Update modules for file_t merge into unlabeled_t.

policy/modules/admin/bootloader.te

@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.0)
+policy_module(bootloader, 1.14.1)
 
 ########################################
 #
@@ -155,15 +155,14 @@ ifdef(`distro_redhat',`
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
-	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
 
-	# new file system defaults to file_t, granting file_t access is still bad.
+	# new file system defaults to unlabeled, granting unlabeled access is still bad.
-	files_manage_isid_type_dirs(bootloader_t)
+	kernel_manage_unlabeled_dirs(bootloader_t)
-	files_manage_isid_type_files(bootloader_t)
+	kernel_manage_unlabeled_files(bootloader_t)
-	files_manage_isid_type_symlinks(bootloader_t)
+	kernel_manage_unlabeled_symlinks(bootloader_t)
-	files_manage_isid_type_blk_files(bootloader_t)
+	kernel_manage_unlabeled_blk_files(bootloader_t)
-	files_manage_isid_type_chr_files(bootloader_t)
+	kernel_manage_unlabeled_chr_files(bootloader_t)
 
 	# for mke2fs
 	mount_run(bootloader_t, bootloader_roles)

policy/modules/admin/dmesg.te

@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.0)
+policy_module(dmesg, 1.3.1)
 
 ########################################
 #
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
 
@@ -35,8 +37,6 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(dmesg_t)
 
 init_use_fds(dmesg_t)
 init_use_script_ptys(dmesg_t)

policy/modules/contrib

@@ -1 +1 @@
-Subproject commit 1841db13d655ca7a090d4b7c86add9c2869b9e01
+Subproject commit fc714e2e840188c55b5ebc8e9b1e09d342f2864e

policy/modules/system/authlogin.te

@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.2)
+policy_module(authlogin, 2.5.3)
 
 ########################################
 #
@@ -220,6 +220,7 @@ dontaudit pam_console_t pam_var_console_t:file write;
 
 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
+kernel_dontaudit_search_unlabeled(pam_console_t)
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
 
@@ -255,7 +256,6 @@ dev_read_urand(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
-files_dontaudit_search_isid_type_dirs(pam_console_t)
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
 

policy/modules/system/clock.te

@@ -1,4 +1,4 @@
-policy_module(clock, 1.7.0)
+policy_module(clock, 1.7.1)
 
 ########################################
 #
@@ -30,6 +30,8 @@ allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
 kernel_read_kernel_sysctls(hwclock_t)
 kernel_read_system_state(hwclock_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hwclock_t)
 
 corecmd_exec_bin(hwclock_t)
 corecmd_exec_shell(hwclock_t)
@@ -38,8 +40,6 @@ dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 files_read_etc_files(hwclock_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
 fs_search_auto_mountpoints(hwclock_t)

policy/modules/system/fstools.te

@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.3)
+policy_module(fstools, 1.16.4)
 
 ########################################
 #
@@ -56,6 +56,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
+kernel_manage_unlabeled_dirs(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
@@ -64,6 +65,7 @@ kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
+kernel_read_unlabeled_files(fsadm_t)
 
 corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
@@ -100,14 +102,9 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-# Access to /initrd devices
-files_rw_isid_type_dirs(fsadm_t)
-files_rw_isid_type_blk_files(fsadm_t)
-files_read_isid_type_files(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)

policy/modules/system/hostname.te

@@ -1,4 +1,4 @@
-policy_module(hostname, 1.8.2)
+policy_module(hostname, 1.8.3)
 
 ########################################
 #
@@ -23,6 +23,8 @@ dontaudit hostname_t self:capability sys_tty_config;
 
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hostname_t)
 
 dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
@@ -32,8 +34,6 @@ domain_use_interactive_fds(hostname_t)
 
 files_read_etc_files(hostname_t)
 files_dontaudit_search_var(hostname_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)

policy/modules/system/hotplug.te

@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.16.0)
+policy_module(hotplug, 1.16.1)
 
