diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f11c1c4..f91ce4a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
* Misc. cleanups.
* Added policies:
acct
+ loadkeys
mysql
quota
su
diff --git a/refpolicy/policy/modules/apps/loadkeys.fc b/refpolicy/policy/modules/apps/loadkeys.fc
new file mode 100644
index 0000000..040d261
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.fc
@@ -0,0 +1,3 @@
+
+/bin/loadkeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)
+/bin/unikeys -- context_template(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/loadkeys.if b/refpolicy/policy/modules/apps/loadkeys.if
new file mode 100644
index 0000000..cf97b11
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.if
@@ -0,0 +1,67 @@
+## Load keyboard mappings.
+
+########################################
+##
+## Execute the loadkeys program in the loadkeys domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`loadkeys_domtrans',`
+ gen_require(`
+ type loadkeys_t, loadkeys_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, loadkeys_exec_t, loadkeys_t)
+
+ allow $1 loadkeys_t:fd use;
+ allow loadkeys_t $1:fd use;
+ allow loadkeys_t $1:fifo_file rw_file_perms;
+ allow loadkeys_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute the loadkeys program in the loadkeys domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to allow the loadkeys domain.
+##
+##
+## The type of the terminal allow the loadkeys domain to use.
+##
+#
+interface(`loadkeys_run',`
+ gen_require(`
+ type loadkeys_t;
+ class chr_file rw_term_perms;
+ ')
+
+ loadkeys_domtrans($1)
+ role $2 types loadkeys_t;
+ allow loadkeys_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Execute the loadkeys program in the caller domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`loadkeys_exec',`
+ gen_require(`
+ type loadkeys_exec_t;
+ ')
+
+ can_exec($1,loadkeys_exec_t)
+')
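Review bot: The header comment of `loadkeys_run` (L57) repeats the summary of `loadkeys_domtrans` word for word, although the interface also assigns the role and grants terminal access, so the two read as duplicates; suggest `## Execute the loadkeys program in the loadkeys domain, allow the role to run it, and allow the domain to use the given terminal.` The parameter text on L66 is also missing a word and should read `## The type of the terminal to allow the loadkeys domain to use.` The same tag-less `##` layout is used for all three interfaces here, so whichever form the other .if files use for summary and parameter markup should be applied consistently.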
diff --git a/refpolicy/policy/modules/apps/loadkeys.te b/refpolicy/policy/modules/apps/loadkeys.te
new file mode 100644
index 0000000..7e58c33
--- /dev/null
+++ b/refpolicy/policy/modules/apps/loadkeys.te
@@ -0,0 +1,39 @@
+
+policy_module(loadkeys,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# cjp: this should probably be rewritten
+# per user domain, since it can rw
+# all user domain ttys
+
+type loadkeys_t;
+domain_type(loadkeys_t)
+
+type loadkeys_exec_t;
+domain_entry_file(loadkeys_t,loadkeys_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow loadkeys_t self:capability { setuid sys_tty_config };
+allow loadkeys_t self:fifo_file rw_file_perms;
+
+kernel_read_system_state(loadkeys_t)
+
+corecmd_exec_bin(loadkeys_t)
+corecmd_exec_shell(loadkeys_t)
+
+files_dontaudit_read_etc_runtime_files(loadkeys_t)
+
+libs_use_ld_so(loadkeys_t)
+libs_use_shared_libs(loadkeys_t)
+
+locallogin_use_fd(loadkeys_t)
+
+miscfiles_read_localization(loadkeys_t)
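Review bot: Granting `corecmd_exec_bin` and `corecmd_exec_shell` (L129–L130) to a domain that also holds `setuid` and `sys_tty_config` (L124) gives loadkeys_t considerably more reach than loading a keymap suggests, and the file does not say why any of these are needed. A short why-comment above L124 and L129 would let a later reviewer judge whether each rule is still required, e.g. `# loadkeys appears to spawn helpers through a shell (keymap decompression?) -- confirm and narrow if possible`. The existing `cjp` note (L109–L111) already records the tty concern; recording the capability and exec rationale next to it keeps the module's known-broad rules in one place.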
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index ecfc8dd..576dfde 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -923,34 +923,64 @@ interface(`files_create_boot_flag',`
')
########################################
+##
+## Read files in /etc that are dynamically
+## created on boot, such as mtab.
+##
+##
+## Domain allowed access.
+##
#
-# files_manage_etc_runtime_files(type)
-#
-interface(`files_manage_etc_runtime_files',`
+interface(`files_read_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
- class dir rw_dir_perms;
- class file create_file_perms;
+ class dir r_dir_perms;
+ class file r_file_perms;
')
- allow $1 etc_t:dir rw_dir_perms;
- allow $1 etc_runtime_t:file create_file_perms;
- type_transition $1 etc_t:file etc_runtime_t;
+ allow $1 etc_t:dir r_dir_perms;
+ allow $1 etc_runtime_t:file r_file_perms;
')
########################################
+##
+## Do not audit attempts to read files
+## in /etc that are dynamically
+## created on boot, such as mtab.
+##
+##
+## Domain to not audit.
+##
#
-# files_read_etc_runtime_files(domain)
+interface(`files_dontaudit_read_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ class file { getattr read };
+ ')
+
+ allow $1 etc_runtime_t:file { getattr read };
+')
+
+########################################
+##
+## Create, read, write, and delete files in
+## /etc that are dynamically created on boot,
+## such as mtab.
+##
+##
+## Domain allowed access.
+##
#
-interface(`files_read_etc_runtime_files',`
+interface(`files_manage_etc_runtime_files',`
gen_require(`
type etc_t, etc_runtime_t;
- class dir r_dir_perms;
- class file r_file_perms;
+ class dir rw_dir_perms;
+ class file create_file_perms;
')
- allow $1 etc_t:dir r_dir_perms;
- allow $1 etc_runtime_t:file r_file_perms;
+ allow $1 etc_t:dir rw_dir_perms;
+ allow $1 etc_runtime_t:file create_file_perms;
+ type_transition $1 etc_t:file etc_runtime_t;
')
########################################
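Review bot: `files_dontaudit_read_etc_runtime_files` is implemented with `allow` (L189), so callers such as the new loadkeys module are silently granted read access to etc_runtime_t instead of merely having the denial suppressed, which is the opposite of what the interface name and its header (L174–L176) promise; the line should be `dontaudit $1 etc_runtime_t:file { getattr read };`. The `gen_require` block on L184–L187 is fine as written since dontaudit rules need the same type and class declarations. The other two interfaces in this hunk are a reorder of existing code with no behavioural change.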
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 129b41c..6c39e70 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -381,6 +381,10 @@ optional_policy(`kerberos.te',`
kerberos_use(initrc_t)
')
+optional_policy(`loadkeys.te',`
+ loadkeys_exec(initrc_t)
+')
+
optional_policy(`lvm.te',`
#allow initrc_t lvm_control_t:chr_file unlink;
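Review bot: `loadkeys_exec(initrc_t)` (L226) keeps loadkeys running in initrc_t rather than transitioning into the new loadkeys_t domain, so none of the loadkeys.te restrictions apply at boot; if that is intended because initrc_t is already privileged, a one-line comment such as `# loadkeys runs in initrc_t at boot; no domain transition needed` would stop the next reader from "fixing" it to `loadkeys_domtrans`. The surrounding lvm `optional_policy` block continues beyond the hunk.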
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cc1a1b4..d3809ef 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -543,6 +543,10 @@ template(`unpriv_user_template', `
kerberos_use($1_t)
')
+ optional_policy(`loadkeys.te',`
+ loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ ')
+
# for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',`
modutils_read_module_conf($1_t)
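Review bot: `loadkeys_run($1_t,$1_r,$1_tty_device_t)` (L239) lets every unprivileged user domain transition into a single shared loadkeys_t, and because each instantiation adds `rw_term_perms` on its own `$1_tty_device_t`, the one domain accumulates read/write access to every user's tty type — exactly the concern recorded in loadkeys.te's `cjp` comment. A comment here pointing at that note, e.g. `# loadkeys_t is shared across user domains; see the note in loadkeys.te`, would make the trade-off visible at the call site. The enclosing `unpriv_user_template` starts and ends outside this hunk.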