[selinux-policy: 674/3172] todo cleanup

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:03:12 UTC 2010 

commit 3774e4eb28e0e6055daa529a17406a5761e30fa6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 20 20:48:17 2005 +0000

    todo cleanup

 refpolicy/policy/modules/admin/consoletype.te |    3 +-
 refpolicy/policy/modules/admin/firstboot.te   |    4 +-
 refpolicy/policy/modules/admin/logrotate.te   |   12 +---
 refpolicy/policy/modules/admin/netutils.te    |    2 +-
 refpolicy/policy/modules/admin/rpm.te         |   22 +++---
 refpolicy/policy/modules/admin/usermanage.te  |   94 +++++++++----------------
 refpolicy/policy/modules/admin/vpn.te         |    5 +-
 refpolicy/policy/modules/services/cron.if     |   32 +++++----
 refpolicy/policy/modules/services/cron.te     |   20 +++---
 refpolicy/policy/modules/services/inetd.te    |   11 ++--
 refpolicy/policy/modules/services/kerberos.te |    8 --
 refpolicy/policy/modules/services/ldap.if     |   18 +++++
 refpolicy/policy/modules/services/ldap.te     |    4 +-
 refpolicy/policy/modules/services/nscd.te     |    2 +-
 refpolicy/policy/modules/services/rshd.te     |    3 -
 refpolicy/policy/modules/services/samba.te    |    2 +-
 refpolicy/policy/modules/system/authlogin.if  |   10 +--
 refpolicy/policy/modules/system/domain.if     |   23 ++++++
 refpolicy/policy/modules/system/hotplug.te    |    9 +--
 refpolicy/policy/modules/system/raid.te       |    4 +-
 20 files changed, 137 insertions(+), 151 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 61f46ad..016682c 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -67,6 +67,7 @@ optional_policy(`authlogin.te', `
 
 optional_policy(`cron.te',`
 	cron_read_pipe(consoletype_t)
+	cron_use_system_job_fd(consoletype_t)
 ')
 
 optional_policy(`firstboot.te',`
@@ -95,8 +96,6 @@ optional_policy(`userdomain.te',`
 ifdef(`TODO',`
 allow consoletype_t nfs_t:file write;
 
-allow consoletype_t system_crond_t:fd use;
-
 optional_policy(`xdm.te', `
 allow consoletype_t xdm_tmp_t:file rw_file_perms;
 ')
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index f39a053..7ad75c4 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -120,8 +120,10 @@ optional_policy(`samba.te',`
 ')
 
 optional_policy(`usermanage.te',`
-	usermanage_domtrans_useradd(firstboot_t)
+	usermanage_domtrans_chfn(firstboot_t)
 	usermanage_domtrans_groupadd(firstboot_t)
+	usermanage_domtrans_passwd(firstboot_t)
+	usermanage_domtrans_useradd(firstboot_t)
 ')
 
 ifdef(`TODO',`
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 1a1e714..5ddfe4b 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -85,6 +85,8 @@ corecmd_exec_ls(logrotate_t)
 domain_signal_all_domains(logrotate_t)
 domain_use_wide_inherit_fd(logrotate_t)
 domain_getattr_all_entry_files(logrotate_t)
+# Read /proc/PID directories for all domains.
+domain_read_all_domains_state(logrotate_t)
 
 files_read_usr_files(logrotate_t)
 files_read_etc_files(logrotate_t)
@@ -163,21 +165,11 @@ optional_policy(`squid.te',`
 ')
 
 ifdef(`TODO',`
-
-#from privmail this needs more work:
-allow mta_user_agent logrotate_t:fd use;
-allow mta_user_agent logrotate_t:process sigchld;
-allow mta_user_agent logrotate_t:fifo_file { read write };
-
 ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
 
 # it should not require this
 allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
 
-# Read /proc/PID directories for all domains.
-allow logrotate_t domain:notdevfile_class_set r_file_perms;
-allow logrotate_t domain:dir r_dir_perms;
-
 # for /var/backups on Debian
 ifdef(`backup.te', `
 rw_dir_create_file(logrotate_t, backup_store_t)
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 01b3216..b6ce0ea 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.0)
+policy_module(netutils,1.0)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index bb43066..1da113f 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -6,11 +6,12 @@ policy_module(rpm,1.0)
 # Declarations
 #
 