 ########################################
 #
@@ -49,6 +49,8 @@ kernel_read_system_state(hotplug_t)
 kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
 kernel_rw_net_sysctls(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
@@ -86,8 +88,6 @@ files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
 files_etc_filetrans_etc_runtime(hotplug_t, file)
 files_exec_etc_files(hotplug_t)
-# for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(hotplug_t)
 
 init_read_script_state(hotplug_t)
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and

policy/modules/system/init.te

@@ -1,4 +1,4 @@
-policy_module(init, 1.20.4)
+policy_module(init, 1.20.5)
 
 gen_require(`
 	class passwd rootok;
@@ -125,6 +125,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_dontaudit_search_unlabeled(init_t)
 
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
@@ -142,7 +143,6 @@ domain_sigchld_all_domains(init_t)
 
 files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
@@ -289,6 +289,9 @@ kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+kernel_list_unlabeled(initrc_t)
+kernel_mounton_unlabeled_dirs(initrc_t)
 
 files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
@@ -367,8 +370,6 @@ files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dirs(initrc_t)
-files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
 

policy/modules/system/locallogin.te

@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.12.0)
+policy_module(locallogin, 1.12.1)
 
 ########################################
 #
@@ -216,13 +216,13 @@ allow sulogin_t self:msgq create_msgq_perms;
 allow sulogin_t self:msg { send receive };
 
 kernel_read_system_state(sulogin_t)
+# because file systems are not mounted:
+kernel_dontaudit_search_unlabeled(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
 fs_rw_tmpfs_chr_files(sulogin_t)
 
 files_read_etc_files(sulogin_t)
-# because file systems are not mounted:
-files_dontaudit_search_isid_type_dirs(sulogin_t)
 
 auth_read_shadow(sulogin_t)
 

policy/modules/system/logging.te

@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.2)
+policy_module(logging, 1.20.3)
 
 ########################################
 #
@@ -406,6 +406,8 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# /initrd is not umounted before minilog starts
+kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
@@ -443,7 +445,6 @@ files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 

policy/modules/system/lvm.te

@@ -1,4 +1,4 @@
-policy_module(lvm, 1.15.3)
+policy_module(lvm, 1.15.4)
 
 ########################################
 #
@@ -217,6 +217,8 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@@ -254,8 +256,6 @@ domain_read_all_domains_state(lvm_t)
 files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
@@ -306,7 +306,7 @@ userdom_use_user_terminals(lvm_t)
 
 ifdef(`distro_redhat',`
 	# this is from the initrd:
-	files_rw_isid_type_dirs(lvm_t)
+	kernel_rw_unlabeled_dirs(lvm_t)
 
 	optional_policy(`
 		unconfined_domain(lvm_t)

policy/modules/system/modutils.te

@@ -1,4 +1,4 @@
-policy_module(modutils, 1.14.0)
+policy_module(modutils, 1.14.1)
 
 ########################################
 #
@@ -130,6 +130,8 @@ kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
+# for when /var is not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -153,8 +155,6 @@ files_read_usr_files(insmod_t)
 files_exec_etc_files(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
-# for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
 
@@ -299,9 +299,10 @@ userdom_use_user_terminals(update_modules_t)
 userdom_dontaudit_search_user_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
+	kernel_list_unlabeled(update_modules_t) # /var
+
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
-	files_list_isid_type_dirs(update_modules_t) # /var
 
 	# update-modules on Gentoo throws errors when run because it
 	# sources /etc/init.d/functions.sh, which always scans

policy/modules/system/mount.te

@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.3)
+policy_module(mount, 1.16.4)
 
 ########################################
 #
@@ -65,6 +65,9 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -92,9 +95,6 @@ files_unmount_rootfs(mount_t)
 files_relabelto_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_all_mountpoints(mount_t)

policy/modules/system/udev.te

@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.5)
+policy_module(udev, 1.16.6)
 
 ########################################
 #
@@ -95,6 +95,7 @@ kernel_search_debugfs(udev_t)
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
+kernel_dontaudit_search_unlabeled(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -116,7 +117,6 @@ files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)