[selinux-policy: 3140/3172] Tunable, optional and if(n)def blocks go below.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:39:13 UTC 2010


commit 4781493e450b993fb291e8d5ba8e66c151acd975
Author: Dominick Grift <domg472 at gmail.com>
Date:   Fri Sep 24 09:38:13 2010 +0200

    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.
    
    Tunable, optional and if(n)def blocks go below.

 policy/modules/services/rpc.te     |    3 +-
 policy/modules/services/ssh.te     |   23 +++++------
 policy/modules/services/stunnel.te |   12 +++---
 policy/modules/services/telnet.te  |   11 +++--
 policy/modules/services/xserver.te |   78 ++++++++++++++++++------------------
 5 files changed, 64 insertions(+), 63 deletions(-)
---
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index c524171..698b763 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -161,6 +161,8 @@ storage_raw_read_removable_device(nfsd_t)
 # Read access to public_content_t and public_content_rw_t
 miscfiles_read_public_files(nfsd_t)
 
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+
 # Write access to public_content_t and public_content_rw_t
 tunable_policy(`allow_nfsd_anon_write',`
 	miscfiles_manage_public_files(nfsd_t)
@@ -173,7 +175,6 @@ tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t)
 	auth_manage_all_files_except_shadow(nfsd_t)
 ')
-userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 
 tunable_policy(`nfs_export_all_ro',`
 	dev_getattr_all_blk_files(nfsd_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 135bb1b..f03a8ce 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -45,10 +45,6 @@ init_script_file(sshd_initrc_exec_t)
 type sshd_key_t;
 files_type(sshd_key_t)
 
-ifdef(`enable_mcs',`
-	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-
 type ssh_t;
 type ssh_exec_t;
 typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
@@ -83,6 +79,10 @@ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_ho
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
+
 ##############################
 #
 # SSH client local policy
@@ -296,15 +296,17 @@ term_use_ptmx(sshd_t)
 corenet_tcp_bind_xserver_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
 
-tunable_policy(`sshd_forward_ports',`
-	corenet_tcp_bind_all_unreserved_ports(sshd_t)
-	corenet_tcp_connect_all_ports(sshd_t)
-')
-
 userdom_read_user_home_content_files(sshd_t)
 userdom_read_user_home_content_symlinks(sshd_t)
 userdom_search_admin_dir(sshd_t)
 userdom_manage_tmp_role(system_r, sshd_t)
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+
+tunable_policy(`sshd_forward_ports',`
+	corenet_tcp_bind_all_unreserved_ports(sshd_t)
+	corenet_tcp_connect_all_ports(sshd_t)
+')
 
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
@@ -314,9 +316,6 @@ tunable_policy(`ssh_sysadm_login',`
 	userdom_signal_all_users(sshd_t)
 ')
 
-userdom_spec_domtrans_unpriv_users(sshd_t)
-userdom_signal_unpriv_users(sshd_t)
-
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index abd06df..9cc4d7d 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -8,12 +8,6 @@ policy_module(stunnel, 1.9.1)
 type stunnel_t;
 type stunnel_exec_t;
 
-ifdef(`distro_gentoo',`
-	init_daemon_domain(stunnel_t, stunnel_exec_t)
-',`
-	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-')
-
 type stunnel_etc_t;
 files_config_file(stunnel_etc_t)
 
@@ -23,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
 type stunnel_var_run_t;
 files_pid_file(stunnel_var_run_t)
 
+ifdef(`distro_gentoo',`
+	init_daemon_domain(stunnel_t, stunnel_exec_t)
+',`
+	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index fcdde4c..d9d8e18 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -83,11 +83,6 @@ userdom_setattr_user_ptys(telnetd_t)
 userdom_manage_user_tmp_files(telnetd_t)
 userdom_tmp_filetrans_user_tmp(telnetd_t, file)
 
-optional_policy(`
-	kerberos_keytab_template(telnetd, telnetd_t)
-	kerberos_manage_host_rcache(telnetd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_nfs(telnetd_t)
 ')
@@ -95,3 +90,9 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 	fs_search_cifs(telnetd_t)
 ')
+
+optional_policy(`
+	kerberos_keytab_template(telnetd, telnetd_t)
+	kerberos_manage_host_rcache(telnetd_t)
+')
+
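Review bot: The final added line of this hunk is an empty line after the closing `')` of the relocated kerberos optional_policy block, so telnet.te now ends with a trailing blank line where the old file (per the `-95,3` range) ended directly at `')`. None of the other blocks moved in this commit leave a blank line at end of file, and the stray newline will show up as noise in the next diff of this file; dropping that last `+` line so the file ends at `')` keeps it consistent with the rest of the series.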
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b8d770d..3812d23 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -358,6 +358,8 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 userdom_read_all_users_state(xauth_t)
 
+xserver_rw_xdm_tmp_files(xauth_t)
+
 ifdef(`hide_broken_symptoms',`
 	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 	fs_dontaudit_list_inotifyfs(xauth_t)
@@ -367,8 +369,6 @@ ifdef(`hide_broken_symptoms',`
 	miscfiles_read_fonts(xauth_t)
 ')
 
-xserver_rw_xdm_tmp_files(xauth_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(xauth_t)
 	fs_read_nfs_symlinks(xauth_t)
@@ -651,6 +651,14 @@ application_signal(xdm_t)
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
+ifndef(`distro_redhat',`
+	allow xdm_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+	allow xdm_t self:process { execheap execmem };
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_t)
 	fs_manage_nfs_files(xdm_t)
@@ -815,14 +823,6 @@ optional_policy(`
 	unconfined_signal(xdm_t)
 ')
 
-ifndef(`distro_redhat',`
-	allow xdm_t self:process { execheap execmem };
-')
-
-ifdef(`distro_rhel4',`
-	allow xdm_t self:process { execheap execmem };
-')
-
 optional_policy(`
 	userhelper_dontaudit_search_config(xdm_t)
 ')
@@ -1142,10 +1142,6 @@ userdom_read_all_users_state(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-optional_policy(`
-	userhelper_search_config(xserver_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
@@ -1175,6 +1171,10 @@ optional_policy(`
 	rhgb_rw_tmpfs_files(xserver_t)
 ')
 
+optional_policy(`
+	userhelper_search_config(xserver_t)
+')
+
 ########################################
 #
 # Rules common to all X window domains
@@ -1281,6 +1281,22 @@ allow x_domain xserver_t:x_screen getattr;
 # Rules for unconfined access to this module
 #
 
+allow xserver_unconfined_type xserver_t:x_server *;
+allow xserver_unconfined_type xdrawable_type:x_drawable *;
+allow xserver_unconfined_type xserver_t:x_screen *;
+allow xserver_unconfined_type x_domain:x_gc *;
+allow xserver_unconfined_type xcolormap_type:x_colormap *;
+allow xserver_unconfined_type xproperty_type:x_property *;
+allow xserver_unconfined_type xselection_type:x_selection *;
+allow xserver_unconfined_type x_domain:x_cursor *;
+allow xserver_unconfined_type x_domain:x_client *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+allow xserver_unconfined_type xextension_type:x_extension *;
+allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
@@ -1302,31 +1318,6 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
-allow xserver_unconfined_type xserver_t:x_server *;
-allow xserver_unconfined_type xdrawable_type:x_drawable *;
-allow xserver_unconfined_type xserver_t:x_screen *;
-allow xserver_unconfined_type x_domain:x_gc *;
-allow xserver_unconfined_type xcolormap_type:x_colormap *;
-allow xserver_unconfined_type xproperty_type:x_property *;
-allow xserver_unconfined_type xselection_type:x_selection *;
-allow xserver_unconfined_type x_domain:x_cursor *;
-allow xserver_unconfined_type x_domain:x_client *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_device *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
-allow xserver_unconfined_type xextension_type:x_extension *;
-allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
-allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
-
-optional_policy(`
-	unconfined_rw_shm(xserver_t)
-	unconfined_execmem_rw_shm(xserver_t)
-
-	# xserver signals unconfined user on startx
-	unconfined_signal(xserver_t)
-	unconfined_getpgid(xserver_t)
-')
-
 tunable_policy(`allow_xserver_execmem',`
 	allow xserver_t self:process { execheap execmem execstack };
 ')
@@ -1347,3 +1338,12 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 	fs_append_cifs_files(xdmhomewriter)
 ')
+
+optional_policy(`
+	unconfined_rw_shm(xserver_t)
+	unconfined_execmem_rw_shm(xserver_t)
+
+	# xserver signals unconfined user on startx
+	unconfined_signal(xserver_t)
+	unconfined_getpgid(xserver_t)
+')

