changeset 7847:7350608d8779

[fmac-discuss] [PATCH] Rework file and process access vectors This patch reworks the file and process access vector definitions in preparation for adding permission checks. Some of the changes are to bring the definitions more into alignment with the permissions in modern SELinux (in particular for checks on domain transitions), while other changes are to reorganize the definitions and prune unnecessary ones. The "initpolicy" is also removed as it is unnecessary. Future revisions to the definitions are likely.
author Stephen Smalley <sds@tycho.nsa.gov>
date Wed, 02 Jul 2008 15:53:13 -0400
parents 5cd6aaacbfa2
children 924aa88013c2
files usr/src/cmd/fmac/policy/Makefile usr/src/cmd/fmac/policy/assert.te usr/src/cmd/fmac/policy/domains/every.te usr/src/cmd/fmac/policy/domains/program/netscape.te usr/src/cmd/fmac/policy/domains/program/passwd.te usr/src/cmd/fmac/policy/domains/program/utempter.te usr/src/cmd/fmac/policy/domains/system/crond.te usr/src/cmd/fmac/policy/domains/system/initrc.te usr/src/cmd/fmac/policy/init.te usr/src/cmd/fmac/policy/macros.te usr/src/cmd/fmac/policy/mls usr/src/common/fmac/policy/flask/access_vectors
diffstat 12 files changed, 63 insertions(+), 229 deletions(-) [+]
--- a/usr/src/cmd/fmac/policy/Makefile	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/Makefile	Wed Jul 02 15:53:13 2008 -0400
@@ -38,8 +38,6 @@
 # install - compile and install the policy configuration.
 # load    - compile, install, and load the policy configuration.
 # relabel - relabel the file system based on file_contexts.
-# initpolicy - compile the initial policy configuration.
-# initinstall - compile and install the initial policy configuration.
 #
 # The default target is 'policy'.
 #
@@ -196,16 +194,6 @@
 	$(SETFILES) -v $(FILECONTEXT_FILE) `mount -p | awk '/ufs/{print $$3}; /zfs/{print $$3}'`
 	$(TOUCH) relabel
 
-initpolicy: initpolicy.conf $(CHECKPOLICY)
-	$(CHECKPOLICY) -o $@ initpolicy.conf
-	$(CHECKPOLICY) -b $@
-
-initpolicy.conf: $(INITPOLICYFILES) all.te
-	$(M4) $(M4FLAGS) -s $(INITPOLICYFILES) > initpolicy.conf
-
-initinstall:  initpolicy
-	install -m 644 -o root -g root initpolicy /ss_policy
-
 all.te: macros.te attrib.te all_types.te all_domains.te assert.te
 	$(CAT) $^ > $@
 
@@ -229,6 +217,5 @@
 
 clean:
 	$(RM) -f policy ss_policy policy.conf
-	$(RM) -f initpolicy initpolicy.conf 
 
 include ../../Makefile.targ
--- a/usr/src/cmd/fmac/policy/assert.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/assert.te	Wed Jul 02 15:53:13 2008 -0400
@@ -129,24 +129,17 @@
 define(`assert_execute', `
     ifelse($#, 0, , 
            $#, 1, 
-           ``neverallow $1_t ~{ $1_exec_t ld_so_t shlib_t }:process execute;'',
+           ``neverallow $1_t ~$1_exec_t:file entrypoint;
+	    neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
            `assert_execute($1) assert_execute(shift($@))')')
 
 assert_execute(getty, klogd, atd, inetd, tcpd, rlogind, 
     	       ypbind, portmap, syslogd, rpcd, gpm, xfs, fsadm)
 
-neverallow local_login_t ~{ login_exec_t ld_so_t shlib_t }:process execute;
-neverallow remote_login_t ~{ login_exec_t ld_so_t shlib_t }:process execute;
+neverallow { local_login_t remote_login_t } ~login_exec_t:file entrypoint;
+neverallow { local_login_t remote_login_t } ~ld_so_t:file execute_no_trans;
 
 #
-# Verify that the passwd domain can only execute code from 
-# its entrypoint executable, the ordinary passwd program,
-# the dynamic loader, or the shared libraries.
+# Verify that only the admin domains and initrc_t have setenforce.
 #
-neverallow passwd_t ~{ passwd_exec_t bin_t ld_so_t shlib_t }:process execute;
-
-
-#
-# Verify that only the admin domains and initrc_t have avc_toggle.
-#
-neverallow ~{ admin initrc_t } kernel_t:system avc_toggle;
+neverallow ~{ admin initrc_t } security_t:security setenforce;
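Review bot: The passwd_t containment assertion is removed outright rather than ported to the new file-class form, so the policy loses its only neverallow on passwd_t even though passwd.te still grants `can_exec(passwd_t, bin_t)` in this same change. The equivalent under the reworked vectors is `neverallow passwd_t ~passwd_exec_t:file entrypoint;` plus `neverallow passwd_t ~{ bin_t ld_so_t }:file execute_no_trans;`, mirroring the getty/login assertions just above. If dropping it is intentional, a one-line comment saying why would stop the next reader from re-adding it.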
--- a/usr/src/cmd/fmac/policy/domains/every.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/every.te	Wed Jul 02 15:53:13 2008 -0400
@@ -30,7 +30,7 @@
 #
 
 # Access other processes in the same domain.
-allow domain self:process ~{ execute entrypoint };
+allow domain self:process *;
 
 # Access file descriptions, pipes, and sockets
 # created by processes in the same domain.
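Review bot: `allow domain self:process *;` now also grants every domain the newly added `setexec` and `setfscreate` permissions (and still `transition` on self), something the old rule could only avoid because the wildcard excluded execute and entrypoint. Whether that matters depends on what the forthcoming hooks do with setexec/setfscreate, but enumerating the intended set, or writing `allow domain self:process ~{ setexec setfscreate };`, keeps this self-access rule from silently widening each time a process permission is added. A comment noting that the old exclusions moved to the file class would also explain why the bare wildcard is now considered acceptable.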
--- a/usr/src/cmd/fmac/policy/domains/program/netscape.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/program/netscape.te	Wed Jul 02 15:53:13 2008 -0400
@@ -55,7 +55,6 @@
 
 # Allow use of /dev/zero by ld.so.
 allow $1_netscape_t zero_device_t:chr_file rw_file_perms;
-allow $1_netscape_t zero_device_t:process execute;
 
 # Create temporary files
 file_type_auto_trans($1_netscape_t, tmp_t, $1_netscape_rw_t)
--- a/usr/src/cmd/fmac/policy/domains/program/passwd.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/program/passwd.te	Wed Jul 02 15:53:13 2008 -0400
@@ -47,9 +47,6 @@
 # Execute /usr/bin/{passwd,chfn,chsh}.
 can_exec(passwd_t, bin_t)
 
-# Test for the existence of a shell.
-allow passwd_t shell_exec_t:file access;
-
 # Update /etc/passwd.
 allow passwd_t etc_t:dir rw_dir_perms;
 allow passwd_t etc_t:file create_file_perms;
--- a/usr/src/cmd/fmac/policy/domains/program/utempter.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/program/utempter.te	Wed Jul 02 15:53:13 2008 -0400
@@ -43,7 +43,7 @@
 allow utempter_t wtmp_t:file rw_file_perms;
 
 # Allow ioctl and getattr /dev/ptmx.
-allow utempter_t ptmx_t:chr_file { ioctl getattr };
+allow utempter_t ptmx_t:chr_file { read getattr };
 
 # Inherit and use descriptors from login.
 allow utempter_t local_login_t:fd inherit_fd_perms;
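Review bot: The comment on the unchanged line above, `# Allow ioctl and getattr /dev/ptmx.`, is now stale: the rule grants `read`, and `ioctl` no longer exists in `common file` after this change. Suggest `# Allow read (ioctl is no longer a separate permission) and getattr on /dev/ptmx.`; if ioctl(2) on the pty is meant to be checked as read under the new vectors, saying so here is worth a line since it is not obvious from the rule.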
--- a/usr/src/cmd/fmac/policy/domains/system/crond.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/system/crond.te	Wed Jul 02 15:53:13 2008 -0400
@@ -119,7 +119,7 @@
 # the system cron job.  It performs an entrypoint
 # permission check for this purpose.
 #
-allow system_crond_t system_crond_script_t:process entrypoint;
+allow system_crond_t system_crond_script_t:file entrypoint;
 
 # Run helper programs in the system_crond_t domain.
 can_exec_any(system_crond_t)
@@ -160,9 +160,9 @@
 file_type_auto_trans(system_crond_t, tmp_t, system_crond_tmp_t)
 
 # Used for /sbin/tmpwatch
-allow system_crond_t tmpfile:dir { read getattr setattr access lock search remove_name rmdir };
+allow system_crond_t tmpfile:dir { read getattr setattr lock search remove_name rmdir };
 allow system_crond_t tmpfile:notdevfile_class_set link_file_perms;
-allow system_crond_t catman_t:dir { read getattr setattr access lock search remove_name rmdir };
+allow system_crond_t catman_t:dir { read getattr setattr lock search remove_name rmdir };
 allow system_crond_t catman_t:notdevfile_class_set link_file_perms;
 
 
@@ -196,7 +196,7 @@
 # the user cron job.  It performs an entrypoint
 # permission check for this purpose.
 #
-allow $1_crond_t $1_cron_spool_t:process entrypoint;
+allow $1_crond_t $1_cron_spool_t:file entrypoint;
 
 # Use pipe from crond_t.
 allow $1_crond_t crond_t:pipe rw_file_perms;
--- a/usr/src/cmd/fmac/policy/domains/system/initrc.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/domains/system/initrc.te	Wed Jul 02 15:53:13 2008 -0400
@@ -121,8 +121,8 @@
 file_type_auto_trans(initrc_t, boot_t, boot_runtime_t)
 
 # Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir { read search getattr access remove_name rmdir };
-allow initrc_t xfs_tmp_t:sock_file { read getattr access unlink };
+allow initrc_t xfs_tmp_t:dir { read search getattr remove_name rmdir };
+allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
 
 # Update /var/log/wtmp and /var/log/dmesg.
 allow initrc_t wtmp_t:file rw_file_perms;
--- a/usr/src/cmd/fmac/policy/init.te	Wed Jul 02 09:31:47 2008 -0400
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,137 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-
-#
-# Original files contributed to OpenSolaris.org under license by the
-# United States Government (NSA) to Sun Microsystems, Inc.
-#
-
-#
-# Extensions to the Type Enforcement configuration
-# for the initial boot and relabeling of the system.
-#
-
-
-#
-# Define a new domain for all descendants of init.
-#
-type initial_boot_t, domain, privuser, privrole, privowner;
-
-#
-# Include the normal policy configuration so
-# that all types will be defined for the relabeling
-# and so that all rules that apply to all domains
-# will be applied.
-#
-include(all.te)
-
-#
-# Extend the kernel_t domain.
-#
-allow kernel_t file_t:dir_file_class_set *;
-
-#
-# Extend the init_t domain.
-#
-allow init_t file_t:dir_file_class_set *;
-allow init_t file_t:process { entrypoint execute };
-domain_auto_trans(init_t, file_t, initial_boot_t)
-can_unix_connect(init_t, initial_boot_t)
-
-#
-# Extend the initrc_t domain (for reboot after relabel).
-#
-can_unix_send(initrc_t, initial_boot_t)
-allow initrc_t file_t:file unlink;
-
-#
-# Extend the kmod_t domain.
-#
-allow kmod_t file_t:dir_file_class_set *;
-allow kmod_t file_t:process execute;
-can_unix_connect(kmod_t, initial_boot_t)
-
-#
-# Extend the sysadm_t domain.
-#
-allow sysadm_t file_t:dir_file_class_set *;
-allow sysadm_t file_t:process execute;
-can_exec(sysadm_t, user_home_t)
-allow sysadm_t tty_device_t:chr_file rw_file_perms;
-allow sysadm_t file_t:unix_stream_socket name_bind;
-allow sysadm_t file_t:unix_dgram_socket name_bind;
-can_unix_send(sysadm_t, initial_boot_t)
-can_unix_connect(sysadm_t, initial_boot_t)
-can_udp_send(sysadm_t, initial_boot_t)
-
-#
-# Rules for the initial_boot_t domain.
-#
-
-# Perform any privileged operation.
-allow initial_boot_t kernel_t:system *;
-allow initial_boot_t self:capability *;
-
-# Change sysctl variables.
-can_sysctl(initial_boot_t)
-
-# Read /proc/kmsg (for klogd).
-allow initial_boot_t proc_kmsg_t:file r_file_perms;
-
-# Use the network and configure network interfaces.
-can_network(initial_boot_t)
-allow initial_boot_t netif_type:netif { getattr setattr };
-
-# Bind to any network port.
-allow initial_boot_t port_type:tcp_socket name_bind;
-allow initial_boot_t port_type:udp_socket name_bind;
-
-# Perform any operation on any process.
-allow initial_boot_t domain:process ~{ entrypoint execute };
-allow initial_boot_t domain:dir_file_class_set *;
-
-# Execute code from any program.
-allow initial_boot_t file_type:process { entrypoint execute };
-
-# Perform any operation on any file system.
-allow initial_boot_t fs_type:filesystem *;
-
-# Perform any operation on any file.
-allow initial_boot_t file_type:dir_file_class_set *;
-
-# Bind to a file_t Unix domain socket file.
-allow initial_boot_t file_t:unix_stream_socket name_bind;
-allow initial_boot_t file_t:unix_dgram_socket name_bind;
-
-# Send to sysadm_t.
-can_udp_send(initial_boot_t, sysadm_t)
-
-# Can transition to sysadm_t for login.
-domain_trans(initial_boot_t, file_t, sysadm_t)
-
-# Transition to proper domain when executing module programs after relabel.
-domain_auto_trans(initial_boot_t, modprobe_exec_t, modprobe_t)
-domain_auto_trans(initial_boot_t, insmod_exec_t, insmod_t)
-domain_auto_trans(initial_boot_t, rmmod_exec_t, rmmod_t)
-
-# Add initial_boot_t to the system_r role.
-role system_r types initial_boot_t;
-
--- a/usr/src/cmd/fmac/policy/macros.te	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/macros.te	Wed Jul 02 15:53:13 2008 -0400
@@ -68,63 +68,63 @@
 # 
 # Permissions for getting file attributes.
 #
-define(`stat_file_perms', `{ getattr access }')
+define(`stat_file_perms', `{ getattr }')
 
 # 
 # Permissions for executing files.
 #
-define(`x_file_perms', `{ getattr access execute }')
+define(`x_file_perms', `{ getattr execute }')
 
 # 
 # Permissions for reading files and their attributes.
 #
-define(`r_file_perms', `{ read getattr access lock poll }')
+define(`r_file_perms', `{ read getattr lock }')
 
 # 
 # Permissions for reading and executing files.
 #
-define(`rx_file_perms', `{ read getattr access lock poll execute }')
+define(`rx_file_perms', `{ read getattr lock execute }')
 
 # 
 # Permissions for reading and writing files and their attributes.
 #
-define(`rw_file_perms', `{ ioctl read getattr access lock poll write setattr append }')
+define(`rw_file_perms', `{ read getattr lock write setattr append }')
 
 # 
 # Permissions for reading and appending to files.
 #
-define(`ra_file_perms', `{ ioctl read getattr access lock poll append }')
+define(`ra_file_perms', `{ read getattr lock append }')
 
 #
 # Permissions for linking, unlinking and renaming files.
 # 
-define(`link_file_perms', `{ getattr access link unlink rename }')
+define(`link_file_perms', `{ getattr link unlink rename }')
 
 #
 # Permissions for creating and using files.
 # 
-define(`create_file_perms', `{ create ioctl read getattr access lock poll write setattr append link unlink rename }')
+define(`create_file_perms', `{ create read getattr lock write setattr append link unlink rename }')
 
 # 
 # Permissions for reading directories and their attributes.
 #
-define(`r_dir_perms', `{ read getattr access lock poll search }')
+define(`r_dir_perms', `{ read getattr lock search }')
 
 # 
 # Permissions for reading and writing directories and their attributes.
 #
-define(`rw_dir_perms', `{ read getattr access lock poll setattr search add_name remove_name }')
+define(`rw_dir_perms', `{ read getattr lock setattr search add_name remove_name }')
 
 # 
 # Permissions for reading and adding names to directories.
 #
-define(`ra_dir_perms', `{ read getattr access lock poll setattr search add_name }')
+define(`ra_dir_perms', `{ read getattr lock setattr search add_name }')
 
 
 #
 # Permissions for creating and using directories.
 # 
-define(`create_dir_perms', `{ create read getattr access poll setattr link unlink rename search add_name remove_name reparent rmdir }')
+define(`create_dir_perms', `{ create read getattr setattr link unlink rename search add_name remove_name reparent rmdir }')
 
 #
 # Permissions to inherit and use file descriptions.
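Review bot: None of the reworked permission sets include `open`, although this same change adds `open` to `common file` in access_vectors. If the permission checks being prepared enforce `open` on open(2) the way SELinux does, every domain using r_file_perms, rw_file_perms, ra_file_perms, create_file_perms or rx_file_perms would be denied at open time; if `open` is deliberately not checked yet, a comment at the head of these macros saying so would keep the sets from being read as complete. Adding `open` to each read/write/execute set now, e.g. r_file_perms becoming `{ read getattr lock open }`, would track the vector definitions without affecting any existing rule.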
@@ -144,22 +144,22 @@
 #
 # Permissions for using sockets.
 # 
-define(`rw_socket_perms', `{ ioctl read getattr poll write setattr append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms', `{ read getattr write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for creating and using sockets.
 # 
-define(`create_socket_perms', `{ create ioctl read getattr poll write setattr append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create read getattr write setattr append bind connect getopt setopt shutdown }')
 
 #
 # Permissions for using stream sockets.
 # 
-define(`rw_stream_socket_perms', `{ ioctl read getattr poll write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`rw_stream_socket_perms', `{ read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
 
 #
 # Permissions for creating and using stream sockets.
 # 
-define(`create_stream_socket_perms', `{ create ioctl read getattr poll write setattr append bind connect getopt setopt shutdown listen accept }')
+define(`create_stream_socket_perms', `{ create read getattr write setattr append bind connect getopt setopt shutdown listen accept }')
 
 
 #
@@ -224,14 +224,9 @@
 allow $3 $2:file r_file_perms;
 
 #
-# Allow the new domain to execute from the program.
-#
-allow $3 $2:process execute;
-
-#
 # Allow the new domain to be entered by the program.
 #
-allow $3 $2:process entrypoint;
+allow $3 $2:file entrypoint;
 ')
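Review bot: The new domain `$3` loses execute on its entry file with no file-class replacement: the removed `allow $3 $2:process execute;` is simply deleted, and the unchanged line above leaves `$3` with only `r_file_perms` plus `entrypoint` on `$2`. The sibling uses_shlib and can_exec hunks translate the old process execute into file execute/execute_no_trans, so this reads as an oversight rather than a pruning; if the executable's text is mapped after the credential switch (as in SELinux), `$3` needs `allow $3 $2:file rx_file_perms;` in place of the r_file_perms line. The enclosing macro definition begins above this hunk.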
 
 #################################
@@ -254,9 +249,8 @@
 #
 define(`uses_shlib',`
 allow $1 ld_so_t:file rx_file_perms;
-allow $1 ld_so_t:process execute;
-allow $1 shlib_t:file r_file_perms;
-allow $1 shlib_t:process execute;
+allow $1 ld_so_t:file execute_no_trans;
+allow $1 shlib_t:file rx_file_perms;
 ')
 
 #################################
@@ -268,7 +262,7 @@
 #
 define(`can_exec',`
 allow $1 $2:file rx_file_perms;
-allow $1 $2:process execute;
+allow $1 $2:file execute_no_trans;
 ')
 
 #################################
--- a/usr/src/cmd/fmac/policy/mls	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/cmd/fmac/policy/mls	Wed Jul 02 15:53:13 2008 -0400
@@ -62,23 +62,21 @@
 
 common file
 {
-	poll		:	none
-	ioctl		:	none
+	execute		:	read
+	write		:	write
 	read		:	read
-	write		:	write
+	append		:	write
+	open		:	read
 	create		:	write
+	link		:	write
+	unlink		:	write
+	rename		:	write
 	getattr		:	read
 	setattr		:	write
 	lock		:	none
 	relabelfrom	:	{ read write }
 	relabelto	:	write
 	transition	:	write
-	append		:	write
-	access		:	none
-	unlink		:	write
-	link		:	write
-	rename		:	write
-	execute		:	read
 }
 
 common socket
@@ -142,6 +140,11 @@
 }
 
 class file
+{
+	execute_no_trans	: read
+	entrypoint	: read
+}
+
 class lnk_file
 class chr_file
 class blk_file
@@ -211,7 +214,6 @@
 
 class process
 {
-	execute		: 	read
 	fork		:	none
 	transition	:	write
 	sigchld		:	readby
@@ -224,9 +226,9 @@
 	getsession	:	read
 	getpgid		:	read
 	setpgid		:	write
-	getcap		:	read
-	setcap		:	write
-	entrypoint	:	read
+	setexec		:	write
+	setfscreate	:	write
+	execsetid	:	none
 }
 
 class sem
@@ -262,7 +264,6 @@
 	arp_control		: 	none
 	rarp_control		: 	none
 	ipc_info		:	read
-	avc_toggle		:	none
 }
 
 class capability
--- a/usr/src/common/fmac/policy/flask/access_vectors	Wed Jul 02 09:31:47 2008 -0400
+++ b/usr/src/common/fmac/policy/flask/access_vectors	Wed Jul 02 15:53:13 2008 -0400
@@ -36,23 +36,21 @@
 
 common file
 {
-	poll
-	ioctl
+	execute
+	write
 	read
-	write
+	append
+	open
 	create
+	link
+	unlink
+	rename
 	getattr
 	setattr
 	lock
 	relabelfrom
 	relabelto
 	transition
-	append
-	access
-	unlink
-	link
-	rename
-	execute
 }
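Review bot: Reordering the members of `common file` (execute and write moved to the top, append/open/link/unlink/rename regrouped) changes the bit assigned to every surviving file permission, not only the added and removed ones, if permission bits are numbered by position in this file as they are in SELinux. Any generated headers (av_permissions.h or its equivalent) and every previously built policy or ss_policy then have to be regenerated in the same change, and a policy from an earlier build would misinterpret the new bitmaps. Worth stating in the commit message, or keeping the surviving permissions in their prior order so that only the removed slots move.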
 
 
@@ -139,6 +137,10 @@
 
 class file
 inherits file
+{
+	execute_no_trans
+	entrypoint
+}
 
 class lnk_file
 inherits file
@@ -241,7 +243,6 @@
 
 class process
 {
-	execute
 	fork
 	transition
 	sigchld
@@ -254,9 +255,9 @@
 	getsession
 	getpgid
 	setpgid
-	getcap
-	setcap
-	entrypoint
+	setexec
+	setfscreate
+	execsetid
 }
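Review bot: `execsetid` has no counterpart in the SELinux process class that this change otherwise aligns to, and nothing in the diff says what it governs (the mls hunk only gives it base `none`). A short comment next to it stating which set-id exec case it guards and that it is FMAC-specific would let readers tell it apart from the imported `setexec` and `setfscreate` permissions. The removed `getcap`/`setcap` are not referenced by any rule visible in this diff, but a grep of the rest of the policy before landing would confirm checkpolicy will not trip on a stale reference.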
 
 
@@ -310,7 +311,6 @@
 	arp_control
 	rarp_control
 	ipc_info
-	avc_toggle
 }
 
 #