diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 9c5445b..7078d54 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Remove kernel module reversed interfaces.
- Add filename attribute to module XML tag and lineno attribute to
interface XML tag.
- Changed QUIET build option to a yes or no option.
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 323164a..b512d8e 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -216,6 +216,23 @@ interface(`kernel_tcp_recvfrom',`
########################################
##
+## Send UDP network traffic to the kernel.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_udp_sendto',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:udp_socket sendto;
+ allow kernel_t $1:udp_socket recvfrom;
+')
+
+########################################
+##
## Receive messages from kernel UDP sockets.
##
##
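Review bot: The new interface grants only the $1 → kernel_t direction (`allow $1 kernel_t:udp_socket sendto` plus the matching `recvfrom` for kernel_t), which is the reverse of the removed `kernel_udp_sendfrom`, so a caller that swaps one name for the other changes which side is allowed to send. The summary should say this so the substitution is not mistaken for a rename, e.g. `## Send UDP network traffic to the kernel. Only domain-to-kernel traffic is granted; a module whose domain must also receive traffic from the kernel provides its own *_udp_sendto(kernel_t) interface for kernel.te to call.` The XML tags around the summary and parameter appear stripped in this rendering, so I cannot tell whether the `<param name="domain">` markup is intact.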
@@ -1667,197 +1684,3 @@ interface(`kernel_unconfined',`
kernel_rw_all_sysctl($1)
')
-
-################################################################################
-#
-# Reversed interfaces
-#
-# The following are reversed interfaces, meaning the point of view of the caller
-# of the interface is the object (target) type, rather than the subject (source)
-# type, like all other interfaces in the policy. These interfaces are here to
-# decouple policy from the base module, and should not be used anywhere else.
-#
-################################################################################
-
-########################################
-##
-## Allow the kernel to send a SIGCHLD
-## signal to the specified domain.
-##
-##
-## Domain receiving the SIGCHLD.
-##
-#
-interface(`kernel_sigchld_from',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:process sigchld;
-')
-
-########################################
-##
-## Allow unlabeled processes to send a SIGCHLD
-## signal to the specified domain.
-##
-##
-## Domain receiving the SIGCHLD.
-##
-#
-interface(`kernel_sigchld_from_unlabeled',`
- gen_require(`
- type unlabeled_t;
- ')
-
- allow unlabeled_t $1:process sigchld;
-')
-
-########################################
-##
-## Allow the kernel to search the
-## specified directory.
-##
-##
-## Directory type to search.
-##
-#
-interface(`kernel_search_from',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:dir search;
-')
-
-########################################
-##
-## Allow the kernel to read the contents
-## of the specified directory.
-##
-##
-## Directory type to list.
-##
-#
-interface(`kernel_list_from',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:dir r_dir_perms;
-')
-
-########################################
-##
-## Allow the kernel to read the
-## specified file.
-##
-##
-## Directory type to list.
-##
-#
-interface(`kernel_read_file_from',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:file r_file_perms;
-')
-
-########################################
-##
-## Use the specified types for /lib directory
-## and use the dynamic link/loader for automatic loading
-## of shared libraries, and the link/loader
-## cache.
-##
-##
-## The type of the lib directories.
-##
-##
-## The type of the dynamic link/loader.
-##
-##
-## The type of the dynamic link/loader cache.
-##
-#
-interface(`kernel_use_ld_so_from',`
- gen_require(`
- type kernel_t;
- ')
-
- files_list_etc(kernel_t)
- allow kernel_t $1:dir r_dir_perms;
- allow kernel_t $1:lnk_file r_file_perms;
- allow kernel_t $2:lnk_file r_file_perms;
- allow kernel_t $2:file rx_file_perms;
- allow kernel_t $3:file r_file_perms;
-')
-
-########################################
-##
-## Allow the kernel to load and execute
-## functions from the specified shared libraries.
-##
-##
-## The type of the lib directories.
-##
-##
-## Shared library type.
-##
-#
-interface(`kernel_use_shared_libs_from',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:dir r_dir_perms;
- allow kernel_t $1:lnk_file r_file_perms;
- allow kernel_t $2:lnk_file r_file_perms;
- allow kernel_t $2:file rx_file_perms;
-')
-
-#######################################
-##
-## Allow the kernel to send a syslog
-## message to the specified domain,
-## connecting over the specified named
-## socket.
-##
-##
-## The type of the named socket file.
-##
-##
-## The domain of the syslog daemon.
-##
-#
-interface(`kernel_send_syslog_msg_from',`
- gen_require(`
- type syslogd_t, devlog_t;
- ')
-
- allow kernel_t $1:lnk_file read;
- allow kernel_t $1:sock_file rw_file_perms;
-
- # the type of socket depends on the syslog daemon
- allow kernel_t $2:unix_dgram_socket sendto;
- allow kernel_t $2:unix_stream_socket connectto;
-')
-
-########################################
-##
-## Allow the kernel to send UDP network traffic
-## the specified domain.
-##
-##
-## The type of the receiving domain.
-##
-#
-interface(`kernel_udp_sendfrom',`
- gen_require(`
- type kernel_t;
- ')
-
- allow kernel_t $1:udp_socket sendto;
- allow $1 kernel_t:udp_socket recvfrom;
-')
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index e5f3996..b6a5823 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.2.0)
+policy_module(kernel,1.2.1)
########################################
#
@@ -244,10 +244,31 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(kernel_t)
')
+optional_policy(`hotplug',`
+ hotplug_search_config(kernel_t)
+')
+
+optional_policy(`init',`
+ init_sigchld(kernel_t)
+')
+
+optional_policy(`libraries',`
+ libs_use_ld_so(kernel_t)
+ libs_use_shared_libs(kernel_t)
+')
+
+optional_policy(`logging',`
+ logging_send_syslog_msg(kernel_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(kernel_t)
')
+optional_policy(`portmap',`
+ portmap_udp_sendto(kernel_t)
+')
+
optional_policy(`rpc',`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
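Review bot: `libs_use_ld_so(kernel_t)` replaces the removed `kernel_use_ld_so_from`, but that reversed interface also called `files_list_etc(kernel_t)` alongside the lib and ld.so grants; the definition of `libs_use_ld_so` is not in this patch, so confirm it (or a rule already present in kernel.te) still lets kernel_t list /etc, otherwise the ld.so.cache lookup may begin to be denied. Likewise `portmap_udp_sendto(kernel_t)` is not defined anywhere in this diff; to preserve what `kernel_udp_sendfrom(portmap_t)` granted it must allow kernel_t → portmap_t traffic, not the reverse. A one-line comment on the libraries block would help the next reader, e.g. `# replaces the reversed kernel_use_ld_so_from/kernel_use_shared_libs_from calls formerly in libraries.te`.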
@@ -271,9 +292,7 @@ optional_policy(`rpc',`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
-
rpc_udp_rw_nfs_sockets(kernel_t)
- #rpc_udp_sendto_sockets(kernel_t)
rpc_udp_sendto_nfs(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -295,6 +314,11 @@ optional_policy(`rpc',`
')
')
+optional_policy(`selinuxutil',`
+ seutil_read_config(kernel_t)
+ seutil_read_binary_pol(kernel_t)
+')
+
########################################
#
# Unlabeled process local policy
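Review bot: The selinuxutil block carries no rationale, unlike the rpc block above and the init block below, and kernel_t reading the binary policy is exactly the grant a later reviewer will question. Presumably it covers early-boot userspace still running in kernel_t before the first domain transition (the removed `kernel_list_from`/`kernel_read_file_from` calls in selinuxutil.te gave the same access without explanation); if that is the reason, state it: `# early userspace still runs in kernel_t and must read the policy config and the binary policy`. I cannot confirm the motivation from the diff alone, so verify the wording before committing it.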
@@ -303,3 +327,11 @@ optional_policy(`rpc',`
ifdef(`targeted_policy',`
allow unlabeled_t self:filesystem associate;
')
+
+optional_policy(`init',`
+ # If you load a new policy that removes active domains, processes can
+ # get stuck if you do not allow unlabeled processes to signal init.
+ # If you load an incompatible policy, you should probably reboot,
+ # since you may have compromised system security.
+ init_sigchld(unlabeled_t)
+')
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index 96bcc65..d0ecdbd 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap,1.1.0)
+policy_module(portmap,1.1.1)
########################################
#
@@ -45,7 +45,6 @@ files_filetrans_pid(portmap_t,portmap_var_run_t)
kernel_read_kernel_sysctl(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
-kernel_udp_sendfrom(portmap_t)
kernel_tcp_recvfrom(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 50ba3a3..eeb169f 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -258,11 +258,10 @@ interface(`rpc_udp_rw_nfs_sockets',`
########################################
##
-## Allow NFS to send UDP network traffic
-## the specified domain and recieve from it.
+## Send UDP traffic to NFSd.
##
##
-## The type of the receiving domain.
+## Domain allowed access.
##
#
interface(`rpc_udp_sendto_nfs',`
@@ -270,8 +269,8 @@ interface(`rpc_udp_sendto_nfs',`
type nfsd_t;
')
- allow nfsd_t $1:udp_socket sendto;
- allow $1 nfsd_t:udp_socket recvfrom;
+ allow $1 nfsd_t:udp_socket sendto;
+ allow nfsd_t $1:udp_socket recvfrom;
')
########################################
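Review bot: The interface keeps its name while the direction of its grants is inverted (previously nfsd_t → $1, now $1 → nfsd_t), so any caller of `rpc_udp_sendto_nfs` outside this patch silently receives the opposite access. The only caller visible here, `rpc_udp_sendto_nfs(kernel_t)` in kernel.te, is compensated by moving nfsd_t to `kernel_udp_sendto`, but the Changelog entry records only the removal of the reversed interfaces. Record the inversion there and grep the tree for other callers before merging.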
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index db9be79..8743033 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.1.0)
+policy_module(rpc,1.1.1)
########################################
#
@@ -84,7 +84,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
-kernel_udp_sendfrom(nfsd_t)
+kernel_udp_sendto(nfsd_t)
kernel_tcp_recvfrom(nfsd_t)
corenet_udp_bind_generic_port(nfsd_t)
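Review bot: `kernel_udp_sendto(nfsd_t)` is not a like-for-like replacement for the removed `kernel_udp_sendfrom(nfsd_t)`: the new call grants nfsd_t → kernel_t traffic, the old one granted kernel_t → nfsd_t. The kernel_t → nfsd_t half now comes from `rpc_udp_sendto_nfs(kernel_t)` in kernel.te after that interface's inversion in this same patch, so the net access for nfsd_t is unchanged, but neither file says so. A comment on the changed line would stop a later cleanup from dropping one half: `kernel_udp_sendto(nfsd_t) # nfsd -> kernel; kernel -> nfsd is granted from kernel.te via rpc_udp_sendto_nfs(kernel_t)`.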
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 4ae405c..de64e15 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.1.0)
+policy_module(hotplug,1.1.1)
########################################
#
@@ -13,7 +13,6 @@ init_daemon_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t;
files_config_file(hotplug_etc_t)
-kernel_search_from(hotplug_etc_t)
init_daemon_domain(hotplug_t,hotplug_etc_t)
type hotplug_var_run_t;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 91fa300..60754d0 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.2.0)
+policy_module(init,1.2.1)
gen_require(`
class passwd rootok;
@@ -118,12 +118,6 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t)
kernel_read_system_state(init_t)
kernel_share_state(init_t)
-kernel_sigchld_from(init_t)
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init.
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-kernel_sigchld_from_unlabeled(init_t)
dev_read_sysfs(init_t)
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index edece21..2b31a94 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -24,9 +24,6 @@ files_type(ld_so_t)
type lib_t;
files_type(lib_t)
-kernel_use_ld_so_from(lib_t,ld_so_t,ld_so_cache_t)
-kernel_use_shared_libs_from(lib_t,{ shlib_t textrel_shlib_t })
-
#
# shlib_t is the type of shared objects in the system lib
# directories.
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 082d7f6..4a49c91 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -296,7 +296,6 @@ files_filetrans_pid(syslogd_t,syslogd_var_run_t)
kernel_read_kernel_sysctl(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
-kernel_send_syslog_msg_from(devlog_t,syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index ba76789..3bc1b79 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -22,8 +22,6 @@ attribute can_relabelto_binary_policy;
# (fix dup decl)
type selinux_config_t;
files_type(selinux_config_t)
-kernel_list_from(selinux_config_t)
-kernel_read_file_from(selinux_config_t)
type checkpolicy_t, can_write_binary_policy;
domain_type(checkpolicy_t)
@@ -68,8 +66,6 @@ domain_entry_file(newrole_t,newrole_exec_t)
#
type policy_config_t;
files_type(policy_config_t)
-kernel_list_from(policy_config_t)
-kernel_read_file_from(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };