diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 9803431..988ee39 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -266,6 +266,8 @@ terminal_get_general_physical_terminal_attributes(rpm_script_t)
terminal_list_pseudoterminals(rpm_script_t)
authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
+# ideally we would not need this
+authlogin_manage_all_files_except_shadow(rpm_script_t)
corecommands_execute_general_programs(rpm_script_t)
corecommands_execute_system_programs(rpm_script_t)
@@ -307,8 +309,6 @@ ifdef(`TODO',`
allow rpm_script_t sysfs_t:dir r_dir_perms;
# ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 9e28046..742e7a5 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -300,9 +300,11 @@ define(`bootloader_modify_kernel_modules',`
requires_block_template(`$0'_depend)
allow $1 modules_object_t:file { getattr create read write setattr unlink };
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+typeattribute $1 can_modify_kernel_modules;
')
define(`bootloader_modify_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
type modules_object_t;
class file { getattr create read write setattr unlink };
class dir { getattr search read write add_name remove_name };
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 151b359..d64ae40 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -427,84 +427,34 @@ class chr_file { getattr write ioctl };
########################################
#
-# devices_read_dev_null(domain)
-#
-define(`devices_read_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr read };
-')
-
-define(`devices_read_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read };
-')
-
-########################################
-#
-# devices_write_dev_null(domain)
-#
-define(`devices_write_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
-########################################
-#
# devices_use_dev_null(domain)
#
define(`devices_use_dev_null',`
-devices_read_dev_null($1)
-devices_write_dev_null($1)
-')
-
-########################################
-#
-# devices_read_dev_zero(domain)
-#
-define(`devices_read_dev_zero',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr read };
+allow $1 null_device_t:chr_file { getattr read write append ioctl };
')
-define(`devices_read_dev_zero_depend',`
-type device_t, zero_device_t;
+define(`devices_use_dev_null_depend',`
+type device_t, null_device_t;
class device_t:dir { getattr read search };
-class chr_file { getattr read };
+class chr_file { getattr read write append ioctl };
')
########################################
#
-# devices_write_dev_zero(domain)
+# devices_use_dev_zero(domain)
#
-define(`devices_write_dev_zero',`
+define(`devices_use_dev_zero',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr append write };
+allow $1 zero_device_t:chr_file { getattr read write append ioctl };
')
-define(`devices_write_dev_zero_depend',`
+define(`devices_use_dev_zero_depend',`
type device_t, zero_device_t;
class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
-########################################
-#
-# devices_use_dev_zero(domain)
-#
-define(`devices_use_dev_zero',`
-devices_read_dev_zero($1)
-devices_write_dev_zero($1)
+class chr_file { getattr read write append ioctl };
')
########################################
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e226fec..6f566b9 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -973,6 +973,29 @@ class chr_file { getattr read write ioctl };
')
########################################
+##
+##
+## Relabel character nodes on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_relabel_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_relabel_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read };
+class chr_file { getattr relabelfrom relabelto };
+')
+
+########################################
##
##
## Read and write block nodes on tmpfs filesystems.
@@ -996,6 +1019,29 @@ class blk_file { getattr read write ioctl };
')
########################################
+##
+##
+## Relabel block nodes on tmpfs filesystems.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`filesystem_relabel_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read };
+class blk_file { getattr relabelfrom relabelto };
+')
+
+########################################
##
##
## Read and write, create and delete character
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index c8c904e..8b4c7e2 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -94,15 +94,19 @@ filesystem_get_all_filesystems_attributes(crond_t)
terminal_ignore_use_console(crond_t)
-init_use_file_descriptors(crond_t)
-init_script_use_pseudoterminal(crond_t)
+# need auth_chkpwd to check for locked accounts.
+authlogin_check_password_transition(crond_t)
+
+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)
domain_use_widely_inheritable_file_descriptors(crond_t)
files_read_general_system_config(crond_t)
+files_read_system_spools(crond_t)
-corecommands_execute_shell(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+init_use_file_descriptors(crond_t)
+init_script_use_pseudoterminal(crond_t)
libraries_use_dynamic_loader(crond_t)
libraries_use_shared_libraries(crond_t)
@@ -115,8 +119,7 @@ selinux_newrole_sigchld(crond_t)
miscfiles_read_localization(crond_t)
-# need auth_chkpwd to check for locked accounts.
