diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 69b4342..23b4e59 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -2,9 +2,15 @@
## Enable extra rules in the cron domain
## to support fcron.
##
-tunable_def(fcron_crond,false)
+gen_tunable(fcron_crond,false)
##
## Allow the use of DNS for name resolution.
##
-tunable_def(use_dns,false)
+gen_tunable(use_dns,false)
+
+##
+## Allow system cron jobs to relabel filesystem
+## for restoring file contexts.
+##
+gen_tunable(cron_can_relabel,false)
diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te
index 735d869..074246d 100644
--- a/refpolicy/policy/modules/admin/dmesg.te
+++ b/refpolicy/policy/modules/admin/dmesg.te
@@ -51,7 +51,7 @@ userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dmesg_t)
- terminal_ignore_use_general_pseudoterminal(dmesg_t)
+ term_dontaudit_use_generic_pty(dmesg_t)
files_dontaudit_read_root_file(dmesg_t)
')
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 525fff2..7d25e80 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -6,9 +6,6 @@ policy_module(cron, 1.0)
# Declarations
#
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-
type anacron_exec_t;
files_file_type(anacron_exec_t)
@@ -126,7 +123,7 @@ tunable_policy(`fcron_crond', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(crond_t)
- terminal_ignore_use_general_pseudoterminal(crond_t)
+ term_dontaudit_use_generic_pty(crond_t)
files_dontaudit_read_root_file(crond_t)
')
@@ -292,9 +289,9 @@ miscfiles_rw_man_cache(system_crond_t)
selinux_read_config(system_crond_t)
-if (cron_can_relabel) {
+tunable_policy(`cron_can_relabel',`
selinux_domtrans_setfiles(system_crond_t)
-} else {
+',`
kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_context(system_crond_t)
kernel_compute_access_vector(system_crond_t)
@@ -302,7 +299,7 @@ if (cron_can_relabel) {
kernel_compute_relabel_context(system_crond_t)
kernel_compute_reachable_user_contexts(system_crond_t)
selinux_read_file_contexts(system_crond_t)
-}
+')
ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 4fe5d0c..7bce7c0 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -90,7 +90,7 @@ sysnet_read_config(sendmail_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(sendmail_t)
- terminal_ignore_use_general_pseudoterminal(sendmail_t)
+ term_dontaudit_use_generic_pty(sendmail_t)
files_dontaudit_read_root_file(sendmail_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 9cc541d..ab39a7c 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -152,7 +152,6 @@ term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
init_use_fd(pam_console_t)
-init_use_fd(pam_console_t)
init_use_script_pty(pam_console_t)
domain_use_wide_inherit_fd(pam_console_t)
@@ -176,7 +175,7 @@ ifdef(`direct_sysadm_daemon', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(pam_console_t)
- terminal_ignore_use_general_pseudoterminal(pam_console_t)
+ term_dontaudit_use_generic_pty(pam_console_t)
files_dontaudit_read_root_file(pam_console_t)
')
@@ -186,7 +185,7 @@ optional_policy(`hotplug.te', `
')
optional_policy(`selinux.te',`
-selinux_newrole_sigchld(pam_console_t)
+ selinux_newrole_sigchld(pam_console_t)
')
optional_policy(`udev.te', `
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 6cad75b..df0aa9e 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -59,7 +59,7 @@ miscfiles_read_localization(hwclock_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hwclock_t)
- terminal_ignore_use_general_pseudoterminal(hwclock_t)
+ term_dontaudit_use_generic_pty(hwclock_t)
files_dontaudit_read_root_file(hwclock_t)
')
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index ae17162..34ec9a9 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -29,8 +29,6 @@ kernel_read_kernel_sysctl(hostname_t)
kernel_read_hardware_state(hostname_t)
kernel_dontaudit_use_fd(hostname_t)
-files_read_generic_etc_files(hostname_t)
-files_dontaudit_search_var(hostname_t)