-type rpm_t; #, priv_system_role;
+type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
 domain_obj_id_change_exempt(rpm_t)
 domain_role_change_exempt(rpm_t)
+domain_system_change_exempt(rpm_t)
 domain_wide_inherit_fd(rpm_t)
 role system_r types rpm_t;
 
@@ -30,9 +31,10 @@ type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
-type rpm_script_t; #, admin, privmem, priv_system_role;
+type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exempt(rpm_script_t)
+domain_system_change_exempt(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t,rpm_script_exec_t)
@@ -92,7 +94,7 @@ fs_create_tmpfs_data(rpm_t,rpm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }
 # Access /var/lib/rpm files
 allow rpm_t rpm_var_lib_t:file create_file_perms;
 allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
-#files_create_private_libraries(rpm_t,rpm_var_lib_t,dir)
+files_create_var_lib(rpm_t,rpm_var_lib_t,dir)
 
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctl(rpm_t)
@@ -114,7 +116,7 @@ dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
 #devices_manage_all_device_types(rpm_t)
 
-#fs_manage_nfs_dir(rpm_t)
+fs_manage_nfs_dirs(rpm_t)
 fs_manage_nfs_files(rpm_t)
 fs_manage_nfs_symlinks(rpm_t)
 fs_getattr_all_fs(rpm_t)
@@ -183,10 +185,6 @@ ifdef(`TODO',`
 # cjp: this seems way out of place
 role sysadm_r types initrc_t;
 
-type_transition rpm_t tmpfs_t:{ dir file lnk_file sock_file fifo_file } rpm_tmpfs_t;
-
-dontaudit rpm_t domain:process ptrace;
-
 # read/write/create any files in the system
 dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
 allow rpm_t ttyfile:chr_file unlink;
@@ -312,10 +310,6 @@ seutil_domtrans_restorecon(rpm_script_t)
 
 userdom_use_all_user_fd(rpm_script_t)
 
-if (allow_execmem) {
-	allow rpm_script_t self:process execmem;
-}
-
 # this should be tunable_policy, but
 # typeattribute does not work in conditionals
 ifdef(`unlimitedRPM',`
@@ -323,6 +317,10 @@ ifdef(`unlimitedRPM',`
 	unconfined_domain_template(rpm_script_t)
 ')
 
+tunable_policy(`allow_execmem',`
+	allow rpm_script_t self:process execmem;
+')
+
 optional_policy(`bootloader.te',`
 	bootloader_domtrans(rpm_script_t)
 ')
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 4452dee..b3ed57c 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -96,6 +96,9 @@ fs_search_auto_mountpoints(chfn_t)
 # for SSP
 dev_read_urand(chfn_t)
 
+auth_domtrans_chk_passwd(chfn_t)
+auth_dontaudit_read_shadow(chfn_t)
+
 # can exec /sbin/unix_chkpwd
 corecmd_search_bin(chfn_t)
 corecmd_search_sbin(chfn_t)
@@ -117,31 +120,23 @@ miscfiles_read_localization(chfn_t)
 
 logging_send_syslog_msg(chfn_t)
 
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
+# uses unix_chkpwd for checking passwords
+seutil_dontaudit_search_config(chfn_t)
 
 userdom_use_unpriv_users_fd(chfn_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(chfn_t)
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(chfn_t)
 ')
 
 ifdef(`TODO',`
-ifdef(`firstboot.te',`
-domain_auto_trans(firstboot_t, chfn_exec_t, chfn_t)
-')
-
 ifdef(`gnome-pty-helper.te', `allow chfn_t gphdomain:fd use;')
 
 # allow checking if a shell is executable
 allow chfn_t shell_exec_t:file execute;
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit chfn_t { user_home_dir_type user_home_type }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t selinux_config_t:dir search;
 ') dnl endif TODO
 
