diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index c2a81ad..89c8eb8 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -158,7 +158,9 @@ sysnet_read_config(rpm_t)
userdom_use_unpriv_users_fd(rpm_t)
-#cron_transition_from(rpm,rpm_exec_t)
+optional_policy(`cron.te',`
+ cron_system_entry(rpm_t,rpm_exec_t)
+')
optional_policy(`nis.te',`
nis_use_ypbind(rpm_t)
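Review bot: The new optional_policy block at the top of this hunk gives no reason for the transition into rpm_t, whereas the matching block added to fstools.te in this commit carries `# for smartctl cron jobs`; add a one-line comment naming the cron job that executes rpm_exec_t (I cannot tell from here which one it is) so the rule can be re-evaluated later. Because cron_system_entry is built on domain_auto_trans, every system cron job that executes an rpm_exec_t file will run in rpm_t with that domain's full privilege, not only the intended job, so the comment should make that scope explicit. The hunk replaces a commented-out `cron_transition_from` line, so this appears to re-enable a previously disabled transition rather than add a new one.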
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 516dfd3..0cfeafd 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -351,6 +351,25 @@ interface(`dev_manage_generic_symlinks',`
########################################
##
+## Relabel symbolic links in device directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_relabel_generic_symlinks',`
+ gen_require(`
+ type device_t;
+ class dir r_dir_perms;
+ class lnk_file { relabelfrom relabelto };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 device_t:lnk_file { relabelfrom relabelto };
+')
+
+########################################
+##
## Create, delete, read, and write device nodes in device directories.
##
##
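Review bot: The description of dev_relabel_generic_symlinks does not say that relabelfrom and relabelto are both granted only on device_t, so on its own the interface lets the caller relabel a device_t symlink only back to device_t; any useful relabel needs a relabelto on the destination type from some other rule. The lvm.te hunk in this commit already remarks that the rule "has no effect" for exactly that reason, so the doc block should state it, e.g. `## Callers also need relabelto on the destination type; this interface alone only permits device_t to device_t.`. The interface additionally grants `r_dir_perms` on device_t directories, which the one-line description does not mention.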
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 79fb67b..b2682a0 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -141,9 +141,9 @@ interface(`storage_create_fixed_disk_dev_entry',`
')
########################################
-##
+##
## Create, read, write, and delete fixed disk device nodes.
-##
+##
##
## The type of the process performing this action.
##
@@ -161,6 +161,42 @@ interface(`storage_manage_fixed_disk',`
')
########################################
+##
+## Relabel fixed disk device nodes.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`storage_relabel_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ class blk_file { relabelfrom relabelto };
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
+')
+
+########################################
+##
+## Enable a fixed disk device as swap space
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`storage_swapon_fixed_disk',`
+ gen_require(`
+ type fixed_disk_device_t;
+ class blk_file { getattr swapon };
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file { getattr swapon };
+')
+
+########################################
##
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
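Review bot: The descriptions of the two new interfaces understate what they grant: storage_relabel_fixed_disk lets the caller change the label of every fixed_disk_device_t node (given a relabelto on the destination type elsewhere), and storage_swapon_fixed_disk lets it turn any fixed disk node into swap, after which the kernel pages memory out to that device. The interface that follows (its header is cut off at the end of this hunk) warns that raw access "is extremly dangerous", and these two deserve a similar caveat, e.g. `## Relabelling can move a disk node out of the fixed-disk type and the rules that protect it.` and `## Enabling swap on the wrong device overwrites its contents.`. Both interfaces call dev_list_all_dev_nodes($1) before their allow rule, which matches the rest of the file; the existing typo `extremly` on the last line of the hunk is on a context line and is worth fixing separately.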
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index d547c64..d611f0e 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -269,9 +269,46 @@ template(`cron_admin_template',`
')
########################################
+##
+## Make the specified program domain accessable
+## from the system cron jobs.
+##
+##
+## The type of the process to transition to.
+##
+##
+## The type of the file used as an entrypoint to this domain.
+##
#
-# cron_rw_log(domain)
-#
+interface(`cron_system_entry',`
+ gen_require(`
+ type crond_t, system_crond_t;
+ class fd use;
+ class fifo_file rw_file_perms;
+ class process sigchld;
+ ')
+
+ domain_auto_trans(system_crond_t, $2, $1)
+
+ # cjp: perhaps these four rules from the old
+ # domain_auto_trans are not needed?
+ allow system_crond_t $1:fd use;
+ allow $1 system_crond_t:fd use;
+ allow $1 system_crond_t:fifo_file rw_file_perms;
+ allow $1 system_crond_t:process sigchld;
+
+ allow $1 crond_t:fifo_file { getattr read write ioctl };
+ allow $1 crond_t:fd use;
+ allow $1 crond_t:process sigchld;
+')
+
+########################################
+##
+## Read and write the cron daemon log files.
+##
+##
+## The type of the process to performing this action.
+##
interface(`cron_rw_log',`
gen_require(`
type crond_log_t;
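Review bot: The four rules under the `cjp:` comment in cron_system_entry grant `$1` `rw_file_perms` on system_crond_t fifo_files, while the parallel rule for crond_t a few lines below grants only `{ getattr read write ioctl }`; if the rules are kept they should use the same narrow set, `allow $1 system_crond_t:fifo_file { getattr read write ioctl };`, and the open question in the comment should be settled before the interface is shared by rpm_t and fsadm_t. Since this interface is the one place both callers obtain their cron privileges, its doc block should also say that the transition applies to every system cron job that executes a `$2` file, not just one program. Two typos in the new documentation lines: `accessable` should be `accessible`, and `The type of the process to performing this action` should read `The type of the process performing this action`. The cron_rw_log body continues past the end of the hunk.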
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 9f333e3..4d1ea1b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -249,11 +249,8 @@ dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
-init_use_fd(system_crond_t)
-init_use_script_fd(system_crond_t)
-init_use_script_pty(system_crond_t)
-init_read_script_pid(system_crond_t)
-init_dontaudit_rw_script_pid(system_crond_t)
+corecmd_exec_bin(system_crond_t)
+corecmd_exec_sbin(system_crond_t)
domain_exec_all_entry_files(system_crond_t)
@@ -263,14 +260,20 @@ files_read_etc_runtime_files(system_crond_t)
files_list_all_dirs(system_crond_t)
files_getattr_all_files(system_crond_t)
files_read_usr_files(system_crond_t)
+files_read_var_file(system_crond_t)
# for nscd:
files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_spools(system_crond_t)
-corecmd_exec_bin(system_crond_t)
-corecmd_exec_sbin(system_crond_t)
+init_use_fd(system_crond_t)
+init_use_script_fd(system_crond_t)
+init_use_script_pty(system_crond_t)
+init_read_script_pid(system_crond_t)
+init_dontaudit_rw_script_pid(system_crond_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_write_initctl(system_crond_t)
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
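Review bot: `init_write_initctl(system_crond_t)` gives every system cron job write access to init's control fifo, which is the channel used to ask init to change runlevel, while the comment above it says the need comes from prelink alone and that a dontaudit would also satisfy it. This hunk converts the raw `allow system_crond_t initctl_t:fifo_file write` removed in the next hunk, so it is not new privilege, but the conversion is the moment to pick the less privileged option, a dontaudit of the same access or a separate domain for prelink, if restarting init from cron is not actually required. At minimum the comment should record that the allow was chosen deliberately, e.g. `# prelink tells init to restart itself; allowed rather than dontaudited because prelink must succeed`. `files_read_var_file` replaces the direct var_t dir and file rules removed below; I cannot see that interface here, so confirm it also covers directory search on var_t.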
@@ -314,12 +317,6 @@ dontaudit system_crond_t unlabeled_t:file r_file_perms;
allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-# prelink tells init to restart it self, we either need to allow or dontaudit
-allow system_crond_t initctl_t:fifo_file write;
-
-allow system_crond_t var_t:dir r_dir_perms;
-allow system_crond_t var_t:file r_file_perms;
-
# Write to /var/lib/slocate.db.
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index b4d4c4b..1ce9c12 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -53,6 +53,9 @@ dev_read_urand(fsadm_t)
dev_manage_generic_symlinks(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
+# for swapon
+dev_getattr_sysfs_dir(fsadm_t)
+dev_search_sysfs(fsadm_t)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
@@ -64,6 +67,7 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
+storage_swapon_fixed_disk(fsadm_t)
domain_use_wide_inherit_fd(fsadm_t)
@@ -93,14 +97,16 @@ seutil_read_config(fsadm_t)
userdom_use_unpriv_users_fd(fsadm_t)
+optional_policy(`cron.te',`
+ # for smartctl cron jobs
+ cron_system_entry(fsadm_t,fsadm_exec_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(fsadm_t)
')
ifdef(`TODO',`
-# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
-
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
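Review bot: The new cron_system_entry(fsadm_t,fsadm_exec_t) block lets any system cron job that executes an fsadm_exec_t binary run as fsadm_t, a domain that the storage_raw_write_fixed_disk line earlier in this file gives raw write access to fixed disks; the comment names smartctl, but the rule is not limited to it. This replaces the `system_crond_entry(fsadm_exec_t, fsadm_t)` line removed from the TODO block further down, so it is a migration rather than new access, and the argument order is correctly swapped to match the new interface's (domain, entrypoint) signature. If smartctl is the only cron user, a narrower domain for it would keep raw disk write out of cron's reach; otherwise extend the comment so the scope is visible, e.g. `# for smartctl cron jobs (applies to any fsadm_exec_t program run from system cron)`.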
@@ -126,15 +132,9 @@ allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { rmdir create };
-# Enable swapping to devices and files
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
# Access to /initrd devices
allow fsadm_t unlabeled_t:dir rw_dir_perms;
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 9f2932d..966f21b 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -160,6 +160,20 @@ interface(`init_dontaudit_getattr_initctl',`
########################################
#
+# init_write_initctl(domain)
+#
+interface(`init_write_initctl',`
+ gen_require(`
+ type initctl_t;
+ class fifo_file write;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+#
# init_use_initctl(domain)
#
interface(`init_use_initctl',`
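Review bot: init_write_initctl is documented only with the old `# init_write_initctl(domain)` header, unlike the other interfaces added in this commit (dev_relabel_generic_symlinks, storage_relabel_fixed_disk), which use the `##` description and parameter blocks; it should get the same treatment, and the description should say what the write means. Suggested text: `## Write to the init control fifo. This lets the domain ask init to change runlevel, i.e. halt, reboot or drop to single user.` followed by a `## Domain allowed access.` parameter block. The interface also pulls in dev_list_all_dev_nodes($1), which is wider than the directory search a single fifo write needs; if that is deliberate for consistency with storage.if, a short comment saying so would help. The init_use_initctl interface starts at the end of this hunk and continues beyond it.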
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 0c9eeb9..35098c4 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -92,17 +92,21 @@ dev_manage_generic_blk_file(lvm_t)
dev_read_sysfs(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
dev_read_sysfs(sysfs_t)
+# cjp: this has no effect since LVM does not
+# have lnk_file relabelto for anything else.
+# perhaps this should be blk_files?
+dev_relabel_generic_symlinks(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dev_dontaudit_getattr_all_chr_files(lvm_t)
dev_dontaudit_getattr_all_blk_files(lvm_t)
dev_dontaudit_getattr_generic_chr_file(lvm_t)
dev_dontaudit_getattr_generic_blk_file(lvm_t)
dev_dontaudit_getattr_generic_pipe(lvm_t)
-term_dontaudit_getattr_all_user_ttys(lvm_t)
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
+storage_relabel_fixed_disk(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/
# depending on its version
# LVM(2) needs to create directores (/dev/mapper, /dev/)
@@ -111,6 +115,8 @@ storage_create_fixed_disk_dev_entry(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
+term_dontaudit_getattr_all_user_ttys(lvm_t)
+
corecmd_search_sbin(lvm_t)
corecmd_dontaudit_getattr_sbin_file(lvm_t)
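Review bot: `dev_relabel_generic_symlinks(lvm_t)` is added directly under a comment saying the rule has no effect, which moves a known no-op out of the TODO block and into live policy; either drop the call or answer the `perhaps this should be blk_files?` question before committing it. storage_relabel_fixed_disk(lvm_t), added in the same hunk, grants relabelfrom/relabelto on fixed_disk_device_t:blk_file, but relabelling a node LVM has just created as a generic device (dev_manage_generic_blk_file at the top of the hunk) to fixed_disk_device_t would also need relabelfrom on device_t:blk_file, which nothing visible here grants; check an audit log before changing the class. On a context line, `dev_read_sysfs(sysfs_t)` passes a type where the other calls pass lvm_t and looks like it should be `dev_read_sysfs(lvm_t)`, which would make it a duplicate of the line above; that predates this change but is worth fixing alongside it.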
@@ -159,11 +165,6 @@ optional_policy(`udev.te', `
ifdef(`TODO',`
allow lvm_t default_context_t:dir search;
-allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
-
-# cjp: ? this has no effect since LVM does not
-# have lnk_file relabelto for anything else.
-allow lvm_t device_t:lnk_file { relabelfrom relabelto };
dontaudit lvm_t var_run_t:dir getattr;
@@ -175,10 +176,8 @@ optional_policy(`gpm.te', `
dontaudit lvm_t gpmctl_t:sock_file getattr;
')
-optional_policy(`rhgb.te', `
- allow $1_t rhgb_t:process sigchld;
- allow $1_t rhgb_t:fd use;
- allow $1_t rhgb_t:fifo_file { read write };
+optional_policy(`rhgb.te',`
+rhgb_domain(lvm_t)
')
') dnl end TODO
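Review bot: `rhgb_domain(lvm_t)` appears to remain inside the `ifdef(`TODO',` block that `') dnl end TODO` closes on the last line of the hunk, so the replacement is compiled out just like the `$1_t` rules it replaces; if rhgb_domain is the intended interface, move the optional_policy block above the TODO ifdef so it takes effect. The call is also not indented inside its optional_policy block, unlike every other optional_policy body in this commit; write it as `	rhgb_domain(lvm_t)` with the usual leading tab. The enclosing TODO block starts in the previous hunk, so I cannot see what else it still wraps.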