start switching over to new tunable infrastructure

refpolicy/Makefile

@@ -56,6 +56,7 @@ SETFILES := $(SBINDIR)/setfiles
 
 SUPPORT := support
 GENDOC := $(SUPPORT)/sedoctool.py
+FCSORT := $(SUPPORT)/fc_sort
 
 XMLLINT := $(BINDIR)/xmllint
 
@@ -261,16 +262,15 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 # Create config files
 #
 conf $(MOD_DISABLE) $(TUNABLES): tmp/policy.xml
-	$(QUIET) touch $(TUNABLES)
+	@echo "Creating $(MOD_DISABLE) and $(TUNABLES)"
-	@echo "Creating $(MOD_DISABLE)"
+#	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
-	@echo "# This file contains a listing of available modules." > $(MOD_DISABLE)
+#	@echo "# To prevent a module from  being used in policy" >> $(MOD_DISABLE)
-	@echo "# To prevent a module from  being used in policy" >> $(MOD_DISABLE)
+#	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
-	@echo "# creation, uncomment the line with its name." >> $(MOD_DISABLE)
+#	@echo "" >> $(MOD_DISABLE)
-	@echo "" >> $(MOD_DISABLE)
+#	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
-	@for i in $(sort $(patsubst %.te,%,$(notdir $(ALL_TE_FILES)))); do \
+#		echo "#$$i" >> $(MOD_DISABLE) ;\
-		echo "#$$i" >> $(MOD_DISABLE) ;\
+#	done
-	done
+	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES) -m $(MOD_DISABLE)
-	$(QUIET) $(GENDOC) -x tmp/policy.xml -t $(TUNABLES)
 
 ########################################
 #
@@ -299,6 +299,7 @@ $(FCPATH): $(FC) $(USERPATH)/system.users
 	$(QUIET) install -m 644 $(FC) $(FCPATH)
 #	$(QUIET) install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
 #	$(QUIET) $(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
+	$(QUIET) $(FCSORT) $(FCPATH) $(FCPATH)
 
 ########################################
 #
@@ -422,6 +423,8 @@ clean:
 	rm -f $(FC)
 
 bare: clean
+	rm -f $(SUPPORT)/*.pyc
+	rm -f $(FCSORT)
 	rm -f $(MOD_DISABLE)
 	rm -f $(TUNABLES)
 

refpolicy/policy/modules/admin/consoletype.te

@@ -50,7 +50,7 @@ files_ignore_read_rootfs_file(consoletype_t)
 libraries_use_dynamic_loader(consoletype_t)
 libraries_use_shared_libraries(consoletype_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(consoletype_t)
 ')
 

refpolicy/policy/modules/admin/dmesg.te

@@ -49,7 +49,7 @@ miscfiles_read_localization(dmesg_t)
 userdomain_use_admin_terminals(dmesg_t)
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t)
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dmesg_t)
 	terminal_ignore_use_general_pseudoterminal(dmesg_t)
 	files_ignore_read_rootfs_file(dmesg_t)

refpolicy/policy/modules/kernel/bootloader.te

@@ -139,13 +139,13 @@ miscfiles_read_localization(bootloader_t)
 selinux_read_binary_policy(bootloader_t)
 selinux_read_load_policy_binary(bootloader_t)
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
 allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
 allow bootloader_t boot_t:file relabelfrom;
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
@@ -190,7 +190,7 @@ allow bootloader_t sysfs_t:dir getattr;
 allow bootloader_t var_t:dir search;
 allow bootloader_t var_t:file { getattr read };
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 	allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 	allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -203,7 +203,7 @@ tunable_policy(`distro_debian', `
 	can_exec(bootloader_t, usr_t)
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t file_t:dir create_dir_perms;
 	allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;

refpolicy/policy/modules/kernel/terminal.if

@@ -62,11 +62,11 @@ define(`terminal_make_physical_terminal',`
 
 	# Debian login is from shadow utils and does not allow resetting the perms.
 	# have to fix this!
-	tunable_policy(`distro_debian',`
+	ifdef(`distro_debian',`
 		type_change $1 ttyfile:chr_file $2;
 	')
 
-	tunable_policy(`distro_redhat',`
+	ifdef(`distro_redhat',`
 		filesystem_tmpfs_associate($2)
 	')
 ')

refpolicy/policy/modules/services/cron.te

@@ -124,7 +124,7 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file { create ioctl read getattr lock write setattr append link unlink rename };
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(crond_t)
 	terminal_ignore_use_general_pseudoterminal(crond_t)
 	files_ignore_read_rootfs_file(crond_t)
@@ -348,7 +348,7 @@ ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 optional_policy(`rpm.te', `
 allow system_crond_t rpm_log_t:file create_file_perms;
 ')

refpolicy/policy/modules/services/mta.te

@@ -27,7 +27,7 @@ type system_mail_t; #, user_mail_domain, nscd_client_domain;
 domain_make_domain(system_mail_t)
 role system_r types system_mail_t;
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 optional_policy(`sendmail.te', `
 domain_make_entrypoint_file(system_mail_t,sendmail_exec_t)
 ', `