 ########################################
@@ -180,16 +175,11 @@ libs_use_shared_libs(crack_t)
 
 logging_send_syslog_msg(crack_t)
 
-ifdef(`TODO',`
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, crack_exec_t, crack_t)
-allow crack_t crond_t:fifo_file rw_file_perms;
-allow crack_t crond_t:fd use;
-allow crack_t crond_t:process sigchld;
-')
+userdom_dontaudit_search_sysadm_home_dir(crack_t)
 
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
-') dnl endif TODO
+optional_policy(`cron.te',`
+	cron_system_entry(crack_t,crack_exec_t)
+')
 
 ########################################
 #
@@ -250,6 +240,8 @@ auth_rw_lastlog(groupadd_t)
 seutil_read_config(groupadd_t)
 
 userdom_use_unpriv_users_fd(groupadd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dir(groupadd_t)
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(groupadd_t)
@@ -265,15 +257,11 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
-
 # Update /etc/shadow and /etc/passwd
 allow groupadd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow groupadd_t gphdomain:fd use;')
-
-# for when /root is the cwd
-dontaudit groupadd_t sysadm_home_dir_t:dir search;
 ') dnl end TODO
 
 ########################################
@@ -314,6 +302,8 @@ selinux_compute_create_context(passwd_t)
 selinux_compute_relabel_context(passwd_t)
 selinux_compute_user_contexts(passwd_t)
 
+auth_manage_shadow(passwd_t)
+
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
 init_dontaudit_rw_script_pid(passwd_t)
@@ -323,6 +313,7 @@ domain_use_wide_inherit_fd(passwd_t)
 files_read_etc_runtime_files(passwd_t)
 files_manage_etc_files(passwd_t)
 files_search_var(passwd_t)
+files_dontaudit_search_pids(passwd_t)
 
 libs_use_ld_so(passwd_t)
 libs_use_shared_libs(passwd_t)
@@ -331,20 +322,18 @@ logging_send_syslog_msg(passwd_t)
 
 miscfiles_read_localization(passwd_t)
 
-auth_manage_shadow(passwd_t)
+seutil_dontaudit_search_config(passwd_t)
 
 userdom_use_unpriv_users_fd(passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(passwd_t)
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(passwd_t)
 ')
 
 ifdef(`TODO',`
-
-ifdef(`firstboot.te',`
-domain_auto_trans(firstboot_t, passwd_exec_t, passwd_t)
-')
-
 # Update /etc/shadow and /etc/passwd
 allow passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
@@ -354,18 +343,10 @@ ifdef(`gnome-pty-helper.te', `allow passwd_t gphdomain:fd use;')
 # allow checking if a shell is executable
 allow passwd_t shell_exec_t:file execute;
 
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit passwd_t { user_home_dir_type user_home_type }:dir search;
-
 # make sure that getcon succeeds
 allow passwd_t userdomain:dir search;
 allow passwd_t userdomain:file read;
 allow passwd_t userdomain:process getattr;
-
-dontaudit passwd_t selinux_config_t:dir search;
-
-dontaudit passwd_t var_run_t:dir search;
 ') dnl endif TODO
 
 ########################################
@@ -424,6 +405,8 @@ domain_use_wide_inherit_fd(sysadm_passwd_t)
 
 files_manage_etc_files(sysadm_passwd_t)
 files_read_etc_runtime_files(sysadm_passwd_t)
+# for nscd lookups
+files_dontaudit_search_pids(sysadm_passwd_t)
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
@@ -436,7 +419,12 @@ miscfiles_read_localization(sysadm_passwd_t)
 
 logging_send_syslog_msg(sysadm_passwd_t)
 
+seutil_dontaudit_search_config(sysadm_passwd_t)
+
 userdom_use_unpriv_users_fd(sysadm_passwd_t)
+# user generally runs this from their home directory, so do not audit a search
+# on user home dir
+userdom_dontaudit_search_all_users_home(sysadm_passwd_t)
 
 optional_policy(`nis.te',`
 	nis_use_ypbind(sysadm_passwd_t)
@@ -452,20 +440,9 @@ ifdef(`gnome-pty-helper.te', `allow sysadm_passwd_t gphdomain:fd use;')
 # allow checking if a shell is executable
 allow sysadm_passwd_t shell_exec_t:file execute;
 
