From 09741b1f0eac5f37c8d81b0e8d19ed6a3ab4e0ac Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 25 Nov 2005 19:38:45 +0000
Subject: [PATCH] cleanup from sediff
---
 refpolicy/policy/modules/admin/rpm.te | 17 ++++++-
 refpolicy/policy/modules/services/rshd.te | 11 +++--
 refpolicy/policy/modules/system/domain.if | 58 +++++++++++++++++++++--
 refpolicy/policy/modules/system/init.te | 4 +-
 refpolicy/policy/modules/system/pcmcia.te | 2 +-
 5 files changed, 80 insertions(+), 12 deletions(-)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index dd7c79c1..0b65622a 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.0.1)
+policy_module(rpm,1.0.2)
 ########################################
 #
@@ -146,6 +146,13 @@ domain_read_all_domains_state(rpm_t)
 domain_getattr_all_domains(rpm_t)
 domain_dontaudit_ptrace_all_domains(rpm_t)
 domain_use_wide_inherit_fd(rpm_t)
+domain_dontaudit_getattr_all_pipes(rpm_t)
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
 files_exec_etc_files(rpm_t)
@@ -167,6 +174,10 @@ sysnet_read_config(rpm_t)
 userdom_use_unpriv_users_fd(rpm_t)
+ifdef(`distro_redhat',`
+ unconfined_domain_template(rpm_t)
+')
+
 ifdef(`targeted_policy',`
 unconfined_domain_template(rpm_t)
 ',`
@@ -318,6 +329,10 @@ seutil_domtrans_restorecon(rpm_script_t)
 userdom_use_all_user_fd(rpm_script_t)
+ifdef(`distro_redhat',`
+ unconfined_domain_template(rpm_script_t)
+')
+
 ifdef(`targeted_policy',`
 unconfined_domain_template(rpm_script_t)
 ',`
diff --git a/refpolicy/policy/modules/services/rshd.te b/refpolicy/policy/modules/services/rshd.te
index e7f7d1b4..2ebf6f0b 100644
--- a/refpolicy/policy/modules/services/rshd.te
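Review bot: The added `ifdef(`distro_redhat',…)` block in the third hunk makes rpm_t unconfined on every Red Hat build regardless of policy type, and on a build that defines both distro_redhat and targeted_policy `unconfined_domain_template(rpm_t)` is expanded twice, which is only safe if that template tolerates duplicate expansion — not visible here. The fourth hunk repeats the same pattern for rpm_script_t. Placing the existing targeted_policy test in the else branch of the new ifdef would give a single expansion, and a comment such as `# Red Hat builds run rpm unconfined even in strict policy` above each block would record the intent, which the commit title does not explain. On those builds the seven dontaudit getattr rules added in the second hunk are presumably moot, since an unconfined domain is granted the access outright.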
+++ b/refpolicy/policy/modules/services/rshd.te
@@ -23,11 +23,14 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
 kernel_read_kernel_sysctl(rshd_t)
-corenet_raw_sendrecv_all_if(rshd_t)
-corenet_tcp_sendrecv_all_if(rshd_t)
-corenet_raw_sendrecv_all_nodes(rshd_t)
+corenet_tcp_sendrecv_generic_if(rshd_t)
+corenet_udp_sendrecv_generic_if(rshd_t)
+corenet_raw_sendrecv_generic_if(rshd_t)
 corenet_tcp_sendrecv_all_nodes(rshd_t)
+corenet_udp_sendrecv_all_nodes(rshd_t)
+corenet_raw_sendrecv_all_nodes(rshd_t)
 corenet_tcp_sendrecv_all_ports(rshd_t)
+corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
@@ -52,7 +55,7 @@ files_search_tmp(rshd_t)
 libs_use_ld_so(rshd_t)
 libs_use_shared_libs(rshd_t)
-logging_send_syslog_msg(inetd_t)
+logging_send_syslog_msg(rshd_t)
 miscfiles_read_localization(rshd_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2440743f..e0b316cb 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
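Review bot: The new UDP grants in the first hunk (`corenet_udp_sendrecv_generic_if`, `corenet_udp_sendrecv_all_nodes`, `corenet_udp_sendrecv_all_ports`) carry no comment saying why rshd, which the hunk header shows creating only a TCP stream socket, now needs datagram traffic on every port. If this is for resolving the connecting client's hostname, the narrower `sysnet_dns_name_resolve(rshd_t)` interface, if it exists at this revision, would express that directly; otherwise a comment like `# UDP: <reason>` above the three lines would make the widening auditable. The raw-socket change from `_all_if` to `_generic_if` is a narrowing and looks fine.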
@@ -832,11 +832,45 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
 interface(`domain_dontaudit_getattr_all_key_sockets',`
 gen_require(`
 attribute domain;
- class key_socket { read write };
 ')
 dontaudit $1 domain:key_socket getattr;
 ')
+
+########################################
+##
+## Do not audit attempts to get attribues of
+## all domains packet sockets.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_getattr_all_packet_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:packet_socket getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get attribues of
+## all domains raw sockets.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_getattr_all_raw_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:rawip_socket getattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to read or write
@@ -864,15 +898,31 @@ interface(`domain_dontaudit_rw_all_key_sockets',`
 ## The type of the process performing this action.
 ##
 #
-interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
+interface(`domain_dontaudit_getattr_all_dgram_sockets',`
 gen_require(`
 attribute domain;
- class unix_dgram_socket getattr;
 ')
 dontaudit $1 domain:unix_dgram_socket getattr;
 ')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of all domains unix datagram sockets.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`domain_dontaudit_getattr_all_stream_sockets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:unix_stream_socket getattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to get the attributes
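Review bot: Both new interface summaries in the first hunk misspell `attribues`; the lines should read `## Do not audit attempts to get attributes of`. The two interfaces otherwise mirror the existing key_socket one, and dropping the `class key_socket { read write };` line from that gen_require is consistent with the new interfaces not requiring their socket classes either.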
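Review bot: The summary of the new `domain_dontaudit_getattr_all_stream_sockets` in the second hunk was copied from the dgram interface and still says `unix datagram sockets`, while the rule it emits is `dontaudit $1 domain:unix_stream_socket getattr;`; the line should read `## of all domains unix stream sockets.`. The rename from `domain_dontaudit_getattr_all_unix_dgram_sockets` to `domain_dontaudit_getattr_all_dgram_sockets` drops the `unix` qualifier while the class stays `unix_dgram_socket`, and any caller outside init.te that still uses the old name would fail to build, which this diff cannot show.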
@@ -882,7 +932,7 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
 ## The type of the process performing this action.
 ##
 #
-interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
+interface(`domain_dontaudit_getattr_all_pipes',`
 gen_require(`
 attribute domain;
 class fifo_file getattr;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ec04db5a..c1ca9bdb 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -318,8 +318,8 @@ domain_exec_all_entry_files(initrc_t)
 # for lsof which is used by alsa shutdown:
 domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
-domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
-domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
+domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
+domain_dontaudit_getattr_all_pipes(initrc_t)
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
diff --git a/refpolicy/policy/modules/system/pcmcia.te b/refpolicy/policy/modules/system/pcmcia.te
index 2a63867b..a189206a 100644
--- a/refpolicy/policy/modules/system/pcmcia.te
+++ b/refpolicy/policy/modules/system/pcmcia.te
@@ -79,7 +79,7 @@ domain_read_confined_domains_state(cardmgr_t)
 domain_getattr_confined_domains(cardmgr_t)
 domain_dontaudit_ptrace_confined_domains(cardmgr_t)
 # cjp: these look excessive:
-domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
+domain_dontaudit_getattr_all_pipes(cardmgr_t)
 domain_dontaudit_getattr_all_sockets(cardmgr_t)
 files_list_usr(cardmgr_t)