diff --git a/refpolicy/policy/modules/admin/bootloader.fc b/refpolicy/policy/modules/admin/bootloader.fc
new file mode 100644
index 0000000..bcedf95
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.fc
@@ -0,0 +1,12 @@
+
+/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+
+/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/bootloader.if b/refpolicy/policy/modules/admin/bootloader.if
new file mode 100644
index 0000000..8f6707b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.if
@@ -0,0 +1,134 @@
+## Policy for the kernel modules, kernel image, and bootloader.
+
+########################################
+##
+## Execute bootloader in the bootloader domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`bootloader_domtrans',`
+ gen_require(`
+ type bootloader_t, bootloader_exec_t;
+ ')
+
+ domain_auto_trans($1, bootloader_exec_t, bootloader_t)
+
+ allow $1 bootloader_t:fd use;
+ allow bootloader_t $1:fd use;
+ allow bootloader_t $1:fifo_file rw_file_perms;
+ allow bootloader_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute bootloader interactively and do
+## a domain transition to the bootloader domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to be allowed the bootloader domain.
+##
+##
+##
+##
+## The type of the terminal allow the bootloader domain to use.
+##
+##
+#
+interface(`bootloader_run',`
+ gen_require(`
+ type bootloader_t;
+ ')
+
+ bootloader_domtrans($1)
+
+ role $2 types bootloader_t;
+ allow bootloader_t $3:chr_file rw_file_perms;
+')
+
+########################################
+##
+## Read the bootloader configuration file.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`bootloader_read_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file r_file_perms;
+')
+
+########################################
+##
+## Read and write the bootloader
+## configuration file.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`bootloader_rw_config',`
+ gen_require(`
+ type bootloader_etc_t;
+ ')
+
+ allow $1 bootloader_etc_t:file rw_file_perms;
+')
+
+########################################
+##
+## Read and write the bootloader
+## temporary data in /tmp.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`bootloader_rw_tmp_files',`
+ gen_require(`
+ type bootloader_tmp_t;
+ ')
+
+ # FIXME: read tmp_t dir
+ allow $1 bootloader_tmp_t:file rw_file_perms;
+')
+
+########################################
+##
+## Read and write the bootloader
+## temporary data in /tmp.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`bootloader_create_runtime_file',`
+ gen_require(`
+ type boot_t, boot_runtime_t;
+ ')
+
+ allow $1 boot_t:dir rw_dir_perms;
+ allow $1 boot_runtime_t:file { rw_file_perms create unlink };
+ type_transition $1 boot_t:file boot_runtime_t;
+')
diff --git a/refpolicy/policy/modules/admin/bootloader.te b/refpolicy/policy/modules/admin/bootloader.te
new file mode 100644
index 0000000..a0e3d9c
--- /dev/null
+++ b/refpolicy/policy/modules/admin/bootloader.te
@@ -0,0 +1,222 @@
+
+policy_module(bootloader,1.1.4)
+
+########################################
+#
+# Declarations
+#
+
+#
+# boot_runtime_t is the type for /boot/kernel.h,
+# which is automatically generated at boot time.
+# only for Red Hat
+#
+type boot_runtime_t;
+files_type(boot_runtime_t)
+
+type bootloader_t;
+domain_type(bootloader_t)
+role system_r types bootloader_t;
+
+type bootloader_exec_t;
+domain_entry_file(bootloader_t,bootloader_exec_t)
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_type(bootloader_etc_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_tmp_file(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
+
+#
+# /var/log/ksyms
+# cjp: this probably can be removed, I do not
+# think it is used on 2.6 kernels
+type var_log_ksyms_t;
+logging_log_file(var_log_ksyms_t)
+
+########################################
+#
+# bootloader local policy
+#
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:fifo_file rw_file_perms;
+
+allow bootloader_t bootloader_etc_t:file r_file_perms;
+# uncomment the following lines if you use "lilo -p"
+#allow bootloader_t bootloader_etc_t:file manage_file_perms;
+#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
+
+allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
+allow bootloader_t bootloader_tmp_t:file create_file_perms;
+allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
+allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
+files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+# for tune2fs (cjp: ?)
