[selinux-policy: 826/3172] fix most disable_trans errors

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:16:29 UTC 2010


commit 69dcd685adb4e5bb3334e9f38c0f3b3fcefb7b26
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 24 22:08:13 2005 +0000

    fix most disable_trans errors

 refpolicy/Makefile                              |    2 +-
 refpolicy/policy/modules/services/cpucontrol.te |   12 ++++++-
 refpolicy/policy/modules/services/finger.te     |    2 +-
 refpolicy/policy/modules/services/inetd.if      |   35 +++++++++++++++++++----
 refpolicy/policy/modules/services/tftp.te       |    2 +-
 refpolicy/policy/modules/system/init.if         |    6 ++++
 refpolicy/policy/modules/system/unconfined.te   |    1 +
 7 files changed, 49 insertions(+), 11 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 6f3ac9f..c49cfdb 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,7 +71,7 @@ MONOLITHIC=y
 PREFIX := /usr
 BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
 CHECKMODULE := $(BINDIR)/checkmodule
 SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/load_policy
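Review bot: The new `CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy` expands to `/tmp/usr/bin/checkpolicy`, a path under a world-writable directory, and nothing in the commit message mentions the build tool location, so this looks like a local testing override that was committed by accident. Building the policy would then execute whatever binary happens to sit at that path on the build host, and CHECKMODULE, SEMOD_PKG and LOADPOLICY on the neighbouring lines still use the normal prefix, so the file is also inconsistent with itself. I would restore `CHECKPOLICY := $(BINDIR)/checkpolicy` and, for local testing, pass `make CHECKPOLICY=/path/to/checkpolicy` on the command line, which already overrides the assignment without touching the tree.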
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
index ddb5869..c858827 100644
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -8,14 +8,14 @@ policy_module(cpucontrol,1.0)
 
 type cpucontrol_t;
 type cpucontrol_exec_t;
-init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+init_system_domain(cpucontrol_t,cpucontrol_exec_t)
 
 type cpucontrol_conf_t;
 files_type(cpucontrol_conf_t)
 
 type cpuspeed_t;
 type cpuspeed_exec_t;
-init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+init_system_domain(cpuspeed_t,cpuspeed_exec_t)
 
 ########################################
 #
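Review bot: The swap from init_daemon_domain to init_system_domain on the cpucontrol_t and cpuspeed_t lines is not explained anywhere in the module, and the same unexplained swap appears in the finger.te and tftp.te hunks. If, as the commit title suggests, init_system_domain differs by not declaring a `<domain>_disable_trans` boolean (init_system_domain is not in this diff, so that is inferred), then cpucontrol_t and cpuspeed_t lose the targeted-policy switch that let an administrator run them without a domain transition, which is a behavioural change worth recording where the call is made; fingerd_t and tftpd_t seem to get the boolean back from the inetd interface instead. A one-line comment above each call, e.g. `# init_system_domain rather than init_daemon_domain: no <domain>_disable_trans boolean for this domain`, would make the intent visible to the next person who tries to "fix" it back.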
@@ -61,6 +61,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cpucontrol_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(cpucontrol_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(cpucontrol_t)
 ')
@@ -117,6 +121,10 @@ ifdef(`targeted_policy',`
 	files_dontaudit_read_root_file(cpuspeed_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(cpuspeed_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(cpuspeed_t)
 ')
diff --git a/refpolicy/policy/modules/services/finger.te b/refpolicy/policy/modules/services/finger.te
index 64c4d5d..72c467f 100644
--- a/refpolicy/policy/modules/services/finger.te
+++ b/refpolicy/policy/modules/services/finger.te
@@ -7,7 +7,7 @@ policy_module(finger,1.0)
 #
 type fingerd_t;
 type fingerd_exec_t;
-init_daemon_domain(fingerd_t,fingerd_exec_t)
+init_system_domain(fingerd_t,fingerd_exec_t)
 inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
 
 type fingerd_etc_t;
diff --git a/refpolicy/policy/modules/services/inetd.if b/refpolicy/policy/modules/services/inetd.if
index 4a85162..3d97f1c 100644
--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@@ -32,14 +32,37 @@ interface(`inetd_core_service_domain',`
 
 	role system_r types $1;
 
-	domain_auto_trans(inetd_t,$2,$1)
-
-	allow $1 inetd_t:fd use;
-	allow inetd_t $1:fd use;
-	allow $1 inetd_t:fifo_file rw_file_perms;
-	allow $1 inetd_t:process sigchld;
-
 	allow inetd_t $1:process sigkill;
+
+	ifdef(`targeted_policy',`
+		# this regex is a hack, since it assumes there is a
+		# _t at the end of the domain type.  If there is no _t
+		# at the end of the type, it returns empty!
+		bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
+		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
+			can_exec(inetd_t,$2)
+		} else {
+			domain_auto_trans(inetd_t,$2,$1)
+			allow inetd_t $1:fd use;
+			allow $1 inetd_t:fd use;
+			allow $1 inetd_t:fifo_file rw_file_perms;
+			allow $1 inetd_t:process sigchld;
+			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+			# make sediff happy
+			allow $1 $2:file { rx_file_perms entrypoint };
+		}
+	',`
+		domain_auto_trans(inetd_t,$2,$1)
+		allow inetd_t $1:fd use;
+		allow $1 inetd_t:fd use;
+		allow $1 inetd_t:fifo_file rw_file_perms;
+		allow $1 inetd_t:process sigchld;
+		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
+
+		# make sediff happy
+		allow $1 $2:file { rx_file_perms entrypoint };
+	')
 ')
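Review bot: The comment above the `bool regexp(...)` line admits that a domain type not ending in `_t` yields an empty boolean name, but the code then emits `bool  false;` and an `if( )` with an empty condition, so the failure surfaces as a checkpolicy syntax error far from the offending interface call rather than as a clear m4-time message. A guard such as `ifelse(regexp($1, `\(\w+\)_t', `\1'), `', `errprint(`inetd_core_service_domain: $1 does not end in _t')')` before the bool declaration would name the culprit; inetd_core_service_domain itself begins before this hunk. The else branch and the non-targeted branch are nine identical lines, which invites drift the next time one of them is edited, so it is worth factoring the shared rules into a small m4 macro or at least noting in a comment that the two copies must stay in sync. The `# make sediff happy` comments here and in both init.if hunks say why the rule exists but not what it does; since domain_auto_trans is presumably already granting entrypoint and execute (not visible here), a wording like `# explicit execute/entrypoint on $2 so both branches grant the same file permissions (keeps sediff output clean)` would tell a reader whether the rule is redundant or load-bearing. It would also help to state next to `can_exec(inetd_t,$2)` that while the boolean is on the service keeps running as inetd_t, so its file and network access is governed and audited under inetd_t's rules rather than its own.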
 
 ########################################
diff --git a/refpolicy/policy/modules/services/tftp.te b/refpolicy/policy/modules/services/tftp.te
index d6e1096..2b791ad 100644
--- a/refpolicy/policy/modules/services/tftp.te
+++ b/refpolicy/policy/modules/services/tftp.te
@@ -8,7 +8,7 @@ policy_module(tftp,1.0)
 
 type tftpd_t;
 type tftpd_exec_t;
-init_daemon_domain(tftpd_t,tftpd_exec_t)
+init_system_domain(tftpd_t,tftpd_exec_t)
 inetd_udp_service_domain(tftpd_t,tftpd_exec_t)
 
 type tftpd_var_run_t;
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 8623dd5..d4b8319 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -99,6 +99,9 @@ interface(`init_daemon_domain',`
 			allow $1 initrc_t:fifo_file rw_file_perms;
 			allow $1 initrc_t:process sigchld;
 			allow initrc_t $1:process { noatsecure siginh rlimitinh };
+
+			# make sediff happy
+			allow $1 $2:file { rx_file_perms entrypoint };
 		}
 	',`
 		domain_auto_trans(initrc_t,$2,$1)
@@ -107,6 +110,9 @@ interface(`init_daemon_domain',`
 		allow $1 initrc_t:fifo_file rw_file_perms;
 		allow $1 initrc_t:process sigchld;
 		dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
+
+		# make sediff happy
+		allow $1 $2:file { rx_file_perms entrypoint };
 	')
 
 	optional_policy(`nscd.te',`
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 01962c1..99fbe40 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -49,4 +49,5 @@ ifdef(`targeted_policy',`
 	')
 
 	') dnl end TODO
+	typeattribute unconfined_t direct_run_init;
 ')
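Review bot: The added `typeattribute unconfined_t direct_run_init;` gives unconfined_t a new attribute without any comment saying what that attribute confers or why the targeted policy needs it, and the line sits directly after a `dnl end TODO` marker, which makes it easy to mistake for part of the unfinished block. Since the attribute is defined elsewhere (its rules are not in this diff) the effect is inferred, but anything that widens what unconfined_t may do with init scripts is exactly the kind of rule an auditor will look for an explanation of. A comment such as `# direct_run_init: let unconfined_t run init scripts directly, without the initrc_t transition; needed for the targeted-policy disable_trans booleans` above the line, adjusted to whatever the attribute actually grants, would close that gap.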

