try to knock out more of the distro_debian bootloader stuff

refpolicy/policy/modules/kernel/bootloader.te

@@ -110,6 +110,7 @@ dev_read_raw_memory(bootloader_t)
 fs_getattr_xattr_fs(bootloader_t)
 
 term_getattr_all_user_ttys(bootloader_t)
+term_dontaudit_manage_pty_dir(bootloader_t)
 
 corecmd_exec_bin(bootloader_t)
 corecmd_exec_sbin(bootloader_t)
@@ -149,8 +150,18 @@ ifdef(`distro_debian',`
 	allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 	allow bootloader_t boot_t:file relabelfrom;
 
+	fs_list_tmpfs(bootloader_t)
+
+	files_relabelto_usr_files(bootloader_t)
+	files_search_var_lib(bootloader_t)
+	files_list_script_pids(bootloader_t)
 	# for /usr/share/initrd-tools/scripts
 	files_exec_usr_files(bootloader_t)
+
+	fstools_manage_entry_files(bootloader_t)
+	fstools_relabelto_entry_files(bootloader_t)
+
+	libs_relabelto_lib_files(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
@@ -204,16 +215,15 @@ optional_policy(`userdomain.te',`
 ')
 
 ifdef(`TODO',`
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
 ifdef(`distro_debian', `
-	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+	# cjp: there is no setfscreate or type_transition, and
-	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+	# bootloader_t cannot rw a usr_t or lib_t directory, so
-	allow bootloader_t tmpfs_t:dir r_dir_perms;
+	# how can this work?  This is probably rw_file_perms,
-	allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+	# possibly with unlink.  Files are probably "created"
-	allow bootloader_t var_lib_t:dir search;
+	# by the above relabeling permissions.
+	allow bootloader_t { usr_t lib_t }:file create_file_perms;
+
 	allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
 	allow bootloader_t dpkg_var_lib_t:file { getattr read };
-
 ')
-
 ') dnl end TODO

refpolicy/policy/modules/kernel/terminal.if

@@ -233,7 +233,7 @@ interface(`term_list_ptys',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to read the
-##	/dev/pts directory to.
+##	/dev/pts directory.
 ## </summary>
 ## <param name="domain">
 ##	The type of the process to not audit.
@@ -248,6 +248,24 @@ interface(`term_dontaudit_list_ptys',`
 	dontaudit $1 devpts_t:dir { getattr search read };
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, or delete the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`term_dontaudit_manage_pty_dir',`
+	gen_require(`
+		type devpts_t;
+		class dir create_dir_perms;
+	')
+
+	dontaudit $1 devpts_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the generic pty

refpolicy/policy/modules/system/files.if

@@ -1591,6 +1591,23 @@ interface(`files_read_usr_files',`
 	allow $1 usr_t:{ file lnk_file } r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Relabel a file to the type used in /usr.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_relabelto_usr_files',`
+	gen_require(`
+		type usr_t;
+		class file relabelto;
+	')
+
+	allow $1 usr_t:file relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Read symbolic links in /usr.

refpolicy/policy/modules/system/fstools.if

@@ -65,3 +65,38 @@ interface(`fstools_exec',`
 
 	can_exec($1,fsadm_exec_t)
 ')
+
+########################################
+## <summary>
+##	Relabel a file to the type used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_relabelto_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+	')
+
+	allow $1 fsadm_exec_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete a file used by the
+##	filesystem tools programs.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`fstools_manage_entry_files',`
+	gen_require(`
+		type fsadm_exec_t;
+		class file create_file_perms;
+	')
+
+	allow $1 fsadm_exec_t:file create_file_perms;
+')

refpolicy/policy/modules/system/init.if

@@ -484,6 +484,24 @@ interface(`init_rw_script_tmp_files',`
 	allow $1 initrc_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	List the contents of an init script
+##	process id directory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## 
+interface(`init_list_script_pids',`
+	gen_require(`
+		type initrc_var_run_t;
+		class dir r_dir_perms;
+	')
+
+	files_search_pids($1)
+	allow $1 initrc_var_run_t:dir r_dir_perms;
+')
+
 ########################################
 #
 # init_read_script_pid(domain)

refpolicy/policy/modules/system/libraries.if

@@ -195,6 +195,23 @@ interface(`libs_exec_lib_files',`
 	can_exec($1,lib_t)
 ')
 
+########################################
+## <summary>
+##	Relabel files to the type used in library directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`libs_relabelto_lib_files',`
+	gen_require(`
+		type lib_t;
+		class file relabelto;
+	')
+
+	allow $1 lib_t:file relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Load and execute functions from shared libraries.