+files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
+
+kernel_getattr_core_if(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctls(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+dev_getattr_all_chr_files(bootloader_t)
+dev_getattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
+dev_read_sysfs(bootloader_t)
+# for reading BIOS data
+dev_read_raw_memory(bootloader_t)
+
+fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
+
+term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dirs(bootloader_t)
+
+corecmd_exec_bin(bootloader_t)
+corecmd_exec_sbin(bootloader_t)
+corecmd_exec_shell(bootloader_t)
+
+domain_exec_all_entry_files(bootloader_t)
+domain_use_interactive_fds(bootloader_t)
+
+files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
+files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
+files_read_etc_runtime_files(bootloader_t)
+files_read_usr_src_files(bootloader_t)
+files_read_usr_files(bootloader_t)
+files_read_var_files(bootloader_t)
+files_read_kernel_modules(bootloader_t)
+# for nscd
+files_dontaudit_search_pids(bootloader_t)
+
+init_getattr_initctl(bootloader_t)
+init_use_script_ptys(bootloader_t)
+init_use_script_fds(bootloader_t)
+init_rw_script_pipes(bootloader_t)
+
+libs_use_ld_so(bootloader_t)
+libs_use_shared_libs(bootloader_t)
+libs_read_lib_files(bootloader_t)
+libs_exec_lib_files(bootloader_t)
+
+logging_send_syslog_msg(bootloader_t)
+logging_rw_generic_logs(bootloader_t)
+
+miscfiles_read_localization(bootloader_t)
+
+seutil_read_bin_policy(bootloader_t)
+seutil_read_loadpolicy(bootloader_t)
+seutil_dontaudit_search_config(bootloader_t)
+
+ifdef(`distro_debian',`
+ allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+ fs_list_tmpfs(bootloader_t)
+
+ files_relabel_kernel_modules(bootloader_t)
+ files_relabelfrom_boot_files(bootloader_t)
+ files_delete_kernel_modules(bootloader_t)
+ files_relabelto_usr_files(bootloader_t)
+ files_search_var_lib(bootloader_t)
+ # for /usr/share/initrd-tools/scripts
+ files_exec_usr_files(bootloader_t)
+
+ fstools_manage_entry_files(bootloader_t)
+ fstools_relabelto_entry_files(bootloader_t)
+
+ libs_relabelto_lib_files(bootloader_t)
+')
+
+ifdef(`distro_redhat',`
+ # for memlock
+ allow bootloader_t self:capability ipc_lock;
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+
+ # mkinitrd mount initrd on bootloader temp dir
+ files_mountpoint(bootloader_tmp_t)
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+ files_manage_isid_type_dirs(bootloader_t)
+ files_manage_isid_type_files(bootloader_t)
+ files_manage_isid_type_symlinks(bootloader_t)
+ files_manage_isid_type_blk_files(bootloader_t)
+ files_manage_isid_type_chr_files(bootloader_t)
+
+ # for mke2fs
+ mount_domtrans(bootloader_t)
+')
+
+ifdef(`targeted_policy',`
+ term_use_unallocated_ttys(bootloader_t)
+ term_use_generic_ptys(bootloader_t)
+')
+
+optional_policy(`fstools',`
+ fstools_exec(bootloader_t)
+')
+
+optional_policy(`lvm',`
+ dev_rw_lvm_control(bootloader_t)
+
+ lvm_domtrans(bootloader_t)
+ lvm_read_config(bootloader_t)
+')
+
+optional_policy(`modutils',`
+ modutils_exec_insmod(bootloader_t)
+ modutils_read_module_deps(bootloader_t)
+ modutils_read_module_config(bootloader_t)
+ modutils_exec_insmod(bootloader_t)
+ modutils_exec_depmod(bootloader_t)
+ modutils_exec_update_mods(bootloader_t)
+')
+
+optional_policy(`nscd',`
+ nscd_socket_use(bootloader_t)
+')
+
+optional_policy(`rpm',`
+ rpm_rw_pipes(bootloader_t)
+')
+
+optional_policy(`userdomain',`
+ userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+')
+
+ifdef(`TODO',`
+ifdef(`distro_debian', `
+ # cjp: there is no setfscreate or type_transition, and
+ # bootloader_t cannot rw a usr_t or lib_t directory, so
+ # how can this work? This is probably rw_file_perms,
+ # possibly with unlink. Files are probably "created"
+ # by the above relabeling permissions.
+ allow bootloader_t { usr_t lib_t }:file create_file_perms;
+
+ allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+ allow bootloader_t dpkg_var_lib_t:file { getattr read };
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/kernel/bootloader.fc b/refpolicy/policy/modules/kernel/bootloader.fc
deleted file mode 100644
index bcedf95..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-
-/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-
-/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
deleted file mode 100644
index 8f6707b..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ /dev/null
@@ -1,134 +0,0 @@
-## Policy for the kernel modules, kernel image, and bootloader.
