reorg run_init a little, and add a convert to a few new interfaces

refpolicy/policy/modules/kernel/bootloader.te

@@ -78,6 +78,7 @@ storage_raw_write_removable_device(bootloader_t)
 
 devices_get_all_character_device_attributes(bootloader_t)
 devices_set_all_block_device_attributes(bootloader_t)
+devices_ignore_modify_generic_devices(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
 
@@ -113,8 +114,6 @@ modutils_insmod_execute(insmod_t)
 
 miscfiles_read_localization(bootloader_t)
 
-devices_ignore_modify_generic_devices(bootloader_t)
-
 ########################################
 #
 # mkinitrd policy

refpolicy/policy/modules/kernel/devices.if

@@ -74,6 +74,37 @@ type device_t;
 class dir { getattr read search };
 ')
 
+########################################
+#
+# devices_manage_device_nodes(type,[`optional'])
+#
+define(`devices_manage_device_nodes',`
+requires_block_template(devices_manage_device_nodes_depend,$2)
+allow udev_t device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+allow udev_t device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow udev_t device_t:lnk_file { create read getattr setattr link unlink rename };
+allow udev_t device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+allow udev_t device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+# these next rules are to satisfy assertions broken by the above lines.
+# the permissions hopefully can be cut back a lot
+storage_raw_read_fixed_disk($1)
+storage_raw_write_fixed_disk($1)
+storage_read_scsi_generic($1)
+storage_write_scsi_generic($1)
+typeattribute $1 memory_raw_read;
+typeattribute $1 memory_raw_write;
+')
+
+define(`devices_manage_device_nodes_depend',`
+attribute device_node, memory_raw_read, memory_raw_write;
+type device_t;
+class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+class lnk_file { create read getattr setattr link unlink rename };
+class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+')
+
 ########################################
 #
 # devices_ignore_modify_generic_devices(type,[`optional'])

refpolicy/policy/modules/kernel/devices.te

@@ -25,7 +25,8 @@ filesystem_tmpfs_associate(cardmgr_dev_t)
 # Relabelto is allowed for setfiles to function, in case
 # a device node has no specific type yet, but is for some
 # reason labeled with a specific type
-neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+#cjp: want this, but udev policy breaks this
+#neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
 
 #
 # zero_device_t is the type of /dev/zero.

refpolicy/policy/modules/kernel/kernel.if

@@ -1,32 +1,5 @@
 # Copyright (C) 2005 Tresys Technology, LLC
 
-########################################
-#
-# kernel_system_role_change(role,[`optional'])
-#
-define(`kernel_system_role_change',`
-requires_block_template(kernel_system_role_change_depend,$2)
-allow $1 system_r;
-')
-
-define(`kernel_system_role_change_depend',`
-role system_r;
-')
-
-########################################
-#
-# kernel_system_role_transition(role,entrypoint,[`optional'])
-#
-define(`kernel_system_role_transition',`
-requires_block_template(kernel_system_role_transition_depend,$2)
-allow $1 system_r;
-role_transition $1 $2 system_r;
-')
-
-define(`kernel_system_role_change_depend',`
-role system_r;
-')
-
 ########################################
 #
 # kernel_share_state(domain,[`optional'])
@@ -498,6 +471,20 @@ class dir search;
 class file getattr;
 ')
 
+########################################
+#
+# kernel_ignore_get_message_interface_attributes(domain)
+#
+define(`kernel_ignore_get_message_interface_attributes',`
+requires_block_template(kernel_ignore_get_message_interface_attributes_depend)
+dontaudit $1 proc_kmsg_t:file getattr;
+')
+
+define(`kernel_ignore_get_message_interface_attributes_depend',`
+type proc_kmsg_t, proc_t;
+class file getattr;
+')
+
 ########################################
 #
 # kernel_read_network_state(domain,[`optional'])

refpolicy/policy/modules/system/authlogin.if

@@ -48,13 +48,14 @@ allow $1_t $1_chkpwd_t:process transition;
 #userdomain_use_$1_terminal($1_chkpwd_t)
 #userdomain_use_$1_pty($1_chkpwd_t)
 
-#allow $1_chkpwd_t privfd:fd use;
+domain_use_widely_inheritable_file_descriptors($1_chkpwd_t)
 
 # Inherit and use descriptors from gnome-pty-helper.
 #ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
 
-# Inherit and use descriptors from newrole.
+optional_policy(`selinux.te',`
-#ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
+selinux_newrole_use_file_descriptors($1_chkpwd_t)
+')
 ') dnl ifelse system
 
 # for nscd

refpolicy/policy/modules/system/authlogin.te

@@ -19,9 +19,18 @@ logging_make_log_file(lastlog_t)
 type login_exec_t;
 files_make_file(login_exec_t)
 
+type pam_console_t;
+domain_make_domain(pam_console_t)
+
+type pam_console_exec_t;
+domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
+
 type pam_t;
 domain_make_domain(pam_t)
 