-authlogin_check_password_transition(crond_t)
+userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -136,7 +139,6 @@ ifdef(`TODO',`
# NB The constraints file has some entries for crond_t, this makes it
# different from all other domains...
-allow crond_t unpriv_userdomain:fd use;
allow crond_t autofs_t:dir { search getattr };
dontaudit crond_t sysadm_home_dir_t:dir search;
@@ -153,18 +155,15 @@ allow crond_t autofs_t:dir { search getattr };
# Read from /var/spool/cron.
allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t var_spool_t:file { getattr read };
allow crond_t mail_spool_t:dir search;
+# for if /var/mail is a symlink
+allow crond_t mail_spool_t:lnk_file read;
allow crond_t default_t:dir search;
# crond tries to search /root. Not sure why.
allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-# for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
-
# to search /home
allow crond_t user_home_dir_type:dir r_dir_perms;
@@ -269,6 +268,9 @@ files_get_all_file_attributes(system_crond_t)
files_read_general_application_resources(system_crond_t)
# for nscd:
files_ignore_search_runtime_data_directory(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_system_spools(system_crond_t)
corecommands_execute_general_programs(system_crond_t)
corecommands_execute_system_programs(system_crond_t)
@@ -324,14 +326,9 @@ allow system_crond_t var_t:file { getattr read ioctl };
allow system_crond_t var_lib_t:dir rw_dir_perms;
allow system_crond_t var_lib_t:file create_file_perms;
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
# for if /var/mail is a symlink
allow system_crond_t mail_spool_t:lnk_file read;
-
#
# These rules are here to allow system cron jobs to su
#
@@ -360,7 +357,6 @@ mta_send_mail_transition(system_crond_t)
# system_mail_t should only be reading from the cron fifo not needing to write
dontaudit system_mail_t crond_t:fifo_file write;
allow mta_user_agent system_crond_t:fd use;
-allow mta_user_agent system_crond_t:fd use;
r_dir_file(system_mail_t, crond_tmp_t)
')
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index ecaf4d1..de01298 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -441,6 +441,58 @@ class lnk_file { create read getattr setattr link unlink rename };
')
########################################
+##
+##
+## Relabel all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+
+define(`authlogin_relabel_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_relabel_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_relabel_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
+##
+##
+## Manage all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+
+define(`authlogin_manage_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_manage_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_manage_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
##
##
## Execute utempter programs in the utempter domain.
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3246c7a..42de0c9 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -62,7 +62,7 @@ define(`domain_make_entrypoint_file',`
requires_block_template(`$0'_depend)
allow $1 $2:file entrypoint;
files_make_file($2)
-typeattribute $1 entry_type;
+typeattribute $2 entry_type;
')
define(`domain_make_entrypoint_file_depend',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 03542e2..6735cf0 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -99,7 +99,7 @@ attribute tmpfsfile;
########################################
#
# files_get_all_file_attributes(domain)
-#
+
define(`files_get_all_file_attributes',`
requires_block_template(`$0'_depend)
allow $1 file_type:dir { search getattr };
@@ -119,23 +119,37 @@ class sock_file getattr;
')
########################################
+##
+##
+## Relabel all files on the filesystem, except
+## the listed exceptions.
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
#
-# files_manage_all_files_labels(type)
-#
-define(`files_manage_all_files_labels',`
+define(`files_relabel_all_files',`
requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr relabelfrom relabelto };
-allow $1 file_type:file { getattr relabelfrom relabelto };
-allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
-allow $1 file_type:fifo_file { getattr relabelfrom relabelto };
-allow $1 file_type:sock_file { getattr relabelfrom relabelto };
-allow $1 file_type:blk_file { getattr relabelfrom };
-allow $1 file_type:chr_file { getattr relabelfrom };
-')
-
-define(`files_manage_all_files_labels_depend',`
+allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
+allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+# satisfy the assertions:
+selinux_relabelto_binary_policy($1)
+')
+
+define(`files_relabel_all_files_depend',`
attribute file_type;
-class dir { relabelfrom relabelto };
+class dir { getattr search read relabelfrom relabelto };
class file { relabelfrom relabelto };
class lnk_file { relabelfrom relabelto };
class fifo_file { relabelfrom relabelto };
@@ -145,6 +159,43 @@ class chr_file relabelfrom;
')
########################################
+##
+##
+## Manage all files on the filesystem, except
+## the listed exceptions.