-
-########################################
-##
-## Execute bootloader in the bootloader domain.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_domtrans',`
- gen_require(`
- type bootloader_t, bootloader_exec_t;
- ')
-
- domain_auto_trans($1, bootloader_exec_t, bootloader_t)
-
- allow $1 bootloader_t:fd use;
- allow bootloader_t $1:fd use;
- allow bootloader_t $1:fifo_file rw_file_perms;
- allow bootloader_t $1:process sigchld;
-')
-
-########################################
-##
-## Execute bootloader interactively and do
-## a domain transition to the bootloader domain.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-##
-## The role to be allowed the bootloader domain.
-##
-##
-##
-##
-## The type of the terminal allow the bootloader domain to use.
-##
-##
-#
-interface(`bootloader_run',`
- gen_require(`
- type bootloader_t;
- ')
-
- bootloader_domtrans($1)
-
- role $2 types bootloader_t;
- allow bootloader_t $3:chr_file rw_file_perms;
-')
-
-########################################
-##
-## Read the bootloader configuration file.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_read_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
- allow $1 bootloader_etc_t:file r_file_perms;
-')
-
-########################################
-##
-## Read and write the bootloader
-## configuration file.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_rw_config',`
- gen_require(`
- type bootloader_etc_t;
- ')
-
- allow $1 bootloader_etc_t:file rw_file_perms;
-')
-
-########################################
-##
-## Read and write the bootloader
-## temporary data in /tmp.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_rw_tmp_files',`
- gen_require(`
- type bootloader_tmp_t;
- ')
-
- # FIXME: read tmp_t dir
- allow $1 bootloader_tmp_t:file rw_file_perms;
-')
-
-########################################
-##
-## Read and write the bootloader
-## temporary data in /tmp.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`bootloader_create_runtime_file',`
- gen_require(`
- type boot_t, boot_runtime_t;
- ')
-
- allow $1 boot_t:dir rw_dir_perms;
- allow $1 boot_runtime_t:file { rw_file_perms create unlink };
- type_transition $1 boot_t:file boot_runtime_t;
-')
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
deleted file mode 100644
index a0e3d9c..0000000
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ /dev/null
@@ -1,222 +0,0 @@
-
-policy_module(bootloader,1.1.4)
-
-########################################
-#
-# Declarations
-#
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for Red Hat
-#
-type boot_runtime_t;
-files_type(boot_runtime_t)
-
-type bootloader_t;
-domain_type(bootloader_t)
-role system_r types bootloader_t;
-
-type bootloader_exec_t;
-domain_entry_file(bootloader_t,bootloader_exec_t)
-
-#
-# bootloader_etc_t is the configuration file,
-# grub.conf, lilo.conf, etc.
-#
-type bootloader_etc_t alias etc_bootloader_t;
-files_type(bootloader_etc_t)
-
-#
-# The temp file is used for initrd creation;
-# it consists of files and device nodes
-#
-type bootloader_tmp_t;
-files_tmp_file(bootloader_tmp_t)
-dev_node(bootloader_tmp_t)
-
-#
-# /var/log/ksyms
-# cjp: this probably can be removed, I do not
-# think it is used on 2.6 kernels
-type var_log_ksyms_t;
-logging_log_file(var_log_ksyms_t)
-
-########################################
-#
-# bootloader local policy
-#
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t bootloader_etc_t:file r_file_perms;
-# uncomment the following lines if you use "lilo -p"
-#allow bootloader_t bootloader_etc_t:file manage_file_perms;
-#files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
-
-allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
-allow bootloader_t bootloader_tmp_t:file create_file_perms;
-allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
-allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
-files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
-# for tune2fs (cjp: ?)