refpolicy/policy/modules/system/authlogin.te

@@ -174,7 +174,7 @@ tunable_policy(`direct_sysadm_daemon', `
 	dontaudit pam_console_t admin_tty_type:chr_file rw_file_perms;
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(pam_console_t)
 	terminal_ignore_use_general_pseudoterminal(pam_console_t)
 	files_ignore_read_rootfs_file(pam_console_t)

refpolicy/policy/modules/system/clock.te

@@ -57,7 +57,7 @@ logging_send_system_log_message(hwclock_t)
 
 miscfiles_read_localization(hwclock_t)
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hwclock_t)
 	terminal_ignore_use_general_pseudoterminal(hwclock_t)
 	files_ignore_read_rootfs_file(hwclock_t)

refpolicy/policy/modules/system/hostname.te

@@ -54,11 +54,11 @@ miscfiles_read_localization(hostname_t)
 
 userdomain_use_all_users_file_descriptors(hostname_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	filesystem_use_tmpfs_character_devices(hostname_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hostname_t)
 	terminal_ignore_use_general_pseudoterminal(hostname_t)
 	files_ignore_read_rootfs_file(hostname_t)

refpolicy/policy/modules/system/hotplug.te

@@ -108,7 +108,7 @@ sysnetwork_read_network_config(hotplug_t)
 
 userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	optional_policy(`netutils.te', `
 		# for arping used for static IP addresses on PCMCIA ethernet
 		netutils_transition(hotplug_t)
@@ -117,7 +117,7 @@ tunable_policy(`distro_redhat', `
 	files_get_system_lock_file_attributes(hotplug_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(hotplug_t)
 	terminal_ignore_use_general_pseudoterminal(hotplug_t)
 	files_ignore_read_rootfs_file(hotplug_t)

refpolicy/policy/modules/system/init.te

@@ -139,7 +139,7 @@ selinux_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(init_t)
 	filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
 ')
@@ -307,11 +307,11 @@ userdomain_read_all_users_data(initrc_t)
 # started from init should be placed in their own domain.
 userdomain_use_admin_terminals(initrc_t)
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	filesystem_create_private_tmpfs_data(initrc_t,initrc_var_run_t,dir)
 ')
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from kmodule, which should get its own policy:
 	allow initrc_t self:capability sys_admin;
 
@@ -399,7 +399,7 @@ su_restricted_domain(initrc,system)
 role system_r types initrc_su_t;
 ')
 
-tunable_policy(`distro_debian', `
+ifdef(`distro_debian', `
 	allow initrc_t { etc_t device_t }:dir setattr;
 
 	# for storing state under /dev/shm
@@ -407,12 +407,12 @@ tunable_policy(`distro_debian', `
 	file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
 ')
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 	# readahead asks for these
 	allow initrc_t var_lib_nfs_t:file { getattr read };
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
 	allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
 	allow initrc_t unconfined_t:dbus { acquire_svc send_msg };

refpolicy/policy/modules/system/iptables.te

@@ -96,7 +96,7 @@ optional_policy(`udev.te', `
 	udev_read_database(iptables_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(iptables_t)
 	terminal_ignore_use_general_pseudoterminal(iptables_t)
 

refpolicy/policy/modules/system/locallogin.te

@@ -235,7 +235,7 @@ ifdef(`monolithic_policy',`
 	ifdef(`distro_debian', `define(`sulogin_no_pam')')
 ') dnl end monolithic_policy
 
-tunable_policy(`sulogin_no_pam', `
+ifdef(`sulogin_no_pam', `
 	allow sulogin_t self:capability sys_tty_config;
 	init_get_process_group(sulogin_t)
 ', `

refpolicy/policy/modules/system/logging.te

@@ -274,7 +274,7 @@ tunable_policy(`direct_sysadm_daemon',`
 	dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
 ')
 
-tunable_policy(`distro_suse', `
+ifdef(`distro_suse', `
 	# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
 	file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
 ')

refpolicy/policy/modules/system/lvm.te

@@ -135,12 +135,12 @@ selinux_read_config(lvm_t)
 selinux_read_file_contexts(lvm_t)
 selinux_newrole_sigchld(lvm_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	# this is from the initrd:
 	files_modify_isid_type_dir(lvm_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(lvm_t)
 	terminal_ignore_use_general_pseudoterminal(lvm_t)
 

refpolicy/policy/modules/system/mount.te

@@ -68,7 +68,7 @@ miscfiles_read_localization(mount_t)
 
 userdomain_use_all_users_file_descriptors(mount_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_use_tmpfs_character_devices(mount_t)
 	allow mount_t tmpfs_t:dir mounton;
 

refpolicy/policy/modules/system/selinux.te

@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
 filesystem_relabel_tmpfs_block_devices(restorecon_t)
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 
 ifdef(`TODO',`
 
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -318,7 +318,7 @@ files_read_all_directories(restorecon_t)
 # this is to satisfy the assertion:
 authlogin_relabel_to_shadow_passwords(restorecon_t)
 