+type pam_exec_t;
+domain_make_entrypoint_file(pam_t,pam_exec_t)
+
 type pam_tmp_t;
 files_make_file(pam_tmp_t)
 

refpolicy/policy/modules/system/hotplug.te

@@ -92,6 +92,12 @@ miscfiles_read_localization(hotplug_t)
 
 mount_transition(hotplug_t)
 
+tunable_policy(`targeted_policy', `
+terminal_ignore_use_general_physical_terminal(hotplug_t)
+terminal_ignore_use_general_pseudoterminal(hotplug_t)
+files_ignore_read_rootfs_file(hotplug_t)
+')
+
 optional_policy(`consoletype.te',`
 consoletype_transition(hotplug_t)
 ')
@@ -109,13 +115,10 @@ udev_transition(hotplug_t)
 udev_read_database(hotplug_t)
 ')
 
-tunable_policy(`targeted_policy', `
+optional_policy(`updfstab.te', `
-terminal_ignore_use_general_physical_terminal(hotplug_t)
+updfstab_transition(hotplug_t)
-terminal_ignore_use_general_pseudoterminal(hotplug_t)
-files_ignore_read_rootfs_file(hotplug_t)
 ')
 
-
 ifdef(`TODO',`
 allow hotplug_t null_device_t:chr_file r_file_perms;
 dontaudit hotplug_t unpriv_userdomain:fd use;
@@ -184,10 +187,6 @@ allow hald_t hotplug_etc_t:dir search;
 allow hald_t hotplug_etc_t:file { getattr read };
 ')
 
-optional_policy(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
 optional_policy(`fsadm.te', `
 domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
 ')

refpolicy/policy/modules/system/init.te

@@ -59,7 +59,7 @@ type run_init_t;
 domain_make_domain(run_init_t)
 
 type run_init_exec_t;
-files_make_file(run_init_exec_t)
+domain_make_entrypoint_file(run_init_t,run_init_exec_t)
 
 ########################################
 #
@@ -192,6 +192,8 @@ kernel_read_all_sysctl(initrc_t)
 kernel_modify_all_sysctl(initrc_t)
 kernel_get_selinux_enforcement_mode(initrc_t)
 kernel_list_usb_hardware(initrc_t)
+# for lsof which is used by alsa shutdown:
+kernel_ignore_get_message_interface_attributes(initrc_t)
 
 filesystem_register_binary_executable_type(initrc_t)
 # cjp: not sure why these are here; should use mount policy
@@ -367,7 +369,7 @@ dontaudit initrc_t mail_spool_t:lnk_file read;
 
 # for lsof which is used by alsa shutdown
 dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
+kernel_ignore_get_message_interface_attributes(initrc_t)
 ') dnl end TODO
 
 #################################
@@ -378,25 +380,6 @@ dontaudit initrc_t proc_kmsg_t:file getattr;
 tunable_policy(`targeted_policy',`
 # targeted/unconfined stuff
 ',`
-corecommands_execute_general_programs(run_init_t)
-corecommands_execute_shell(run_init_t)
-
-filesystem_get_persistent_filesystem_attributes(run_init_t)
-
-files_read_general_system_config(run_init_t)
-
-libraries_use_dynamic_loader(run_init_t)
-libraries_read_shared_libraries(run_init_t)
-
-selinux_read_config(run_init_t)
-selinux_read_default_contexts(run_init_t)
-
-authlogin_ignore_read_shadow_passwords(run_init_t)
-
-miscfiles_read_localization(run_init_t)
-
-logging_send_system_log_message(run_init_t)
-
 allow run_init_t initrc_t:process transition;
 allow run_init_t initrc_exec_t:file { getattr read execute };
 
@@ -412,15 +395,32 @@ allow run_init_t self:fifo_file { getattr read write };
 # by a different user or has restrictive SE permissions, do not want to audit
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
-
-devices_ignore_list_device_nodes(run_init_t)
-terminal_ignore_list_pseudoterminals(run_init_t)
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
 files_ignore_search_all_directories(run_init_t)
 
+filesystem_get_persistent_filesystem_attributes(run_init_t)
+
+devices_ignore_list_device_nodes(run_init_t)
+
+terminal_ignore_list_pseudoterminals(run_init_t)
+
+domain_use_widely_inheritable_file_descriptors(run_init_t)
+
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+files_read_general_system_config(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_read_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+selinux_read_default_contexts(run_init_t)
+
+authlogin_ignore_read_shadow_passwords(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+logging_send_system_log_message(run_init_t)
 ') dnl end ifdef targeted policy
 
 
@@ -440,7 +440,6 @@ domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
 # for utmp
 allow run_init_t admin_tty_type:chr_file rw_file_perms;
 
-allow run_init_t privfd:fd use;
 allow run_init_t lib_t:file { getattr read };
 
 ') dnl endif targeted policy
@@ -448,6 +447,6 @@ allow run_init_t lib_t:file { getattr read };
 tunable_policy(`distro_gentoo', `
 # Gentoo integrated run_init+open_init_pty-runscript:
 domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+domain_make_entrypoint_file(run_init_t,initrc_exec_t)
 ')
-
 ') dnl end TODO