+##
+##
+## The type of the domain perfoming this action.
+##
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+##
+##
+##
+#
+define(`files_manage_all_files',`
+requires_block_template(`$0'_depend)
+allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+# satisfy the assertions:
+selinux_write_binary_policy($1)
+bootloader_modify_kernel_modules($1)
+')
+
+define(`files_manage_all_files_depend',`
+attribute file_type;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
#
# files_search_all_directories(domain)
#
@@ -648,6 +699,20 @@ class sock_file { getattr unlink };
########################################
#
+# files_search_general_application_resources_dir(domain)
+#
+define(`files_search_general_application_resources_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+')
+
+define(`files_search_general_application_resources_dir_depend',`
+type usr_t;
+class dir search;
+')
+
+########################################
+#
# files_read_general_application_resources(domain)
#
define(`files_read_general_application_resources',`
@@ -998,4 +1063,38 @@ type var_t, var_spool_t;
class dir { getattr search read };
')
+########################################
+#
+# files_read_system_spools(domain)
+#
+define(`files_read_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read };
+allow $1 var_spool_t:file { getattr read };
+')
+
+define(`files_read_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_manage_system_spools(domain)
+#
+define(`files_manage_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+allow $1 var_spool_t:file { getattr create read write append unlink setattr };
+')
+
+define(`files_manage_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write append unlink setattr };
+')
+
##
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index c4d0c56..9536e3e 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -44,6 +44,7 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
terminal_use_all_terminals(getty_t)
terminal_set_console_attributes(getty_t)
+init_script_modify_runtime_data(getty_t)
init_script_use_pseudoterminal(getty_t)
files_modify_system_runtime_data(getty_t)
@@ -55,6 +56,9 @@ files_read_general_system_config(getty_t)
authlogin_modify_login_records(getty_t)
+libraries_use_dynamic_loader(getty_t)
+libraries_use_shared_libraries(getty_t)
+
locallogin_transition(getty_t)
logging_send_system_log_message(getty_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 3acb8cc..bc63bb8 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -112,7 +112,7 @@ optional_policy(`netutils.te', `
netutils_transition(hotplug_t)
filesystem_use_tmpfs_character_devices(hotplug_t)
') dnl endif netutils optional
-files_get_system_lock_file_attribues(hotplug_t)
+files_get_system_lock_file_attributes(hotplug_t)
')dnl end distro_redhat tunable
tunable_policy(`targeted_policy', `
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 6b38a53..937b98c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -22,20 +22,18 @@ kernel_make_userland_entrypoint(init_t,init_exec_t)
domain_make_entrypoint_file(init_t,init_exec_t)
#
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_make_daemon_runtime_file(init_var_run_t)
+
+#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type initctl_t;
files_make_file(initctl_t)
-filesystem_tmpfs_associate(initctl_t)
-devices_create_dev_entry(init_t,initctl_t,fifo_file)
-
-#
-# init_var_run_t is the type for /var/run/shutdown.pid.