-files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
-
-kernel_getattr_core_if(bootloader_t)
-kernel_read_system_state(bootloader_t)
-kernel_read_software_raid_state(bootloader_t)
-kernel_read_kernel_sysctls(bootloader_t)
-
-storage_raw_read_fixed_disk(bootloader_t)
-storage_raw_write_fixed_disk(bootloader_t)
-storage_raw_read_removable_device(bootloader_t)
-storage_raw_write_removable_device(bootloader_t)
-
-dev_getattr_all_chr_files(bootloader_t)
-dev_getattr_all_blk_files(bootloader_t)
-dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
-dev_read_rand(bootloader_t)
-dev_read_urand(bootloader_t)
-dev_read_sysfs(bootloader_t)
-# for reading BIOS data
-dev_read_raw_memory(bootloader_t)
-
-fs_getattr_xattr_fs(bootloader_t)
-fs_read_tmpfs_symlinks(bootloader_t)
-
-term_getattr_all_user_ttys(bootloader_t)
-term_dontaudit_manage_pty_dirs(bootloader_t)
-
-corecmd_exec_bin(bootloader_t)
-corecmd_exec_sbin(bootloader_t)
-corecmd_exec_shell(bootloader_t)
-
-domain_exec_all_entry_files(bootloader_t)
-domain_use_interactive_fds(bootloader_t)
-
-files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
-files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
-files_read_etc_runtime_files(bootloader_t)
-files_read_usr_src_files(bootloader_t)
-files_read_usr_files(bootloader_t)
-files_read_var_files(bootloader_t)
-files_read_kernel_modules(bootloader_t)
-# for nscd
-files_dontaudit_search_pids(bootloader_t)
-
-init_getattr_initctl(bootloader_t)
-init_use_script_ptys(bootloader_t)
-init_use_script_fds(bootloader_t)
-init_rw_script_pipes(bootloader_t)
-
-libs_use_ld_so(bootloader_t)
-libs_use_shared_libs(bootloader_t)
-libs_read_lib_files(bootloader_t)
-libs_exec_lib_files(bootloader_t)
-
-logging_send_syslog_msg(bootloader_t)
-logging_rw_generic_logs(bootloader_t)
-
-miscfiles_read_localization(bootloader_t)
-
-seutil_read_bin_policy(bootloader_t)
-seutil_read_loadpolicy(bootloader_t)
-seutil_dontaudit_search_config(bootloader_t)
-
-ifdef(`distro_debian',`
- allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
- fs_list_tmpfs(bootloader_t)
-
- files_relabel_kernel_modules(bootloader_t)
- files_relabelfrom_boot_files(bootloader_t)
- files_delete_kernel_modules(bootloader_t)
- files_relabelto_usr_files(bootloader_t)
- files_search_var_lib(bootloader_t)
- # for /usr/share/initrd-tools/scripts
- files_exec_usr_files(bootloader_t)
-
- fstools_manage_entry_files(bootloader_t)
- fstools_relabelto_entry_files(bootloader_t)
-
- libs_relabelto_lib_files(bootloader_t)
-')
-
-ifdef(`distro_redhat',`
- # for memlock
- allow bootloader_t self:capability ipc_lock;
-
- # new file system defaults to file_t, granting file_t access is still bad.
- allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
-
- # mkinitrd mount initrd on bootloader temp dir
- files_mountpoint(bootloader_tmp_t)
-
- # new file system defaults to file_t, granting file_t access is still bad.
- files_manage_isid_type_dirs(bootloader_t)
- files_manage_isid_type_files(bootloader_t)
- files_manage_isid_type_symlinks(bootloader_t)
- files_manage_isid_type_blk_files(bootloader_t)
- files_manage_isid_type_chr_files(bootloader_t)
-
- # for mke2fs
- mount_domtrans(bootloader_t)
-')
-
-ifdef(`targeted_policy',`
- term_use_unallocated_ttys(bootloader_t)
- term_use_generic_ptys(bootloader_t)
-')
-
-optional_policy(`fstools',`
- fstools_exec(bootloader_t)
-')
-
-optional_policy(`lvm',`
- dev_rw_lvm_control(bootloader_t)
-
- lvm_domtrans(bootloader_t)
- lvm_read_config(bootloader_t)
-')
-
-optional_policy(`modutils',`
- modutils_exec_insmod(bootloader_t)
- modutils_read_module_deps(bootloader_t)
- modutils_read_module_config(bootloader_t)
- modutils_exec_insmod(bootloader_t)
- modutils_exec_depmod(bootloader_t)
- modutils_exec_update_mods(bootloader_t)
-')
-
-optional_policy(`nscd',`
- nscd_socket_use(bootloader_t)
-')
-
-optional_policy(`rpm',`
- rpm_rw_pipes(bootloader_t)
-')
-
-optional_policy(`userdomain',`
- userdom_dontaudit_search_staff_home_dirs(bootloader_t)
- userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
-')
-
-ifdef(`TODO',`
-ifdef(`distro_debian', `
- # cjp: there is no setfscreate or type_transition, and
- # bootloader_t cannot rw a usr_t or lib_t directory, so
- # how can this work? This is probably rw_file_perms,
- # possibly with unlink. Files are probably "created"
- # by the above relabeling permissions.
- allow bootloader_t { usr_t lib_t }:file create_file_perms;
-
- allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
- allow bootloader_t dpkg_var_lib_t:file { getattr read };
-')
-') dnl end TODO