fs_getattr_xattr_fs(hostname_t)
term_dontaudit_use_console(hostname_t)
@@ -42,6 +40,8 @@ init_use_script_pty(hostname_t)
domain_use_wide_inherit_fd(hostname_t)
+files_read_generic_etc_files(hostname_t)
+files_dontaudit_search_var(hostname_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hostname_t)
@@ -60,7 +60,7 @@ ifdef(`distro_redhat', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hostname_t)
- terminal_ignore_use_general_pseudoterminal(hostname_t)
+ term_dontaudit_use_generic_pty(hostname_t)
files_dontaudit_read_root_file(hostname_t)
')
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 991c4fb..a35f1d0 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -119,7 +119,7 @@ ifdef(`distro_redhat', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hotplug_t)
- terminal_ignore_use_general_pseudoterminal(hotplug_t)
+ term_dontaudit_use_generic_pty(hotplug_t)
files_dontaudit_read_root_file(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te
index c2b04e8..8e6d477 100644
--- a/refpolicy/policy/modules/system/iptables.te
+++ b/refpolicy/policy/modules/system/iptables.te
@@ -98,7 +98,7 @@ optional_policy(`udev.te', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(iptables_t)
- terminal_ignore_use_general_pseudoterminal(iptables_t)
+ term_dontaudit_use_generic_pty(iptables_t)
files_dontaudit_read_root_file(iptables_t)
')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index f2fe8aa..3b6ba04 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -81,7 +81,7 @@ miscfiles_read_localization(auditd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t)
- terminal_ignore_use_general_pseudoterminal(auditd_t)
+ term_dontaudit_use_generic_pty(auditd_t)
files_dontaudit_read_root_file(auditd_t)
')
@@ -245,7 +245,7 @@ ifdef(`klogd.te', `', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t)
- terminal_ignore_use_general_pseudoterminal(syslogd_t)
+ term_dontaudit_use_generic_pty(syslogd_t)
files_dontaudit_read_root_file(syslogd_t)
')
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 82f9752..382379a 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -143,7 +143,7 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(lvm_t)
- terminal_ignore_use_general_pseudoterminal(lvm_t)
+ term_dontaudit_use_generic_pty(lvm_t)
files_dontaudit_read_root_file(lvm_t)
')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 4b8e79d..efb45c8 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -139,7 +139,7 @@ ifdef(`distro_redhat', `
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dhcpc_t)
- terminal_ignore_use_general_pseudoterminal(dhcpc_t)
+ term_dontaudit_use_generic_pty(dhcpc_t)
files_dontaudit_read_root_file(dhcpc_t)
')
@@ -153,7 +153,7 @@ optional_policy(`hostname.te',`
')
optional_policy(`nscd.te',`
- nscd_transition(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
')
optional_policy(`selinux.te',`
@@ -173,10 +173,10 @@ optional_policy(`userdomain.te',`
#
init_exec_script(dhcpc_t)
optional_policy(`ypbind.te',`
- ypbind_transition(dhcpc_t)
+ ypbind_domtrans(dhcpc_t)
')
optional_policy(`ntpd.te',`
- ntpd_transition(dhcpc_t)
+ ntpd_domtrans(dhcpc_t)
')
ifdef(`TODO',`
diff --git a/refpolicy/policy/support/loadable_module.spt b/refpolicy/policy/support/loadable_module.spt
index 36bb673..2ceba74 100644
--- a/refpolicy/policy/support/loadable_module.spt
+++ b/refpolicy/policy/support/loadable_module.spt
@@ -61,15 +61,15 @@ define(`optional_policy',`
# tunable value as specified by the policy
# or if the override value should be used
#
-define(`deflt_or_overr',`ifdef(`$1',$1,$2)')
+define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
##############################
#
# Tunable declaration
#
-define(`tunable_def',`
+define(`gen_tunable',`
ifdef(`monolithic_policy',`
- bool $1 deflt_or_overr(`$1'_conf,$2);
+ bool $1 dflt_or_overr(`$1'_conf,$2);
',`
# loadable module tunable
# declaration will go here