diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index eddbb0d..57ab907 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dir(bootloader_t)
corecmd_exec_bin(bootloader_t)
corecmd_exec_sbin(bootloader_t)
@@ -149,8 +150,18 @@ ifdef(`distro_debian',`
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
allow bootloader_t boot_t:file relabelfrom;
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabelto_usr_files(bootloader_t)
+ files_search_var_lib(bootloader_t)
+ files_list_script_pids(bootloader_t)
# for /usr/share/initrd-tools/scripts
files_exec_usr_files(bootloader_t)
+
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
')
ifdef(`distro_redhat',`
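Review bot: `files_list_script_pids(bootloader_t)`, the new line after `files_search_var_lib`, does not name an interface this commit defines: the init.if hunk adds `init_list_script_pids`, and no `files_list_script_pids` appears anywhere in the diff. Unless it exists elsewhere in the tree, m4 passes the call through unexpanded and the module fails to compile; the line should read `init_list_script_pids(bootloader_t)`. That interface already calls `files_search_pids($1)`, so no extra search rule is needed here. The `ifdef(`distro_debian'` block this hunk edits starts above the hunk.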
@@ -204,16 +215,15 @@ optional_policy(`userdomain.te',`
')
ifdef(`TODO',`
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
ifdef(`distro_debian', `
- allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
- allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
- allow bootloader_t tmpfs_t:dir r_dir_perms;
- allow bootloader_t initrc_var_run_t:dir r_dir_perms;
- allow bootloader_t var_lib_t:dir search;
+ # cjp: there is no setfscreate or type_transition, and
+ # bootloader_t cannot rw a usr_t or lib_t directory, so
+ # how can this work? This is probably rw_file_perms,
+ # possibly with unlink. Files are probably "created"
+ # by the above relabeling permissions.
+ allow bootloader_t { usr_t lib_t }:file create_file_perms;
+
allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
allow bootloader_t dpkg_var_lib_t:file { getattr read };
-
')
-
') dnl end TODO
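Review bot: The new cjp comment questions how `create_file_perms` on usr_t/lib_t files can work without setfscreate or a type_transition, yet the same grant on fsadm_exec_t, dropped from this TODO block on the old side, is now live policy via `fstools_manage_entry_files(bootloader_t)` in the distro_debian hunk above, and the objection applies equally there. Either keep the fsadm_exec_t grant in TODO with the others until the real access is understood, or record next to the live call why write access to the filesystem-tool executables is needed, e.g. `# initrd build rewrites copies of the fsadm tools (see initrd-tools scripts) -- confirm`; the diff itself does not show the reason.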
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 36c1184..15eb72e 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -233,7 +233,7 @@ interface(`term_list_ptys',`
########################################
##
## Do not audit attempts to read the
-## /dev/pts directory to.
+## /dev/pts directory.
##
##
## The type of the process to not audit.
@@ -250,6 +250,24 @@ interface(`term_dontaudit_list_ptys',`
########################################
##
+## Do not audit attempts to create, read,
+## write, or delete the /dev/pts directory.
+##
+##
+## The type of the process to not audit.
+##
+#
+interface(`term_dontaudit_manage_pty_dir',`
+ gen_require(`
+ type devpts_t;
+ class dir create_dir_perms;
+ ')
+
+ dontaudit $1 devpts_t:dir create_dir_perms;
+')
+
+########################################
+##
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
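Review bot: The summary describes the silenced access as create, read, write, or delete, but the rule dontaudits the whole `create_dir_perms` set on devpts_t; if that macro, as defined in the policy's permission-set support file, also covers rename, reparent, rmdir or setattr, the summary under-describes what this interface hides. Confirm the set and either narrow it to what the bootloader actually trips or widen the summary, e.g. `## Do not audit attempts to manage (create, read, write, delete, rename, or remove) the /dev/pts directory.` Since this is a dontaudit, any pty-directory access the caller genuinely needs will no longer surface in the audit log, which deserves a sentence in the description.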
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 576dfde..6acc26c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1593,6 +1593,23 @@ interface(`files_read_usr_files',`
########################################
##
+## Relabel a file to the type used in /usr.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_relabelto_usr_files',`
+ gen_require(`
+ type usr_t;
+ class file relabelto;
+ ')
+
+ allow $1 usr_t:file relabelto;
+')
+
+########################################
+##
## Read symbolic links in /usr.
##
##
diff --git a/refpolicy/policy/modules/system/fstools.if b/refpolicy/policy/modules/system/fstools.if
index bb2f5fa..f6a52b9 100644
--- a/refpolicy/policy/modules/system/fstools.if
+++ b/refpolicy/policy/modules/system/fstools.if
@@ -65,3 +65,38 @@ interface(`fstools_exec',`
can_exec($1,fsadm_exec_t)
')
+
+########################################
+##
+## Relabel a file to the type used by the
+## filesystem tools programs.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fstools_relabelto_entry_files',`
+ gen_require(`
+ type fsadm_exec_t;
+ ')
+
+ allow $1 fsadm_exec_t:file relabelto;
+')
+
+########################################
+##
+## Create, read, write, and delete a file used by the
+## filesystem tools programs.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fstools_manage_entry_files',`
+ gen_require(`
+ type fsadm_exec_t;
+ class file create_file_perms;
+ ')
+
+ allow $1 fsadm_exec_t:file create_file_perms;
+')
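Review bot: The `gen_require` of `fstools_relabelto_entry_files` declares only `type fsadm_exec_t;`, while the two sibling relabelto interfaces added in this commit (files.if and libraries.if) also declare `class file relabelto;`; add `class file relabelto;` for consistency. Separately, `fstools_manage_entry_files` grants `create_file_perms` on fsadm_exec_t, the executable type that `fstools_exec` above runs through `can_exec`, so a caller can rewrite the filesystem-tool binaries that other domains execute; the summary should say so plainly, e.g. `## Create, read, write, and delete the filesystem tools executables. Callers can alter binaries that other domains execute.`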
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index d9c14e9..ad9cce6 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -485,6 +485,24 @@ interface(`init_rw_script_tmp_files',`
')
########################################
+##
+## List the contents of an init script
+## process id directory.
+##
+##
+## Domain allowed access.
+##
+interface(`init_list_script_pids',`
+ gen_require(`
+ type initrc_var_run_t;
+ class dir r_dir_perms;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:dir r_dir_perms;
+')
+
+########################################
#
# init_read_script_pid(domain)
#
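Review bot: The doc block of `init_list_script_pids` runs straight from its closing `##` line into `interface(`, with no bare `#` separator line; every other interface added in this commit (terminal.if, files.if, fstools.if, libraries.if) ends its `##` block with a `#` line before `interface(`. Add the `#` line so the header matches the convention the rest of the commit follows.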
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index d3e8a70..a651e4d 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -197,6 +197,23 @@ interface(`libs_exec_lib_files',`
########################################
##
+## Relabel files to the type used in library directories.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`libs_relabelto_lib_files',`
+ gen_require(`
+ type lib_t;
+ class file relabelto;
+ ')
+
+ allow $1 lib_t:file relabelto;
+')
+
+########################################
+##
## Load and execute functions from shared libraries.
##
##