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit sysadm_passwd_t { user_home_dir_type user_home_type }:dir search;
-
 # Update /etc/shadow and /etc/passwd
 allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-dontaudit sysadm_passwd_t selinux_config_t:dir search;
 ifdef(`targeted_policy', `
 role system_r types sysadm_passwd_t;
 allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
@@ -534,6 +511,12 @@ seutil_read_config(useradd_t)
 seutil_read_file_contexts(useradd_t)
 
 userdom_use_unpriv_users_fd(useradd_t)
+# for when /root is the cwd
+userdom_dontaudit_search_sysadm_home_dir(useradd_t)
+# Add/remove user home directories
+userdom_create_user_home_dir(useradd_t)
+userdom_manage_user_home_dir(useradd_t)
+userdom_create_user_home(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 
@@ -551,21 +534,12 @@ optional_policy(`rpm.te',`
 ')
 
 ifdef(`TODO',`
-
 # Update /etc/shadow and /etc/passwd
 allow useradd_t { etc_t shadow_t }:file { relabelfrom relabelto };
 
 # Access terminals.
 ifdef(`gnome-pty-helper.te', `allow useradd_t gphdomain:fd use;')
 
-# for when /root is the cwd
-dontaudit useradd_t sysadm_home_dir_t:dir search;
-
-# Add/remove user home directories
-file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-
 # /var/mail is a link to /var/spool/mail
 allow useradd_t mail_spool_t:lnk_file read;
-
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/admin/vpn.te b/refpolicy/policy/modules/admin/vpn.te
index 0eba8d1..b95df4e 100644
--- a/refpolicy/policy/modules/admin/vpn.te
+++ b/refpolicy/policy/modules/admin/vpn.te
@@ -96,6 +96,7 @@ sysnet_create_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
 userdom_use_all_user_fd(vpnc_t)
+userdom_dontaudit_search_all_users_home(vpnc_t)
 
 optional_policy(`mount.te',`
         mount_send_nfs_client_request(vpnc_t)
@@ -108,7 +109,3 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 	nscd_use_socket(vpnc_t)
 ')
-
-ifdef(`TODO',`
-dontaudit vpnc_t user_home_dir_type:dir search;
-')
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index e642b2a..6689e65 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -98,6 +98,8 @@ template(`cron_per_userdomain_template',`
 	fs_getattr_all_fs($1_crond_t)
 
 	domain_exec_all_entry_files($1_crond_t)
+	# quiet other ps operations
+	domain_dontaudit_read_all_domains_state($1_crond_t)
 
 	files_read_usr_files($1_crond_t)
 	files_exec_etc_files($1_crond_t)
@@ -113,6 +115,8 @@ template(`cron_per_userdomain_template',`
 	libs_exec_ld_so($1_crond_t)
 
 	files_read_etc_runtime_files($1_crond_t)
+	files_read_var_files($1_crond_t)
+	files_search_spool($1_crond_t)
 
 	logging_search_logs($1_crond_t)
 
@@ -126,6 +130,13 @@ template(`cron_per_userdomain_template',`
 	userdom_manage_user_tmp_sockets($1,$1_crond_t)
 	# Run scripts in user home directory and access shared libs.
 	userdom_exec_user_home_files($1,$1_crond_t)
+	# Access user files and dirs.
+#	userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
+	userdom_manage_user_home_subdir_files($1,$1_crond_t)
+	userdom_manage_user_home_subdir_symlinks($1,$1_crond_t)
+	userdom_manage_user_home_subdir_pipes($1,$1_crond_t)
+	userdom_manage_user_home_subdir_sockets($1,$1_crond_t)
+#	userdom_create_user_home($1,$1_crond_t,notdevfile_class_set)
 
 	tunable_policy(`fcron_crond', `
 		allow crond_t $1_cron_spool_t:file create_file_perms;
@@ -136,9 +147,6 @@ template(`cron_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	# Access user files and dirs.
-	file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
 	allow $1_crond_t tmp_t:dir rw_dir_perms;
 	type_transition $1_crond_t $1_tmp_t:{ file lnk_file sock_file fifo_file } $1_tmp_t;
 
