require(`
type device_t, v4l_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -2210,7 +2013,6 @@ interface(`dev_getattr_video_dev',`
interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
type v4l_device_t;
- class chr_file getattr;
')
dontaudit $1 v4l_device_t:chr_file getattr;
@@ -2227,8 +2029,6 @@ interface(`dev_dontaudit_getattr_video_dev',`
interface(`dev_setattr_video_dev',`
gen_require(`
type device_t, v4l_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -2247,7 +2047,6 @@ interface(`dev_setattr_video_dev',`
interface(`dev_dontaudit_setattr_video_dev',`
gen_require(`
type v4l_device_t;
- class chr_file setattr;
')
dontaudit $1 v4l_device_t:chr_file setattr;
@@ -2264,8 +2063,6 @@ interface(`dev_dontaudit_setattr_video_dev',`
interface(`dev_getattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -2283,8 +2080,6 @@ interface(`dev_getattr_xserver_misc_dev',`
interface(`dev_setattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
@@ -2302,8 +2097,6 @@ interface(`dev_setattr_xserver_misc_dev',`
interface(`dev_rw_zero_dev',`
gen_require(`
type device_t, zero_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
@@ -2321,7 +2114,6 @@ interface(`dev_rw_zero_dev',`
interface(`dev_rwx_zero_dev',`
gen_require(`
type zero_device_t;
- class chr_file execute;
')
dev_rw_zero_dev($1)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 4f75c58..4e9b0e3 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -1697,7 +1697,7 @@ interface(`kernel_send_syslog_msg_from',`
#
interface(`kernel_udp_sendfrom',`
gen_require(`
- type portmap_t;
+ type kernel_t;
class udp_socket { sendto recvfrom };
')
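Review bot: `class udp_socket { sendto recvfrom };` is kept in this gen_require while every other hunk in the commit drops `class` lines from require blocks (dev.if, lvm.if, modutils.if, authlogin.if), so if the rule is that object classes no longer need to be required, this block is the one left inconsistent. Replacing `type portmap_t;` with `type kernel_t;` looks right for an interface named kernel_udp_sendfrom, but the body that uses the required type is outside the hunk, so I cannot confirm portmap_t is not still referenced there.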
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index bb43dde..bc558ec 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -10,6 +10,9 @@
##
#
template(`apache_content_template',`
+ gen_require(`
+ attribute httpdcontent, httpd_script_domains;
+ ')
# allow write access to public file transfer
# services files.
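Review bot: The added gen_require block is followed directly by the `# allow write access ...` comment with no blank line, whereas this commit's matching additions to gpg.if and ssh.if separate the require from the template body with one; the cron.if hunk (L1134) has the same layout. A blank line after the closing `')` keeps the four per-module templates consistent. The template body continues outside the hunk.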
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 80755b2..144df9b 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -374,6 +374,8 @@ optional_policy(`mailman.te',`
')
optional_policy(`mta.te',`
+ mta_stub()
+
# apache should set close-on-exec
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
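Review bot: The `mta_stub()` call at the top of the optional block for mta.te has no comment saying why a "no access allowed" interface is invoked, and a reader of apache.te cannot see that mta_stub (added in mta.if, L1151) contains nothing but a gen_require on sendmail_exec_t; the same applies to `sendmail_stub()` in mta.te (L1204) and its definition in sendmail.if (L1268). It appears to exist so the optional block carries a require on a type owned by the mta module and is therefore dropped when that module is absent — if that is the intent, state it at the call site: `# mta_stub() only requires an mta type so this optional block depends on the mta module`. Without that note the stub calls read as accidental leftovers and are likely to be removed by the next cleanup.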
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index ecd5bdf..37edbc1 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -28,6 +28,10 @@
##
#
template(`cron_per_userdomain_template',`
+ gen_require(`
+ attribute cron_spool_type;
+ type crontab_exec_t;
+ ')
# Type of user crontabs once moved to cron spool.
type $1_cron_spool_t, cron_spool_type;
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 4c9ad48..1cac664 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -1,5 +1,19 @@
## Policy common to all email tranfer agents.
+########################################
+##
+## MTA stub interface. No access allowed.
+##
+##
+## N/A
+##
+#
+interface(`mta_stub',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+')
+
#######################################
##
## The per user domain template for the mta module.
@@ -109,11 +123,11 @@ template(`mta_per_userdomain_template',`
nscd_use_socket($1_mail_t)
')
+ ifdef(`TODO',`
optional_policy(`procmail.te',`
procmail_execute($1_mail_t)
')
- ifdef(`TODO',`
# Read user temporary files.
allow $1_mail_t $1_tmp_t:file r_file_perms;
dontaudit $1_mail_t $1_tmp_t:file append;
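Review bot: Moving the TODO ifdef opener above the procmail.te optional block silently disables `procmail_execute($1_mail_t)` for the per-user mail domain, and the hunk gives no reason; the same move is made for system_mail_t in mta.te (L1211-L1213). The two parked calls are also spelled differently — `procmail_execute($1_mail_t)` here versus `procmail_exec(system_mail_t)` in mta.te — so at most one of them names an interface that will resolve when the TODO block is re-enabled. I would add a one-line reason above the ifdef, `# TODO: procmail access parked until <reason placeholder>`, and align the two interface names now rather than when the block is revived. The template body continues outside the hunk.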
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 07b40e9..1faa732 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -28,15 +28,16 @@ files_type(sendmail_exec_t)
type system_mail_t;
domain_type(system_mail_t)
+domain_entry_file(system_mail_t,sendmail_exec_t)
role system_r types system_mail_t;
-ifdef(`targeted_policy',`',`
- optional_policy(`sendmail.te',`
- domain_entry_file(system_mail_t,sendmail_exec_t)
- ',`
- init_system_domain(system_mail_t,sendmail_exec_t)
- ')
-')
+# cjp: need to resolve this, but require{}
+# does not work in the else part of the optional
+#ifdef(`targeted_policy',`',`
+# optional_policy(`sendmail.te',`',`
+# init_system_domain(system_mail_t,sendmail_exec_t)
+# ')
+#')
########################################
#
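Review bot: `domain_entry_file(system_mail_t,sendmail_exec_t)` is now applied unconditionally, which changes two configurations the removed ifdef distinguished: under targeted_policy the old code applied nothing, and outside targeted_policy without sendmail.te it applied `init_system_domain(system_mail_t,sendmail_exec_t)`, which the commented-out block now leaves out. The cjp comment records the require{} limitation but not this loss, so the next reader cannot tell what is missing or which build it affects. I would extend the comment with `# until resolved: non-targeted builds without sendmail lose init_system_domain for system_mail_t, targeted builds now get the entry file`. Whether the unconditional entry file is acceptable under targeted_policy is not decidable from this hunk.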
@@ -150,11 +151,9 @@ optional_policy(`nscd.te',`
nscd_use_socket(system_mail_t)
')
-optional_policy(`procmail.te',`
- procmail_exec(system_mail_t)
-')
-
optional_policy(`sendmail.te',`
+ sendmail_stub()
+
allow system_mail_t etc_mail_t:dir { getattr search };
# sendmail -q
@@ -163,6 +162,10 @@ optional_policy(`sendmail.te',`
')
ifdef(`TODO',`
+optional_policy(`procmail.te',`
+ procmail_exec(system_mail_t)
+')
+
optional_policy(`sendmail.te',`
allow system_mail_t { var_t var_spool_t }:dir getattr;
dontaudit system_mail_t userpty_type:chr_file { getattr read write };
diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if
index 8c9428a..7d3fbc9 100644
--- a/refpolicy/policy/modules/services/nis.if
+++ b/refpolicy/policy/modules/services/nis.if
@@ -57,10 +57,6 @@ interface(`nis_use_ypbind_uncond',`
corenet_dontaudit_tcp_connect_all_reserved_ports($1)
sysnet_read_config($1)
-
- optional_policy(`mount.te',`
- mount_send_nfs_client_request($1)
- ')
')
########################################
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index c1c2fa0..8add650 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -10,6 +10,11 @@ gen_require(`
# Declarations
#
+# cjp: this is out of order because of an
+# ordering problem with loadable modules
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
# nscd is both the client program and the daemon.
type nscd_t;
type nscd_exec_t;
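Review bot: The cjp comment on the relocated `type nscd_var_run_t;` names an ordering problem but not what depends on nscd_var_run_t being declared before nscd_t, so nobody can tell when the workaround can be reverted. I would make it actionable: `# cjp: declared before nscd_t to work around a loadable-module ordering problem (TODO: name the rule that needs it first)`. The declaration itself and `files_pid_file(nscd_var_run_t)` are unchanged from the removed lines in the following hunk.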
@@ -18,9 +23,6 @@ init_daemon_domain(nscd_t,nscd_exec_t)
type nscd_log_t;
logging_log_file(nscd_log_t)
-type nscd_var_run_t;
-files_pid_file(nscd_var_run_t)
-
########################################
#
# Local policy
diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if
index 908ac9c..8e109e5 100644
--- a/refpolicy/policy/modules/services/sendmail.if
+++ b/refpolicy/policy/modules/services/sendmail.if
@@ -2,6 +2,20 @@
########################################
##
+## Sendmail stub interface. No access allowed.
+##
+##
+## N/A
+##
+#
+interface(`sendmail_stub',`
+ gen_require(`
+ type sendmail_t;
+ ')
+')
+
+########################################
+##
## Domain transition to sendmail.
##
##
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 66ae081..ab35a65 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -28,6 +28,11 @@
##
#
template(`ssh_per_userdomain_template',`
+ gen_require(`
+ type ssh_exec_t, ssh_agent_exec_t;
+ type ssh_keysign_exec_t;
+ ')
+
##############################
#
# Declarations
@@ -328,10 +333,10 @@ template(`ssh_per_userdomain_template',`
nis_use_ypbind($1_ssh_agent_t)
')
- optional_policy(`xdm.te', `
- # KDM:
- #xdm_sigchld($1_ssh_agent_t)
- ')
+# optional_policy(`xdm.te', `
+# # KDM:
+# xdm_sigchld($1_ssh_agent_t)
+# ')
ifdef(`TODO',`
ifdef(`xdm.te',`
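Review bot: The xdm block is parked with column-0 `#` lines inside an indented template, while the same commit parks code in mta.if and mta.te with an `ifdef` on TODO; using two mechanisms for the same purpose makes a search for disabled policy unreliable, and the column-0 lines also break the template's indentation. The new form uncomments `xdm_sigchld($1_ssh_agent_t)` inside the comment, so the visible net effect is only that the formerly empty optional block is gone; the `# KDM:` line still gives no reason for the call being disabled. Consider wrapping the block in the TODO ifdef like the rest of the commit and adding `# KDM: xdm_sigchld disabled pending <reason placeholder>`.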
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index a574392..61bb2ec 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -451,9 +451,6 @@ interface(`auth_rw_lastlog',`
interface(`auth_domtrans_pam',`
gen_require(`
type pam_t, pam_exec_t;
- class process sigchld;
- class fd
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,pam_exec_t,pam_t)
diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if
index c960b6c..35c144e 100644
--- a/refpolicy/policy/modules/system/lvm.if
+++ b/refpolicy/policy/modules/system/lvm.if
@@ -11,9 +11,6 @@
interface(`lvm_domtrans',`
gen_require(`
type lvm_t, lvm_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -42,7 +39,6 @@ interface(`lvm_domtrans',`
interface(`lvm_run',`
gen_require(`
type lvm_t;
- class chr_file rw_term_perms;
')
lvm_domtrans($1)
@@ -60,9 +56,7 @@ interface(`lvm_run',`
#
interface(`lvm_read_config',`
gen_require(`
- type lvm_t, lvm_exec_t;
- class dir r_dir_perms;
- class file r_file_perms;
+ type lvm_t, lvm_etc_t;
')
files_search_etc($1)
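Review bot: The new require `type lvm_t, lvm_etc_t;` still lists lvm_t in an interface whose name says it only reads configuration; if the body after `files_search_etc($1)` (outside the hunk) references only lvm_etc_t, lvm_t should be dropped as well, leaving `type lvm_etc_t;`. Swapping lvm_exec_t for lvm_etc_t itself matches the interface's purpose, as an exec type has no place in a read-config interface.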
diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if
index 9bb2340..b7f78b0 100644
--- a/refpolicy/policy/modules/system/modutils.if
+++ b/refpolicy/policy/modules/system/modutils.if
@@ -11,7 +11,6 @@
interface(`modutils_read_mods_deps',`
gen_require(`
type modules_dep_t;
- class file r_file_perms;
')
bootloader_list_kernel_modules($1)
@@ -30,7 +29,6 @@ interface(`modutils_read_mods_deps',`
interface(`modutils_read_module_conf',`
gen_require(`
type modules_conf_t;
- class file r_file_perms;
')
# This file type can be in /etc or
@@ -69,9 +67,6 @@ interface(`modutils_rename_module_conf',`
interface(`modutils_domtrans_insmod',`
gen_require(`
type insmod_t, insmod_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -103,7 +98,6 @@ interface(`modutils_domtrans_insmod',`
interface(`modutils_run_insmod',`
gen_require(`
type insmod_t;
- class chr_file rw_term_perms;
')
modutils_domtrans_insmod($1)
@@ -135,9 +129,6 @@ interface(`modutils_exec_insmod',`
interface(`modutils_domtrans_depmod',`
gen_require(`
type depmod_t, depmod_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -166,7 +157,6 @@ interface(`modutils_domtrans_depmod',`
interface(`modutils_run_depmod',`
gen_require(`
type depmod_t;
- class chr_file rw_term_perms;
')
modutils_domtrans_depmod($1)
@@ -180,7 +170,7 @@ interface(`modutils_run_depmod',`
#
interface(`modutils_exec_depmod',`
gen_require(`
- type depmod_t;
+ type depmod_exec_t;
')
corecmd_search_sbin($1)
@@ -198,9 +188,6 @@ interface(`modutils_exec_depmod',`
interface(`modutils_domtrans_update_mods',`
gen_require(`
type update_modules_t, update_modules_exec_t;
- class process signal;
- class fd use;
- class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
@@ -229,7 +216,6 @@ interface(`modutils_domtrans_update_mods',`
interface(`modutils_run_update_mods',`
gen_require(`
type update_modules_t;
- class chr_file rw_term_perms;
')
modutils_domtrans_update_mods($1)
@@ -243,10 +229,9 @@ interface(`modutils_run_update_mods',`
#
interface(`modutils_exec_update_mods',`
gen_require(`
- type update_modules_t;
+ type update_modules_exec_t;
')
corecmd_search_sbin($1)
can_exec($1, update_modules_exec_t)
')
-
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 0006949..10da914 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,6 +1,10 @@
policy_module(selinuxutil,1.0)
+gen_require(`
+ bool secure_mode;
+')
+
########################################
#
# Declarations
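Review bot: The top-level `gen_require(` for `bool secure_mode;` has no comment saying why this module needs a boolean declared elsewhere or which rules below depend on it, and those rules are outside the hunk, so the require reads as unexplained. I would add `# secure_mode is presumably declared outside this module; required for the conditional rules below`, and if the dependent rules sit in a single block, a reference to it. A module-level require placed above the Declarations banner is also unusual relative to the per-interface requires used elsewhere in this commit, so the placement deserves a word.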
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 18d669f..013f085 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -641,7 +641,7 @@ template(`unpriv_user_template', `
# Need the following rule to allow users to run vpnc
optional_policy(`xserver.te', `
- corenetwork_bind_tcp_on_xserver_port($1_t)
+ corenet_tcp_bind_xserver_port($1_t)
')
ifdef(`TODO',`