[selinux-policy: 832/3172] hide broken symptoms

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:17:00 UTC 2010


commit 3df88de0ba0e1ebc0ffa34266942fa7f95aec754
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 24 22:55:28 2005 +0000

    hide broken symptoms

 refpolicy/policy/modules/services/cups.if      |   18 ++++++++++++++++++
 refpolicy/policy/modules/services/samba.te     |   10 +++++++++-
 refpolicy/policy/modules/system/selinuxutil.te |    2 +-
 refpolicy/policy/modules/system/sysnetwork.te  |    2 +-
 4 files changed, 29 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/cups.if b/refpolicy/policy/modules/services/cups.if
index 02c323e..d1e86d0 100644
--- a/refpolicy/policy/modules/services/cups.if
+++ b/refpolicy/policy/modules/services/cups.if
@@ -1 +1,19 @@
 ## <summary>Common UNIX printing system</summary>
+
+########################################
+## <summary>
+##	Read cups-writable configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cups_read_rw_config',`
+	gen_require(`
+		type cupsd_etc_t, cupsd_rw_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 cupsd_etc_t:dir search_dir_perms;
+	allow $1 cupsd_rw_etc_t:file { getattr read };
+')
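Review bot: `cups_read_rw_config` gives the caller read access to every file labelled `cupsd_rw_etc_t`, but the interface comment says neither what those files can hold nor why a non-CUPS domain would need them. Files that cupsd rewrites at runtime can carry sensitive values (printer device URIs sometimes embed credentials; worth confirming against this policy's file contexts). The only caller added in this commit is `smbd_t` in samba.te, a network-facing daemon. I would extend the summary to something like `## Read cups-writable configuration files; these may hold printer credentials, so grant only to domains that must parse them.` and add a one-line comment at the samba.te call site naming the file smbd actually reads.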
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index c6e77e8..28efc5a 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -208,6 +208,8 @@ allow smbd_t smbd_var_run_t:file create_file_perms;
 allow smbd_t smbd_var_run_t:sock_file create_file_perms;
 files_create_pid(smbd_t,smbd_var_run_t)
 
+allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+
 kernel_getattr_core(smbd_t)
 kernel_getattr_message_if(smbd_t)
 kernel_read_network_state(smbd_t)
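Review bot: The added `allow smbd_t winbind_var_run_t:sock_file { read write getattr };` covers only the socket file object, while connecting to a Unix stream socket is also checked against the peer. smbd will therefore also need `connectto` on the winbind daemon's `unix_stream_socket` (presumably `winbind_t`) and search on the directory holding the socket. Neither is visible in this hunk, so unless they are granted elsewhere in samba.te the denial just moves to the next check. `write` is normally the permission a connect needs on the sock_file; `read` looks broader than necessary and could be dropped if testing confirms it is unused.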
@@ -281,6 +283,10 @@ tunable_policy(`allow_smbd_anon_write',`
 	miscfiles_manage_public_files(smbd_t)
 ') 
 
+optional_policy(`cups.te',`
+	cups_read_rw_config(smbd_t)
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(smbd_t)
 ')
@@ -305,11 +311,13 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
+') dnl end TODO
+
 ifdef(`hide_broken_symptoms', `
 dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
 dontaudit smbd_t devpts_t:dir getattr;
 ')
-')
+allow smbd_t mtrr_device_t:file getattr;
 
 ########################################
 #
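Review bot: `allow smbd_t mtrr_device_t:file getattr;` sits after the closing `')` of the `hide_broken_symptoms` block, so it is an unconditional grant rather than a suppressed denial, which does not match the commit title. If smbd only stats the MTRR node as a side effect, `dontaudit smbd_t mtrr_device_t:file getattr;` inside the ifdef would silence the message without widening the policy. If the access is really required, it should go through an interface of the module that owns `mtrr_device_t` rather than naming the type directly. Moving `') dnl end TODO` up also activates the two dontaudit lines, and the second (`devpts_t:dir getattr`) is already covered by the type set on the line above it.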
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 071446b..33cf4ee 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -342,7 +342,7 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`hide_broken_symptoms',`
-	udev_donaudit_rw_unix_dgram_socket(restorecon_t)
+	udev_dontaudit_rw_unix_dgram_socket(restorecon_t)
 ')
 
 optional_policy(`hotplug.te',`
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index d181cf9..631a5fe 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -329,7 +329,7 @@ ifdef(`hide_broken_symptoms',`
 	')
 
 	optional_policy(`udev.te',`
-		udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
+		udev_dontaudit_rw_unix_dgram_socket(ifconfig_t)
 	')
 ')
 