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 filesystem_use_tmpfs_character_devices(restorecon_t)
 filesystem_use_tmpfs_block_devices(restorecon_t)
 filesystem_relabel_tmpfs_block_devices(restorecon_t)
@@ -349,7 +349,7 @@ kernel_compute_selinux_create_context(run_init_t)
 kernel_compute_selinux_relabel_context(run_init_t)
 kernel_compute_selinux_reachable_user_contexts(run_init_t)
 
-tunable_policy(`targeted_policy',`',`
+ifdef(`targeted_policy',`',`
 	allow run_init_t self:process setexec;
 	allow run_init_t self:capability setuid;
 
@@ -394,7 +394,7 @@ tunable_policy(`targeted_policy',`',`
 
 ifdef(`TODO',`
 
-tunable_policy(`distro_gentoo', `
+ifdef(`distro_gentoo', `
 	# Gentoo integrated run_init+open_init_pty-runscript:
 	domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
 	domain_make_entrypoint_file(run_init_t,initrc_exec_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -140,7 +140,7 @@ ifdef(`distro_redhat', `
 	files_execute_system_config_script(dhcpc_t)
 ')
 
-tunable_policy(`targeted_policy', `
+ifdef(`targeted_policy', `
 	terminal_ignore_use_general_physical_terminal(dhcpc_t)
 	terminal_ignore_use_general_pseudoterminal(dhcpc_t)
 
@@ -205,7 +205,7 @@ allow hotplug_t dhcpc_t:process signal_perms;
 allow hotplug_t dhcpc_var_run_t:file { getattr read };
 allow hotplug_t dhcp_etc_t:file rw_file_perms;
 allow dhcpc_t hotplug_etc_t:dir { getattr search };
-tunable_policy(`distro_redhat', `
+ifdef(`distro_redhat', `
 logging_syslogd_transition(dhcpc_t)
 ')
 ')dnl end hotplug.te

refpolicy/policy/modules/system/udev.te

@@ -113,13 +113,13 @@ selinux_restorecon_transition(udev_t)
 
 sysnetwork_ifconfig_transition(udev_t)
 
-tunable_policy(`distro_redhat',`
+ifdef(`distro_redhat',`
 	filesystem_manage_tmpfs_block_devices(udev_t)
 	filesystem_manage_tmpfs_character_devices(udev_t)
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_transition(udev_t)
-') dnl end ifdef distro_redhat
+')
 
 optional_policy(`authlogin.te',`
 	authlogin_pam_console_read_runtime_data(udev_t)
@@ -156,12 +156,11 @@ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
 
 dbusd_client(system, udev)
 
-# Ifdefs
+ifdef(`distro_redhat',`
-tunable_policy(`distro_redhat',`
 allow udev_t tmpfs_t:sock_file create_file_perms;
 allow udev_t tmpfs_t:lnk_file create_lnk_perms;
 allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto };
-') dnl end ifdef distro_redhat
+')
 
 tunable_policy(`hide_broken_symptoms',`
 dontaudit restorecon_t udev_t:unix_dgram_socket { read write };

refpolicy/policy/modules/system/userdomain.te

@@ -99,7 +99,10 @@ role_change(sysadm, staff)
 # only staff_r can change to sysadm_r
 role_change(staff, sysadm)
 
-tunable_policy(`user_canbe_sysadm',`
+# this should be tunable_policy, but
+# currently type_change and RBAC allow
+# do not work in conditionals
+ifdef(`user_canbe_sysadm',`
 	role_change(user,sysadm)
 ')
 

refpolicy/policy/support/loadable_module.spt

@@ -9,9 +9,9 @@
 # For adding the module statement
 #
 define(`policy_module',`
-ifdef(`monolithic_policy',`',`
+	ifdef(`monolithic_policy',`',`
-module $1 $2;
+		module $1 $2;
-')
+	')
 ')
 
 ##############################
@@ -19,42 +19,46 @@ module $1 $2;
 # For use in interfaces, to optionally insert a requires block
 #
 define(`requires_block_template',`
-ifdef(`monolithic_policy',`',`
+	ifdef(`monolithic_policy',`',`
-require {
+		require {
-$1
+			$1
-}
+		}
-') dnl end ifdef monolithic_policy
+	')
-') dnl end requires_block_template
+')
 
 ##############################
 #
 # Optional policy handling
 #
 define(`optional_policy',`
-ifdef(`monolithic_policy',`
+	ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
+		ifdef(`$1',$2,$3)
-',`
+	',`
-optional {
+		optional {
-$2
+			$2
-} else {
+		} else {
-$3
+			$3
-}
+		}
-') dnl end ifdef monolithic_policy
+	')
-') dnl end optional_policy
+')
 
 ##############################
 #
 # Tunable policy handling
 #
 define(`tunable_policy',`
-ifdef(`monolithic_policy',`
+	ifdef(`monolithic_policy',`
-ifdef(`$1',$2,$3)
+		if (`$1') {
-',`
+			$2
-optional {
+		} else {
-require { $1 }
+			$3
-$2
+		}
-} else {
+	',`
-$3
+		optional {
-}
+			require { `$1' }
-') dnl end ifdef monolithic_policy
+			$2
-') dnl end tunable_policy
+		} else {
+			$3
+		}
+	')
+')