@@ -150,13 +158,6 @@ template(`cron_per_userdomain_template',`
 		dontaudit $1_mail_t crond_t:fifo_file write;
 		allow mta_user_agent $1_crond_t:fd use;
 	')
-
-	allow $1_crond_t var_spool_t:dir search;
-	allow $1_crond_t var_t:dir r_dir_perms;
-	allow $1_crond_t var_t:file r_file_perms;
-
-	# quiet other ps operations
-	dontaudit $1_crond_t domain:dir { getattr search };
 	') dnl endif TODO
 
 	##############################
@@ -171,6 +172,12 @@ template(`cron_per_userdomain_template',`
 	allow $1_crontab_t $2:fifo_file rw_file_perms;
 	allow $1_crontab_t $2:process sigchld;
 
+	# crontab shows up in user ps
+	allow $2 $1_crontab_t:dir { search getattr read };
+	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
+	allow $2 $1_crontab_t:process getattr;
+	dontaudit $2 $1_crontab_t:process ptrace;
+
 	# for ^Z
 	allow $2 $1_crontab_t:process signal;
 
@@ -229,15 +236,10 @@ template(`cron_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	can_ps($1_t, $1_crontab_t)
-
-	dontaudit $1_crontab_t proc_t:dir search;
-
 	allow $1_crond_t tmp_t:dir rw_dir_perms;
 	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
 
 	# Read user crontabs
-	allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
 
 	# Inherit and use descriptors from gnome-pty-helper.
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index c8f3573..214eb03 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -13,7 +13,7 @@ files_type(anacron_exec_t)
 type cron_spool_t;
 files_type(cron_spool_t)
 
-type crond_t; #, privmail
+type crond_t;
 type crond_exec_t;
 init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
@@ -31,7 +31,7 @@ files_type(crontab_exec_t)
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
 
-type system_crond_t; #, privmail
+type system_crond_t;
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
@@ -100,6 +100,9 @@ domain_use_wide_inherit_fd(crond_t)
 
 files_read_etc_files(crond_t)
 files_read_generic_spools(crond_t)
+# Read from /var/spool/cron.
+files_search_var_lib(crond_t)
+files_search_default(crond_t)
 
 init_use_fd(crond_t)
 init_use_script_pty(crond_t)
@@ -117,6 +120,8 @@ miscfiles_read_localization(crond_t)
 
 userdom_use_unpriv_users_fd(crond_t)
 
+mta_send_mail(crond_t)
+
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
@@ -169,10 +174,6 @@ optional_policy(`rhgb.te', `
 rhgb_domain(crond_t)
 ')
 
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t default_t:dir search;
-
 # crond tries to search /root.  Not sure why.
 allow crond_t sysadm_home_dir_t:dir r_dir_perms;
 
@@ -257,6 +258,8 @@ corecmd_exec_bin(system_crond_t)
 corecmd_exec_sbin(system_crond_t)
 
 domain_exec_all_entry_files(system_crond_t)
+# quiet other ps operations
+domain_dontaudit_read_all_domains_state(system_crond_t)
 
 files_exec_etc_files(system_crond_t)
 files_read_etc_files(system_crond_t)
@@ -296,6 +299,8 @@ miscfiles_manage_man_pages(system_crond_t)
 
 seutil_read_config(system_crond_t)
 
+mta_send_mail(system_crond_t)
+
 ifdef(`distro_redhat', `
 	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
 	# via redirection of standard out.
@@ -342,9 +347,6 @@ optional_policy(`squid.te',`
 ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
 
