From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-660834-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 292F81387B2
	for <garchives@archives.gentoo.org>; Sun, 19 Jan 2014 19:01:43 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 6B62AE0D08;
	Sun, 19 Jan 2014 19:01:42 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 98A78E0D08
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:41 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 2532E33F995
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:40 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by spoonbill.gentoo.org (Postfix) with ESMTP id CAC8D1872C
	for <gentoo-commits@lists.gentoo.org>; Sun, 19 Jan 2014 19:01:38 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1390157425.04d8dfc736343c9a23530e5971f9048dc57cff2c.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/files.if policy/modules/kernel/files.te policy/modules/kernel/kernel.if policy/modules/kernel/kernel.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 04d8dfc736343c9a23530e5971f9048dc57cff2c
X-VCS-Branch: master
Date: Sun, 19 Jan 2014 19:01:38 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 0965bbec-3464-4664-a344-91c173ae8696
X-Archives-Hash: 3ad752e645882a7d257c7553ff4d54b4

commit:     04d8dfc736343c9a23530e5971f9048dc57cff2c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan 16 16:19:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:50:25 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=04d8dfc7

Merge file_t into unlabeled_t, as they are security equivalent.

---
 policy/modules/kernel/files.if  | 180 +++++++++++----------------------
 policy/modules/kernel/files.te  |  12 +--
 policy/modules/kernel/kernel.if | 219 +++++++++++++++++++++++++++++++++++++++-
 policy/modules/kernel/kernel.te |  11 +-
 4 files changed, 288 insertions(+), 134 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0d735e0..74959e8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3190,7 +3190,7 @@ interface(`files_etc_filetrans_etc_runtime',`
 ########################################
 ## <summary>
 ##	Getattr of directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3199,17 +3199,14 @@ interface(`files_etc_filetrans_etc_runtime',`
 ## </param>
 #
 interface(`files_getattr_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir getattr;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_getattr_unlabeled_dirs() instead.')
+	kernel_getattr_unlabeled_dirs($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to search directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3218,17 +3215,14 @@ interface(`files_getattr_isid_type_dirs',`
 ## </param>
 #
 interface(`files_dontaudit_search_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:dir search_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_search_unlabeled() instead.')
+	kernel_dontaudit_search_unlabeled($1)
 ')
 
 ########################################
 ## <summary>
 ##	List the contents of directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3237,17 +3231,14 @@ interface(`files_dontaudit_search_isid_type_dirs',`
 ## </param>
 #
 interface(`files_list_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir list_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_list_unlabeled() instead.')
+	kernel_list_unlabeled($1)
 ')
 
 ########################################
 ## <summary>
 ##	Read and write directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3256,17 +3247,14 @@ interface(`files_list_isid_type_dirs',`
 ## </param>
 #
 interface(`files_rw_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir rw_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_dirs() instead.')
+	kernel_rw_unlabeled_dirs($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete directories on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3275,17 +3263,14 @@ interface(`files_rw_isid_type_dirs',`
 ## </param>
 #
 interface(`files_delete_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_dirs_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_dirs() instead.')
+	kernel_delete_unlabeled_dirs($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3294,17 +3279,14 @@ interface(`files_delete_isid_type_dirs',`
 ## </param>
 #
 interface(`files_manage_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir manage_dir_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_dirs() instead.')
+	kernel_manage_unlabeled_dirs($1)
 ')
 
 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory on new filesystems
-##	that has not yet been labeled.
+##	that has not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3313,17 +3295,14 @@ interface(`files_manage_isid_type_dirs',`
 ## </param>
 #
 interface(`files_mounton_isid_type_dirs',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:dir { search_dir_perms mounton };
+	refpolicywarn(`$0($*) has been deprecated, use kernel_mounton_unlabeled_dirs() instead.')
+	kernel_mounton_unlabeled_dirs($1)
 ')
 
 ########################################
 ## <summary>
 ##	Read files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3332,17 +3311,14 @@ interface(`files_mounton_isid_type_dirs',`
 ## </param>
 #
 interface(`files_read_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:file read_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_read_unlabeled_files() instead.')
+	kernel_read_unlabeled_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3351,17 +3327,14 @@ interface(`files_read_isid_type_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_files() instead.')
+	kernel_delete_unlabeled_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete symbolic links on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3370,17 +3343,14 @@ interface(`files_delete_isid_type_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_symlinks',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_lnk_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_symlinks() instead.')
+	kernel_delete_unlabeled_symlinks($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete named pipes on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
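Review bot: the deprecated wrappers in this and the following files.if hunks now call `kernel_delete_unlabeled_symlinks`, `kernel_delete_unlabeled_pipes`, `kernel_delete_unlabeled_sockets`, `kernel_delete_unlabeled_blk_files` and `kernel_delete_unlabeled_chr_files`, but none of these is added in the kernel.if part of this patch, whereas `kernel_delete_unlabeled_dirs` and `kernel_delete_unlabeled_files` are. Confirm that all five already exist in kernel.if; if any is missing, the wrapper expands to an undefined macro and a module still calling the old files_ interface breaks at build time instead of merely emitting the deprecation warning.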
@@ -3389,17 +3359,14 @@ interface(`files_delete_isid_type_symlinks',`
 ## </param>
 #
 interface(`files_delete_isid_type_fifo_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_fifo_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_pipes() instead.')
+	kernel_delete_unlabeled_pipes($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete named sockets on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3408,17 +3375,14 @@ interface(`files_delete_isid_type_fifo_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_sock_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_sock_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_sockets() instead.')
+	kernel_delete_unlabeled_sockets($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete block files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3427,17 +3391,14 @@ interface(`files_delete_isid_type_sock_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_blk_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_blk_files() instead.')
+	kernel_delete_unlabeled_blk_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to write to character
-##	files that have not yet been labeled.
+##	files that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3446,17 +3407,14 @@ interface(`files_delete_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_dontaudit_write_isid_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	dontaudit $1 file_t:chr_file write;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_dontaudit_write_unlabeled_chr_files() instead.')
+	kernel_dontaudit_write_unlabeled_chr_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Delete chr files on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3465,17 +3423,14 @@ interface(`files_dontaudit_write_isid_chr_files',`
 ## </param>
 #
 interface(`files_delete_isid_type_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	delete_chr_files_pattern($1, file_t, file_t)
+	refpolicywarn(`$0($*) has been deprecated, use kernel_delete_unlabeled_chr_files() instead.')
+	kernel_delete_unlabeled_chr_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3484,17 +3439,14 @@ interface(`files_delete_isid_type_chr_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:file manage_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_files() instead.')
+	kernel_manage_unlabeled_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3503,17 +3455,14 @@ interface(`files_manage_isid_type_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_symlinks',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:lnk_file manage_lnk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_symlinks() instead.')
+	kernel_manage_unlabeled_symlinks($1)
 ')
 
 ########################################
 ## <summary>
 ##	Read and write block device nodes on new filesystems
-##	that have not yet been labeled.
+##	that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3522,17 +3471,14 @@ interface(`files_manage_isid_type_symlinks',`
 ## </param>
 #
 interface(`files_rw_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:blk_file rw_blk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_rw_unlabeled_blk_files() instead.')
+	kernel_rw_unlabeled_blk_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete block device nodes
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3541,17 +3487,14 @@ interface(`files_rw_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_blk_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:blk_file manage_blk_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_blk_files() instead.')
+	kernel_manage_unlabeled_blk_files($1)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete character device nodes
-##	on new filesystems that have not yet been labeled.
+##	on new filesystems that have not yet been labeled.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3560,11 +3503,8 @@ interface(`files_manage_isid_type_blk_files',`
 ## </param>
 #
 interface(`files_manage_isid_type_chr_files',`
-	gen_require(`
-		type file_t;
-	')
-
-	allow $1 file_t:chr_file manage_chr_file_perms;
+	refpolicywarn(`$0($*) has been deprecated, use kernel_manage_unlabeled_chr_files() instead.')
+	kernel_manage_unlabeled_chr_files($1)
 ')
 
 ########################################

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..769a7f2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.18.1)
+policy_module(files, 1.18.2)
 
 ########################################
 #
@@ -75,16 +75,6 @@ files_type(etc_runtime_t)
 typealias etc_runtime_t alias firstboot_rw_t;
 
 #
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
 # home_root_t is the type for the directory where user home directories
 # are created
 #

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 54f1b0b..18cef42 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2282,6 +2282,42 @@ interface(`kernel_sigchld_unlabeled',`
 
 ########################################
 ## <summary>
+##	Get the attributes of unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_getattr_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir getattr_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to search unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_search_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List unlabeled directories.
 ## </summary>
 ## <param name="domain">
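Review bot: naming point on the new `kernel_dontaudit_search_unlabeled` interface: every sibling added in this patch names the object class in its suffix (`kernel_getattr_unlabeled_dirs`, `kernel_delete_unlabeled_dirs`, `kernel_manage_unlabeled_dirs`), and the body only covers `dontaudit $1 unlabeled_t:dir search_dir_perms;`, so `kernel_dontaudit_search_unlabeled_dirs` would be consistent and leaves room for other classes later. The deprecated wrapper in files.if (`kernel_dontaudit_search_unlabeled($1)`) would need the matching rename.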
@@ -2356,6 +2392,78 @@ interface(`kernel_rw_unlabeled_dirs',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir delete_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on an unlabeled directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir { search_dir_perms mounton };
+')
+
+########################################
+## <summary>
+##	Read unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write unlabeled files.
 ## </summary>
 ## <param name="domain">
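Review bot: possible permission narrowing in `kernel_delete_unlabeled_dirs`: the deprecated `files_delete_isid_type_dirs` it replaces had the body `delete_dirs_pattern($1, file_t, file_t)`, which takes a container directory as its second argument in addition to the target, while the replacement grants only `allow $1 unlabeled_t:dir delete_dir_perms;`. If the pattern also covers entry removal on the container directory, a caller that could previously remove a directory from an unlabeled parent will now be denied; either add the container-side rule here or state in the commit message that the narrowing is intended. The same question applies to `kernel_delete_unlabeled_files` in the next hunk, which replaces `delete_files_pattern($1, file_t, file_t)` with a single `delete_file_perms` rule.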
@@ -2374,6 +2482,42 @@ interface(`kernel_rw_unlabeled_files',`
 
 ########################################
 ## <summary>
+##	Delete unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to get the
 ##	attributes of an unlabeled file.
 ## </summary>
@@ -2412,6 +2556,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_symlinks',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to get the
 ##	attributes of unlabeled symbolic links.
 ## </summary>
@@ -2501,7 +2663,25 @@ interface(`kernel_rw_unlabeled_blk_files',`
 		type unlabeled_t;
 	')
 
-	allow $1 unlabeled_t:blk_file getattr;
+	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_blk_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
 ')
 
 ########################################
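Review bot: behaviour change beyond the file_t merge in `kernel_rw_unlabeled_blk_files`: the body goes from `allow $1 unlabeled_t:blk_file getattr;` to `rw_blk_file_perms`, so every existing caller of this interface silently gains read and write access to unlabeled block devices. That is what the interface name has always promised, but it widens permissions for already-released callers and should be called out in the commit message (or split into its own commit) so downstream policy maintainers can check which domains are affected.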
@@ -2525,6 +2705,43 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to
+##	write unlabeled character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:file write;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete unlabeled character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_manage_unlabeled_chr_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Allow caller to relabel unlabeled directories.
 ## </summary>
 ## <param name="domain">
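Review bot: wrong object class in `kernel_dontaudit_write_unlabeled_chr_files`: the body is `dontaudit $1 unlabeled_t:file write;`, but the summary says character devices and the deprecated `files_dontaudit_write_isid_chr_files` it replaces used `dontaudit $1 file_t:chr_file write;`. As written, the rule silences writes to unlabeled regular files, which the caller did not ask for, and leaves the chr_file denials audited; change it to `dontaudit $1 unlabeled_t:chr_file write;`.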

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index a39d803..1437180 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.2)
+policy_module(kernel, 1.17.3)
 
 ########################################
 #
@@ -162,8 +162,15 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
 # Objects that have no known labeling information or that
 # have labels that are no longer valid are treated as having this type.
 #
-type unlabeled_t;
+# Mountpoint permissions are for the case when a file has been assigned
+# an extended attribute for the first time (old file_t).  Directories
+# where filesystems are mounted may never get relabeled.
+#
+type unlabeled_t alias file_t;
+kernel_rootfs_mountpoint(unlabeled_t)
+files_mountpoint(unlabeled_t)
 fs_associate(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
 sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 
 # These initial sids are no longer used, and can be removed:
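Review bot: the alias `type unlabeled_t alias file_t;` makes every rule elsewhere in the policy that names `file_t` apply to all `unlabeled_t` objects, including objects whose labels are merely no longer valid (per the comment above the declaration), not only files on never-labeled filesystems. The commit message asserts the two are security equivalent, but this patch only touches the kernel module; please note in the commit message or Changelog that the remaining `file_t` references in other modules were reviewed, and add a line above the alias saying it is kept for compatibility with policy that still requires `file_t`. The `sid file` initial SID is also now assigned `unlabeled_t` at `s0` while `sid unlabeled` stays at `mls_systemhigh`; a short comment on why the two initial SIDs get different MLS ranges would help future readers.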