diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c5058f160..d6333b5a6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -478,6 +478,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
dontaudit $1 device_t:blk_file getattr;
')
+########################################
+##
+## Set the attributes on generic
+## block devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:blk_file setattr;
+')
+
########################################
##
## Dontaudit setattr on generic block devices.
@@ -568,6 +587,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
dontaudit $1 device_t:chr_file getattr;
')
+########################################
+##
+## Set the attributes for generic
+## character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file setattr;
+')
+
########################################
##
## Dontaudit setattr for generic character device files.
@@ -3895,6 +3933,24 @@ interface(`dev_manage_smartcard',`
manage_chr_files_pattern($1, device_t, smartcard_device_t)
')
+########################################
+##
+## Mount a filesystem on sysfs.
+##
+##
+##
+## Domain allow access.
+##
+##
+#
+interface(`dev_mounton_sysfs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
########################################
##
## Associate a file to a sysfs filesystem.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index c1362f460..3baa04146 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1782,6 +1782,25 @@ interface(`files_list_root',`
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
+########################################
+##
+## Delete symbolic links in the
+## root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_root_symlinks',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
########################################
##
## Do not audit attempts to write to / dirs.
@@ -1910,6 +1929,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
dontaudit $1 root_t:chr_file { read write };
')
+########################################
+##
+## Delete character device nodes in
+## the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_root_chr_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
########################################
##
## Delete files in the root directory.
@@ -1928,6 +1966,24 @@ interface(`files_delete_root_files',`
allow $1 root_t:file unlink;
')
+########################################
+##
+## Execute files in the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_exec_root_files',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file exec_file_perms;
+')
+
########################################
##
## Remove entries from the root directory.
@@ -1946,6 +2002,43 @@ interface(`files_delete_root_dir_entry',`
allow $1 root_t:dir rw_dir_perms;
')
+########################################
+##
+## Manage the root directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_root_dir',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+##
+## Get the attributes of a rootfs
+## file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem getattr;
+')
+
########################################
##
## Associate to root file system.
@@ -3053,6 +3146,44 @@ interface(`files_delete_boot_flag',`
delete_files_pattern($1, root_t, etc_runtime_t)
')
+########################################
+##
+## Get the attributes of the
+## etc_runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_getattr_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+##
+## Mount a filesystem on the
+## etc_runtime directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_etc_runtime_dirs',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:dir mounton;
+')
+
########################################
##
## Do not audit attempts to set the attributes of the etc_runtime files
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index be1ea4534..607576b68 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4281,6 +4281,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
dontaudit $1 tmpfs_t:file rw_file_perms;
')
+########################################
+##
+## Delete tmpfs symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_delete_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
########################################
##
## Create, read, write, and delete
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f03a3241d..5f38e5868 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -955,6 +955,24 @@ interface(`kernel_dontaudit_write_proc_dirs',`
dontaudit $1 proc_t:dir write;
')
+########################################
+##
+## Mount the directories in /proc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_mounton_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
########################################
##
## Get the attributes of files in /proc.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index da0d48dbc..8375637ec 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
# devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t)
fs_unmount_all_fs(kernel_t)
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
selinux_load_policy(kernel_t)
+term_getattr_pty_fs(kernel_t)
term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
# for kdevtmpfs
term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t)
domain_search_all_domains_state(kernel_t)
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
files_list_root(kernel_t)
files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -343,6 +369,7 @@ optional_policy(`
')
optional_policy(`
+ logging_manage_generic_logs(kernel_t)
logging_send_syslog_msg(kernel_t)
')
@@ -355,6 +382,12 @@ optional_policy(`
nis_use_ypbind(kernel_t)
')
+optional_policy(`
+ plymouthd_read_lib_files(kernel_t)
+ term_use_ptmx(kernel_t)
+ term_use_unallocated_ttys(kernel_t)
+')
+
optional_policy(`
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
@@ -405,6 +438,7 @@ optional_policy(`
optional_policy(`
seutil_read_config(kernel_t)
seutil_read_bin_policy(kernel_t)
+ seutil_domtrans_setfiles(kernel_t)
')
optional_policy(`
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 86692b04b..05be0475b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -401,6 +401,25 @@ interface(`term_relabel_pty_fs',`
allow $1 devpts_t:filesystem { relabelto relabelfrom };
')
+########################################
+##
+## Get the attributes of the
+## /dev/pts directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_getattr_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:dir getattr;
+')
+
########################################
##
## Do not audit attempts to get the
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
allow $1 devpts_t:chr_file getattr;
')
+
########################################
##
## Do not audit attempts to get the attributes