-# quiet other ps operations
-dontaudit system_crond_t domain:dir { getattr search };
-
 # Do not audit attempts to search unlabeled directories (e.g. slocate).
 dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
 dontaudit system_crond_t unlabeled_t:file r_file_perms;
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 12869b9..25db7d4 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -6,7 +6,7 @@ policy_module(inetd,1.0)
 # Declarations
 #
 
-type inetd_t; # ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')
+type inetd_t;
 type inetd_exec_t;
 init_daemon_domain(inetd_t,inetd_exec_t)
 
@@ -127,6 +127,11 @@ optional_policy(`mount.te',`
 	mount_send_nfs_client_request(inetd_t)
 ')
 
+# Communicate with the portmapper.
+optional_policy(`portmap.te',`
+	portmap_udp_sendto(inetd_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(inetd_t)
 ')
@@ -146,13 +151,9 @@ ifdef(`unlimitedInetd', `
 ')
 
 ifdef(`TODO',`
-
 optional_policy(`rhgb.te',`
 	rhgb_domain(inetd_t)
 ')
-
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
 ') dnl TODO
 
 ########################################
diff --git a/refpolicy/policy/modules/services/kerberos.te b/refpolicy/policy/modules/services/kerberos.te
index da1ded3..27fac58 100644
--- a/refpolicy/policy/modules/services/kerberos.te
+++ b/refpolicy/policy/modules/services/kerberos.te
@@ -145,9 +145,6 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(kadmind_t)
 ')
-
-# cjp: not sure, but I think this has no effect
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
 ') dnl end TODO
 
 ########################################
@@ -250,9 +247,4 @@ optional_policy(`rhgb.te',`
 # Allow user programs to talk to KDC
 allow krb5kdc_t userdomain:udp_socket recvfrom;
 allow userdomain krb5kdc_t:udp_socket recvfrom;
-
-# cjp: not sure, but I think these have no effect
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
index 833e02c..2f3b0ea 100644
--- a/refpolicy/policy/modules/services/ldap.if
+++ b/refpolicy/policy/modules/services/ldap.if
@@ -35,3 +35,21 @@ interface(`ldap_read_config',`
 	files_search_etc($1)
 	allow $1 slapd_etc_t:file { getattr read };
 ')
+
+########################################
+## <summary>
+##	Use LDAP over TCP connection.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`ldap_use',`
+	gen_require(`
+		type slapd_t;
+	')
+
+	allow $1 slapd_t:tcp_socket { connectto recvfrom };
+	allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index e55e70d..18ec509 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -59,6 +59,7 @@ files_create_pid(slapd_t,slapd_var_run_t)
 
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctl(slapd_t)
+kernel_tcp_recvfrom(slapd_t)
 
 corenet_tcp_sendrecv_all_if(slapd_t)
 corenet_udp_sendrecv_all_if(slapd_t)
@@ -124,7 +125,4 @@ r_dir_file(slapd_t, cert_t)
 optional_policy(`rhgb.te',`
 	rhgb_domain(slapd_t)
 ')
-# allow any domain to connect to the LDAP server
-# cjp: how does this relate to the old can_ldap() macro?
-can_tcp_connect(domain, slapd_t)
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index abb9b6e..0e5f6f7 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -2,7 +2,7 @@
 policy_module(nscd,1.0)
 
 gen_require(`
-	class nscd { admin getstat };
+	class nscd all_nscd_perms;
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index 717ac4a..ba7c21b 100644
--- a/refpolicy/policy/modules/services/rshd.te
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -86,7 +86,4 @@ ifdef(`TODO',`
 optional_policy(`rlogind.te', `
 	allow rshd_t rlogind_tmp_t:file rw_file_perms;
 ')
-
-allow rshd_t selinux_config_t:lnk_file { getattr read };
-allow rshd_t default_context_t:lnk_file { getattr read };
 ')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 03bc86d..b73bd1d 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -21,6 +21,7 @@ files_type(samba_log_t)
 
 type samba_net_t;
 domain_type(samba_net_t)
+role system_r types samba_net_t;
 
 type samba_net_exec_t;
 domain_entry_file(samba_net_t,samba_net_exec_t)
@@ -126,7 +127,6 @@ optional_policy(`nscd.te',`
 ')
 
 ifdef(`TODO',`
-role system_r types samba_net_t;
 in_user_role(samba_net_t)
 ')
 