-#
-type init_var_run_t;
-files_make_daemon_runtime_file(init_var_run_t)
type initrc_t;
domain_make_domain(initrc_t)
@@ -70,6 +68,10 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans };
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
files_create_daemon_runtime_data(init_t,init_var_run_t)
+allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
+filesystem_tmpfs_associate(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
# Run init scripts. this is ok since initrc
# is also in this module
allow init_t initrc_t:process transition;
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 3f22b3d..23b6ea8 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -132,6 +132,7 @@ class file { getattr read write };
#
define(`libraries_use_shared_libraries',`
requires_block_template(`$0'_depend)
+files_search_general_application_resources_dir($1)
allow $1 lib_t:dir { getattr search read };
allow $1 lib_t:lnk_file { getattr read };
allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 4d2f562..fd97ed4 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -571,6 +571,29 @@ class file { getattr create write unlink };
')
########################################
+##
+##
+## Allow the caller to relabel a file to the binary policy type.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
+########################################
#
# selinux_manage_binary_policy(domain)
#
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 7ecde92..96f0f0c 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
allow checkpolicy_t selinux_config_t:dir search;
filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir { getattr search read };
allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
domain_use_widely_inheritable_file_descriptors(load_policy_t)
+files_search_general_system_config_directory(load_policy_t)
+
libraries_use_dynamic_loader(load_policy_t)
libraries_use_shared_libraries(load_policy_t)
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
########################################
#
# Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
# relabeling rules
kernel_relabel_unlabeled_object(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
tunable_policy(`distro_redhat', `
filesystem_use_tmpfs_character_devices(restorecon_t)
filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
')
ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
allow restorecon_t fs_type:dir r_dir_perms;
allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(setfiles_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 4d2f562..fd97ed4 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -571,6 +571,29 @@ class file { getattr create write unlink };
')
########################################
+##
+##
+## Allow the caller to relabel a file to the binary policy type.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
+########################################
#
# selinux_manage_binary_policy(domain)
#
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7ecde92..96f0f0c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
# only allow read of policy source files
allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
allow checkpolicy_t selinux_config_t:dir search;
filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
allow load_policy_t policy_config_t:dir { getattr search read };
allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
kernel_get_selinuxfs_mount_point(load_policy_t)
kernel_load_selinux_policy(load_policy_t)
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
domain_use_widely_inheritable_file_descriptors(load_policy_t)
+files_search_general_system_config_directory(load_policy_t)
+
libraries_use_dynamic_loader(load_policy_t)
libraries_use_shared_libraries(load_policy_t)
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t)
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
########################################
#
# Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
# relabeling rules
kernel_relabel_unlabeled_object(restorecon_t)
devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
tunable_policy(`distro_redhat', `
filesystem_use_tmpfs_character_devices(restorecon_t)
filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
')
ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
allow restorecon_t fs_type:dir r_dir_perms;
allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
kernel_relabel_unlabeled_object(setfiles_t)
devices_manage_all_devices_labels(setfiles_t)
files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(setfiles_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 95753f8..8c377ac 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -57,9 +57,9 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
-# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-
allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index e0b7ab2..55d3e48 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -10,6 +10,10 @@
define(`base_user_domain',`
+attribute $1_file_type;
+
+type $1_t, userdomain;
+corecommands_make_shell_entrypoint($1_t)
role $1_r types $1_t;
allow system_r $1_r;
@@ -370,9 +374,10 @@ define(`user_domain_template', `
# Declarations
#
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
-type $1_t, userdomain, unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
domain_make_domain($1_t)
domain_make_file_descriptors_widely_inheritable($1_t)
@@ -398,9 +403,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
# Local policy
#
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
@@ -584,9 +586,10 @@ define(`admin_domain_template',`
# Declarations
#
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
-type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain;
+typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception($1_t)
domain_make_domain($1_t)
role system_r types $1_t;
@@ -615,9 +618,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
# $1_t local policy
#
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
allow $1_t self:capability ~sys_module;
allow $1_t self:process { setexec setfscreate };
@@ -682,6 +682,11 @@ terminal_use_general_physical_terminal($1_t)
terminal_use_all_private_pseudoterminals($1_t)
terminal_use_all_private_physical_terminals($1_t)
+# Manage almost all files
+authlogin_manage_all_files_except_shadow($1_t)
+# Relabel almost all files
+authlogin_relabel_all_files_except_shadow($1_t)
+
domain_set_all_domains_priorities($1_t)
files_execute_system_source_code_scripts($1_t)
@@ -710,18 +715,6 @@ ifdef(`TODO',`
# Let admin stat the shadow file.
allow $1_t shadow_t:file getattr;
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
# for lsof
allow $1_t mtrr_device_t:file getattr;