[selinux-policy: 218/3172] many fixes from cab testing

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:23:47 UTC 2010


commit efd8ede34d97578cc661c53f63f480050cdb3bf4
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed May 25 20:58:21 2005 +0000

    many fixes from cab testing

 refpolicy/policy/modules/admin/rpm.te          |    4 +-
 refpolicy/policy/modules/kernel/bootloader.if  |    2 +
 refpolicy/policy/modules/kernel/devices.if     |   68 ++-----------
 refpolicy/policy/modules/kernel/filesystem.if  |   46 +++++++++
 refpolicy/policy/modules/services/cron.te      |   32 +++----
 refpolicy/policy/modules/system/authlogin.if   |   52 ++++++++++
 refpolicy/policy/modules/system/domain.if      |    2 +-
 refpolicy/policy/modules/system/files.if       |  129 +++++++++++++++++++++---
 refpolicy/policy/modules/system/getty.te       |    4 +
 refpolicy/policy/modules/system/hotplug.te     |    2 +-
 refpolicy/policy/modules/system/init.te        |   18 ++--
 refpolicy/policy/modules/system/libraries.if   |    1 +
 refpolicy/policy/modules/system/selinux.if     |   23 ++++
 refpolicy/policy/modules/system/selinux.te     |   28 ++---
 refpolicy/policy/modules/system/selinuxutil.if |   23 ++++
 refpolicy/policy/modules/system/selinuxutil.te |   28 ++---
 refpolicy/policy/modules/system/sysnetwork.te  |    4 +-
 refpolicy/policy/modules/system/userdomain.if  |   37 +++----
 18 files changed, 341 insertions(+), 162 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 9803431..988ee39 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -266,6 +266,8 @@ terminal_get_general_physical_terminal_attributes(rpm_script_t)
 terminal_list_pseudoterminals(rpm_script_t)
 
 authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t)
+# ideally we would not need this
+authlogin_manage_all_files_except_shadow(rpm_script_t)
 
 corecommands_execute_general_programs(rpm_script_t)
 corecommands_execute_system_programs(rpm_script_t)
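Review bot: The retained comment `# ideally we would not need this` above the new `authlogin_manage_all_files_except_shadow(rpm_script_t)` call no longer explains what is being granted or what would let it be removed, and the grant is wider than the two rules it replaces in the next hunk: via files_manage_all_files the domain also receives selinux_write_binary_policy and bootloader_modify_kernel_modules, which are not visible at this call site. Suggest expanding it to `# ideally we would not need this; rpm scriptlets were seen touching arbitrary file types in cab testing. Narrow with the exception_types argument once the offending packages are known; note this also confers binary-policy and kernel-module write.` The interface takes an optional second argument, so the call could already list negated types if any are known.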
@@ -307,8 +309,6 @@ ifdef(`TODO',`
 allow rpm_script_t sysfs_t:dir r_dir_perms;
 
 # ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } { create ioctl read getattr lock write setattr append link unlink rename };
 allow rpm_script_t { device_t device_type }:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename };
 
 allow rpm_script_t usr_t:file { getattr read execute execute_no_trans };
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 9e28046..742e7a5 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -300,9 +300,11 @@ define(`bootloader_modify_kernel_modules',`
 requires_block_template(`$0'_depend)
 allow $1 modules_object_t:file { getattr create read write setattr unlink };
 allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+typeattribute $1 can_modify_kernel_modules;
 ')
 
 define(`bootloader_modify_kernel_modules_depend',`
+attribute can_modify_kernel_modules;
 type modules_object_t;
 class file { getattr create read write setattr unlink };
 class dir { getattr search read write add_name remove_name };
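Review bot: `attribute can_modify_kernel_modules;` is added only to the _depend block, which declares a requirement rather than defining the attribute; bootloader.te is not in this patch's diffstat, so unless the attribute is already defined there, every module that calls bootloader_modify_kernel_modules will presumably fail to link. The `typeattribute $1 can_modify_kernel_modules;` line also deserves a why-comment, since a grant interface silently tagging the caller is surprising; if it exists to exempt the domain from a modules_object_t assertion, say so: `# mark the caller so the kernel-module write assertion can exempt it`.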
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 151b359..d64ae40 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -427,84 +427,34 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_read_dev_null(domain)
-#
-define(`devices_read_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr read };
-')
-
-define(`devices_read_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr read };
-')
-
-########################################
-#
-# devices_write_dev_null(domain)
-#
-define(`devices_write_dev_null',`
-requires_block_template(`$0'_depend)
-allow $1 device_t:dir { getattr read search };
-allow $1 null_device_t:chr_file { getattr append write };
-')
-
-define(`devices_write_dev_null_depend',`
-type device_t, null_device_t;
-class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
-########################################
-#
 # devices_use_dev_null(domain)
 #
 define(`devices_use_dev_null',`
-devices_read_dev_null($1)
-devices_write_dev_null($1)
-')
-
-########################################
-#
-# devices_read_dev_zero(domain)
-#
-define(`devices_read_dev_zero',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr read };
+allow $1 null_device_t:chr_file { getattr read write append ioctl };
 ')
 
-define(`devices_read_dev_zero_depend',`
-type device_t, zero_device_t;
+define(`devices_use_dev_null_depend',`
+type device_t, null_device_t;
 class device_t:dir { getattr read search };
-class chr_file { getattr read };
+class chr_file { getattr read write append ioctl };
 ')
 
 ########################################
 #
-# devices_write_dev_zero(domain)
+# devices_use_dev_zero(domain)
 #
-define(`devices_write_dev_zero',`
+define(`devices_use_dev_zero',`
 requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
-allow $1 zero_device_t:chr_file { getattr append write };
+allow $1 zero_device_t:chr_file { getattr read write append ioctl };
 ')
 
-define(`devices_write_dev_zero_depend',`
+define(`devices_use_dev_zero_depend',`
 type device_t, zero_device_t;
 class device_t:dir { getattr read search };
-class chr_file { getattr append write };
-')
-
-########################################
-#
-# devices_use_dev_zero(domain)
-#
-define(`devices_use_dev_zero',`
-devices_read_dev_zero($1)
-devices_write_dev_zero($1)
+class chr_file { getattr read write append ioctl };
 ')
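Review bot: Both _depend blocks that survive the consolidation keep the context line `class device_t:dir { getattr read search };` (after `type device_t, null_device_t;` and after `type device_t, zero_device_t;`), which is not a valid class declaration — `class` takes a class name, not a type:class pair — so it should read `class dir { getattr read search };` in both places. The hunk also deletes devices_read_dev_null, devices_write_dev_null, devices_read_dev_zero and devices_write_dev_zero outright rather than leaving forwarding wrappers, so any caller outside this patch will fail to expand; the patch touches no .te file for those names, which is worth a grep before merging.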
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e226fec..6f566b9 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -973,6 +973,29 @@ class chr_file { getattr read write ioctl };
 ')
 
 ########################################
+## <interface name="filesystem_relabel_tmpfs_character_devices">
+##	<description>
+##		Relabel character nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_character_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_relabel_tmpfs_character_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class chr_file { getattr relabelfrom relabelto };
+')
+
+########################################
 ## <interface name="filesystem_use_tmpfs_block_devices">
 ##	<description>
 ##		Read and write block nodes on tmpfs filesystems.
@@ -996,6 +1019,29 @@ class blk_file { getattr read write ioctl };
 ')
 
 ########################################
+## <interface name="filesystem_relabel_tmpfs_block_devices">
+##	<description>
+##		Relabel block nodes on tmpfs filesystems.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`filesystem_relabel_tmpfs_block_devices',`
+requires_block_template(`$0'_depend)
+allow $1 tmpfs_t:dir { getattr search read };
+allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
+')
+
+define(`filesystem_use_tmpfs_block_devices_depend',`
+type tmpfs_t;
+class dir { getattr search read }; 
+class blk_file { getattr relabelfrom relabelto };
+')
+
+########################################
 ## <interface name="filesystem_manage_tmpfs_character_devices">
 ##	<description>
 ##		Read and write, create and delete character
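Review bot: The depend block added after `allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };` is named `filesystem_use_tmpfs_block_devices_depend`, so it redefines the depend of the existing filesystem_use_tmpfs_block_devices interface with relabel permissions, while `filesystem_relabel_tmpfs_block_devices_depend` — the name requires_block_template(`$0'_depend) will look up for the new interface — is never defined. Rename it to `define(`filesystem_relabel_tmpfs_block_devices_depend',`. Both new depend blocks (this one and the character-device one in the hunk above) also carry trailing whitespace on the `class dir { getattr search read }; ` line.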
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index c8c904e..8b4c7e2 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -94,15 +94,19 @@ filesystem_get_all_filesystems_attributes(crond_t)
 
 terminal_ignore_use_console(crond_t)
 
-init_use_file_descriptors(crond_t)
-init_script_use_pseudoterminal(crond_t)
+# need auth_chkpwd to check for locked accounts.
+authlogin_check_password_transition(crond_t)
+
+corecommands_execute_shell(crond_t)
+corecommands_read_system_programs_directory(crond_t)
 
 domain_use_widely_inheritable_file_descriptors(crond_t)
 
 files_read_general_system_config(crond_t)
+files_read_system_spools(crond_t)
 
-corecommands_execute_shell(crond_t)
-corecommands_read_system_programs_directory(crond_t)
+init_use_file_descriptors(crond_t)
+init_script_use_pseudoterminal(crond_t)
 
 libraries_use_dynamic_loader(crond_t)
 libraries_use_shared_libraries(crond_t)
@@ -115,8 +119,7 @@ selinux_newrole_sigchld(crond_t)
 
 miscfiles_read_localization(crond_t)
 
-# need auth_chkpwd to check for locked accounts.
-authlogin_check_password_transition(crond_t)
+userdomain_use_all_unprivileged_users_file_descriptors(crond_t)
 
 tunable_policy(`fcron_crond', `
 allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
@@ -136,7 +139,6 @@ ifdef(`TODO',`
 # NB The constraints file has some entries for crond_t, this makes it
 # different from all other domains...
 
-allow crond_t unpriv_userdomain:fd use;
 allow crond_t autofs_t:dir { search getattr };
 dontaudit crond_t sysadm_home_dir_t:dir search;
 
@@ -153,18 +155,15 @@ allow crond_t autofs_t:dir { search getattr };
 
 # Read from /var/spool/cron.
 allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t var_spool_t:file { getattr read };
 allow crond_t mail_spool_t:dir search;
+# for if /var/mail is a symlink
+allow crond_t mail_spool_t:lnk_file read;
 
 allow crond_t default_t:dir search;
 
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 
-# for if /var/mail is a symlink
-allow crond_t mail_spool_t:lnk_file read;
-
 # to search /home
 allow crond_t user_home_dir_type:dir r_dir_perms;
 
@@ -269,6 +268,9 @@ files_get_all_file_attributes(system_crond_t)
 files_read_general_application_resources(system_crond_t)
 # for nscd:
 files_ignore_search_runtime_data_directory(system_crond_t)
+# Access other spool directories like
+# /var/spool/anacron and /var/spool/slrnpull.
+files_manage_system_spools(system_crond_t)
 
 corecommands_execute_general_programs(system_crond_t)
 corecommands_execute_system_programs(system_crond_t)
@@ -324,14 +326,9 @@ allow system_crond_t var_t:file { getattr read ioctl };
 allow system_crond_t var_lib_t:dir rw_dir_perms;
 allow system_crond_t var_lib_t:file create_file_perms;
 
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
 # for if /var/mail is a symlink
 allow system_crond_t mail_spool_t:lnk_file read;
 
-
 #
 #  These rules are here to allow system cron jobs to su
 #
@@ -360,7 +357,6 @@ mta_send_mail_transition(system_crond_t)
 # system_mail_t should only be reading from the cron fifo not needing to write
 dontaudit system_mail_t crond_t:fifo_file write;
 allow mta_user_agent system_crond_t:fd use;
-allow mta_user_agent system_crond_t:fd use;
 r_dir_file(system_mail_t, crond_tmp_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index ecaf4d1..de01298 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -441,6 +441,58 @@ class lnk_file { create read getattr setattr link unlink rename };
 ')
 
 ########################################
+## <interface name="authlogin_relabel_all_files_except_shadow">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_relabel_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_relabel_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_relabel_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
+## <interface name="authlogin_manage_all_files_except_shadow">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the shadow passwords and listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+
+define(`authlogin_manage_all_files_except_shadow',`
+requires_block_template(`$0'_depend)
+files_manage_all_files($1,$2 -shadow_t)
+')
+
+define(`authlogin_manage_all_files_except_shadow_depend',`
+type shadow_t;
+')
+
+########################################
 ## <interface name="authlogin_utempter_transition">
 ##	<description>
 ##		Execute utempter programs in the utempter domain.
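Review bot: The <description> of both new interfaces promises "all files except the shadow passwords and listed exceptions", but through files_manage_all_files and files_relabel_all_files the caller also unconditionally receives selinux_write_binary_policy plus bootloader_modify_kernel_modules, or selinux_relabelto_binary_policy, which exception_types cannot remove; the descriptions should say so, e.g. `Also grants write (or relabelto) on the binary policy and, for manage, on kernel modules, to satisfy the corresponding assertions; these cannot be excluded via exception_types.` Both `<parameter name="domain">` blocks misspell "perfoming" (the same typo appears twice in files.if in this patch), and the blank line between `#` and `define(` differs from the other interfaces in this file, which put `define(` directly after the `#` banner.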
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 3246c7a..42de0c9 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -62,7 +62,7 @@ define(`domain_make_entrypoint_file',`
 requires_block_template(`$0'_depend)
 allow $1 $2:file entrypoint;
 files_make_file($2)
-typeattribute $1 entry_type;
+typeattribute $2 entry_type;
 ')
 
 define(`domain_make_entrypoint_file_depend',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 03542e2..6735cf0 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -99,7 +99,7 @@ attribute tmpfsfile;
 ########################################
 #
 # files_get_all_file_attributes(domain)
-#
+
 define(`files_get_all_file_attributes',`
 requires_block_template(`$0'_depend)
 allow $1 file_type:dir { search getattr };
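Review bot: The changed line replaces the closing `#` of the `# files_get_all_file_attributes(domain)` banner with a blank line, while every other banner in this file (`# files_search_all_directories(domain)` followed by `#`, for example) closes with `#`; restore `#` so the comment block stays consistent. The rest of files_get_all_file_attributes continues outside the hunk.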
@@ -119,23 +119,37 @@ class sock_file getattr;
 ')
 
 ########################################
+## <interface name="files_relabel_all_files">
+##	<description>
+##		Relabel all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
 #
-# files_manage_all_files_labels(type)
-#
-define(`files_manage_all_files_labels',`
+define(`files_relabel_all_files',`
 requires_block_template(`$0'_depend)
-allow $1 file_type:dir { getattr relabelfrom relabelto };
-allow $1 file_type:file { getattr relabelfrom relabelto };
-allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
-allow $1 file_type:fifo_file { getattr relabelfrom relabelto };
-allow $1 file_type:sock_file { getattr relabelfrom relabelto };
-allow $1 file_type:blk_file { getattr relabelfrom };
-allow $1 file_type:chr_file { getattr relabelfrom };
-')
-
-define(`files_manage_all_files_labels_depend',`
+allow $1 { file_type $2 }:dir { getattr search read relabelfrom relabelto };
+allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
+allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
+allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
+# satisfy the assertions:
+selinux_relabelto_binary_policy($1)
+')
+
+define(`files_relabel_all_files_depend',`
 attribute file_type;
-class dir { relabelfrom relabelto };
+class dir { getattr search read relabelfrom relabelto };
 class file { relabelfrom relabelto };
 class lnk_file { relabelfrom relabelto };
 class fifo_file { relabelfrom relabelto };
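Review bot: `selinux_relabelto_binary_policy($1)` after the `# satisfy the assertions:` comment is applied regardless of `$2`, so a caller that negates policy_config_t in exception_types still receives relabelto on it; either honor the exception or state this in the <description>, and make the comment name what it satisfies, e.g. `# satisfy the assertions: file_type includes policy_config_t, so mark the caller as a legitimate relabeler`. The depend block, still partly outside the hunk, declares only `relabelfrom relabelto` for file, lnk_file and fifo_file while the allow rules on those classes also use getattr; since the dir line was already widened to add getattr, the others should match. "perfoming" in the domain parameter is a typo.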
@@ -145,6 +159,43 @@ class chr_file relabelfrom;
 ')
 
 ########################################
+## <interface name="files_manage_all_files">
+##	<description>
+##		Manage all files on the filesystem, except
+##		the listed exceptions.
+##	</description>
+##	<parameter name="domain">
+##		The type of the domain perfoming this action.
+##	</parameter>
+##	<parameter name="exception_types" optional="true">
+##		The types to be excluded.  Each type or attribute
+##		must be negated by the caller.
+##	</parameter>
+##	<infoflow type="both" weight="10"/>
+## </interface>
+#
+define(`files_manage_all_files',`
+requires_block_template(`$0'_depend)
+allow $1 { file_type $2 }:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow $1 { file_type $2 }:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:lnk_file { create read getattr setattr link unlink rename };
+allow $1 { file_type $2 }:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow $1 { file_type $2 }:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+# satisfy the assertions:
+selinux_write_binary_policy($1)
+bootloader_modify_kernel_modules($1)
+')
+
+define(`files_manage_all_files_depend',`
+attribute file_type;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+class file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+')
+
+########################################
 #
 # files_search_all_directories(domain)
 #
@@ -648,6 +699,20 @@ class sock_file { getattr unlink };
 
 ########################################
 #
+# files_search_general_application_resources_dir(domain)
+#
+define(`files_search_general_application_resources_dir',`
+requires_block_template(`$0'_depend)
+allow $1 usr_t:dir search;
+')
+
+define(`files_search_general_application_resources_dir_depend',`
+type usr_t;
+class dir search;
+')
+
+########################################
+#
 # files_read_general_application_resources(domain)
 #
 define(`files_read_general_application_resources',`
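Review bot: The new name `files_search_general_application_resources_dir` uses a `_dir` suffix while the comparable interface this patch calls elsewhere, `files_search_general_system_config_directory` in selinux.te, spells out `_directory`; picking one form now avoids a rename later, so `files_search_general_application_resources_directory` would be the consistent choice (with the call in libraries.if updated to match). The interface also lacks the `## <interface>` XML documentation the other new interfaces in this patch carry.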
@@ -998,4 +1063,38 @@ type var_t, var_spool_t;
 class dir { getattr search read };
 ')
 
+########################################
+#
+# files_read_system_spools(domain)
+#
+define(`files_read_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read };
+allow $1 var_spool_t:file { getattr read };
+')
+
+define(`files_read_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_manage_system_spools(domain)
+#
+define(`files_manage_system_spools',`
+requires_block_template(`$0'_depend)
+allow $1 var_t:dir search;
+allow $1 var_spool_t:dir { getattr search read write add_name remove_name };
+allow $1 var_spool_t:file { getattr create read write append unlink setattr };
+')
+
+define(`files_manage_system_spools_depend',`
+type var_t, var_spool_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write append unlink setattr };
+')
+
 ## </module>
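Review bot: `allow $1 var_spool_t:file { getattr create read write append unlink setattr };` in files_manage_system_spools is narrower than the `create_file_perms` / `rw_dir_perms` rules it replaces for system_crond_t in cron.te — the expanded form of create_file_perms visible in that file also includes ioctl, lock, link and rename, and rw_dir_perms includes lock/ioctl — so system cron jobs may start to be denied lock or rename on spool files. If the narrowing is intentional, say so in the interface banner; otherwise align the file line with `{ create ioctl read getattr lock write setattr append link unlink rename }` and the dir line accordingly. Both new interfaces also lack the `## <interface>` XML documentation used for the other additions in this file.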
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index c4d0c56..9536e3e 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -44,6 +44,7 @@ filesystem_get_persistent_filesystem_attributes(getty_t)
 terminal_use_all_terminals(getty_t)
 terminal_set_console_attributes(getty_t)
 
+init_script_modify_runtime_data(getty_t)
 init_script_use_pseudoterminal(getty_t)
 
 files_modify_system_runtime_data(getty_t)
@@ -55,6 +56,9 @@ files_read_general_system_config(getty_t)
 
 authlogin_modify_login_records(getty_t)
 
+libraries_use_dynamic_loader(getty_t)
+libraries_use_shared_libraries(getty_t)
+
 locallogin_transition(getty_t)
 
 logging_send_system_log_message(getty_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 3acb8cc..bc63bb8 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -112,7 +112,7 @@ optional_policy(`netutils.te', `
 netutils_transition(hotplug_t)
 filesystem_use_tmpfs_character_devices(hotplug_t)
 ') dnl endif netutils optional
-files_get_system_lock_file_attribues(hotplug_t)
+files_get_system_lock_file_attributes(hotplug_t)
 ')dnl end distro_redhat tunable
 
 tunable_policy(`targeted_policy', `
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 6b38a53..937b98c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -22,20 +22,18 @@ kernel_make_userland_entrypoint(init_t,init_exec_t)
 domain_make_entrypoint_file(init_t,init_exec_t)
 
 #
+# init_var_run_t is the type for /var/run/shutdown.pid.
+#
+type init_var_run_t;
+files_make_daemon_runtime_file(init_var_run_t)
+
+#
 # initctl_t is the type of the named pipe created 
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
 type initctl_t;
 files_make_file(initctl_t)
-filesystem_tmpfs_associate(initctl_t)
-devices_create_dev_entry(init_t,initctl_t,fifo_file)
-
-#
-# init_var_run_t is the type for /var/run/shutdown.pid.
-#
-type init_var_run_t;
-files_make_daemon_runtime_file(init_var_run_t)
 
 type initrc_t;
 domain_make_domain(initrc_t)
@@ -70,6 +68,10 @@ allow init_t init_exec_t:file { getattr read execute execute_no_trans };
 allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
 files_create_daemon_runtime_data(init_t,init_var_run_t)
 
+allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
+filesystem_tmpfs_associate(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
 # Run init scripts.  this is ok since initrc
 # is also in this module
 allow init_t initrc_t:process transition;
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 3f22b3d..23b6ea8 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -132,6 +132,7 @@ class file { getattr read write };
 #
 define(`libraries_use_shared_libraries',`
 requires_block_template(`$0'_depend)
+files_search_general_application_resources_dir($1)
 allow $1 lib_t:dir { getattr search read };
 allow $1 lib_t:lnk_file { getattr read };
 allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
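Review bot: The added `files_search_general_application_resources_dir($1)` call sits inside libraries_use_shared_libraries but libraries.if changes only this one line (per the diffstat), so the interface's _depend block, which lies outside the hunk, is not extended; if the build's requires handling expects the callee's requirements (`type usr_t; class dir search;`) to be listed there, the nested call will not satisfy them. A short why-comment would also help, since the reason a shared-library interface searches usr_t is not obvious: `# /usr/lib is reached through /usr`. The body of libraries_use_shared_libraries continues past the hunk.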
diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if
index 4d2f562..fd97ed4 100644
--- a/refpolicy/policy/modules/system/selinux.if
+++ b/refpolicy/policy/modules/system/selinux.if
@@ -571,6 +571,29 @@ class file { getattr create write unlink };
 ')
 
 ########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
+########################################
 #
 # selinux_manage_binary_policy(domain)
 #
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 7ecde92..96f0f0c 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;
 
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
 
-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
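Review bot: The three rules changed from `newrole_t` to `load_policy_t` remove newrole's only visible read access to selinux_config_t in this file; the newrole local policy section begins further down and is outside this hunk, so unless it grants the same access there, newrole would presumably lose the ability to read its /etc/selinux configuration. Worth confirming before merging that this was a mislabeled load_policy rule rather than a needed newrole rule. The identical change is made in selinuxutil.te in this patch.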
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
 
 domain_use_widely_inheritable_file_descriptors(load_policy_t)
 
+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)
 
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
 
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
 ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;
 
 allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 4d2f562..fd97ed4 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -571,6 +571,29 @@ class file { getattr create write unlink };
 ')
 
 ########################################
+## <interface name="selinux_relabelto_binary_policy">
+##	<description>
+##		Allow the caller to relabel a file to the binary policy type.
+##	</description>
+##	<parameter name="domain">
+##		The type of the process performing this action.
+##	</parameter>
+##	<infoflow type="write" weight="10"/>
+## </interface>
+#
+define(`selinux_relabelto_binary_policy',`
+requires_block_template(`$0'_depend)
+allow $1 policy_config_t:file relabelto;
+typeattribute $1 can_relabelto_binary_policy;
+')
+
+define(`selinux_relabelto_binary_policy_depend',`
+attribute can_relabelto_binary_policy;
+type policy_config_t;
+class file relabelto;
+')
+
+########################################
 #
 # selinux_manage_binary_policy(domain)
 #
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 7ecde92..96f0f0c 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -108,7 +108,8 @@ type_transition checkpolicy_t policy_src_t:file policy_config_t;
 
 # only allow read of policy source files
 allow checkpolicy_t policy_src_t:dir { getattr search read };
-allow checkpolicy_t policy_src_t:{ file lnk_file } { getattr read };
+allow checkpolicy_t policy_src_t:file { getattr read ioctl };
+allow checkpolicy_t policy_src_t:lnk_file { getattr read };
 allow checkpolicy_t selinux_config_t:dir search;
 
 filesystem_get_persistent_filesystem_attributes(checkpolicy_t)
@@ -145,9 +146,9 @@ allow load_policy_t policy_src_t:dir search;
 allow load_policy_t policy_config_t:dir { getattr search read };
 allow load_policy_t policy_config_t:{ file lnk_file sock_file fifo_file } { getattr read };
 
-allow newrole_t selinux_config_t:dir { getattr read search };
-allow newrole_t selinux_config_t:file { read getattr };
-allow newrole_t selinux_config_t:lnk_file { getattr read };
+allow load_policy_t selinux_config_t:dir { getattr read search };
+allow load_policy_t selinux_config_t:file { read getattr };
+allow load_policy_t selinux_config_t:lnk_file { getattr read };
 
 kernel_get_selinuxfs_mount_point(load_policy_t)
 kernel_load_selinux_policy(load_policy_t)
@@ -163,6 +164,8 @@ init_script_use_pseudoterminal(load_policy_t)
 
 domain_use_widely_inheritable_file_descriptors(load_policy_t)
 
+files_search_general_system_config_directory(load_policy_t)
+
 libraries_use_dynamic_loader(load_policy_t)
 libraries_use_shared_libraries(load_policy_t)
 
@@ -170,12 +173,6 @@ miscfiles_read_localization(load_policy_t)
 
 userdomain_use_all_users_file_descriptors(load_policy_t)
 
-ifdef(`TODO',`
-
-# directory search permissions for path to binary policy files
-allow load_policy_t etc_t:dir search;
-') dnl endif TODO
-
 ########################################
 #
 # Newrole local policy
@@ -317,7 +314,7 @@ hotplug_use_file_descriptors(restorecon_t)
 # relabeling rules
 kernel_relabel_unlabeled_object(restorecon_t)
 devices_manage_all_devices_labels(restorecon_t)
-files_manage_all_files_labels(restorecon_t)
+files_relabel_all_files(restorecon_t)
 files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
@@ -325,6 +322,8 @@ authlogin_relabel_to_shadow_passwords(restorecon_t)
 tunable_policy(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_block_devices(restorecon_t)
+filesystem_relabel_tmpfs_character_devices(restorecon_t)
 ')
 
 ifdef(`TODO',`
@@ -333,11 +332,6 @@ ifdef(`TODO',`
 # scripts will put things in a state such that restorecon can not be run!
 allow restorecon_t lib_t:file { read execute };
 
-tunable_policy(`distro_redhat', `
-allow restorecon_t tmpfs_t:chr_file { relabelfrom relabelto };
-allow restorecon_t tmpfs_t:blk_file { relabelfrom relabelto };
-')
-
 allow restorecon_t fs_type:dir r_dir_perms;
 
 allow restorecon_t device_t:file { read write };
@@ -467,7 +461,7 @@ userdomain_read_all_users_data(setfiles_t)
 kernel_relabel_unlabeled_object(setfiles_t)
 devices_manage_all_devices_labels(setfiles_t)
 files_read_all_directories(setfiles_t)
-files_manage_all_files_labels(setfiles_t)
+files_relabel_all_files(setfiles_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(setfiles_t)
 
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 95753f8..8c377ac 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -57,9 +57,9 @@ allow dhcpc_t dhcpc_tmp_t:dir { create read getattr lock setattr ioctl link unli
 allow dhcpc_t dhcpc_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir })
 
-# Allow dhcpc_t to use packet sockets
+allow dhcpc_t self:tcp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow dhcpc_t self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
 allow dhcpc_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
-
 allow dhcpc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
 
 allow dhcpc_t self:fifo_file { ioctl read getattr lock write append };
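Review bot: The new tcp_socket and udp_socket rules at the top of the hunk carry no comment, and the only comment that explained this group (`# Allow dhcpc_t to use packet sockets`) was deleted rather than extended. The tcp_socket rule grants create, bind, ioctl and option handling but neither connect, listen nor accept, which reads as a socket opened only to issue interface ioctls rather than to carry traffic; if that is the intent, record it, e.g. `# tcp/udp sockets for interface ioctls and DHCP client traffic; packet socket for raw DHCP frames`. If the udp socket is instead expected to connect() to the server address, the udp_socket line lacks connect and that will show up as a denial.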
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index e0b7ab2..55d3e48 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -10,6 +10,10 @@
 
 define(`base_user_domain',`
 
+attribute $1_file_type;
+
+type $1_t, userdomain;
+corecommands_make_shell_entrypoint($1_t)
 role $1_r types $1_t;
 allow system_r $1_r;
 
@@ -370,9 +374,10 @@ define(`user_domain_template', `
 # Declarations
 #
 
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
 
-type $1_t, userdomain, unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
 domain_make_domain($1_t)
 domain_make_file_descriptors_widely_inheritable($1_t)
 
@@ -398,9 +403,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # Local policy
 #
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 terminal_create_private_pseudoterminal($1_t,$1_devpts_t)
 
@@ -584,9 +586,10 @@ define(`admin_domain_template',`
 # Declarations
 #
 
-attribute $1_file_type;
+# Inherit rules for ordinary users.
+base_user_domain($1)
 
-type $1_t, userdomain, privhome; #, admin, web_client_domain, nscd_client_domain;
+typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
 kernel_make_object_identity_change_constraint_exception($1_t)
 domain_make_domain($1_t)
 role system_r types $1_t;
@@ -615,9 +618,6 @@ terminal_make_physical_terminal($1_t,$1_tty_device_t)
 # $1_t local policy
 #
 
-# Inherit rules for ordinary users.
-base_user_domain($1)
-
 allow $1_t self:capability ~sys_module;
 allow $1_t self:process { setexec setfscreate };
 
@@ -682,6 +682,11 @@ terminal_use_general_physical_terminal($1_t)
 terminal_use_all_private_pseudoterminals($1_t)
 terminal_use_all_private_physical_terminals($1_t)
 
+# Manage almost all files
+authlogin_manage_all_files_except_shadow($1_t)
+# Relabel almost all files
+authlogin_relabel_all_files_except_shadow($1_t)
+
 domain_set_all_domains_priorities($1_t)
 
 files_execute_system_source_code_scripts($1_t)
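Review bot: The two new authlogin_* calls widen the admin domain's file access beyond what the sysadmfile-based rules they replace (removed in the following hunk) granted, and the comments `# Manage almost all files` / `# Relabel almost all files` do not record the scope or the reason. Judging by the interface names the grant presumably covers every file type except shadow_t, whereas the old rules were confined to the sysadmfile attribute; with relabelfrom/relabelto on everything, $1_t can relabel arbitrary files into types that other domains trust, leaving the shadow_t neverallow as the only remaining guard. Replace the comments with ones that make this explicit, e.g. `# Manage and relabel every file type except shadow_t; this deliberately exceeds the old sysadmfile scope, so further type-level exemptions belong in authlogin`. admin_domain_template's body continues outside this hunk.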
@@ -710,18 +715,6 @@ ifdef(`TODO',`
 # Let admin stat the shadow file.
 allow $1_t shadow_t:file getattr;
 
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
 # for lsof
 allow $1_t mtrr_device_t:file getattr;
 