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 1e34ffc..5afaeea 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -32,13 +32,6 @@ template(`authlogin_per_userdomain_template',`
 	gen_require(`
 		attribute can_read_shadow_passwords;
 		type chkpwd_exec_t, system_chkpwd_t, shadow_t;
-		class file rx_file_perms;
-		class process { getattr transition sigchld };
-		class capability setuid;
-		class unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown }; 
-		class unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
-		class fd use;
-		class fifo_file rw_file_perms;
 	')
 
 	type $1_chkpwd_t, can_read_shadow_passwords;
@@ -63,6 +56,8 @@ template(`authlogin_per_userdomain_template',`
 	allow $1_chkpwd_t $2:fifo_file rw_file_perms;
 	allow $1_chkpwd_t $2:process sigchld;
 
+	dontaudit $2 shadow_t:file { getattr read };
+
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)
 
@@ -114,7 +109,6 @@ template(`authlogin_per_userdomain_template',`
 	ifdef(`TODO',`
 	can_winbind($1)
 	r_dir_file($1, cert_t)
-	dontaudit $1 shadow_t:file { getattr read };
 	')
 ')
 
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 6e5af0f..5da415f 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -71,6 +71,11 @@ interface(`domain_type',`
 		unconfined_sigchld($1)
 	')
 
+	# allow any domain to connect to the LDAP server
+	optional_policy(`ldap.te',`
+		ldap_use($1)
+	')
+
 	# this seems highly questionable:
 	optional_policy(`rpm.te',`
 		rpm_use_fd($1)
@@ -131,6 +136,24 @@ interface(`domain_dyntrans_type',`
 
 ########################################
 ## <summary>
+##	Makes caller and execption to the constraint
+##	preventing changing to the system user
+##	identity and system role.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`domain_system_change_exempt',`
+	gen_require(`
+		attribute can_system_change;
+	')
+
+	typeattribute $1 can_system_change;
+')
+
+########################################
+## <summary>
 ##	Makes caller an exception to the constraint preventing
 ##	changing of user identity.
 ## </summary>
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 514724b..10118fe 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -78,6 +78,8 @@ corecmd_exec_shell(hotplug_t)
 corecmd_exec_sbin(hotplug_t)
 
 domain_use_wide_inherit_fd(hotplug_t)
+# for ps
+domain_dontaudit_read_all_domains_state(hotplug_t)
 
 files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
@@ -187,16 +189,9 @@ optional_policy(`rhgb.te',`
 rhgb_domain(hotplug_t)
 ')
 
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
 dontaudit hotplug_t { init_t kernel_t }:file read;
 
 optional_policy(`hald.te', `
 	allow hotplug_t hald_t:unix_dgram_socket sendto;
 ')
-
-# this block goes to hald:
-optional_policy(`hotplug.te',`
-	hotplug_read_config(hald_t)
-')
 ') dnl end TODO
diff --git a/refpolicy/policy/modules/system/raid.te b/refpolicy/policy/modules/system/raid.te
index 5a0665c..f65de87 100644
--- a/refpolicy/policy/modules/system/raid.te
+++ b/refpolicy/policy/modules/system/raid.te
@@ -6,7 +6,7 @@ policy_module(raid,1.0)
 # Declarations
 #
 
-type mdadm_t; # privmail
+type mdadm_t;
 type mdadm_exec_t;
 init_daemon_domain(mdadm_t,mdadm_exec_t)
 role system_r types mdadm_t;
@@ -67,6 +67,8 @@ miscfiles_read_localization(mdadm_t)
 userdom_dontaudit_use_unpriv_user_fd(mdadm_t)
 userdom_dontaudit_use_sysadm_tty(mdadm_t)
 
+mta_send_mail(mdadm_t)
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_tty(mdadm_t)
 	term_dontaudit_use_generic_pty(mdadm_t)

More information about the scm-commits mailing list