diff --git a/refpolicy/policy/modules/admin/dmesg.te b/refpolicy/policy/modules/admin/dmesg.te index 074246d..ca23adb 100644 --- a/refpolicy/policy/modules/admin/dmesg.te +++ b/refpolicy/policy/modules/admin/dmesg.te @@ -22,7 +22,7 @@ dontaudit dmesg_t self:capability sys_tty_config; allow dmesg_t self:process signal_perms; kernel_read_kernel_sysctl(dmesg_t) -kernel_read_hardware_state(dmesg_t) +dev_read_sysfs(dmesg_t) kernel_read_ring_buffer(dmesg_t) kernel_clear_ring_buffer(dmesg_t) kernel_change_ring_buffer_level(dmesg_t) diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te index 2936e1c..a018e06 100644 --- a/refpolicy/policy/modules/admin/rpm.te +++ b/refpolicy/policy/modules/admin/rpm.te @@ -9,7 +9,7 @@ policy_module(rpm,1.0) type rpm_t; #, admin, privmem, priv_system_role; type rpm_exec_t; init_system_domain(rpm_t,rpm_exec_t) -kernel_obj_id_change_exempt(rpm_t) +domain_obj_id_change_exempt(rpm_t) domain_wide_inherit_fd(rpm_t) role system_r types rpm_t; @@ -31,7 +31,7 @@ typealias rpm_var_lib_t alias var_lib_rpm_t; type rpm_script_t; #, admin, privmem, priv_system_role; type rpm_script_exec_t; -kernel_obj_id_change_exempt(rpm_script_t) +domain_obj_id_change_exempt(rpm_script_t) corecmd_shell_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t,rpm_script_t) diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 1e41365..ba4b220 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -10,7 +10,7 @@ type admin_passwd_exec_t; files_file_type(admin_passwd_exec_t) type chfn_t; -kernel_obj_id_change_exempt(chfn_t) +domain_obj_id_change_exempt(chfn_t) domain_type(chfn_t) role system_r types chfn_t; 
@@ -31,12 +31,12 @@ files_tmp_file(crack_tmp_t) type groupadd_t; #, nscd_client_domain; type groupadd_exec_t; -kernel_obj_id_change_exempt(groupadd_t) +domain_obj_id_change_exempt(groupadd_t) init_system_domain(groupadd_t,groupadd_exec_t) role system_r types groupadd_t; type passwd_t; -kernel_obj_id_change_exempt(passwd_t) +domain_obj_id_change_exempt(passwd_t) domain_type(passwd_t) role system_r types passwd_t; @@ -44,7 +44,7 @@ type passwd_exec_t; domain_entry_file(passwd_t,passwd_exec_t) type sysadm_passwd_t; -kernel_obj_id_change_exempt(sysadm_passwd_t) +domain_obj_id_change_exempt(sysadm_passwd_t) domain_type(sysadm_passwd_t) domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t) @@ -53,7 +53,7 @@ files_file_type(sysadm_passwd_tmp_t) type useradd_t; # nscd_client_domain; type useradd_exec_t; -kernel_obj_id_change_exempt(useradd_t) +domain_obj_id_change_exempt(useradd_t) init_system_domain(useradd_t,useradd_exec_t) role system_r types useradd_t; diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if index 5308261..df0f9dc 100644 --- a/refpolicy/policy/modules/kernel/devices.if +++ b/refpolicy/policy/modules/kernel/devices.if 
@@ -1621,4 +1621,177 @@ define(`dev_rw_power_management_depend',` class chr_file rw_file_perms; ') +######################################## +## +## +## Search the directory containing hardware information. +## +## +## The type of the process performing this action. +## +## +# +define(`dev_search_sysfs',` + gen_require(`$0'_depend) + + allow $1 sysfs_t:dir search; +') + +define(`dev_search_sysfs_depend',` + type sysfs_t; + + class dir search; +') + +######################################## +## +## +## Allow caller to read hardware state information. +## +## +## The process type reading hardware state information. +## +## +# +define(`dev_read_sysfs',` + gen_require(`$0'_depend) + + allow $1 sysfs_t:dir r_dir_perms; + allow $1 sysfs_t:{ file lnk_file } r_file_perms; +') + +define(`dev_read_sysfs_depend',` + type sysfs_t; + + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; +') + +######################################## +## +## +## Allow caller to modify hardware state information. +## +## +## The process type modifying hardware state information. +## +## +# +define(`dev_rw_sysfs',` + gen_require(`$0'_depend) + + allow $1 sysfs_t:dir r_dir_perms; + allow $1 sysfs_t:lnk_file r_file_perms; + allow $1 sysfs_t:file rw_file_perms; +') + +define(`dev_rw_sysfs_depend',` + type sysfs_t; + + class dir r_dir_perms; + class file rw_file_perms; + class lnk_file r_file_perms; +') + +######################################## +## +## +## Search the directory containing USB hardware information. +## +## +## The type of the process performing this action. +## +## +# +define(`dev_search_usbfs',` + gen_require(`$0'_depend) + + allow $1 usbfs_t:dir search; +') + +define(`dev_search_usbfs_depend',` + type usbfs_t; + + class dir search; +') + +######################################## +## +## +## Allow caller to get a list of usb hardware. +## +## +## The process type getting the list. 
+## +## +# +define(`dev_list_usbfs',` + gen_require(`$0'_depend) + + allow $1 usbfs_t:dir r_dir_perms; + allow $1 usbfs_t:lnk_file r_file_perms; + allow $1 usbfs_t:file getattr; +') + +define(`dev_list_usbfs_depend',` + type usbfs_t; + + class dir r_dir_perms; + class file getattr; + class lnk_file r_file_perms; +') + +######################################## +## +## +## Read USB hardware information using +## the usbfs filesystem interface. +## +## +## The type of the process performing this action. +## +## +# +define(`dev_read_usbfs',` + gen_require(`$0'_depend) + + allow $1 usbfs_t:dir r_dir_perms; + allow $1 usbfs_t:{ file lnk_file } r_file_perms; +') + +define(`dev_read_usbfs_depend',` + type usbfs_t; + + class dir r_dir_perms; + class file r_file_perms; + class lnk_file r_file_perms; +') + +######################################## +## +## +## Allow caller to modify usb hardware configuration files. +## +## +## The process type modifying the options. +## +## +# +define(`dev_rw_usbfs',` + gen_require(`$0'_depend) + + allow $1 usbfs_t:dir r_dir_perms; + allow $1 usbfs_t:lnk_file r_file_perms; + allow $1 usbfs_t:file rw_file_perms; +') + +define(`dev_rw_usbfs_depend',` + type usbfs_t; + + class dir r_dir_perms; + class file rw_file_perms; + class lnk_file r_file_perms; +') + ## diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index b69faa2..302796e 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te 
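Review bot: The summaries for `dev_rw_sysfs` and `dev_rw_usbfs` understate what the interfaces grant: each allows `rw_file_perms` on every file labelled `sysfs_t` or `usbfs_t`, not only on "hardware state information" or "configuration files". Now that the interface names describe the filesystem, the doc text should as well, for example `## Read and write all files on the sysfs filesystem.` and `## Read and write all files on the usbfs filesystem.` The summary of `dev_list_usbfs` likewise omits that it grants `getattr` on files and read on symlinks in addition to listing directories. Stating the full grant in the summary lets callers choose the narrowest interface that fits.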
@@ -144,12 +144,29 @@ fs_associate(sound_device_t) fs_associate_tmpfs(sound_device_t) # +# sysfs_t is the type for the /sys pseudofs +# +type sysfs_t; +files_mountpoint(sysfs_t) +fs_make_fs(sysfs_t) +genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) + +# # urandom_device_t is the type of /dev/urandom # type urandom_device_t, device_node; fs_associate(urandom_device_t) fs_associate_tmpfs(urandom_device_t) +# +# usbfs_t is the type for the /proc/bus/usb pseudofs +# +type usbfs_t alias usbdevfs_t; +files_mountpoint(usbfs_t) +fs_make_noxattr_fs(usbfs_t) +genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) +genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) + type v4l_device_t, device_node; fs_associate(v4l_device_t) fs_associate_tmpfs(v4l_device_t) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index e61d608..8a85ac7 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if 
@@ -130,69 +130,6 @@ define(`kernel_dontaudit_use_fd_depend',` ') ######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing of user identity. -## -## -## The process type to make an exception to the constraint. -## -## -# -define(`kernel_subj_id_change_exempt',` - gen_require(`$0'_depend) - - typeattribute $1 can_change_process_identity; -') - -define(`kernel_subj_id_change_exempt_depend',` - attribute can_change_process_identity; -') - -######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing of role. -## -## -## The process type to make an exception to the constraint. -## -## -# -define(`kernel_role_change_exempt',` - gen_require(`$0'_depend) - - typeattribute $1 can_change_process_role; -') - -define(`kernel_role_change_exempt_depend',` - attribute can_change_process_role; -') - -######################################## -## -## -## Makes caller an exception to the constraint preventing -## changing the user identity in object contexts. -## -## -## The process type to make an exception to the constraint. -## -## -# -define(`kernel_obj_id_change_exempt',` - gen_require(`$0'_depend) - - typeattribute $1 can_change_object_identity; -') - -define(`kernel_obj_id_change_exempt_depend',` - attribute can_change_object_identity; -') - -######################################## ## ## ## Allows caller to load kernel modules 
@@ -1458,79 +1395,6 @@ define(`kernel_rw_all_sysctl',` ') ######################################## -## -## -## Search the directory containing hardware information. -## -## -## The type of the process performing this action. -## -## -# -define(`kernel_search_sysfs',` - gen_require(`$0'_depend) - - allow $1 sysfs_t:dir search; -') - -define(`kernel_search_sysfs_depend',` - type sysfs_t; - - class dir search; -') - -######################################## -## -## -## Allow caller to read hardware state information. -## -## -## The process type reading hardware state information. -## -## -# -define(`kernel_read_hardware_state',` - gen_require(`$0'_depend) - - allow $1 sysfs_t:dir r_dir_perms; - allow $1 sysfs_t:{ file lnk_file } r_file_perms; -') - -define(`kernel_read_hardware_state_depend',` - type sysfs_t; - - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; -') - -######################################## -## -## -## Allow caller to modify hardware state information. -## -## -## The process type modifying hardware state information. -## -## -# -define(`kernel_rw_hardware_config_option',` - gen_require(`$0'_depend) - - allow $1 sysfs_t:dir r_dir_perms; - allow $1 sysfs_t:lnk_file r_file_perms; - allow $1 sysfs_t:file rw_file_perms; -') - -define(`kernel_rw_hardware_config_option_depend',` - type sysfs_t; - - class dir r_dir_perms; - class file rw_file_perms; - class lnk_file r_file_perms; -') - -######################################## ## ## ## Send a kill signal to unlabeled processes. 
@@ -1691,104 +1555,4 @@ define(`kernel_relabel_unlabeled_depend',` class blk_file { getattr relabelfrom }; ') -######################################## -## -## -## Search the directory containing USB hardware information. -## -## -## The type of the process performing this action. -## -## -# -define(`kernel_search_usbfs',` - gen_require(`$0'_depend) - - allow $1 usbfs_t:dir search; -') - -define(`kernel_search_usbfs_depend',` - type usbfs_t; - - class dir search; -') - -######################################## -## -## -## Allow caller to get a list of usb hardware. -## -## -## The process type getting the list. -## -## -# -define(`kernel_list_usb_hardware',` - gen_require(`$0'_depend) - - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:lnk_file r_file_perms; - allow $1 usbfs_t:file getattr; -') - -define(`kernel_list_usb_hardware_depend',` - type usbfs_t; - - class dir r_dir_perms; - class file getattr; - class lnk_file r_file_perms; -') - -######################################## -## -## -## Read USB hardware information using -## the usbfs filesystem interface. -## -## -## The type of the process performing this action. -## -## -# -define(`kernel_read_usb_hardware_state',` - gen_require(`$0'_depend) - - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:{ file lnk_file } r_file_perms; -') - -define(`kernel_read_usb_hardware_state_depend',` - type usbfs_t; - - class dir r_dir_perms; - class file r_file_perms; - class lnk_file r_file_perms; -') - -######################################## -## -## -## Allow caller to modify usb hardware configuration files. -## -## -## The process type modifying the options. 
-## -## -# -define(`kernel_rw_usb_hardware_config_option',` - gen_require(`$0'_depend) - - allow $1 usbfs_t:dir r_dir_perms; - allow $1 usbfs_t:lnk_file r_file_perms; - allow $1 usbfs_t:file rw_file_perms; -') - -define(`kernel_rw_usb_hardware_config_option_depend',` - type usbfs_t; - - class dir r_dir_perms; - class file rw_file_perms; - class lnk_file r_file_perms; -') - ## diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index 8881b13..0a582a3 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -8,11 +8,6 @@ attribute can_setsecparam; attribute can_load_kernmodule; attribute can_receive_kernel_messages; -# constraint related attributes -attribute can_change_process_identity; -attribute can_change_process_role; -attribute can_change_object_identity; - # # kernel_t is the domain of kernel threads. # It is also the target type when checking permissions in the system class. @@ -60,14 +55,6 @@ sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) # -# sysfs_t is the type for /sys -# -type sysfs_t; -files_mountpoint(sysfs_t) -fs_make_fs(sysfs_t) -genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) - -# # Procfs types # @@ -144,15 +131,6 @@ genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0) type sysctl_dev_t; genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0) -# -# usbfs_t is the type for /proc/bus/usb -# -type usbfs_t alias usbdevfs_t; -files_mountpoint(usbfs_t) -fs_make_noxattr_fs(usbfs_t) -genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) -genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) - ######################################## # # kernel local policy diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 7d25e80..6a3a773 100644 
--- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -76,7 +76,7 @@ allow crond_t system_cron_spool_t:dir r_dir_perms; allow crond_t system_cron_spool_t:file r_file_perms; kernel_read_kernel_sysctl(crond_t) -kernel_read_hardware_state(crond_t) +dev_read_sysfs(crond_t) kernel_get_selinuxfs_mount_point(crond_t) kernel_validate_context(crond_t) kernel_compute_access_vector(crond_t) diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 3d00299..3058991 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -7,9 +7,9 @@ policy_module(authlogin,1.0) # type remote_login_t; #, nscd_client_domain; -kernel_obj_id_change_exempt(remote_login_t) -kernel_subj_id_change_exempt(remote_login_t) -kernel_role_change_exempt(remote_login_t) +domain_obj_id_change_exempt(remote_login_t) +domain_subj_id_change_exempt(remote_login_t) +domain_role_change_exempt(remote_login_t) domain_type(remote_login_t) domain_wide_inherit_fd(remote_login_t) auth_login_entry_type(remote_login_t) diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 7bce7c0..d14ab32 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -40,7 +40,7 @@ allow sendmail_t sendmail_var_run_t:file { getattr create read write append seta files_create_pid(sendmail_t,sendmail_var_run_t) kernel_read_kernel_sysctl(sendmail_t) -kernel_read_hardware_state(sendmail_t) +dev_read_sysfs(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) corenet_raw_sendrecv_all_if(sendmail_t) diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index ab39a7c..e085b1f 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te 
@@ -138,7 +138,7 @@ allow pam_console_t pam_var_console_t:lnk_file r_file_perms; kernel_read_kernel_sysctl(pam_console_t) kernel_read_system_state(pam_console_t) -kernel_read_hardware_state(pam_console_t) +dev_read_sysfs(pam_console_t) kernel_use_fd(pam_console_t) # Allow to set attributes on /dev entries diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te index df0aa9e..6c40663 100644 --- a/refpolicy/policy/modules/system/clock.te +++ b/refpolicy/policy/modules/system/clock.te @@ -30,7 +30,7 @@ dontaudit hwclock_t self:capability sys_tty_config; allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append }; kernel_read_kernel_sysctl(hwclock_t) -kernel_read_hardware_state(hwclock_t) +dev_read_sysfs(hwclock_t) dev_rw_realtime_clock(hwclock_t) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 57f6fec..481c201 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
@@ -86,6 +86,69 @@ define(`domain_wide_inherit_fd_depend',` ') ######################################## +## +## +## Makes caller an exception to the constraint preventing +## changing of user identity. +## +## +## The process type to make an exception to the constraint. +## +## +# +define(`domain_subj_id_change_exempt',` + gen_require(`$0'_depend) + + typeattribute $1 can_change_process_identity; +') + +define(`domain_subj_id_change_exempt_depend',` + attribute can_change_process_identity; +') + +######################################## +## +## +## Makes caller an exception to the constraint preventing +## changing of role. +## +## +## The process type to make an exception to the constraint. +## +## +# +define(`domain_role_change_exempt',` + gen_require(`$0'_depend) + + typeattribute $1 can_change_process_role; +') + +define(`domain_role_change_exempt_depend',` + attribute can_change_process_role; +') + +######################################## +## +## +## Makes caller an exception to the constraint preventing +## changing the user identity in object contexts. +## +## +## The process type to make an exception to the constraint. +## +## +# +define(`domain_obj_id_change_exempt',` + gen_require(`$0'_depend) + + typeattribute $1 can_change_object_identity; +') + +define(`domain_obj_id_change_exempt_depend',` + attribute can_change_object_identity; +') + +######################################## # # domain_use_wide_inherit_fd(domain) # diff --git a/refpolicy/policy/modules/system/domain.te b/refpolicy/policy/modules/system/domain.te index bc5e387..cb3306d 100644 --- a/refpolicy/policy/modules/system/domain.te +++ b/refpolicy/policy/modules/system/domain.te 
@@ -10,6 +10,11 @@ attribute entry_type; # widely-inheritable file descriptors attribute privfd; +# constraint related attributes +attribute can_change_process_identity; +attribute can_change_process_role; +attribute can_change_object_identity; + neverallow domain ~domain:process { transition dyntransition }; # enabling setcurrent breaks process tranquility. If you do not diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te index 46e3772..235375e 100644 --- a/refpolicy/policy/modules/system/getty.te +++ b/refpolicy/policy/modules/system/getty.te @@ -42,7 +42,7 @@ files_create_tmp_files(getty_t,getty_tmp_t,{ file dir }) allow getty_t getty_log_t:file { getattr append setattr }; -kernel_read_hardware_state(getty_t) +dev_read_sysfs(getty_t) # for error condition handling fs_getattr_xattr_fs(getty_t) diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te index 34ec9a9..3d99ae2 100644 --- a/refpolicy/policy/modules/system/hostname.te +++ b/refpolicy/policy/modules/system/hostname.te @@ -26,7 +26,7 @@ dontaudit hostname_t self:capability sys_tty_config; sysnet_read_config(hostname_t) kernel_read_kernel_sysctl(hostname_t) -kernel_read_hardware_state(hostname_t) +dev_read_sysfs(hostname_t) kernel_dontaudit_use_fd(hostname_t) fs_getattr_xattr_fs(hostname_t) diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te index a35f1d0..72de977 100644 --- a/refpolicy/policy/modules/system/hotplug.te +++ b/refpolicy/policy/modules/system/hotplug.te @@ -45,9 +45,9 @@ files_create_pid(hotplug_t,hotplug_var_run_t) kernel_read_system_state(hotplug_t) kernel_read_kernel_sysctl(hotplug_t) -kernel_read_hardware_state(hotplug_t) +dev_read_sysfs(hotplug_t) kernel_read_net_sysctl(hotplug_t) -kernel_read_usb_hardware_state(hotplug_t) +dev_read_usbfs(hotplug_t) bootloader_read_kernel_modules(hotplug_t) 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 303f8d9..9a3708a 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -90,7 +90,7 @@ domain_auto_trans(init_t,initrc_exec_t,initrc_t) kernel_set_boolean(init_t) kernel_read_system_state(init_t) -kernel_read_hardware_state(init_t) +dev_read_sysfs(init_t) kernel_share_state(init_t) term_use_all_terms(init_t) @@ -180,12 +180,12 @@ kernel_read_ring_buffer(initrc_t) kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) -kernel_read_hardware_state(initrc_t) -kernel_rw_hardware_config_option(initrc_t) +dev_read_sysfs(initrc_t) +dev_rw_sysfs(initrc_t) kernel_read_all_sysctl(initrc_t) kernel_rw_all_sysctl(initrc_t) kernel_get_selinux_enforcement_mode(initrc_t) -kernel_list_usb_hardware(initrc_t) +dev_list_usbfs(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) @@ -333,7 +333,7 @@ ifdef(`distro_redhat',` ') optional_policy(`hotplug.te',` - kernel_read_usb_hardware_state(initrc_t) + dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc hotplug_read_config(initrc_t) diff --git a/refpolicy/policy/modules/system/iptables.te b/refpolicy/policy/modules/system/iptables.te index 8e6d477..9064b0f 100644 --- a/refpolicy/policy/modules/system/iptables.te +++ b/refpolicy/policy/modules/system/iptables.te @@ -39,7 +39,7 @@ allow iptables_t self:rawip_socket create_socket_perms; kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -kernel_read_hardware_state(iptables_t) +dev_read_sysfs(iptables_t) kernel_read_kernel_sysctl(iptables_t) kernel_read_modprobe_sysctl(iptables_t) kernel_use_fd(iptables_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index e93ac69..fc98a88 100644 --- a/refpolicy/policy/modules/system/locallogin.te 
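Review bot: `dev_read_sysfs(initrc_t)` is redundant next to `dev_rw_sysfs(initrc_t)` in the `@@ -180,12` hunk of init.te. By the definitions added in devices.if, the rw interface grants the same `r_dir_perms` and symlink permissions plus `rw_file_perms` on files, so, assuming `rw_file_perms` is a superset of `r_file_perms`, the read call adds nothing. Dropping it keeps the policy the same and makes it obvious that `initrc_t` holds write access to every `sysfs_t` file. A short comment above `dev_rw_sysfs(initrc_t)` naming what the init scripts write under /sys would make that grant reviewable.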
+++ b/refpolicy/policy/modules/system/locallogin.te @@ -7,9 +7,9 @@ policy_module(locallogin,1.0) # type local_login_t; #, nscd_client_domain; -kernel_obj_id_change_exempt(local_login_t) -kernel_subj_id_change_exempt(local_login_t) -kernel_role_change_exempt(local_login_t) +domain_obj_id_change_exempt(local_login_t) +domain_subj_id_change_exempt(local_login_t) +domain_role_change_exempt(local_login_t) auth_login_entry_type(local_login_t) domain_type(local_login_t) domain_wide_inherit_fd(local_login_t) @@ -20,9 +20,9 @@ files_file_type(local_login_tmp_t) type sulogin_t; type sulogin_exec_t; -kernel_obj_id_change_exempt(sulogin_t) -kernel_subj_id_change_exempt(sulogin_t) -kernel_role_change_exempt(sulogin_t) +domain_obj_id_change_exempt(sulogin_t) +domain_subj_id_change_exempt(sulogin_t) +domain_role_change_exempt(sulogin_t) domain_wide_inherit_fd(sulogin_t) init_domain(sulogin_t,sulogin_exec_t) init_system_domain(sulogin_t,sulogin_exec_t) diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 3b6ba04..69f178f 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -59,7 +59,7 @@ allow auditd_t auditd_var_run_t:file create_file_perms; files_create_pid(auditd_t,auditd_var_run_t) kernel_read_kernel_sysctl(auditd_t) -kernel_read_hardware_state(auditd_t) +dev_read_sysfs(auditd_t) fs_getattr_all_fs(auditd_t) @@ -186,7 +186,7 @@ allow syslogd_t devlog_t:unix_dgram_socket name_bind; allow syslogd_t syslogd_var_run_t:file create_file_perms; files_create_pid(syslogd_t,syslogd_var_run_t) -kernel_read_hardware_state(syslogd_t) +dev_read_sysfs(syslogd_t) kernel_read_kernel_sysctl(syslogd_t) dev_create_dev_node(syslogd_t,devlog_t,sock_file) diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te index 382379a..390a82e 100644 --- a/refpolicy/policy/modules/system/lvm.te +++ b/refpolicy/policy/modules/system/lvm.te 
@@ -11,7 +11,7 @@ type lvm_exec_t; init_system_domain(lvm_t,lvm_exec_t) # needs privowner because it assigns the identity system_u to device nodes # but runs as the identity of the sysadmin -kernel_obj_id_change_exempt(lvm_t) +domain_obj_id_change_exempt(lvm_t) role system_r types lvm_t; type lvm_etc_t; @@ -76,9 +76,9 @@ kernel_compute_create_context(lvm_t) kernel_compute_relabel_context(lvm_t) kernel_compute_reachable_user_contexts(lvm_t) kernel_read_kernel_sysctl(lvm_t) -kernel_read_hardware_state(lvm_t) +dev_read_sysfs(lvm_t) # Read /sys/block. Device mapper metadata is kept there. -kernel_read_hardware_state(sysfs_t) +dev_read_sysfs(sysfs_t) # Read system variables in /proc/sys kernel_read_kernel_sysctl(lvm_t) # it has no reason to need this diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te index d9cdace..c8f80f0 100644 --- a/refpolicy/policy/modules/system/modutils.te +++ b/refpolicy/policy/modules/system/modutils.te @@ -51,8 +51,6 @@ can_exec(insmod_t, insmod_exec_t) kernel_load_module(insmod_t) kernel_read_system_state(insmod_t) -kernel_search_sysfs(insmod_t) -kernel_search_usbfs(insmod_t) # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctl(insmod_t) kernel_rw_kernel_sysctl(insmod_t) @@ -62,6 +60,8 @@ bootloader_read_kernel_modules(insmod_t) # for locking: (cjp: ????) bootloader_write_kernel_modules(insmod_t) +dev_search_sysfs(insmod_t) +dev_search_usbfs(insmod_t) dev_write_mtrr(insmod_t) dev_read_urand(insmod_t) dev_rw_agp_dev(insmod_t) diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te index 4926625..6027d4a 100644 --- a/refpolicy/policy/modules/system/selinux.te +++ b/refpolicy/policy/modules/system/selinux.te 
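Review bot: `dev_read_sysfs(sysfs_t)` in the `@@ -76,9` hunk of lvm.te passes the sysfs file type where a domain is expected. By the definition in devices.if it expands to `allow sysfs_t sysfs_t:dir r_dir_perms;` and the matching file rule, whose source is a filesystem type rather than the LVM domain. The rename carries the old `kernel_read_hardware_state(sysfs_t)` call over unchanged. `lvm_t` already gets this access from `dev_read_sysfs(lvm_t)` on the line above, so the second call can be deleted and its comment `# Read /sys/block. Device mapper metadata is kept there.` moved above the `lvm_t` call. With `sysfs_t` now declared in the devices module, naming it directly in lvm.te also reaches past that module's interface.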
@@ -38,8 +38,8 @@ type load_policy_exec_t; domain_entry_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; -kernel_role_change_exempt(newrole_t) -kernel_obj_id_change_exempt(newrole_t) +domain_role_change_exempt(newrole_t) +domain_obj_id_change_exempt(newrole_t) domain_type(newrole_t) domain_wide_inherit_fd(newrole_t) @@ -65,7 +65,7 @@ files_file_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; -kernel_obj_id_change_exempt(restorecon_t) +domain_obj_id_change_exempt(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; @@ -83,7 +83,7 @@ type selinux_config_t; files_file_type(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; -kernel_obj_id_change_exempt(setfiles_t) +domain_obj_id_change_exempt(setfiles_t) domain_type(setfiles_t) role system_r types setfiles_t; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 4926625..6027d4a 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -38,8 +38,8 @@ type load_policy_exec_t; domain_entry_file(load_policy_t,load_policy_exec_t) type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; -kernel_role_change_exempt(newrole_t) -kernel_obj_id_change_exempt(newrole_t) +domain_role_change_exempt(newrole_t) +domain_obj_id_change_exempt(newrole_t) domain_type(newrole_t) domain_wide_inherit_fd(newrole_t) @@ -65,7 +65,7 @@ files_file_type(policy_src_t) type restorecon_t, can_relabelto_binary_policy; type restorecon_exec_t; -kernel_obj_id_change_exempt(restorecon_t) +domain_obj_id_change_exempt(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) role system_r types restorecon_t; 
@@ -83,7 +83,7 @@ type selinux_config_t; files_file_type(selinux_config_t) type setfiles_t, can_relabelto_binary_policy; -kernel_obj_id_change_exempt(setfiles_t) +domain_obj_id_change_exempt(setfiles_t) domain_type(setfiles_t) role system_r types setfiles_t; diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te index efb45c8..1237c5c 100644 --- a/refpolicy/policy/modules/system/sysnetwork.te +++ b/refpolicy/policy/modules/system/sysnetwork.te @@ -86,7 +86,7 @@ allow ifconfig_t dhcpc_t:process sigchld; kernel_read_system_state(dhcpc_t) kernel_read_network_state(dhcpc_t) kernel_read_kernel_sysctl(dhcpc_t) -kernel_read_hardware_state(dhcpc_t) +dev_read_sysfs(dhcpc_t) kernel_use_fd(dhcpc_t) corenet_tcp_sendrecv_all_if(dhcpc_t) diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index bd6cc1a..bfeb6f6 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -10,7 +10,7 @@ type udev_t; # nscd_client_domain type udev_exec_t; type udev_helper_exec_t; kernel_userland_entry(udev_t,udev_exec_t) -kernel_obj_id_change_exempt(udev_t) +domain_obj_id_change_exempt(udev_t) domain_entry_file(udev_t,udev_helper_exec_t) domain_wide_inherit_fd(udev_t) init_daemon_domain(udev_t,udev_exec_t) @@ -70,7 +70,7 @@ kernel_read_device_sysctl(udev_t) kernel_read_hotplug_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t) -kernel_read_hardware_state(udev_t) +dev_read_sysfs(udev_t) kernel_get_selinuxfs_mount_point(udev_t) kernel_validate_context(udev_t) kernel_compute_access_vector(udev_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index d1118e7..b626591 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -108,7 +108,7 @@ define(`base_user_domain',` # Find CDROM devices: kernel_read_device_sysctl($1_t) # GNOME checks for usb and other devices: - kernel_rw_usb_hardware_config_option($1_t) + dev_rw_usbfs($1_t) corenet_tcp_sendrecv_all_if($1_t) corenet_raw_sendrecv_all_if($1_t) @@ -453,7 +453,7 @@ define(`user_domain_template', ` kernel_read_system_state($1_t) kernel_read_network_state($1_t) - kernel_read_hardware_state($1_t) + dev_read_sysfs($1_t) # cjp: why? bootloader_read_kernel_symbol_table($1_t) @@ -614,7 +614,7 @@ define(`admin_domain_template',` base_user_domain($1) typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; - kernel_obj_id_change_exempt($1_t) + domain_obj_id_change_exempt($1_t) role system_r types $1_t; #ifdef(`direct_sysadm_daemon', `, priv_system_role')
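Review bot: `dev_rw_usbfs($1_t)` in `base_user_domain` (the `@@ -108,7` hunk) gives every user domain `rw_file_perms` on all `usbfs_t` files, while the comment above it only says GNOME "checks for" USB devices. Enumerating devices should need no more than `dev_list_usbfs($1_t)` or `dev_read_usbfs($1_t)`, both introduced in devices.if by this commit. Write access to usbfs files is what lets a process submit requests to USB devices directly, so it is worth withholding from ordinary user sessions. If write access really is required, the comment should say which program needs it and why. The `base_user_domain` definition starts and ends outside the hunk.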